Elastic Compute Service:Data security

Confidentiality of data storage

• Encrypted cloud disks

  • Feature description: When you create an ECS instance with its system disk and data disks, or when you create a data disk separately, select the Encrypt option for the disk. After the disk is created, data within the operating system of the ECS instance is automatically encrypted on the host when written to the disk. The data is automatically decrypted when read. This process is transparent to the operating system. You do not need to build or maintain a key management infrastructure. Disk encryption protects data privacy and autonomy, and provides a secure boundary for your business data.

  • For configuration instructions, see Encrypting a cloud disk.

  Important

  For enterprises with high security and compliance requirements, you may need to enforce encryption for all RAM users under your enterprise account to protect data confidentiality. ECS lets you configure custom policies to restrict RAM users to creating only encrypted disks. For more information, see Restrict RAM users to creating only encrypted disks.

• Encrypted snapshots

  An encrypted snapshot is a backup of the encrypted data stored on an encrypted disk, which can be a system disk or a data disk. If a disk is encrypted, snapshots created from it automatically inherit the encryption property. The snapshot data remains encrypted during storage and transfer. The data stays encrypted even if the snapshot is copied to another region or used to restore a disk.

• Encrypted images

  Image encryption uses encryption algorithms to protect data in an image from unauthorized access and disclosure. Even if an unauthorized person accesses the image data, they cannot read or decrypt it, which secures the data stored in the image. You can create an encrypted image from an ECS instance that has an encrypted system disk or from an encrypted snapshot. You can also copy a non-encrypted image to create an encrypted image.

Confidentiality of network data transmission

ECS provides multiple security features to ensure confidentiality during data transfer. This section describes how to use the security-hardened mode to access instance metadata, use a VPN Gateway for secure access, and use HTTPS to access ECS resources.

• Access instance metadata in security-hardened mode

  • Feature description: In normal mode, you can access the Metadata Service to view instance metadata without any authentication. If the instance metadata contains sensitive information, it can be intercepted or leaked during transfer. If an ECS service has a Server-Side Request Forgery (SSRF) vulnerability, an attacker can use the Metadata Service to obtain Security Token Service (STS) tokens. This creates a risk similar to an AccessKey pair leak. Compared to the normal mode, the security-hardened mode provides better protection against SSRF attacks using token-based authentication to access instance data.

  • Configuration method: Select the security-hardened mode to access the Metadata Service and obtain metadata. For more information, see Instance metadata.

• Use a VPN Gateway for secure access

  • Feature description: A VPN Gateway establishes encrypted tunnels to securely and reliably connect your on-premises data centers, office networks, and Internet clients to your virtual private clouds (VPCs) in Alibaba Cloud. VPN Gateway provides two connection methods: IPsec-VPN and SSL-VPN. It uses Internet Key Exchange (IKE) and the IPsec protocol to encrypt data in transit and ensure data security.

    • IPsec-VPN connection: Before a data packet is sent over an IPsec-VPN connection, it is encrypted by the IPsec protocol. IPsec is a suite of protocols used for data encryption and authentication to ensure data integrity.

    • SSL-VPN connection: Install an SSL client certificate on the client to establish an SSL-VPN connection between the client and the VPN Gateway. Traffic transmitted over the SSL-VPN connection is encrypted using the SSL protocol to provide data encryption, identity authentication, and data integrity.

    For more information, see What is VPN Gateway?

  • Configuration method: This feature is supported by default.

• Use HTTPS to access ECS resources

  • Feature description: HTTPS builds on HTTP using Transport Layer Security (TLS)/SSL to encrypt data in transit. This prevents data from being monitored, intercepted, or tampered with by third parties. ECS supports HTTPS for encrypted transmission and provides 256-bit encryption to meet the requirements for transmitting sensitive information. TLS 1.2 encryption is used when you connect to an instance using a session management connection in the console, log on to an instance using an SSH key pair, or use Cloud Assistant for remote access.

  • Configuration method: This feature is supported by default.

  Important

  Alibaba Cloud provides the acs:SecureTransport condition key. After you enable this setting, you can access ECS resources only over HTTPS, which protects the confidentiality of data in transit. You can configure a custom policy to restrict RAM users to accessing ECS resources only over HTTPS. For more information, see Custom policies.

Confidentiality of the computing environment for data at runtime

• Feature description: In addition to data storage and transmission, the confidentiality of the computing environment for data at runtime is also critical. Security-enhanced ECS instances use technologies such as hardware encryption, isolation, and user auditing to provide a secure, reliable, and isolated environment. These instances offer different levels of protection to meet various security and performance requirements. Security-enhanced ECS instances include instance types that provide memory encryption by default, trusted computing, and confidential computing. For more information, see Overview of security capabilities.

• Configuration methods: For more information, see Trusted computing capabilities, Confidential computing capabilities, and Best practices for security capabilities.