In different scenarios, cloud platforms and cloud services may be configured differently according to business needs. Take OSS as an example: some OSS buckets require public read and write access, while others only allow public read and private write access. The default configurations provided by cloud services are not necessarily secure for every business scenario. Enterprises should therefore detect the security risks in the default configurations of the cloud services they use and then, based on their actual business scenarios, assess the impact of each risk and whether it is acceptable. The analysis of default configuration risks of cloud platforms and services needs to consider the following dimensions:
| Risk Assessment Dimension | Description | Example |
| --- | --- | --- |
| Identity management | Check the identity authentication method, password complexity, and RAM roles/users. | A RAM password policy can be used to enforce password complexity. A password length of at least 14-32 characters is recommended. |
| Permission management | Check whether the cloud platform and services contain excessive authorization or other authorization-related issues. | Check whether the policies attached to RAM identities include high-risk RAM actions, and remove actions that were not used according to the operation logs of the past month. |
| Access control | Check the access methods and access controls of the cloud platform and cloud services to ensure they meet security requirements. | Enabling public network access for RDS exposes the instance to intrusion by attackers. Disabling public network access is recommended. |
| Network security | Check whether the network settings of resources comply with specifications and compliance requirements. | Binding a public NAT gateway to a private VPC may expose the VPC to attacks from the public network. |
| Data security | Check whether resources have data access control and encryption enabled when processing data. | Enable server-side encryption for OSS storage. |
| Log auditing | Check whether resources have logging and monitoring enabled. | When users access OSS, a large number of access logs are generated. The log storage feature writes the hourly access logs of OSS to an object with a fixed naming rule in a bucket you specify (the target bucket). You can use Alibaba Cloud Data Lake Analytics or build a Spark cluster to analyze these log files. |
| Disaster recovery and backups | Check whether the data backup strategy for resources has been effectively configured and executed. | Regularly back up NAS files in the NAS console so that files can be recovered promptly when data is lost or damaged. |
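The permission-management row above describes a concrete check: compare the actions a RAM policy grants against the actions the principal actually used in the past month, flag high-risk grants, and propose removing the rest. The following Python script is an added example of that check; it is not code from the original document or from Alibaba Cloud. It assumes ActionTrail-style events serialized as JSON lines with the fields `eventTime`, `serviceName`, `eventName` and `userIdentity.userName` (assumed field names), uses a constructed high-risk watch-list, and audits a constructed policy for a hypothetical RAM user `ops-bot`.

```python
"""Audit a RAM policy against a month of operation logs: flag high-risk grants,
wildcard grants, and granted actions the principal never used in the window."""
import fnmatch
import json
from datetime import datetime, timedelta, timezone

# Constructed watch-list for illustration; not an official Alibaba Cloud list.
HIGH_RISK_ACTIONS = {
    "ram:CreateAccessKey", "ram:AttachPolicyToUser", "ram:CreatePolicy",
    "oss:PutBucketAcl", "oss:PutBucketPolicy", "rds:ModifySecurityIps",
    "ecs:AuthorizeSecurityGroup", "sts:AssumeRole",
}

# Constructed custom RAM policy attached to a hypothetical RAM user "ops-bot".
POLICY_DOCUMENT = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:GetObject", "oss:PutObject", "oss:PutBucketAcl"],
         "Resource": "acs:oss:*:*:app-logs/*"},
        {"Effect": "Allow", "Action": "ecs:Describe*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ram:CreateAccessKey", "rds:DescribeDBInstances"],
         "Resource": "*"},
    ],
})

# Constructed ActionTrail-style events as JSON lines (field names are assumptions).
LOG_LINES = """
{"eventTime": "2024-06-02T08:15:00Z", "serviceName": "Oss", "eventName": "GetObject", "userIdentity": {"userName": "ops-bot"}}
{"eventTime": "2024-06-15T09:30:00Z", "serviceName": "Ecs", "eventName": "DescribeInstances", "userIdentity": {"userName": "ops-bot"}}
{"eventTime": "2024-06-20T17:42:00Z", "serviceName": "Oss", "eventName": "PutObject", "userIdentity": {"userName": "ops-bot"}}
{"eventTime": "2024-04-10T11:00:00Z", "serviceName": "Rds", "eventName": "DescribeDBInstances", "userIdentity": {"userName": "ops-bot"}}
{"eventTime": "2024-06-21T10:05:00Z", "serviceName": "Ram", "eventName": "CreateAccessKey", "userIdentity": {"userName": "admin"}}
"""

# Constructed review date: the audit window is the 30 days before it.
REVIEW_DATE = datetime(2024, 6, 30, tzinfo=timezone.utc)


def _matches(pattern, action):
    """Case-insensitive glob match, the way Action wildcards in a policy behave."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_action_patterns(policy_json):
    """Collect Action patterns from Allow statements; Deny statements are left alone."""
    patterns = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def used_actions(log_lines, user_name, since):
    """Return the 'Service:Event' names the user actually invoked at or after `since`."""
    used = set()
    for line in log_lines.strip().splitlines():
        event = json.loads(line)
        if event["userIdentity"]["userName"] != user_name:
            continue
        when = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
        if when >= since:
            used.add(f'{event["serviceName"]}:{event["eventName"]}')
    return used


def audit_policy(policy_json, log_lines, user_name, now, window_days=30):
    """Compare granted action patterns with observed usage inside the window."""
    patterns = allowed_action_patterns(policy_json)
    used = used_actions(log_lines, user_name, now - timedelta(days=window_days))
    return {
        # Watch-list actions that at least one granted pattern covers.
        "high_risk_granted": sorted(
            a for a in HIGH_RISK_ACTIONS if any(_matches(p, a) for p in patterns)),
        # Wildcard grants deserve a manual look even when some usage matched them.
        "wildcard_grants": sorted(p for p in patterns if "*" in p),
        # Granted patterns with no matching call in the window: removal candidates.
        "unused_actions": sorted(
            p for p in patterns if not any(_matches(p, u) for u in used)),
    }


def run_sample_audit():
    """Audit the constructed policy and logs for ops-bot as of REVIEW_DATE."""
    return audit_policy(POLICY_DOCUMENT, LOG_LINES, "ops-bot", REVIEW_DATE)


if __name__ == "__main__":
    print(json.dumps(run_sample_audit(), indent=2))
```

On the constructed data the report lists `oss:PutBucketAcl` and `ram:CreateAccessKey` as high-risk grants, `ecs:Describe*` as a wildcard grant to review, and three unused actions (the two high-risk ones plus `rds:DescribeDBInstances`, whose only call falls outside the 30-day window). Events from other principals are ignored, so a real run should pull the full log set and audit one identity at a time; a removal decision still belongs to the business owner of the identity, as the table's dimension describes.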