Security Center provides the serverless asset protection feature. You can use the feature to protect your workloads deployed on Alibaba Cloud serverless assets, such as elastic container instances of Elastic Container Instance (ECI) and Serverless App Engine (SAE) instances that are created by using Container Service for Kubernetes (ACK) Serverless clusters. The feature can detect common threats and vulnerabilities, generate alerts, and check baselines. This topic describes how to add serverless assets and use the serverless asset protection feature.
Billing rules
The public preview of the serverless asset protection feature ends on July 31, 2024 (UTC+8). After the public preview ends, the free trial of the feature is no longer available. If you want to use the feature, you must purchase the feature by using the pay-as-you-go billing method in the Security Center console. For more information, see the Step 1: Purchase the serverless asset protection feature and complete authorization section in this topic.
Start of billing
After you purchase the serverless asset protection feature and complete the required authorization, you can use the feature. You are charged for assets that are added to the feature and on which the Security Center agent is online based on the pay-as-you-go billing method. The fee is USD 0.000003 per core-second. The system calculates the number of cores for added assets each day and generates the bills the next day. For more information, see Billing overview.
Stop of billing
The system stops checking serverless assets that are added to the serverless asset protection feature and stops billing in the following scenarios:
Billing is stopped for all serverless assets
On the Overview page of the Security Center console, turn off the switch for Serverless Asset Protection in the Pay-as-you-go Feature section.
On the page of the Security Center console, click Suspended.
The current Alibaba Cloud account has overdue payments.
Billing is stopped for specific serverless assets
On the page of the Security Center console, remove specific assets from the serverless asset protection feature. For more information, see the Step 3: Add or remove assets section in this topic.
Overview of adding serverless assets
Supported serverless assets
Security Center supports elastic container instances and SAE instances that are created by using ACK managed clusters, ACK dedicated clusters, ACK Serverless clusters, or Platform for AI.
Method of adding serverless assets
After enabling the serverless asset protection feature, Security Center automatically synchronizes serverless assets including elastic container instances and SAE instances that are in the Running state within your Alibaba Cloud account to Security Center and displays the assets in the serverless asset list. After you add assets to the feature, you can use the serverless asset protection feature.
For instances that were created before the serverless asset protection feature is enabled, you must restart the instances after activation. After the Security Center agent is restarted and runs normally, you can use the security scan feature for your serverless assets.
How Security Center adds serverless assets
The first time you purchase a feature by using the pay-as-you-go billing method in the Security Center console and purchase the serverless asset protection feature, you can specify serverless assets that you want to protect. If you do not specify serverless assets, all serverless assets within your account are added to the feature, and new serverless assets are automatically added to the feature. For more information, see Purchase the serverless asset protection feature in a free edition of Security Center in the Step 1: Purchase the serverless asset protection feature and complete authorization section in this topic.
If you use a paid edition of Security Center, take note of the following items:
If you did not purchase the serverless asset protection feature at least once, all serverless assets within your account are added to the feature after the purchase, and new assets are automatically added.
If you purchased the serverless asset protection feature at least once, the serverless assets that were previously added to the feature are automatically re-added after your new purchase. If no elastic container instances and SAE instances were previously added to the feature, all serverless assets within your account are added after your new purchase, and new assets are automatically added.
For more information, see Purchase the serverless asset protection feature in a paid edition of Security Center in the Step 1: Purchase the serverless asset protection feature and complete authorization section in this topic.
If your Alibaba Cloud account has overdue payments and you purchased the serverless asset protection feature, the serverless assets that were previously added to the feature remain unchanged after you settle the overdue payments.
Install and start the Security Center agent on an elastic container instance
If you use elastic container instances that are created by using ACK managed clusters, ACK dedicated clusters, or ACK Serverless clusters, you must install the Security Center agent on the instances and start the agent when you create the instances. This way, you can use the security capabilities of the serverless asset protection feature. To install and start the Security Center agent on an elastic container instance, you can use the following methods:
Install and start the Security Center agent on an elastic container instance-based pod that runs in an ACK Serverless cluster
Log on to the ACK console and go to the details page of a cluster. In the left-side navigation pane, choose . On the Pods page, click Create from YAML. In the YAML template, choose spec > template > metadata, add the annotations parameter, and then set the parameter to k8s.aliyun.com/eci-aliyundun-enabled: "true". For more information, see Overview of elastic container instances.
Example of a YAML template:
apiVersion: apps/v1 # for versions before 1.8.0 use apps/v1beta1
kind: Deployment
metadata:
  name: nginx-deployment-basic
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      annotations:
        # Starts the Security Center agent in the elastic container instance
        k8s.aliyun.com/eci-aliyundun-enabled: 'true'
      labels:
        app: nginx
    spec:
      # nodeSelector:
      #   env: test-team
      containers:
      - name: nginx
        image: nginx:1.7.9 # replace with your own <image_name:tag>
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: "500m"
If you use an image to create resources, add the k8s.aliyun.com/eci-aliyundun-enabled key for the Annotations parameter in the Advanced step and set the value to true. For more information, see Create a stateless application from an image.
Install and start the Security Center agent on an elastic container instance-based pod that runs in an ACK managed cluster or an ACK dedicated cluster
Log on to the ACK console and go to the details page of a cluster to deploy the ack-virtual-node component and schedule pods to your elastic container instance. For more information, see Schedule pods to elastic container instances that are deployed as virtual nodes.
In the left-side navigation pane of the details page of the cluster, choose . On the Pods page, click Create from YAML. In the YAML template, choose metadata, add the annotations parameter, and then set the parameter to k8s.aliyun.com/eci-aliyundun-enabled: "true". Choose spec > containers and configure the env environment variable. Set the name field to ECI_CONTAINER_TYPE and the value field to sidecar.
Example of a YAML template:
apiVersion: v1
kind: Pod
metadata:
  name: test-aegis-alinux2-lifsea-x86
  labels:
    eci: "true"
  annotations:
    # Starts the Security Center agent in the elastic container instance
    k8s.aliyun.com/eci-aliyundun-enabled: "true"
spec:
  containers:
  - name: sidecar
    image: registry-vpc.cn-shanghai.aliyuncs.com/eci_open/centos:7
    command:
    - /bin/sh
    - -c
    args:
    - sleep inf
    env:
    # Marks this container as the sidecar that hosts the agent
    - name: ECI_CONTAINER_TYPE
      value: sidecar
  - name: nginx
    image: registry-vpc.cn-shanghai.aliyuncs.com/eci_open/centos:7
    command:
    - /bin/sh
    - -c
    args:
    - sleep inf
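A pre-deployment check for the two manifest rules above (the annotation for ACK Serverless clusters, and the annotation plus the sidecar container with ECI_CONTAINER_TYPE=sidecar for ACK managed and dedicated clusters). This is an added example, not Alibaba Cloud's code; it takes manifests as plain dicts (what yaml.safe_load returns) so it needs no third-party library, and the sample manifests are constructed to mirror the page's templates.

```python
"""Pre-deployment check for the ECI Security Center agent settings on this page.
Manifests are plain dicts (as yaml.safe_load returns), so no third-party
libraries are needed. The sample manifests below are constructed."""
ANNOTATION = "k8s.aliyun.com/eci-aliyundun-enabled"
SIDECAR_ENV = ("ECI_CONTAINER_TYPE", "sidecar")


def pod_template(manifest):
    """Return (metadata, spec) of the pod, whether the manifest is a bare Pod
    or a workload (Deployment, StatefulSet, Job...) with spec.template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("metadata", {}), manifest.get("spec", {})
    tmpl = manifest.get("spec", {}).get("template", {})
    return tmpl.get("metadata", {}), tmpl.get("spec", {})


def check_agent_settings(manifest, require_sidecar=False):
    """Return a list of findings; an empty list means the pod will start the agent.
    require_sidecar=True applies the ACK managed/dedicated cluster rule, which
    also needs a container with env ECI_CONTAINER_TYPE=sidecar."""
    findings = []
    meta, spec = pod_template(manifest)
    value = (meta.get("annotations") or {}).get(ANNOTATION)
    if value is None:
        findings.append(f"missing annotation {ANNOTATION}")
    elif isinstance(value, bool):
        # An unquoted true is parsed as a YAML boolean; annotation values must be strings.
        findings.append(f"{ANNOTATION} must be the quoted string \"true\", not a boolean")
    elif str(value).lower() != "true":
        findings.append(f"{ANNOTATION} is {value!r}, expected \"true\"")
    if require_sidecar:
        has_sidecar = any(
            (e.get("name"), e.get("value")) == SIDECAR_ENV
            for c in spec.get("containers", []) for e in c.get("env", [])
        )
        if not has_sidecar:
            findings.append("no container sets env ECI_CONTAINER_TYPE=sidecar")
    return findings


# Constructed samples: the page's Deployment (ACK Serverless), a Pod with the
# sidecar container (ACK managed/dedicated), and a common mistake (unquoted true).
GOOD_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {
    "metadata": {"annotations": {ANNOTATION: "true"}},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:1.7.9"}]}}}}
SIDECAR_POD = {"kind": "Pod", "metadata": {"annotations": {ANNOTATION: "true"}},
    "spec": {"containers": [
        {"name": "sidecar", "env": [{"name": "ECI_CONTAINER_TYPE", "value": "sidecar"}]},
        {"name": "nginx"}]}}
UNQUOTED_POD = {"kind": "Pod", "metadata": {"annotations": {ANNOTATION: True}},
    "spec": {"containers": [{"name": "nginx"}]}}

if __name__ == "__main__":
    print(check_agent_settings(UNQUOTED_POD, require_sidecar=True) or "OK")
```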
Security capabilities
The serverless asset protection feature provides the following security capabilities:
Alert detection: The feature can detect and allows you to handle common types of alerts that are generated on serverless assets, such as Webshell, Unusual Network Connection, and Suspicious Process. For more information, see Alerts for containers.
Vulnerability detection: On the page, you can click the number below Disclosed Vulnerabilities to view the supported vulnerabilities in the Detectable Vulnerabilities panel. The feature can only detect application vulnerabilities; it does not support fixing them. Application vulnerabilities are risks detected in the software on your server. You must manually upgrade the software or modify configurations based on the remediation suggestions provided in the vulnerability details to eliminate the security threats.
Baseline check: The feature allows you to identify and handle baseline risks on serverless assets that are detected by using check items. For example, the Kubernetes(ECI) Pod Internationally Agreed Best Practices for Security baseline includes the Minimize the admission of root containers and Minimize the admission of containers with capabilities assigned check items. For more information about items that can be detected, see Baseline check.
Security Center classifies added serverless assets into different instance types based on the container runtime status. The following table describes the supported security capabilities for each instance type.
Instance type | Supported security capability
Elastic container instance | Alert detection, vulnerability detection, and baseline check
RunD container instance | Alert detection
Step 1: Purchase the serverless asset protection feature and complete authorization
Purchase the serverless asset protection feature in a free edition of Security Center
If you use the Basic edition or free trial of Security Center, you can separately purchase the serverless asset protection feature.
Go to the Security Center buy page and log on with your Alibaba Cloud account.
On the buy page, set the Billing Method parameter to Pay-as-you-go and the Serverless Asset Protection parameter to Yes.
Click Custom Quota Binding. In the Quota Management dialog box, select All Servers or Specific Servers to protect all assets or specific assets.
If you do not select an option in the dialog box, all serverless assets within your account are automatically added to the serverless asset protection feature, and new serverless assets are also automatically added for protection. After you purchase the feature, you can also manually add serverless assets to the feature or remove serverless assets from the feature. For more information, see Step 3: Add or remove assets.
Read and select Security Center Terms of Service and click Order Now.
Security Center automatically synchronizes all serverless assets within your account to the Serverless Asset page and adds serverless assets to the feature based on the configuration of the Protection Quota parameter.
Purchase the serverless asset protection feature in a paid edition of Security Center
If you use one of the following paid editions of Security Center, you can also purchase the serverless asset protection feature: Anti-virus, Advanced, Enterprise, and Ultimate.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Serverless Asset page, click Activate Now.
Alternatively, turn on the switch for Serverless Asset Protection in the Pay-as-you-go Feature section of the Overview page.
In the dialog box that appears, acknowledge and select I have read and agree to Security Center (Pay-as-you-go) Terms of Service, and click Activate Now.
After you purchase the serverless asset protection feature, add serverless assets to the feature based on the following information:
If you did not purchase the feature at least once, Security Center automatically synchronizes and adds all existing and new serverless assets within your account to Security Center and the feature.
If you purchased the feature at least once, the elastic container instances that were previously added to the feature are automatically re-added. If no elastic container instances and SAE instances were previously added to the feature, all serverless assets within your account are added after your new purchase, and new assets are automatically added.
Step 2: Synchronize the information about the most recent assets
If you recently created serverless assets, you can click Synchronize Assets to synchronize the information about the most recent serverless assets to Security Center.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Serverless Asset page, click Synchronize Assets.
Security Center obtains the information about the most recent serverless assets and updates the asset list.
Note: The system requires 1 minute to update the information. Wait until the information is updated.
Step 3: Add or remove assets
The security and risk scan capabilities of the serverless asset protection feature can be provided for serverless assets only after the assets are added to the feature.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Serverless Asset page, find the serverless asset that you want to manage and view the color of the icon in the Agent column.
Green indicates that the Security Center agent runs as expected on the asset. You can add or remove the asset to or from the feature.
Gray indicates that the Security Center agent is offline for some reason, for example, because the agent is not installed or the network connection is unstable. In this case, you can still add the asset to the feature or remove the asset from the feature. However, assets that are added to the feature while the agent is offline are not protected by the feature, and no fees are generated for them. You can install and start the Security Center agent on the required assets. For more information, see the Overview of adding serverless assets section in this topic.
The serverless assets can be protected only after they are added to the feature and the Security Center agent runs as expected on the assets. In this case, the fees for the feature are generated based on the pay-as-you-go billing method.
In the upper part of the asset list, click Quota Management below Instances That Do Not Consume Quota.
In the Quota Management dialog box, select Add or Remove for the operation type, select serverless assets, and then click OK.
If you want new serverless assets to be automatically added to the feature, select Automatically Add New Assets.
Step 4: View and handle security risks
After a serverless asset is added to Security Center and protected by the serverless asset protection feature, Security Center detects alerts that are generated on the asset in real time and performs vulnerability detection and baseline checks based on the specified cycles. You can view the most recent detection or check time on the Vulnerabilities or Baseline Check page.
To handle security risks on a serverless asset, perform the following operations:
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Serverless Asset page, find the required asset and check the security status in the Risk Status column. If At Risk is displayed in this column, alerts, vulnerabilities, or baseline risks are detected on the asset.
Click the asset name or View in the Actions column to view information about the security risks on the asset.
On the page that appears, click Alerts, Vulnerabilities, and Baseline Risks to view each type of security risks.
Handle alerts.
Find an alert that you want to handle and click Details in the Actions column to view information about the alert. You can check whether the alert corresponds to actual risks.
Then, you can click Handle in the Actions column to handle the alert. If the alert corresponds to actual risks, select Isolation for Handling Method. If the alert does not require handling or you want to ignore the alert, select Add to Whitelist, Ignore, or Handled manually for Handling Method.
Handle vulnerabilities.
Click Vulnerabilities to view the vulnerabilities that are detected on the asset.
Vulnerabilities can be exploited by attackers. We recommend that you handle the detected vulnerabilities at the earliest opportunity. The serverless asset protection feature does not support quick fixing of application vulnerabilities. We recommend that you fix an application vulnerability based on the information provided. For more information, see Purchase the vulnerability fixing feature.
Handle baseline risks.
Click Baseline Risks to view the baseline risks that are detected on the asset. Find a baseline risk that you want to handle and click Details in the Actions column to view the risk details and security reinforcement suggestions. You can determine whether to handle the baseline risk or add the baseline risk to the whitelist.
You can fix only specific baseline risks in the Security Center console. If a Fix button is displayed in the risk list of the details page of the baseline risk, you can directly fix the baseline risk in the Security Center console.