11 Security Recommendations for Production Instances on Alibaba Cloud


Before we begin, you’ll need an Alibaba Cloud account. If you are new to Alibaba Cloud, you can get $10 worth of credit through my referral link to get started.

1. Identity and Access Management

A root account has unrestricted access to all resources in an Alibaba Cloud account, so it is NOT recommended to use this account on a regular basis. Instead, create subaccounts using Alibaba Cloud’s Resource Access Management (RAM) service.

  • Create groups and assign users to the groups
  • Create custom policies following the least privilege principle and assign the policies to groups rather than individual users
  • Audit both built-in and custom policies before assigning them.

2. Enable ActionTrail

Alibaba Cloud ActionTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Alibaba Cloud account. With ActionTrail, you can log, continuously monitor, and retain account activity related to actions across your Alibaba Cloud infrastructure. ActionTrail provides an event history of your Alibaba Cloud account activity, which simplifies security analysis, resource change tracking, and troubleshooting. Alongside ActionTrail, make sure the following logs are also enabled and retained:

  • VPC flow logs
  • OSS bucket access logs
  • Server Load Balancer access logs
  • Traffic flows
  • Key Management Service

3. KMS and Encryption Setup

Alibaba Cloud Key Management Service (KMS) is a secure and easy-to-use key management service provided by Alibaba Cloud. KMS lets you use keys securely and conveniently and focus on developing your encryption and decryption functions, without spending a great deal of effort protecting the confidentiality, integrity, and availability of the keys themselves.

  • Through envelope encryption, you store the Customer Master Key (CMK) in KMS and deploy only the encrypted data key alongside your data; you call KMS to decrypt the data key only at the moment you need to use it.
  • Protect the HTTPS certificate on the server.
  • Perform local encryption and decryption.
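The envelope encryption flow described above, as an added example that is not part of the original article: the CMK stays inside a stand-in `KmsStub` (its `generate_data_key`/`decrypt` methods mirror the KMS API calls of the same names, an assumption), the data is encrypted locally with a fresh data key, and only the wrapped data key is persisted next to the ciphertext.

```python
import hmac
import hashlib
import secrets

# The cipher below (HMAC-SHA256 in counter mode, encrypt-then-MAC) is a stdlib
# stand-in for a real AEAD such as AES-GCM, so the example runs anywhere.
def _keystream_xor(key, nonce, data):
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def _seal(key, plaintext):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return {"nonce": nonce, "ct": ct, "tag": hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()}

def _open(key, box):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    tag = hmac.new(mac_key, box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, box["tag"]):
        raise ValueError("ciphertext or wrapped key was tampered with")
    return _keystream_xor(enc_key, box["nonce"], box["ct"])

class KmsStub:
    """In-process stand-in for the KMS GenerateDataKey/Decrypt calls (assumed API names).
    The CMK lives only inside this object, just as it never leaves the real KMS."""
    def __init__(self):
        self._cmk = secrets.token_bytes(32)
        self.decrypt_calls = 0
    def generate_data_key(self):
        dek = secrets.token_bytes(32)
        return dek, _seal(self._cmk, dek)          # plaintext DEK + DEK wrapped under the CMK
    def decrypt(self, wrapped_dek):
        self.decrypt_calls += 1
        return _open(self._cmk, wrapped_dek)

def envelope_encrypt(kms, plaintext):
    """Encrypt locally with a fresh DEK; persist only the wrapped DEK next to the data."""
    dek, wrapped = kms.generate_data_key()
    return {"wrapped_dek": wrapped, "data": _seal(dek, plaintext)}

def envelope_decrypt(kms, record):
    """Ask KMS to unwrap the DEK only at the moment the data is needed."""
    return _open(kms.decrypt(record["wrapped_dek"]), record["data"])
```

A record encrypted under one KMS stub cannot be opened by another, and a flipped ciphertext byte fails the tag check before any plaintext is released.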

4. Protect Data Stored in OSS Buckets

Typically, an OSS bucket name is not a secret, and there are many ways to figure it out. Once an attacker knows it, several misconfigurations can be used to access or modify the information stored in the bucket. Since many companies store sensitive data in OSS buckets, any data leak could be devastating. Common misconfigurations include:

  • OSS bucket allows for full anonymous access
  • OSS bucket allows for arbitrary file listing
  • OSS bucket allows for arbitrary file upload and exposure
  • OSS bucket allows for blind uploads
  • OSS bucket allows arbitrary read/writes of objects
  • OSS bucket reveals ACP/ACL
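A checker that maps a bucket's ACL and bucket policy onto the misconfigurations listed above, as an added example that is not part of the original article. The ACL values and `oss:*` action names are OSS's own; the policy document shape mirrors RAM policies, and the sample policy is constructed.

```python
import fnmatch
from typing import Optional

# ACL values (private / public-read / public-read-write) and the oss:* action
# names are from OSS; the policy document shape mirrors RAM policies. Sample
# inputs below are constructed for this example.
ACL_FINDINGS = {
    "public-read-write": "anonymous read/write of objects (ACL public-read-write)",
    "public-read": "anonymous object read (ACL public-read)",
}
POLICY_CHECKS = {
    "oss:ListObjects": "anonymous object listing",
    "oss:PutObject": "anonymous upload",
    "oss:GetObject": "anonymous object read",
    "oss:GetBucketAcl": "bucket ACL disclosed to anonymous callers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_anonymous(statement, action):
    """True when an Allow statement for Principal '*' matches `action` (wildcards included)."""
    if statement.get("Effect") != "Allow" or "*" not in _as_list(statement.get("Principal", [])):
        return False
    return any(fnmatch.fnmatch(action, pat) for pat in _as_list(statement.get("Action", [])))

def oss_bucket_findings(acl: str, policy: Optional[dict] = None) -> list:
    """Map a bucket's ACL and bucket policy onto the misconfigurations listed above."""
    findings = set()
    if acl in ACL_FINDINGS:
        findings.add(ACL_FINDINGS[acl])
    for statement in (policy or {}).get("Statement", []):
        # A Condition block may narrow the grant; flag it but say so rather than ignore it.
        suffix = " via policy (conditional; review Condition)" if statement.get("Condition") else " via policy"
        for action, label in POLICY_CHECKS.items():
            if _grants_anonymous(statement, action):
                findings.add(label + suffix)
    return sorted(findings)

# Constructed sample: private ACL, but a policy that lets anyone list and read objects.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Principal": ["*"],
        "Action": ["oss:GetObject", "oss:ListObjects"],
        "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
    }],
}

if __name__ == "__main__":
    for finding in oss_bucket_findings("private", SAMPLE_POLICY):
        print("FINDING:", finding)
```

A private ACL alone is not enough: the sample bucket is private by ACL yet still lists and serves its objects anonymously through the policy.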

5. TLSv1.2 on Server Load Balancer

Stronger TLS security for your exposed endpoints comes only from having the right TLS policy in place on the Server Load Balancer. A policy that enforces TLSv1.2 largely mitigates the following vulnerabilities on your exposed endpoints:

  • CCS injection vulnerability
  • Renegotiation vulnerabilities
  • CRIME vulnerability
  • BREACH vulnerability
  • POODLE (SSL) vulnerability
  • FREAK vulnerability
  • BEAST vulnerability
  • Logjam vulnerability

6. Reduce External Exposure of Alibaba Cloud Resources

As part of the design of your offering, you should have controls in place to ensure an ECS instance can only access the data and resources it is authorized to access. What controls can you put in place? What assurances can you give that an ECS instance’s data can’t be accessed by another instance? This all boils down to the least privilege principle: the less you expose the offering to the external world, the more secure a design you can achieve. Security groups are the main instance-level control here. An Alibaba Cloud security group:

  • Operates at the instance level (first layer of defense)
  • Supports allow rules only
  • Is stateful: return traffic is automatically allowed, regardless of any rules
  • Evaluates all rules before deciding whether to allow traffic
  • Applies to an ECS instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on

7. Secure Bastion Hosts

A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet.

# ~/.ssh/config entry for the bastion host
Host 8gwifi
    Port 22
    User alicloud
    IdentityFile /root/.ssh/id_rsa
    IdentitiesOnly yes
    # agent forwarding lets the second hop authenticate with your local key
    ForwardAgent yes

ssh root@  --> Bastion server
ssh --> From Bastion to production server

  • The bastion host is the single point of access to the private ECS instances, so its security must be held to a correspondingly high standard.
  • Use SSH identity (key) based login to connect to bastion hosts.
  • Harden the bastion by limiting access to a given public IP or IP range.
  • Monitor the logins.
  • Disable root logins on bastion hosts.
  • Use different bastion hosts for the production and development environments.

8. Hardening ECS OS Images

By default, the OS images provisioned on ECS are open to the world, and their security posture falls short of what a production environment requires. Hardening the OS provisioned on an Alibaba Cloud ECS instance is left to the end user. Production instances should go through an approved hardening process, or be launched from approved, pre-hardened custom images.

9. Vulnerability and Penetration Testing of ECS Instance

Before starting this activity, you need to request permission from Alibaba Cloud for your root account. Only once permission is granted can you start the Vulnerability Testing (VT) and Penetration Testing (PT) activity. Otherwise, any suspicious traffic spikes will be blocked by Alibaba Cloud Security Intelligence.

10. Monitoring

There are many resources in Alibaba Cloud that need to be monitored, and manually scrubbing through logs is an error-prone task, so use a monitoring solution. At a minimum, watch for the following:

  • Root sign-in on the console
  • RAM accounts without MFA
  • Production security group changes
  • User, group, and role membership events
  • Billing
  • KMS key changed/deleted
  • OSS bucket API key reads/writes
  • Infrequent logins (login after a long period of inactivity)
  • Nginx/httpd (Apache) web server error logs
  • SSH: too many failed authentications
  • SSH successful logins
  • sudo command invocations
  • Processes with listening sockets
  • Open connections
  • Zombie processes
  • User and group list
  • Group membership changes
  • SSH authorized_keys for users
  • SSH known_hosts for users
  • APT/YUM GPG keys changed/added
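Detection logic for several of the account-level items above (root console sign-in, login after a long idle period, production security group changes, KMS key changes, group membership changes) run over constructed ActionTrail-style events, as an added example that is not part of the original article. Event names are the API action names ActionTrail records; the `serviceName`, `userIdentity.type` values and the production security group IDs are assumptions to adapt to your own export.

```python
from datetime import datetime, timedelta, timezone

# Event names are the API action names ActionTrail records; the serviceName and
# userIdentity.type values are assumptions to map onto your own export. The
# events themselves are constructed for this example.
PROD_SECURITY_GROUPS = {"sg-prod-web"}                      # constructed IDs
SG_CHANGE = {"AuthorizeSecurityGroup", "RevokeSecurityGroup", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupEgress", "DeleteSecurityGroup"}
KMS_KEY_CHANGE = {"ScheduleKeyDeletion", "DisableKey"}
RAM_MEMBERSHIP = {"AddUserToGroup", "RemoveUserFromGroup"}
INACTIVITY = timedelta(days=30)

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(events):
    """Return (eventTime, message) pairs for events matching the monitoring list above."""
    alerts, last_login = [], {}
    for ev in sorted(events, key=_ts):
        name, svc = ev["eventName"], ev.get("serviceName")
        who, params = ev.get("userIdentity", {}), ev.get("requestParameters", {})
        if name == "ConsoleSignin":
            if who.get("type") == "root-account":
                alerts.append((ev["eventTime"], "root account signed in to the console"))
            user, now = who.get("userName", "?"), _ts(ev)
            if user in last_login and now - last_login[user] > INACTIVITY:
                alerts.append((ev["eventTime"], f"{user} signed in after {(now - last_login[user]).days} idle days"))
            last_login[user] = now
        elif svc == "Ecs" and name in SG_CHANGE and params.get("SecurityGroupId") in PROD_SECURITY_GROUPS:
            alerts.append((ev["eventTime"], f"production security group changed: {name} {params['SecurityGroupId']}"))
        elif svc == "Kms" and name in KMS_KEY_CHANGE:
            alerts.append((ev["eventTime"], f"KMS key {params.get('KeyId', '?')}: {name}"))
        elif svc == "Ram" and name in RAM_MEMBERSHIP:
            alerts.append((ev["eventTime"], f"group membership: {name} {params.get('UserName')} -> {params.get('GroupName')}"))
    return alerts

SAMPLE_EVENTS = [  # constructed for this example
    {"eventTime": "2021-01-05T09:00:00Z", "eventName": "ConsoleSignin", "userIdentity": {"type": "ram-user", "userName": "alice"}},
    {"eventTime": "2021-03-01T02:10:00Z", "eventName": "ConsoleSignin", "userIdentity": {"type": "root-account", "userName": "root"}},
    {"eventTime": "2021-03-02T09:00:00Z", "eventName": "ConsoleSignin", "userIdentity": {"type": "ram-user", "userName": "alice"}},
    {"eventTime": "2021-03-02T10:00:00Z", "eventName": "AuthorizeSecurityGroup", "serviceName": "Ecs",
     "requestParameters": {"SecurityGroupId": "sg-prod-web", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"}},
    {"eventTime": "2021-03-02T10:05:00Z", "eventName": "AuthorizeSecurityGroup", "serviceName": "Ecs",
     "requestParameters": {"SecurityGroupId": "sg-dev-web", "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"}},
    {"eventTime": "2021-03-02T11:00:00Z", "eventName": "ScheduleKeyDeletion", "serviceName": "Kms",
     "requestParameters": {"KeyId": "KEY-ID-PLACEHOLDER"}},
    {"eventTime": "2021-03-02T12:00:00Z", "eventName": "AddUserToGroup", "serviceName": "Ram",
     "requestParameters": {"UserName": "bob", "GroupName": "Admins"}},
]
```

Running `triage(SAMPLE_EVENTS)` yields five alerts; the change to the development security group is deliberately not one of them.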

11. Incident Management and Response

This is the last point I will cover, and it plays an important role in maintaining your Alibaba Cloud security posture: incident management and response. Even if you follow all of the best practices above, errors may occur when you deploy your solution on Alibaba Cloud. To ensure business continuity, you need to plan for incident management and response in advance.


  • The root account shouldn’t be used for any provisioning; it holds the highest level of privilege, so ensure it is protected with MFA.
  • For any publicly exposed endpoint, build security controls around it using the least privilege and defense-in-depth principles.
  • Security is continuous, and that continuity is achieved through properly approved automation and well-defined processes.
  • Never ignore any security events or alerts.
  • Care and due diligence are the key to keeping your Alibaba Cloud security posture healthy.
  • Alibaba Cloud is committed to data protection for all customers. Visit our Security and Compliance Center to learn more.



Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com