This is a comprehensive list of Alibaba Cloud's primary security controls, categorized by their function within a cloud environment. Alibaba Cloud uses a multi-layered security framework, often referred to as "Cloud-native Security," designed to protect infrastructure, data, applications, and identities.
These controls form the first line of defense by managing who can access cloud resources and what actions they can perform.
Resource Access Management (RAM): A service that allows you to centrally manage user identities and their access permissions to Alibaba Cloud resources. It supports policies to define fine-grained permissions for users, groups, and roles.
Multi-Factor Authentication (MFA): Adds an extra layer of security by requiring users to provide a second form of verification (like a dynamic code) in addition to their password when logging in.
Identity as a Service (IDaaS): Provides a centralized platform for managing identities across multiple applications and cloud services. It supports single sign-on (SSO), centralized account management, and authentication policies.
Bastionhost: A security management platform that provides centralized O&M (Operations and Maintenance) management, access control, and auditing for servers, databases, and network devices. It helps prevent unauthorized access and records all O&M operations for compliance and security analysis.
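RAM policies and MFA are where least privilege is actually enforced, so a practical check is to lint policy documents before they are attached. The following is an added example (not Alibaba Cloud's own tooling) that audits RAM policy JSON for wildcard actions, unscoped resources, and sensitive actions granted without an `acs:MFAPresent` condition. The two policy documents are constructed samples; the resource ARN prefixes and the `acs:MFAPresent` Bool condition key follow RAM's documented policy syntax, and the list of "sensitive" service prefixes is an assumption you would tune to your environment.

```python
import json

# Constructed sample RAM policy documents. Alibaba Cloud RAM policies use
# "Version": "1" and ARN-style resources "acs:<service>:<region>:<account>:<path>".
PERMISSIVE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

SCOPED_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:GetObject", "oss:ListObjects"],
      "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
      "Condition": {"Bool": {"acs:MFAPresent": "true"}}
    },
    {
      "Effect": "Deny",
      "Action": "oss:DeleteObject",
      "Resource": "acs:oss:*:*:example-bucket/*"
    }
  ]
}
""")

# Assumption: service prefixes whose Allow statements should carry an MFA condition.
SENSITIVE_PREFIXES = ("ram:", "kms:", "actiontrail:")


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return a list of (statement_index, finding) tuples for least-privilege problems."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        condition = stmt.get("Condition", {})

        if any(a == "*" for a in actions):
            findings.append((i, "wildcard Action grants every API in every service"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((i, "service-wide wildcard Action"))

        if any(r == "*" for r in resources):
            findings.append((i, "wildcard Resource is not scoped to specific resources"))

        # MFA gate: the Bool condition "acs:MFAPresent" must be "true" on sensitive grants.
        mfa = condition.get("Bool", {}).get("acs:MFAPresent")
        sensitive = any(a == "*" or a.startswith(SENSITIVE_PREFIXES) for a in actions)
        if sensitive and str(mfa).lower() != "true":
            findings.append((i, "sensitive actions allowed without an acs:MFAPresent condition"))
    return findings


if __name__ == "__main__":
    for label, doc in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, audit_policy(doc))
```

Run it over exported policy documents in a CI step that blocks attachment when `audit_policy` returns anything; the scoped policy passes because it names actions and resources explicitly and gates them behind MFA, while the permissive one trips three findings on a single statement.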
These controls protect the network infrastructure from unauthorized access, attacks, and data leakage.
Virtual Private Cloud (VPC): Allows you to create an isolated network environment in Alibaba Cloud. You have full control over your VPC, including selecting IP address ranges, creating subnets, and configuring route tables and network gateways.
Security Groups: Act as virtual firewalls for your Elastic Compute Service (ECS) instances to control inbound and outbound traffic at the instance level. You can define rules to allow or deny traffic based on protocols, ports, and source/destination IP addresses.
Cloud Firewall: A cloud-native firewall that provides centralized traffic management and threat protection for your cloud assets. It offers features like access control, intrusion prevention (IPS), traffic analysis, and visualization.
Anti-DDoS Basic & Pro/Premium: Protects your cloud resources from Distributed Denial of Service (DDoS) attacks. Basic provides fundamental protection against common attacks, while Pro/Premium offer advanced defense capabilities, higher mitigation capacity, and dedicated support for large-scale attacks.
Web Application Firewall (WAF): Protects your web applications from common web attacks such as SQL injection, Cross-Site Scripting (XSS), and malicious bot traffic. It inspects HTTP/HTTPS traffic and blocks malicious requests based on security rules.
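Security group rules are evaluated by priority, so a rule set can look locked down while a higher-priority accept still exposes a port. The following is an added example (not code from Alibaba Cloud) that models inbound rule evaluation and then checks whether administrative ports are reachable from an arbitrary internet address. The rule set is constructed; field names (`IpProtocol`, `PortRange`, `SourceCidrIp`, `Policy`, `Priority`) mirror the parameters of the AuthorizeSecurityGroup API, and the evaluation order implemented here (lower Priority number wins, drop beats accept on a tie, no match means deny for inbound traffic) is the documented behaviour as the author of this example understands it.

```python
import ipaddress

# Constructed inbound rule set for one security group.
# PortRange is "min/max"; "-1/-1" means all ports (used for icmp/all).
RULES = [
    {"IpProtocol": "tcp", "PortRange": "22/22",     "SourceCidrIp": "0.0.0.0/0",      "Policy": "accept", "Priority": 100},
    {"IpProtocol": "tcp", "PortRange": "22/22",     "SourceCidrIp": "0.0.0.0/0",      "Policy": "drop",   "Priority": 10},
    {"IpProtocol": "tcp", "PortRange": "22/22",     "SourceCidrIp": "203.0.113.0/24", "Policy": "accept", "Priority": 1},
    {"IpProtocol": "tcp", "PortRange": "443/443",   "SourceCidrIp": "0.0.0.0/0",      "Policy": "accept", "Priority": 1},
    {"IpProtocol": "tcp", "PortRange": "3389/3389", "SourceCidrIp": "0.0.0.0/0",      "Policy": "accept", "Priority": 1},
]

# Ports that should never be open to 0.0.0.0/0 (extend to suit your environment).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _port_range(rule):
    lo, hi = (int(p) for p in rule["PortRange"].split("/"))
    return (1, 65535) if lo == -1 else (lo, hi)


def _matches(rule, proto, port, src_ip):
    """True if the rule applies to this protocol/port/source triple."""
    if rule["IpProtocol"] not in ("all", proto):
        return False
    lo, hi = _port_range(rule)
    if not lo <= port <= hi:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["SourceCidrIp"], strict=False)


def is_allowed(rules, proto, port, src_ip):
    """Evaluate one inbound packet against the rule set.

    Lowest Priority value wins; among rules tied at that priority a drop
    beats an accept; with no matching rule inbound traffic is denied.
    """
    matches = [r for r in rules if _matches(r, proto, port, src_ip)]
    if not matches:
        return False
    best = min(r["Priority"] for r in matches)
    tied = [r for r in matches if r["Priority"] == best]
    return all(r["Policy"] == "accept" for r in tied)


def find_exposed_admin_ports(rules, probe_ip="198.51.100.7"):
    """Return names of admin ports reachable from an arbitrary public address (constructed probe IP)."""
    return [name for port, name in ADMIN_PORTS.items() if is_allowed(rules, "tcp", port, probe_ip)]


if __name__ == "__main__":
    print("SSH from office range:", is_allowed(RULES, "tcp", 22, "203.0.113.5"))
    print("SSH from internet:   ", is_allowed(RULES, "tcp", 22, "198.51.100.7"))
    print("exposed admin ports: ", find_exposed_admin_ports(RULES))
```

In this rule set the priority-10 drop correctly shadows the priority-100 accept for SSH, so only the 203.0.113.0/24 range gets in, but RDP on 3389 is still wide open because its accept sits at priority 1 with no drop above it. Running `find_exposed_admin_ports` over every security group exported from the account turns that into a routine check rather than a manual review.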
These controls are designed to protect individual cloud hosts (ECS instances) and containerized workloads from malware, vulnerabilities, and unauthorized changes.
Security Center: An all-in-one security management platform that provides threat detection, vulnerability management, baseline checks, and compliance assessment for cloud hosts, on-premises servers, and containers. It uses big data analytics and machine learning to identify unusual activities and potential threats. Key features include:
Anti-ransomware: Detects and blocks ransomware attacks on servers.
Virus Detection and Removal: Scans for and removes viruses, trojans, and other malware.
Vulnerability Management: Identifies and helps remediate software vulnerabilities in operating systems and applications.
Baseline Check: Assesses server configurations against security best practices and compliance standards.
Container Security: Alibaba Cloud offers specific security controls for containerized environments, including image scanning for vulnerabilities and malicious code, runtime protection for containers, and compliance checks for Kubernetes configurations.
These controls focus on protecting data throughout its lifecycle, including at rest, in transit, and during processing.
Key Management Service (KMS): A secure and managed service for creating, managing, and protecting encryption keys. It allows you to encrypt data at rest in various Alibaba Cloud services like Object Storage Service (OSS), Relational Database Service (RDS), and Elastic Block Storage (EBS).
Data Security Center (DSC): Helps you discover, classify, and protect sensitive data across your Alibaba Cloud environment. It provides features like data masking, anomaly detection, and data leakage prevention to comply with data privacy regulations.
SSL Certificates Service: Allows you to purchase, deploy, and manage SSL/TLS certificates to enable HTTPS encryption for your websites and applications, ensuring secure data transmission over the internet.
Cloud Hardware Security Module (HSM): Provides dedicated physical hardware security modules for key storage and cryptographic operations, offering the highest level of security for sensitive keys and compliance with regulatory requirements.
These controls protect applications from logic exploits and ensure the legality and appropriateness of user-generated content.
Content Moderation: Uses AI and machine learning to automatically inspect and filter multimedia content (images, videos, text, audio) for illegal, inappropriate, or harmful material, helping businesses maintain compliance and brand reputation.
Fraud Detection: Helps identify and prevent fraudulent activities in business scenarios such as user registration, login, transaction, and marketing campaigns. It analyzes user behavior and risks to reduce potential losses.
Anti-Bot Service: Provides comprehensive bot defense for websites, applications, and APIs. It identifies and manages bot traffic, distinguishing between good bots (like search engine crawlers) and malicious bots (like those used for scraping, brute-force attacks, and credential stuffing).
These controls provide visibility, auditing, and compliance capabilities across the entire cloud environment.
ActionTrail: Records API calls and other events within your Alibaba Cloud account. It provides a detailed audit trail of user actions, which is essential for security analysis, resource tracking, and compliance auditing.
Config: A service that allows you to track configuration changes to your Alibaba Cloud resources and evaluate them against security and compliance rules. It helps maintain configuration consistency and identify misconfigurations that could lead to security risks.
Cloud Monitor: Provides real-time monitoring and alerting for the performance and availability of your cloud resources, as well as some security-related metrics. It can be used to detect potential security issues based on resource usage anomalies.
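ActionTrail is only useful if something reads it, so the following added example (not Alibaba Cloud's own code) runs a few detection rules over a batch of ActionTrail-style events: use of the root account for API calls, attempts to stop or alter the audit trail itself, attachment of an administrator policy to a user, and a principal appearing from a source IP not seen before in the batch. The five events are constructed; the field names (`eventName`, `eventSource`, `userIdentity.type`, `userIdentity.userName`, `sourceIpAddress`, `requestParameters`) follow the ActionTrail event record format as the author of this example understands it, and the `root-account` / `ram-user` identity type strings are an assumption to verify against your own trail output.

```python
import json
from collections import defaultdict

# Constructed ActionTrail-style events, one JSON record per line.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventTime":"2024-05-01T08:00:00Z","eventName":"DescribeInstances","eventSource":"ecs.aliyuncs.com","userIdentity":{"type":"ram-user","userName":"alice"},"sourceIpAddress":"203.0.113.10","requestParameters":{}}
{"eventTime":"2024-05-01T08:05:00Z","eventName":"AttachPolicyToUser","eventSource":"ram.aliyuncs.com","userIdentity":{"type":"ram-user","userName":"alice"},"sourceIpAddress":"203.0.113.10","requestParameters":{"PolicyName":"AdministratorAccess","PolicyType":"System","UserName":"bob"}}
{"eventTime":"2024-05-01T08:06:00Z","eventName":"StopLogging","eventSource":"actiontrail.aliyuncs.com","userIdentity":{"type":"ram-user","userName":"bob"},"sourceIpAddress":"198.51.100.7","requestParameters":{"Name":"main-trail"}}
{"eventTime":"2024-05-01T08:07:00Z","eventName":"CreateBucket","eventSource":"oss.aliyuncs.com","userIdentity":{"type":"root-account","userName":"root"},"sourceIpAddress":"198.51.100.7","requestParameters":{"BucketName":"new-bucket"}}
{"eventTime":"2024-05-01T08:08:00Z","eventName":"ListBuckets","eventSource":"oss.aliyuncs.com","userIdentity":{"type":"ram-user","userName":"alice"},"sourceIpAddress":"192.0.2.44","requestParameters":{}}
""".strip().splitlines()]

# API names that weaken or stop the audit trail (from the ActionTrail API).
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
# System policies whose attachment should always raise an alert.
ADMIN_POLICIES = {"AdministratorAccess"}


def detect(events):
    """Return a list of (eventTime, rule, principal) alerts for the given events, in order."""
    alerts = []
    ips_seen = defaultdict(set)  # principal -> source IPs observed so far in this batch
    for ev in events:
        ident = ev.get("userIdentity", {})
        who = f'{ident.get("type")}:{ident.get("userName")}'
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        when = ev["eventTime"]

        # Rule 1: any API activity by the root account (should be reserved for break-glass use).
        if ident.get("type") == "root-account":
            alerts.append((when, "root-account-api-use", who))

        # Rule 2: tampering with the trail itself.
        if name in AUDIT_TAMPERING and ev.get("eventSource", "").startswith("actiontrail"):
            alerts.append((when, "audit-trail-tampering", who))

        # Rule 3: administrator policy attached to a user.
        if name == "AttachPolicyToUser" and params.get("PolicyName") in ADMIN_POLICIES:
            alerts.append((when, f'admin-policy-granted-to:{params.get("UserName")}', who))

        # Rule 4: principal seen from a source IP that differs from every earlier one in the batch.
        src = ev.get("sourceIpAddress")
        if src:
            if ips_seen[who] and src not in ips_seen[who]:
                alerts.append((when, f"new-source-ip:{src}", who))
            ips_seen[who].add(src)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The new-IP rule is deliberately batch-local so the example runs offline; in production you would seed `ips_seen` from a longer baseline and feed the alerts into Cloud Monitor or a SIEM, and you would pair rule 2 with a Config rule that re-enables logging rather than only alerting on it.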