Alibaba Cloud Security Guide

Alibaba Cloud Security

Security on Alibaba Cloud is built on a shared responsibility model — Alibaba Cloud secures the underlying infrastructure (physical data centers, hypervisors, network fabric, and managed service internals), while customers are responsible for securing their data, applications, identity configurations, and network rules. Alibaba Cloud provides a comprehensive suite of security services covering identity and access management, network security, data protection, threat detection, and compliance management that rivals any major cloud provider.

Alibaba Cloud's security capabilities have been forged by defending some of the most attacked internet properties in the world — Alibaba Group's e-commerce platforms face billions of cyber attacks annually, including massive DDoS campaigns, sophisticated bot attacks, and persistent credential stuffing operations. The Anti-DDoS platform alone has mitigated attacks exceeding 1 Tbps. These same protection capabilities and operational expertise are available to all Alibaba Cloud customers through managed security services.

This guide covers RAM identity management, network security, data encryption, DDoS protection, Web Application Firewall, Security Center, ActionTrail auditing, and compliance frameworks available on Alibaba Cloud.

Resource Access Management (RAM)

RAM is Alibaba Cloud's identity and access management service, controlling who can access which resources and under what conditions. RAM provides several identity types:

RAM Users

Individual identities for people who need access to Alibaba Cloud resources. Each RAM user has their own credentials (console password and/or AccessKey pair) and can be assigned permissions through policies. Best practices:

• Create individual RAM users for each person — never share credentials
• Enable MFA (multi-factor authentication) for all RAM users with console access
• Use RAM groups to assign permissions at the team level rather than individually
• Enforce strong password policies: minimum 14 characters, complexity requirements, 90-day rotation
• Disable AccessKey pairs for users who only need console access

# Create a RAM user
aliyun ram CreateUser \
  --UserName "engineer-jane" \
  --DisplayName "Jane Smith"

# Enable console access with MFA requirement
aliyun ram CreateLoginProfile \
  --UserName "engineer-jane" \
  --Password "****" \
  --MFABindRequired true \
  --PasswordResetRequired true

# Create a RAM group
aliyun ram CreateGroup \
  --GroupName "DevOps-Engineers" \
  --Comments "DevOps team with infrastructure management access"

# Add user to group
aliyun ram AddUserToGroup \
  --UserName "engineer-jane" \
  --GroupName "DevOps-Engineers"

# Attach policy to group
aliyun ram AttachPolicyToGroup \
  --PolicyType System \
  --PolicyName AliyunECSFullAccess \
  --GroupName "DevOps-Engineers"

RAM Roles

RAM roles provide temporary credentials that can be assumed by trusted entities — RAM users, Alibaba Cloud services (ECS, Function Compute, etc.), or external identity providers via SAML/OIDC federation. Roles are the preferred mechanism for granting cross-service access and implementing the principle of least privilege:

• Service Roles: Allow Alibaba Cloud services to access resources on your behalf. For example, an ECS instance role allows applications running on ECS to access OSS without embedding AccessKeys.
• Cross-Account Roles: Enable access between different Alibaba Cloud accounts. The trusting account creates a role that the trusted account's users can assume.
• Federated Roles: Enable SSO from external identity providers (Okta, Azure AD, ADFS) to Alibaba Cloud using SAML 2.0 or OIDC protocols.

RAM Policies

RAM policies define permissions using a JSON-based policy language. Policies specify allowed or denied actions on specific resources with optional conditions:

# Custom policy: Allow EC2-like operations in specific VPC only
cat > custom-policy.json << 'POLICY'
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance",
        "ecs:StartInstance",
        "ecs:StopInstance",
        "ecs:DeleteInstance"
      ],
      "Resource": "acs:ecs:cn-hangzhou:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ecs:VpcId": "vpc-bp1****"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:tag/Environment": "production"
        },
        "StringNotEquals": {
          "ram:PrincipalTag/Role": "senior-engineer"
        }
      }
    }
  ]
}
POLICY

aliyun ram CreatePolicy \
  --PolicyName "RestrictedECSAccess" \
  --PolicyDocument "$(cat custom-policy.json)" \
  --Description "ECS access restricted to specific VPC and non-prod resources"

Network Security

Network security on Alibaba Cloud involves multiple layers of defense:

Security Groups

Stateful firewalls applied at the ECS instance level. Security groups control inbound and outbound traffic by protocol, port range, and source/destination. Key best practices:

• Follow the principle of least privilege — only open ports that are explicitly required
• Never open SSH (22), RDP (3389), or database ports (3306, 5432) to 0.0.0.0/0
• Use security group references to allow traffic between tiers (e.g., web SG references app SG)
• Implement separate security groups for each application tier: web, application, database
• Regularly audit security group rules and remove unused or overly permissive rules

Network ACLs

Stateless firewall rules applied at the vSwitch (subnet) level. Network ACLs provide an additional layer of defense with explicit deny rules. Use Network ACLs to block known malicious IP ranges and enforce subnet-level isolation policies.

Cloud Firewall

Alibaba Cloud Firewall is a managed network security service that provides centralized firewall management for internet-facing traffic, VPC-to-VPC traffic, and VPC-to-on-premises traffic. Cloud Firewall includes:

• Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
• Centralized policy management for all VPCs in an account
• Traffic visualization and topology mapping
• Vulnerability scanning and virtual patching
• Access control lists for east-west traffic between VPCs

DDoS Protection

Alibaba Cloud provides three tiers of DDoS protection, leveraging the same infrastructure that protects Alibaba Group's platforms:

• Anti-DDoS Basic: Free, automatic protection for all EIP and SLB instances. Provides up to 5 Gbps of DDoS mitigation. Sufficient for most small to medium workloads.
• Anti-DDoS Pro: Enhanced protection with dedicated scrubbing capacity. Supports up to 1 Tbps mitigation for volumetric attacks. Deployed in Chinese mainland regions. Provides a clean IP that proxies traffic to your origin.
• Anti-DDoS Premium: Global DDoS protection for workloads serving international users. Uses Alibaba's global network of scrubbing centers. Supports Sec-MCA (Security-MCA) for intelligent traffic scheduling during attacks.

Web Application Firewall (WAF)

Alibaba Cloud WAF protects web applications from common web attacks including SQL injection, cross-site scripting (XSS), command injection, and web scraping. WAF is deployed as a reverse proxy between users and your web servers:

• Protection against OWASP Top 10 vulnerabilities
• Bot management and intelligent anti-crawling
• Rate limiting and CC (Challenge Collapsar) attack protection
• Custom rule engine for application-specific protection rules
• API security with OpenAPI schema validation
• Account security with risk-based authentication and brute force protection

Data Protection

Protecting data at rest and in transit is a fundamental security requirement:

Key Management Service (KMS)

KMS provides centralized key management for encrypting data across Alibaba Cloud services. KMS supports Customer Master Keys (CMK) with automatic rotation, hardware security modules (HSMs) for key storage, and integration with over 30 Alibaba Cloud services for transparent encryption.

# Create a CMK for data encryption
aliyun kms CreateKey \
  --Description "Production data encryption key" \
  --KeyUsage ENCRYPT/DECRYPT \
  --Origin Aliyun_KMS \
  --ProtectionLevel HSM

# Enable automatic key rotation (365-day period)
aliyun kms UpdateRotationPolicy \
  --KeyId key-**** \
  --EnableAutomaticRotation true \
  --RotationInterval "365d"

# Encrypt data
aliyun kms Encrypt \
  --KeyId key-**** \
  --Plaintext "sensitive-data-here"

# Create a secrets manager secret
aliyun kms CreateSecret \
  --SecretName "prod/database/password" \
  --SecretData "****" \
  --VersionId "v1" \
  --EncryptionKeyId key-****

Secrets Manager

KMS Secrets Manager stores, rotates, and retrieves sensitive configuration data such as database passwords, API keys, and certificates. Secrets Manager supports automatic rotation for RDS database credentials and custom rotation functions through Function Compute.

Security Center

Alibaba Cloud Security Center is a unified security management platform that provides threat detection, vulnerability management, baseline checks, and compliance scanning across your entire Alibaba Cloud environment:

• Threat Detection: Machine learning-based detection of intrusions, malware, ransomware, cryptocurrency mining, and unusual network activity. Over 250 detection models.
• Vulnerability Management: Automated scanning for OS vulnerabilities, application vulnerabilities, and web content management system (CMS) vulnerabilities. Includes one-click patching for supported systems.
• Baseline Checks: Configuration compliance scanning against CIS benchmarks, Alibaba Cloud security best practices, and custom baselines. Detects misconfigurations like weak passwords, unnecessary services, and risky permissions.
• Container Security: Image scanning for vulnerabilities in container images stored in ACR. Runtime protection for Kubernetes clusters with behavioral anomaly detection.
• Cloud Security Posture Management (CSPM): Scans cloud resource configurations for security risks — open security groups, public OSS buckets, unencrypted databases, and IAM misconfigurations.

ActionTrail Auditing

ActionTrail records API calls made to Alibaba Cloud services, providing a comprehensive audit trail for security investigations, compliance reporting, and operational troubleshooting. ActionTrail is equivalent to AWS CloudTrail:

• Records all management API calls (create, modify, delete operations)
• Supports multi-region and global trails for complete coverage
• Delivers events to SLS (for real-time analysis) and/or OSS (for archiving)
• Events include caller identity, source IP, timestamp, action, and response
• 90-day free event history available in the console without configuration

# Create a trail for all regions
aliyun actiontrail CreateTrail \
  --Name "security-audit-trail" \
  --OssBucketName "audit-trail-archive" \
  --OssKeyPrefix "actiontrail/" \
  --SlsProjectArn "acs:log:cn-hangzhou:*:project/audit-logs" \
  --SlsWriteRoleArn "acs:ram::*:role/aliyunactiontraildefaultrole" \
  --EventRW "All" \
  --TrailRegion "All" \
  --IsOrganizationTrail false

# Start the trail
aliyun actiontrail StartLogging \
  --Name "security-audit-trail"

# Query recent events
aliyun actiontrail LookupEvents \
  --LookupAttribute '[{"Key":"EventName","Value":"CreateSecurityGroup"}]' \
  --MaxResults 20

Compliance and Certifications

Alibaba Cloud holds a comprehensive set of compliance certifications for operating in regulated industries:

• Global: ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 22301, SOC 1/2/3, CSA STAR, PCI DSS
• China: Multi-Level Protection Scheme (MLPS) Level 3, Classified Protection of Information Systems
• Asia-Pacific: MTCS Level 3 (Singapore), IRAP (Australia), PDPA (Thailand), FISC (Japan)
• Europe: GDPR, C5 (Germany), ENS (Spain)
• Middle East: NESA (UAE), SAMA (Saudi Arabia)

Use Alibaba Cloud Config (similar to AWS Config) to continuously evaluate resource configurations against compliance rules and receive alerts when resources drift from compliance baselines.

Security Architecture Best Practices

Implement these practices for a secure Alibaba Cloud environment:

• Least privilege: Grant minimum permissions required for each role. Start with no access and add permissions as needed.
• Defense in depth: Layer security controls — security groups, Network ACLs, WAF, Cloud Firewall, and application-level authentication.
• Encrypt everything: Enable encryption at rest (KMS) and in transit (TLS/SSL) for all services. Use HTTPS exclusively for external-facing endpoints.
• Monitor and alert: Enable ActionTrail, CloudMonitor, and Security Center. Configure alerts for suspicious activities and security events.
• Automate security: Use Terraform and CI/CD pipelines to enforce security configurations as code. Prevent configuration drift through automated remediation.
• Incident response: Document and rehearse incident response procedures. Use Security Center's investigation features to trace attack paths and identify affected resources.