Overview
Statement
This security configuration benchmark covers foundational elements of Alibaba Cloud. The recommendations detailed here provide prescriptive guidance for configuring security options for a subset of Alibaba Cloud services, with an emphasis on foundational, testable, and architecture-agnostic settings. Specific Alibaba Cloud services in scope for this document include:
- Elastic Compute Service (ECS)
- Virtual Private Cloud (VPC)
- Object Storage Service (OSS)
- Relational Database Service (RDS)
- Container Service for Kubernetes (ACS)
- Key Management Service (KMS)
- Resource Access Management (RAM)
- ActionTrail
- Security Center
Intended Audience
This document is intended for system and application administrators, security specialists, auditors, help desk, platform deployment, and/or DevOps personnel who plan to develop, deploy, assess, or secure solutions in Alibaba Cloud services.
Assessment Status
An assessment status is included for every recommendation. The assessment status indicates whether the given recommendation can be automated or requires manual steps to implement. Both statuses are equally important and are determined and supported as defined below:
- Automated: Represents recommendations for which assessment of a technical control can be fully automated and validated to a pass/fail state. Recommendations will include the necessary information to implement automation.
- Manual: Represents recommendations for which assessment of a technical control cannot be fully automated and requires all or some manual steps to validate that the configured state is set as expected. The expected state can vary depending on the environment.
Recommendations
Procedures and mapped controls
1. Identity and Access Management
Mapped controls
Avoid the use of the 'root' account
Ensure no root account access key exists
Ensure MFA is enabled for the 'root' account
Users Should Have Multi-Factor Authentication (MFA/2SV)
Ensure users not logged on for 90 days or longer are disabled for console logon
Ensure access keys are rotated every 90 days or less
Ensure RAM password policy requires at least one uppercase letter
Ensure RAM password policy requires at least one lowercase letter
Ensure RAM password policy requires at least one symbol
Ensure RAM password policy requires at least one number
Ensure RAM password policy requires a minimum length of 14 or greater
Ensure RAM password policy prevents password reuse
Ensure RAM password policy expires passwords within 90 days or less
Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour
Ensure RAM policies that allow full '*:*' administrative privileges are not created
Ensure RAM policies are attached only to groups or roles
2. Logging and Monitoring
Mapped controls
Ensure that ActionTrail is configured to export copies of all Log entries
Ensure the OSS used to store ActionTrail logs is not publicly accessible
Ensure audit logs for multiple cloud resources are integrated with Log Service
Ensure Log Service is enabled for Container Service for Kubernetes
Ensure virtual network flow log service is enabled
Ensure Anti-DDoS access and security log service is enabled
Ensure Web Application Firewall access and security log service is enabled
Ensure Cloud Firewall access and security log analysis is enabled
Ensure Security Center Network, Host and Security log analysis is enabled
Ensure log monitoring and alerts are set up for RAM Role changes
Ensure log monitoring and alerts are set up for Cloud Firewall changes
Ensure log monitoring and alerts are set up for VPC network route changes
Ensure log monitoring and alerts are set up for VPC changes
Ensure log monitoring and alerts are set up for OSS permission changes
Ensure log monitoring and alerts are set up for RDS instance configuration changes
Ensure log monitoring and alerts are set up for unauthorized API calls
Ensure log monitoring and alerts are set up for Management Console sign-in without MFA
Ensure log monitoring and alerts are set up for usage of 'root' account
Ensure log monitoring and alerts are set up for Management Console authentication failures
Ensure log monitoring and alerts are set up for disabling or deletion of customer created CMKs
Ensure log monitoring and alerts are set up for OSS bucket policy changes
Ensure log monitoring and alerts are set up for security group changes
Ensure that Logstore data retention period is set to 365 days or greater
3. Networking
Mapped controls
Ensure management ports are restricted from the internet
Ensure legacy networks do not exist
Ensure VPC flow logging is enabled in all VPCs
Ensure routing tables for VPC peering are 'least access'
Ensure the security groups are configured with fine grained rules
4. Virtual Machines
Mapped controls
5. Storage
Mapped controls
Ensure buckets are not publicly accessible
Ensure that logging is enabled for OSS buckets
Ensure that 'Secure transfer required' is set to 'Enabled'
Ensure that the shared URL signature expires within an hour
Ensure that URL signature is allowed only over https
Ensure network access rule for storage bucket is not set to publicly accessible
Ensure server-side encryption is set to 'Encrypt with Service Key'
Ensure server-side encryption is set to 'Encrypt with BYOK'
6. Relational Database Services
Mapped controls
Ensure RDS instances require all incoming connections to use SSL
Ensure that RDS instances are not open to the world
Ensure that 'Auditing' is set to 'On' for applicable database instances
Ensure that 'Auditing' Retention is 'greater than 6 months'
Ensure that 'TDE' is set to 'Enabled' for applicable database instances
Ensure RDS instance TDE protector is encrypted with BYOK (Use your own key)
Ensure parameter 'log_connections' is set to 'ON' for PostgreSQL Database
Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server
7. Kubernetes Engine
Mapped controls
Ensure Log Service is set to 'Enabled' on Kubernetes Engine Clusters
Ensure CloudMonitor is set to Enabled on Kubernetes Engine Clusters
Ensure role-based access control (RBAC) authorization is Enabled on Kubernetes Engine Clusters
Ensure Cluster Check is triggered at least once per week for Kubernetes Clusters
Ensure Kubernetes web UI / Dashboard is not enabled
Ensure Basic Authentication is not enabled on Kubernetes Engine Clusters
Ensure Network policy is enabled on Kubernetes Engine Clusters
Ensure ENI multiple IP mode support for Kubernetes Cluster
Ensure Kubernetes Cluster is created with 'Private cluster' enabled
8. Security Center
Mapped controls
Ensure that Security Center is Advanced or Enterprise Edition
Ensure that all assets are installed with security agent
Ensure that Automatic Quarantine is enabled
Ensure that Webshell detection is enabled on all web servers
Ensure that notification is enabled on all high risk items
Ensure that Config Assessment is granted with privilege
Ensure that scheduled vulnerability scan is enabled on all servers
Ensure that Asset Fingerprint automatically collects asset fingerprint data
Query logic
These are the stored checks tied to this framework.
Avoid the use of the 'root' account
Expected check: eq []
AlibabaIAM1{...AssetFragment}
Multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{passwordEnabled:true,mfaActive:false}}){...AssetFragment}
Google Cloud IAMUsers Without MFA
Expected check: eq []
{
iamUsers(where: { NOT: { user: { isEnrolledIn2Sv: true } } }) {
...AssetFragment
}
}
Entra Users Without MFA With Access to Azure
Expected check: eq []
{
users(where: { mfaActive: false, NOT: { iamRoleAssignments_SOME: null } }) {
...AssetFragment
}
}
Multi-factor authentication is enabled for all RAM users that have a console password
Expected check: eq []
iamUsers(where:{hasIAMUserLoginProfile_SOME:{mfaBindRequired:false}}){...AssetFragment}
Entra users without MFA
Expected check: eq []
{
users(where: { mfaActive: false }) {
...AssetFragment
}
}
Users not logged on for 90 days or longer are disabled for console logon
Expected check: eq []
AlibabaIAM5 {...AssetFragment}
Access keys are rotated every 90 days or less
Expected check: eq []
AlibabaIAM6 {...AssetFragment}
RAM password policy requires at least one uppercase letter
Expected check: eq []
iamPasswordPolicies( where: { requireUppercaseCharacters: false}) {...AssetFragment}
RAM password policy requires at least one lowercase letter
Expected check: eq []
iamPasswordPolicies( where: { requireLowercaseCharacters: false}) {...AssetFragment}
RAM password policy requires at least one symbol
Expected check: eq []
iamPasswordPolicies( where: { requireSymbols: false}) {...AssetFragment}
RAM password policy requires at least one number
Expected check: eq []
iamPasswordPolicies( where: { requireNumbers: false}) {...AssetFragment}
RAM password policy requires a minimum length of 14 or greater
Expected check: eq []
iamPasswordPolicies( where: { minimumPasswordLength_LT: 14}) {...AssetFragment}
RAM password policy prevents password reuse
Expected check: eq []
iamPasswordPolicies( where: { passwordReusePrevention_NOT: 24 }) {...AssetFragment}
RAM password policy expires passwords within 90 days or less
Expected check: eq []
iamPasswordPolicies( where: { maxPasswordAge_GT: 90 }) {...AssetFragment}
RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour
Expected check: eq []
iamPasswordPolicies( where: { maxLoginAttempts_LT: 5 }) {...AssetFragment}
RAM policies that allow full '*:*' administrative privileges are not created
Expected check: eq []
iamPolicies(where: { policyType: "Custom", iamPolicyStatements_SOME: { effect: "Allow", actions_INCLUDES: "*" } }) {...AssetFragment}
RAM policies are attached only to groups or roles
Expected check: eq []
iamUsers(where: { iamPolicies_SOME: { idFromProvider_NOT: null } }) {...AssetFragment}
Alibaba ActionTrails that export copies of all log entries
Expected check: eq []
{
AlibabaLogging1 {...AssetFragment}
}
The OSS used to store ActionTrail logs is not publicly accessible
Expected check: eq []
{buckets(where: {OR: [ {acl: "public-read"}, {acl: "public-read-write"}], trails_NOT: null}){...AssetFragment}}
Alibaba IAM account summaries with Anti-DDoS log service enabled
Expected check: eq []
{
iamAccountSummaries(
where: {
hasIAMAccountSummaryItem_SOME: { key: "antiDDoSHasLogStore", value: 1 }
}
) {
connector {...AssetFragment}
}
}
Web Application Firewall access and security log service is enabled
Expected check: eq []
domains(where: { OR: [ {slsLogActive: false}, {wafActive: false} ] }) {...AssetFragment}
Security Groups with management ports not restricted from the internet
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
Firewalls with management ports not restricted from the internet
Expected check: eq []
{
firewalls(
where: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
'Unattached disks' are encrypted
Expected check: eq []
disks(where: { status_NOT: "In_use", encrypted: false }) {...AssetFragment}
'Virtual Machine's disk' are encrypted
Expected check: eq []
vms(where:{diskAttachments_SOME:{disk: {encrypted:false}}}) {...AssetFragment}
Publicly Accessible AWS Buckets
Expected check: eq []
{
buckets(
where: {
cloudProvider: "aws"
publicAccessBlocked: false
OR: [
{
hasBucketACLGrant_SOME: {
OR: [
{ granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" }
{
granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
}
]
permission_IN: ["READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"]
}
}
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "s3:GetObject" }
{ actions_INCLUDES: "s3:ListObjects" }
{ actions_INCLUDES: "s3:ListObjectsV2" }
{ actions_INCLUDES: "s3:PutObject" }
{ actions_INCLUDES: "s3:PutObjectAcl" }
{ actions_INCLUDES: "s3:CreateMultipartUpload" }
{ actions_INCLUDES: "s3:UploadPart" }
{ actions_INCLUDES: "s3:DeleteObject" }
{ actions_INCLUDES: "s3:DeleteObjects" }
{ actions_INCLUDES: "s3:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "AWS|*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly Readable Azure Blob Containers
Expected check: eq []
{
blobContainers(
where: {
cloudProvider: "azure"
publicAccessBlocked: false
publicAccess_IN: ["Blob", "Container"]
}
) {...AssetFragment}
}
Publicly Accessible Google Cloud Buckets
Expected check: eq []
{
buckets(
where: {
cloudProvider: "gcp"
publicAccessBlocked: false
iamBindings_SOME: {
OR: [
{ members_INCLUDES: "allUsers" }
{ members_INCLUDES: "allAuthenticatedUsers" }
]
role: {
OR: [
{ permissions_INCLUDES: "storage.objects.get" }
{ permissions_INCLUDES: "storage.objects.list" }
{ permissions_INCLUDES: "storage.objects.create" }
{ permissions_INCLUDES: "storage.objects.delete" }
{ permissions_INCLUDES: "storage.objects.update" }
{ permissions_INCLUDES: "storage.objects.*" }
{ permissions_INCLUDES: "storage.objects.setIamPolicy" }
{
permissions_INCLUDES: "storage.multipartUploads.create"
}
{ permissions_INCLUDES: "storage.multipartUploads.*" }
]
}
}
}
) {...AssetFragment}
}
Publicly Accessible Alibaba Buckets
Expected check: eq []
{
buckets(
where: {
cloudProvider: "alibaba"
publicAccessBlocked: false
OR: [
{ acl_IN: ["public-read", "public-read-write"] }
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "oss:GetObject" }
{ actions_INCLUDES: "oss:PutObject" }
{ actions_INCLUDES: "oss:PutObjectAcl" }
{ actions_INCLUDES: "oss:ListObjects" }
{ actions_INCLUDES: "oss:GetObjectVersion" }
{ actions_INCLUDES: "oss:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "*"
}
}
}
]
}
) {...AssetFragment}
}
Logging is enabled for OSS buckets
Expected check: eq []
buckets(where:{ loggingEnabled: false }){...AssetFragment}
Server-side encryption is set to 'Encrypt with Service Key'
Expected check: eq []
buckets(where: { OR:[{encryptionKeyIDFromProvider: "" },{encryptionKeyIDFromProvider: null }, {encryptionKey:null}]}){...AssetFragment}
Server-side encryption is set to 'Encrypt with BYOK'
Expected check: eq []
buckets(where: { OR:[{encryptionKeyIDFromProvider: "" },{encryptionKeyIDFromProvider: null }, {encryptionKey:{managementType:"ProviderManaged"}}]}){...AssetFragment}
RDS instances require all incoming connections to use SSL
Expected check: eq []
AlibabaRDS2{...AssetFragment}
RDS instances are not open to the world
Expected check: eq []
dbInstances(where: { netInfo_SOME: { ipAddress: "0.0.0.0" } }) {...AssetFragment}
'TDE' is set to 'Enabled' for applicable database instances
Expected check: eq []
dbInstances(where: { tdeStatus_NOT: "Enabled" }) {...AssetFragment}