# Alibaba Cloud -- Security
Identity and access management, network security, data protection, and compliance considerations for Alibaba Cloud (Aliyun).
## Identity & Access

### RAM (Resource Access Management)
RAM is Alibaba Cloud's IAM service. It supports users, groups, roles, and fine-grained policies attached at the account level.
| Concept | Description |
|---|---|
| RAM User | Long-lived identity with console login and/or AccessKey pair. One Alibaba Cloud account can create up to 1,000 RAM users. |
| RAM Group | Collection of RAM users; policies attached to a group apply to all members. |
| RAM Role | Virtual identity assumed by trusted entities (RAM users, Alibaba Cloud services, or external IdPs). Uses temporary STS tokens. |
| RAM Policy | JSON document defining allowed/denied actions, resources, and conditions. System policies are managed by Alibaba Cloud; custom policies are user-defined. |
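The evaluation rules behind the table above (explicit Deny overrides Allow, anything unmatched is implicitly denied, conditions gate a statement) are easiest to see in code. This is an added example, not Alibaba Cloud's own evaluator: a constructed custom policy in RAM JSON syntax plus a small evaluator supporting the `acs:SourceIp` and `acs:MFAPresent` condition keys with the `IpAddress`, `Bool` and `StringEquals` operators; wildcard and case handling are simplified.

```python
import fnmatch
import ipaddress

# Constructed custom policy in RAM JSON syntax (Version "1", Statement list):
# read-only access to one OSS bucket, only from the corporate range and only
# with MFA; any OSS delete is explicitly denied regardless of other grants.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:GetObject", "oss:ListObjects"],
         "Resource": ["acs:oss:*:*:app-assets", "acs:oss:*:*:app-assets/*"],
         "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]},
                       "Bool": {"acs:MFAPresent": "true"}}},
        {"Effect": "Deny", "Action": ["oss:Delete*"], "Resource": ["*"]},
    ],
}

def _match_any(patterns, value):
    # "*" is RAM's only wildcard; comparison is case-folded for simplicity.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def _conditions_hold(cond, ctx):
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            values = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
            actual = ctx.get(key)
            if actual is None:                   # missing context key never satisfies
                return False
            if operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in values)
            elif operator in ("Bool", "StringEquals"):
                ok = str(actual).lower() in values
            else:
                ok = False                       # unsupported operator: fail closed
            if not ok:
                return False
    return True

def evaluate(policy, action, resource, ctx):
    # Explicit Deny beats Allow; a request no statement matches is implicitly denied.
    allowed = False
    for st in policy["Statement"]:
        if (_match_any(st["Action"], action) and _match_any(st["Resource"], resource)
                and _conditions_hold(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"
```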
### STS (Security Token Service)
STS issues temporary credentials (AccessKeyId, AccessKeySecret, SecurityToken) with a configurable TTL (900-3600 seconds). Prefer STS tokens over long-lived AccessKey pairs for application workloads.
```bash
# Assume a RAM role and get temporary credentials
aliyun sts AssumeRole \
  --RoleArn acs:ram::1234567890:role/deploy-role \
  --RoleSessionName ci-deploy-session \
  --DurationSeconds 3600
```
### SSO Federation
Alibaba Cloud supports two SSO modes:
- User-based SSO: Maps external IdP users to RAM users via SAML 2.0. Each IdP user has a corresponding RAM user in the Alibaba Cloud account.
- Role-based SSO: Maps external IdP users to RAM roles. No RAM users needed; the IdP assertion determines which RAM role to assume. This is the recommended approach for enterprise environments.
Configuration steps for role-based SSO:
- Create an IdP entity in RAM (`aliyun ims CreateSAMLProvider --SAMLProviderName okta-idp --SAMLMetadataDocument file://metadata.xml`)
- Create a RAM role trusted by the IdP
- Configure the IdP (Okta, Azure AD, etc.) to send SAML assertions with the role ARN
**Multi-account SSO.** For organizations using Resource Directory, configure SSO at the management account level and use role-based SSO to assume roles in member accounts. This avoids creating RAM users in every member account.
## Network Security

### Security Groups
Security groups are stateful, instance-level firewalls. Rules are evaluated in priority order (1-100, lower number = higher priority). Each VPC can have up to 500 security groups.
Best practices:
- One security group per application tier (web, app, db)
- Reference security group IDs in rules instead of IP ranges where possible
- Default-deny: security groups deny all inbound traffic by default
- Limit outbound to known destinations for sensitive workloads
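To make the priority semantics and the "reference group IDs, not IP ranges" practice concrete, here is an added example (not Alibaba Cloud code) that evaluates an inbound packet against a constructed rule set for a database tier, using the field names the AuthorizeSecurityGroup API uses (IpProtocol, PortRange, SourceCidrIp, SourceGroupId, Policy, Priority). Two assumptions are built in: a drop rule is checked before an accept rule of the same priority, and group membership is looked up from a constructed table.

```python
import ipaddress

# Constructed rules for a "db" tier, using the fields the AuthorizeSecurityGroup
# API takes (IpProtocol, PortRange, SourceCidrIp or SourceGroupId, Policy,
# Priority). Priority 1 is the highest, 100 the lowest.
DB_TIER_RULES = [
    {"Priority": 1, "Policy": "accept", "IpProtocol": "tcp", "PortRange": "3306/3306",
     "SourceGroupId": "sg-app-tier"},                     # app tier by group id, not CIDR
    {"Priority": 1, "Policy": "accept", "IpProtocol": "tcp", "PortRange": "22/22",
     "SourceCidrIp": "10.0.0.0/8"},                       # SSH from the corporate range
    {"Priority": 1, "Policy": "drop", "IpProtocol": "tcp", "PortRange": "22/22",
     "SourceCidrIp": "10.99.0.0/16"},                     # ...except the guest subnet
]

# Constructed membership table: source instance IP -> security group it belongs to.
GROUP_MEMBERS = {"10.1.0.5": "sg-app-tier", "10.1.0.6": "sg-app-tier", "10.2.0.9": "sg-web-tier"}

def _port_in_range(port, port_range):
    lo, hi = (int(p) for p in port_range.split("/"))
    return lo <= port <= hi

def _rule_matches(rule, proto, port, src_ip):
    if rule["IpProtocol"] not in (proto, "all"):
        return False
    if rule["IpProtocol"] != "all" and not _port_in_range(port, rule["PortRange"]):
        return False
    if "SourceCidrIp" in rule:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["SourceCidrIp"])
    return GROUP_MEMBERS.get(src_ip) == rule.get("SourceGroupId")

def evaluate_ingress(rules, proto, port, src_ip):
    """Lower priority number wins; at equal priority a drop rule is checked before
    accept (assumption); no matching rule falls through to the default inbound deny."""
    ordered = sorted(rules, key=lambda r: (r["Priority"], r["Policy"] != "drop"))
    for rule in ordered:
        if _rule_matches(rule, proto, port, src_ip):
            return rule["Policy"]
    return "drop"
```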
### Network ACLs
Network ACLs are stateless, subnet-level packet filters. They supplement security groups for defense-in-depth. Rules are evaluated in numeric order; the first match wins.
### Cloud Firewall
Cloud Firewall provides three inspection boundaries:
| Mode | Scope | Use Case |
|---|---|---|
| Internet Border | North-south traffic on EIPs, SLBs, NAT Gateways | Block external attacks, IPS/IDS |
| VPC Border | East-west traffic between VPCs via CEN | Inter-VPC isolation and inspection |
| Internal Firewall | East-west traffic between ECS within a VPC | Micro-segmentation by instance tags |
Cloud Firewall integrates with Alibaba Cloud Threat Intelligence for real-time IP reputation scoring and automatic blocking of known malicious sources.
### Anti-DDoS
| Product | Protection Level | Scope |
|---|---|---|
| Anti-DDoS Basic | 5 Gbps (free) | Auto-enabled on all Alibaba Cloud resources |
| Anti-DDoS Pro | Up to 1.5 Tbps | Resources inside mainland China |
| Anti-DDoS Premium | Unlimited (anycast) | Global resources; hides origin IP |
### WAF (Web Application Firewall)
WAF sits in front of SLB/ALB to inspect HTTP/HTTPS traffic. It provides OWASP Top 10 protection, bot management, CC attack defense, and custom rules. WAF operates in reverse-proxy mode -- DNS points to the WAF CNAME, which forwards clean traffic to the origin.
## Data Protection

### KMS (Key Management Service)
KMS provides centralized key management for encryption at rest. Keys can be customer-managed (CMK) or Alibaba Cloud-managed (default service keys).
| Feature | Detail |
|---|---|
| CMK types | Symmetric (AES-256, SM4), Asymmetric (RSA, EC, SM2) |
| Hardware protection | HSM-backed keys available (FIPS 140-2 Level 3) |
| Key rotation | Automatic rotation with configurable interval |
| Envelope encryption | Generate data keys locally, encrypt with CMK |
Services that integrate natively with KMS: OSS (server-side encryption), RDS (TDE), ECS (disk encryption), SLS (log encryption), ActionTrail (log encryption).
### TDE (Transparent Data Encryption)
RDS and PolarDB support TDE to encrypt data files at rest without application changes. TDE uses KMS-managed keys. Enable via:
```bash
aliyun rds ModifyDBInstanceTDE \
  --DBInstanceId rm-bp1xxxxxxxxxxxxxxxxx \
  --TDEStatus Enabled \
  --EncryptionKey cmk-xxxxxxxxxxxxxxxxx
```
### ActionTrail Audit Logging
ActionTrail records all API calls made to Alibaba Cloud services. Logs include the caller identity, timestamp, source IP, request parameters, and response.
```bash
# Create a trail that delivers logs to an OSS bucket and SLS project
aliyun actiontrail CreateTrail \
  --Name org-audit-trail \
  --OssBucketName audit-logs-bucket \
  --OssKeyPrefix actiontrail \
  --SlsProjectArn acs:log:cn-hangzhou:1234567890:project/audit-logs \
  --IsOrganizationTrail true
```
**Enable organization trail.** For multi-account setups, always create an organization trail (`--IsOrganizationTrail true`) from the management account. This captures API calls from all member accounts in Resource Directory.
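A trail is only useful if someone reads it. As an added example (not part of the page or an Alibaba Cloud tool), the following triages constructed ActionTrail-style records for the things this page cares about: API calls from outside trusted ranges, use of the root account, tampering with the trail itself, and creation of long-lived credentials instead of STS tokens. The field names (eventName, serviceName, sourceIpAddress, userIdentity, requestParameters) follow the ActionTrail record layout; the event values and the trusted CIDR are made up.

```python
import ipaddress

# Constructed ActionTrail-style events. Field names follow the ActionTrail
# record layout (eventName, serviceName, sourceIpAddress, userIdentity,
# requestParameters); the values are invented for this example.
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole", "serviceName": "Sts", "sourceIpAddress": "10.20.1.4",
     "userIdentity": {"type": "ram-user", "userName": "ci-bot"},
     "requestParameters": {"RoleArn": "acs:ram::1234567890:role/deploy-role"}},
    {"eventName": "CreateAccessKey", "serviceName": "Ram", "sourceIpAddress": "203.0.113.7",
     "userIdentity": {"type": "ram-user", "userName": "alice"},
     "requestParameters": {"UserName": "svc-backup"}},
    {"eventName": "DeleteTrail", "serviceName": "Actiontrail", "sourceIpAddress": "10.20.1.9",
     "userIdentity": {"type": "root-account", "userName": "root"},
     "requestParameters": {"Name": "org-audit-trail"}},
    {"eventName": "GetObject", "serviceName": "Oss", "sourceIpAddress": "10.20.1.4",
     "userIdentity": {"type": "assumed-role", "userName": "deploy-role:ci-deploy-session"},
     "requestParameters": {"BucketName": "app-assets"}},
]

TRUSTED_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]       # corporate/VPC ranges (assumed)
AUDIT_TAMPERING = {"DeleteTrail", "StopLogging", "UpdateTrail"}
LONG_LIVED_CREDS = {"CreateAccessKey", "CreateLoginProfile"}

def findings_for(event):
    """Return the list of detection labels that apply to one event (empty if clean)."""
    labels = []
    src = ipaddress.ip_address(event["sourceIpAddress"])
    if not any(src in net for net in TRUSTED_CIDRS):
        labels.append("untrusted-source-ip")
    if event["userIdentity"]["type"] == "root-account":
        labels.append("root-account-api-call")          # root should be break-glass only
    if event["eventName"] in AUDIT_TAMPERING:
        labels.append("audit-tampering")
    if event["eventName"] in LONG_LIVED_CREDS:
        target = event.get("requestParameters", {}).get("UserName", "?")
        labels.append(f"long-lived-credential-for:{target}")
    return labels

def triage(events):
    """Map every flagged event to (eventName, caller, labels); clean events are dropped."""
    out = []
    for ev in events:
        labels = findings_for(ev)
        if labels:
            out.append((ev["eventName"], ev["userIdentity"]["userName"], labels))
    return out
```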
## Compliance

### China Cybersecurity Law
The Cybersecurity Law of the People's Republic of China (effective June 2017) requires:
- Data localization: Personal information and important data collected in China must be stored domestically. Cross-border transfer requires a security assessment by the Cyberspace Administration of China (CAC).
- Network security obligations: Network operators must implement security protections, log retention (minimum 6 months), and incident response plans.
- Critical Information Infrastructure (CII): Operators of CII face additional requirements including annual security reviews and purchase of secure and trusted products.
### MLPS 2.0 (Multi-Level Protection Scheme)
MLPS 2.0 (GB/T 22239-2019) is China's mandatory information security grading system. Alibaba Cloud provides compliance assistance for MLPS levels 2, 3, and 4:
| Level | Scope | Alibaba Cloud Support |
|---|---|---|
| Level 2 | General business systems | Security Center baseline checks, Cloud Firewall, ActionTrail |
| Level 3 | Important business systems | All Level 2 + HSM-backed KMS, WAF, Anti-DDoS Pro, Bastion Host |
| Level 4 | Critical national infrastructure | All Level 3 + dedicated compliance region, enhanced audit |
### Data Residency
Alibaba Cloud operates separate consoles and infrastructure for mainland China (aliyun.com) and international regions (alibabacloud.com). Data in Chinese regions stays within China's borders by default. Cross-border replication (e.g., DTS, OSS CRR) must be explicitly configured and is subject to regulatory approval for personal data.
### Available Certifications
Alibaba Cloud holds ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI-DSS, CSA STAR, and region-specific certifications including China MLPS Level 3 and Singapore MTCS Level 3.