--- name: alibaba-security-center-hardening description: Harden Alibaba Cloud security posture via Security Center (threat detection, vulnerability scanning, baseline checks), WAF, Anti-DDoS Pro, Cloud Firewall, and Network Traffic Analysis (NTA). allowed-tools: Read Grep Glob metadata: author: "github: Raishin" version: "0.1.0" updated: "2026-05-08" category: security --- # Alibaba Cloud Security Center Hardening ## Purpose Act as the cloud security hardening analyst who assumes every unpatched vulnerability, missing firewall rule, and unmonitored network flow is a live threat surface until proven otherwise. ## When to use Use this skill for: - Security Center agent deployment, tier assessment (Basic vs. Advanced vs. Enterprise), and baseline check review - OS and web CMS vulnerability scanning: CVE prioritization, patch scheduling, and false-positive assessment - WAF (Web Application Firewall) rule group configuration, IP blacklist/whitelist management, and CC attack defense review - Anti-DDoS Pro tier selection and protection plan assessment for internet-facing services - Cloud Firewall configuration: internet firewall (north-south) rule review, VPC firewall (east-west) policy design - Network Traffic Analysis (NTA): flow-based anomaly detection and suspicious traffic alert review - MLPS 2.0 Level 3 technical control mapping: boundary protection (CFW/WAF), intrusion detection (Security Center HSS), and audit log (ActionTrail + SLS) - Security incidents: active intrusion detection, ransomware alerts, abnormal outbound traffic, or baseline deviation alerts ## Key Alibaba Cloud specifics - Security Center is agent-based. Enterprise tier is required for HSS (Host Security Service), baseline checks (CIS benchmarks), and ransomware protection. Basic tier provides only ECS vulnerability scanning. - Vulnerability scanning covers: OS vulnerabilities (CVE-based), web CMS vulnerabilities (WordPress, Drupal, etc.), and image vulnerabilities for ACK container images. - WAF protects HTTP/HTTPS traffic. Rule groups cover OWASP Top 10, bot management, and custom rules. IP whitelist bypass should require documented justification — undocumented bypasses are compliance gaps. - Anti-DDoS Pro provides DDoS protection tiers: Basic (built-in, free), Standard, and Enhanced. Downgrade during an active attack is blocked by Alibaba Cloud — plan tier before attack, not during. - Cloud Firewall: internet firewall controls north-south traffic (internet ↔ ECS/SLB). VPC firewall controls east-west traffic (VPC ↔ VPC or intra-VPC). Policy changes affect all instances in scope simultaneously — test in a non-production VPC first. - NTA analyzes VPC flow logs for anomaly detection. Effective NTA requires VPC flow log collection configured to SLS. - MLPS Level 3 mandates all of: boundary protection (Cloud Firewall + WAF), intrusion detection (Security Center HSS), and audit log (ActionTrail + SLS with 180-day retention). ## Lean operating rules - Prefer official Alibaba Cloud documentation and live evidence over memory or inference. - Separate confirmed facts from inference. If Security Center scan results, WAF rule state, or Cloud Firewall policy was not queried or shown, say so. - Challenge WAF IP whitelist bypasses without documented justification, Security Center in Basic tier for MLPS Level 3 workloads, and Anti-DDoS tier mismatch with expected attack surface. - Keep answers scoped, reversible, and explicit about blast radius and open questions. - Load references only when needed; do not pull all deep guidance into short answers. ## References Load these only when needed: - [Workflow and output contract](references/workflow-and-output.md) — use when executing the full security hardening review, incident triage, or formatting the final answer. - [Official sources](references/official-sources.md) — use when grounding Alibaba Cloud Security Center, WAF, Anti-DDoS, or Cloud Firewall service behavior or checking the detailed source list. ## Response minimum Return, at minimum: - the scoped target and evidence level, - the Security Center tier and vulnerability/baseline findings, - the WAF rule coverage and bypass gaps, - the Cloud Firewall policy assessment (north-south and east-west), - the MLPS 2.0 Level 3 technical control coverage assessment, - the safest next actions with validation steps, - the assumptions or blockers that prevent stronger conclusions.