4 Best Practices for Using Prisma Cloud with Alibaba Cloud

Aug 27, 2024
4 minutes

Prisma Cloud by Palo Alto Networks supports Alibaba Cloud
with industry-leading cloud-native security for global customers.

Prisma Cloud seamlessly integrates with your Alibaba Cloud environment in minutes, collecting and analyzing vast amounts of configuration data, user activity and network traffic to deliver precise, actionable insights to cloud and security teams.

With our cloud-native application protection platform (CNAPP), you can accelerate operations and secure Alibaba Cloud adoption, including support for the CIS Alibaba Cloud Foundations Benchmark.

Let’s look at 4 best practices when using Alibaba Cloud with Prisma Cloud.

1. Scan Images in Your Alibaba Cloud Container Registry for Vulnerabilities

Prisma Cloud will scan your Alibaba Cloud Container Registry for vulnerabilities. You can verify that Prisma Cloud is scanning the images in your Alibaba Cloud repository by navigating to Monitor > Vulnerabilities > Images > Registries.

If you have larger registries, you can tune your scan configuration to maximize throughput and minimize scan time, so that Prisma Cloud's scanning capacity grows with the registry size. You can also deploy Prisma Cloud scanners in the same region as the registry to reduce network latency.

2. Restrict Internet Traffic to SSH Port in Alibaba Cloud Security Groups

Allowing inbound public internet traffic to the SSH (Secure Shell) port (22) in Alibaba Cloud Security Groups exposes your environment to significant risks, including unauthorized access, data breaches and potential exploitation by malicious actors. As a best practice, restrict Security Groups to allow only necessary and authorized network traffic. Limiting exposure of SSH port 22 also reduces the likelihood of brute-force attacks, further strengthening the security of your cloud infrastructure. Implementing these measures is essential for maintaining a sound security posture in your Alibaba Cloud environment.

To configure Security Group rules to allow SSH access only from specific trusted IP addresses, add the following code to your Terraform file during build time:

resource "alicloud_security_group_rule" "allow_ssh_from_trusted" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "internet"
  policy            = "accept"
  port_range        = "22/22"                 # SSH only
  security_group_id = alicloud_security_group.default.id
  cidr_ip           = "203.0.113.0/24"        # placeholder: your trusted source range, never 0.0.0.0/0
}
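The same rule, evaluated the way a policy check would see it. This is an added example and not Prisma Cloud or Alibaba Cloud code; the rule dictionaries mirror the argument names of the Terraform resource above, and the sample rules (including the 203.0.113.0/24 trusted range) are constructed.

```python
"""Flag Alibaba Cloud Security Group rules that expose SSH (tcp/22) to the
public internet. Added example, not Prisma Cloud or Alibaba Cloud code; the
rule dicts use the same field names as the Terraform resource on this page."""

from ipaddress import ip_network

SSH_PORT = 22


def port_range_covers(port_range: str, port: int) -> bool:
    """Alibaba port ranges look like "22/22", "1/65535" or "-1/-1" (all)."""
    lo, hi = (int(p) for p in port_range.split("/"))
    if lo == -1 and hi == -1:
        return True
    return lo <= port <= hi


def is_public_cidr(cidr_ip: str) -> bool:
    """True when the source CIDR is the entire internet (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr_ip, strict=False).prefixlen == 0


def ssh_open_to_internet(rule: dict) -> bool:
    """Finding: accepted ingress TCP (or all-protocol) traffic covering port 22
    from a public CIDR on the internet-facing NIC. Drop rules are not findings."""
    return (
        rule.get("type") == "ingress"
        and rule.get("policy", "accept") == "accept"
        and rule.get("ip_protocol") in ("tcp", "all")
        and rule.get("nic_type", "internet") == "internet"
        and port_range_covers(rule["port_range"], SSH_PORT)
        and is_public_cidr(rule["cidr_ip"])
    )


def audit(rules: list[dict]) -> list[str]:
    """Return the names of rules that violate the SSH-exposure best practice."""
    return [r["name"] for r in rules if ssh_open_to_internet(r)]


# Constructed sample rules: a wide-open SSH rule, the corrected trusted-range
# rule, an all-ports rule that silently includes 22, and a drop rule.
SAMPLE_RULES = [
    {"name": "allow_ssh_anywhere", "type": "ingress", "ip_protocol": "tcp",
     "nic_type": "internet", "policy": "accept", "port_range": "22/22", "cidr_ip": "0.0.0.0/0"},
    {"name": "allow_ssh_trusted", "type": "ingress", "ip_protocol": "tcp",
     "nic_type": "internet", "policy": "accept", "port_range": "22/22", "cidr_ip": "203.0.113.0/24"},
    {"name": "allow_all_ports_anywhere", "type": "ingress", "ip_protocol": "tcp",
     "nic_type": "internet", "policy": "accept", "port_range": "1/65535", "cidr_ip": "0.0.0.0/0"},
    {"name": "drop_ssh_anywhere", "type": "ingress", "ip_protocol": "tcp",
     "nic_type": "internet", "policy": "drop", "port_range": "22/22", "cidr_ip": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))  # ['allow_ssh_anywhere', 'allow_all_ports_anywhere']
```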

3. Enable Alibaba Cloud Disk Encryption

A best practice to mitigate risk is to enable disk encryption in Alibaba Cloud. Disabled disk encryption on Alibaba Cloud exposes your sensitive data to significant risks, including unauthorized access and potential data breaches. If an unauthorized party gains access to an unencrypted disk with sensitive information, they can easily compromise your data confidentiality and integrity.

Enabling disk encryption protects the data on the original disk and any snapshots created from these encrypted disks, as well as new disks generated from the snapshots. Using automated encryption ensures a consistent and rigorous layer of security across your entire storage infrastructure on Alibaba Cloud.

To enable disk encryption in Alibaba Cloud, add the following code to your Terraform file during build time:

resource "alicloud_disk" "pass" {
  # cn-beijing
  availability_zone = "cn-beijing-b"          # required: zone the disk is created in (placeholder)
  description       = "Hello ecs disk."
  category          = "cloud_efficiency"
  size              = "30"
  encrypted         = true                    # encrypt the disk, its snapshots and disks created from them
  kms_key_id        = "2a6767f0-a16c-1234-5678-13bf*****"   # your KMS customer master key id
  tags = {
    Name = "TerraformTest"
  }
}

4. Enable Alibaba Cloud Action Trail Logging for All Events and Regions

Enable the ActionTrail log service to comprehensively track and monitor every action within your Alibaba Cloud account, including all API calls and account activities. By activating this logging service for all events, you gain valuable insight into user behavior and system operations, which is critical for detecting security threats or instances of unauthorized access.

ActionTrail also plays a vital role in auditing, providing a detailed record of activities that can be used for compliance reporting and forensic investigations. Implementing this service is a proactive measure to enhance the security and accountability of your cloud environment.

To enable Alibaba Cloud ActionTrail Log Services, add the following code to your Terraform file during build time:

resource "alicloud_actiontrail_trail" "pass" {
  trail_name         = "action-trail"
  oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx"   # placeholder: RAM role ActionTrail assumes to write to OSS
  oss_bucket_name    = "bucket_name"
  event_rw           = "All"                 # record both Read and Write events
  trail_region       = "All"                 # cover every region, not only the current one
}

Secure Your Alibaba Cloud Workloads and Resources with Prisma Cloud

Palo Alto Networks is a trusted Alibaba Cloud Partner and an Alibaba Cloud Marketplace seller. The Prisma Cloud platform offers Code to Cloud™ security and seamless compliance for Alibaba Cloud, as well as for other major cloud service providers.

To learn more, download our Alibaba Cloud datasheet or start a free 30-day trial today.
