- System architecture optimization suggestions
Reduce data leakage channels and keep sight of the overall security posture through reports
ECS instances that store key content get no public IP
Place an SLB (Server Load Balancer) in front of the ECS instances as an additional layer of protection
The RDS database server has no Internet-facing IP enabled
Remote management goes through a bastion host (jump server)
Enable "Cloud Security Center + Cloud Monitor" and review their reports regularly
- System architecture optimization suggestions: remote management
Use a VPN plus a bastion host to manage ECS servers remotely
VPN + bastion host becomes the only O&M channel
Enforce real-name (per-person) O&M accounts on the bastion host
Audit the whole remote O&M session end to end
Meet the requirements of laws and regulations such as MLPS (classified protection, 等级保护)
- Network layer optimization suggestions
Watch the Yundun (Alibaba Cloud Shield) security report: basic DDoS protection
Configure the DDoS scrubbing threshold according to the actual business traffic
When an attack exceeds 5 Gbps, switch to "Anti-DDoS Pro" (advanced anti-DDoS IP)
For major events, enable the "Managed Security Service" (security housekeeper) for guaranteed coverage
- Host optimization suggestions
- ECS layer optimization suggestions
Enable the operating system firewall: iptables on Linux, Windows Firewall on Windows
Open ports according to the principle of minimization
Whitelist the IP addresses allowed to reach management ports
Close unused ports on the ECS instance
Enable "Cloud Security Center" and "Content Security" and review their test reports regularly
If there is no O&M team, choose "managed O&M from the Cloud Marketplace" and the "Managed Security Service"
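As an added example (not part of the original slides) of the ECS-layer items above: a Python helper that emits an iptables-restore ruleset implementing default deny, with the management port whitelisted to the bastion host's address and only the business ports open, plus a check over sample `ss -Hltn` output that flags listeners exposed on a wildcard address beyond that minimal set. The bastion CIDR, the port numbers and the `ss` lines are constructed assumptions.

```python
# Added example, not from the original slides: build a default-deny iptables
# ruleset for an ECS instance and audit its listeners against the allowed set.
import ipaddress


def build_ruleset(bastion_cidrs, business_ports, mgmt_port=22):
    """Return iptables-restore text: INPUT drops by default, the management
    port is reachable only from the bastion host CIDRs, and only the listed
    business ports are open to everyone else (the minimization principle)."""
    for cidr in bastion_cidrs:
        ipaddress.ip_network(cidr)  # a typo here must fail loudly, not silently
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    for cidr in bastion_cidrs:  # management port: bastion whitelist only
        lines.append(f"-A INPUT -p tcp -s {cidr} --dport {mgmt_port} "
                     "-m conntrack --ctstate NEW -j ACCEPT")
    for port in sorted(set(business_ports)):  # e.g. what the SLB forwards to
        lines.append(f"-A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def audit_listeners(ss_output, allowed_ports):
    """Parse `ss -Hltn` output and return TCP ports that listen on a wildcard
    address but are not in allowed_ports: candidates to close or firewall."""
    exposed = set()
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, port = fields[3].rsplit(":", 1)  # "Local Address:Port" column
        if addr in ("0.0.0.0", "*", "[::]") and int(port) not in allowed_ports:
            exposed.add(int(port))
    return sorted(exposed)


# Constructed sample of `ss -Hltn` output (no header): sshd, nginx, a
# loopback-only MySQL, and two services exposed on all interfaces.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
LISTEN 0 511 0.0.0.0:80   0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 [::]:8080    [::]:*
"""
```

Feed the generated text to `iptables-restore` on the instance; `audit_listeners(SAMPLE_SS, {22, 80})` reports the Redis and 8080 listeners as exposed beyond the allowed set.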
- Application and data layer optimization suggestions
Follow the Security Development Lifecycle (SDL)
"Security assessment" and "security testing" are the foundation
Regularly check the reports of "Cloud Security Center" and "Cloud Monitor"
Group business systems, use RAM (Resource Access Management) accounts, and grant minimum permissions