Add support for Alibaba Cloud

[x4v13r64]

The python SDK is relatively mature: https://pypi.org/project/aliyun-python-sdk-core/ https://github.com/aliyun/aliyun-openapi-python-sdk

Configure profiles: https://www.alibabacloud.com/help/doc-detail/43039.htm?spm=a2c63.p38356.879954.4.50f84f5cZ4ms46

TODO - look at the below references and identify issues to implement:

• https://www.alibabacloud.com/blog/11-security-recommendations-for-production-instances-on-alibaba-cloud_594743
• https://www.alibabacloud.com/help/faq-detail/56346.htm?spm=a2c63.q38357.a3.1.22d854ffIvveEi
• https://partners-intl.aliyun.com/help/doc-detail/51170.htm
• https://partners-intl.aliyun.com/help/doc-detail/51171.htm?spm=a2c63.p38356.b99.350.4ba34fdawYb9pj
• https://partners-intl.aliyun.com/help/doc-detail/53141.htm?spm=a2c63.p38356.b99.351.4ba34fdawYb9pj
• https://partners-intl.aliyun.com/help/doc-detail/51404.htm?spm=a2c63.p38356.b99.352.4ba34fdawYb9pj

[x4v13r64]

Identity and Access Management

• [ ] Root account used recently BLOCKED API doesn't return root user info
• [ ] Root account lacking MFA BLOCKED API doesn't return root user info
• [x] User with console access lacking multi-factor authentication (MFA)
• [x] User with multiple API keys
• [ ] User's console password unused for over 90 days
  • Ensure credentials unused for 90 days or greater are disabled
• [ ] Access keys older then 90 days
  • Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.
• [ ] RAM policy attached to user
  • RAM policies should only be attached to groups or grants
• [ ] Secure password policy

ActionTrail

• [x] ActionTrail not enabled
  • ActionTrail is a service that enables governance, compliance, operational auditing, and risk auditing of Alibaba Cloud accounts. With ActionTrail, you can log, continuously monitor, and retain account activity related to actions across the Alibaba infrastructure.

Object Storage Service (OSS)

BLOCKED the current version of the library (0.0.4) doesn't support much

• [ ] OSS bucket allows for full anonymous access
• [ ] OSS bucket allows for arbitrary file listing
• [ ] OSS bucket allows for arbitrary file upload and exposure
• [ ] OSS bucket allows for blind uploads
• [ ] OSS bucket allows arbitrary read/writes of objects
• [ ] OSS bucket reveals ACP/ACL
• [ ] Logging not enabled for OSS buckets

VPC

[security groups. ACLs, etc.]

ECS

• [x] Instance with a public IP
• [x] Instance without deletion protection
• [ ] User data secrets

Load Balancer

• [ ] TLSv1.2 on Server Load Balancer
  • A better TLS security can be applied to your exposed only with right TLS policy in place which in large would be able to mitigate the following vulnerability from your exposed endpoint.
  • SLB tls_cipher_policy_1_2 provides good compatibility and high security and support only cipher suites like and it's required compliance for PCI-DSS,HIPPA and related standard.

RDS

(find a couple of issues)

KMS

• [x] Lack of key rotation