2.1 Host Security Operations

Key Takeaways

  • Security Center is the primary Alibaba Cloud service for host risk detection, vulnerability scanning, baseline checks, webshell/malware detection, and threat signals on ECS and hybrid (off-cloud) servers via the lightweight agent.
  • Baseline check, attack path analysis, and full risk remediation require Advanced edition or higher (or the CSPM add-on); Basic edition only does free cloud-service configuration checks.
  • Bastionhost centralizes privileged SSH, RDP, and database access with session recording and command audit, so administrators never connect directly to production hosts.
  • ActionTrail records console, API, SDK, and CLI management-plane events for governance, forensics, and multi-account audit trails; Cloud Config evaluates resource configuration drift against rules.

Last updated: June 2026

Host Security Operations

The Alibaba Cloud Certified Associate: Cloud Security Engineer exam (code CSA-C01, the credential that replaced the retired ACA Cloud Security exam on May 13, 2025) is a 50-question, 90-minute multiple-choice test with a passing score of 70 out of 100. Host-security questions rarely ask for definitions. Instead they describe a symptom on an Elastic Compute Service (ECS) server and ask which service to use. The trick is to classify what is being observed: host behavior, administrator sessions, API activity, or resource configuration.

Security Center: the host protection anchor

Security Center (formerly Server Guard) is Alibaba Cloud's host and workload protection platform. A lightweight agent installed on ECS and on off-cloud (hybrid) servers reports back to the console. It detects missing patches, vulnerable middleware, Common Vulnerabilities and Exposures (CVE) findings, weak baselines, suspicious processes, webshells, malware, brute-force logins, and unusual outbound connections. When a scenario mentions agents, CVEs, baseline checks, webshells, or an attack timeline on a server, Security Center is almost always the answer.

Editions matter on the exam. The free Basic edition only performs cloud-service configuration checks. Baseline check, attack-path analysis, and full one-click risk remediation require the Advanced, Enterprise, or Ultimate edition (or the CSPM value-added service). Only the Enterprise edition supports custom baseline policies.

Bastionhost, ActionTrail, and Cloud Config

Bastionhost does not scan the operating system. It brokers privileged access to servers, databases, and network devices. The production pattern the exam rewards: remove direct public SSH/RDP from ECS, restrict the security group so port 22/3389 only accepts traffic from the Bastionhost, force all administrators through it, and retain session recordings plus command audit logs for accountability.

ActionTrail records management-plane events across the console, API, SDK, and CLI. It answers who did what, when, from which IP, against which resource. For long retention or SOC search, trails can be delivered to Simple Log Service (SLS) or Object Storage Service (OSS).

Cloud Config continuously evaluates resource configuration against rules, catching drift such as a public OSS bucket, a security group open to 0.0.0.0/0 on port 22, or a disk that lost encryption. Across multiple accounts, Cloud Config aggregators give a centralized compliance view.
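The check behind both the Bastionhost pattern and the drift rule above can be sketched as follows. This is an added example, not Alibaba Cloud's own code: the rule field names are modelled on ECS security-group permissions and are assumptions here, and the Bastionhost address `192.0.2.10/32` is a hypothetical placeholder.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed ingress rules. Field names (IpProtocol, PortRange "start/end",
# SourceCidrIp, Policy) are assumptions modelled on ECS security-group permissions.
SAMPLE_RULES = [
    {"IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept"},
    {"IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "192.0.2.10/32", "Policy": "Accept"},
    {"IpProtocol": "TCP", "PortRange": "3000/4000", "SourceCidrIp": "198.51.100.0/24", "Policy": "Accept"},
    {"IpProtocol": "TCP", "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept"},
    {"IpProtocol": "ALL", "PortRange": "-1/-1", "SourceCidrIp": "10.0.0.0/8", "Policy": "Drop"},
]

def exposed_admin_rules(rules, bastion_cidr):
    """Return accept rules that open SSH/RDP to any source outside the Bastionhost CIDR."""
    bastion = ipaddress.ip_network(bastion_cidr)
    findings = []
    for rule in rules:
        if rule["Policy"].lower() != "accept":
            continue  # drop rules do not expose anything
        if rule["IpProtocol"].upper() not in ("TCP", "ALL"):
            continue  # SSH and RDP are reached over TCP
        start, end = (int(p) for p in rule["PortRange"].split("/"))
        if start == -1:  # "-1/-1" is treated as "all ports"
            start, end = 1, 65535
        # A wide range such as 3000/4000 still covers 3389, so test containment.
        ports = [p for p in ADMIN_PORTS if start <= p <= end]
        source = ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
        if ports and not source.subnet_of(bastion):
            findings.append((rule["SourceCidrIp"], rule["PortRange"],
                             [ADMIN_PORTS[p] for p in ports]))
    return findings

if __name__ == "__main__":
    for finding in exposed_admin_rules(SAMPLE_RULES, "192.0.2.10/32"):
        print(finding)
```

The wide `3000/4000` rule is flagged even though it never names port 3389, which is the case a check that only matches `22/22` or `3389/3389` literally would miss.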

| Scenario signal | Best service | Why it fits |
|---|---|---|
| CVE, baseline, malware, webshell, suspicious process | Security Center | Agent-based host protection and investigation |
| Admin SSH/RDP/database access with session replay | Bastionhost | Centralized, audited privileged access |
| Who called an API, when, from which IP | ActionTrail | Management-plane event record |
| Public bucket or open security-group drift | Cloud Config | Rule-based configuration compliance |

Common exam traps

  • Bastionhost is not a vulnerability scanner. If the question is about CVEs or webshells, do not pick Bastionhost just because servers are involved.
  • ActionTrail logs the management plane, not the OS. It will not show a process running inside an ECS instance; that is Security Center.
  • Cloud Config detects drift; it does not block it at creation time. Preventive controls come from RAM policies and security groups; Cloud Config is detective.
  • Free Basic Security Center will not run a baseline check — a scenario demanding baseline scans implies a paid edition. Watch for this in budget-constrained questions.

Worked scenario: an ECS brute-force alert

Suppose Security Center raises an alert that a Linux ECS instance received thousands of failed SSH logins from a single foreign IP, then one success. The exam wants a layered response, not a single tool:

  1. Contain — in Security Center, isolate the host or use the agent to block the malicious IP; ActionTrail tells you whether the attacker also touched the management plane with stolen credentials.
  2. Investigate — review Security Center's alert timeline for follow-on activity (new processes, webshell, persistence).
  3. Eradicate — patch the exposed service, rotate any leaked keys, and run a baseline check to confirm hardening.
  4. Prevent recurrence — move SSH behind Bastionhost, tighten the security group so port 22 only accepts the Bastionhost source, and add a Cloud Config rule that flags any security group reopening 0.0.0.0/0 on port 22.

This maps cleanly to the detect → contain → eradicate → recover incident lifecycle, and each step uses the service the exam expects.
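The signal in this scenario, many failures from one source followed by a success, can be reproduced from the host's own sshd log during the investigate step. The following is an added example, not Security Center's detection logic: the log lines are constructed, the IPs are documentation ranges, and the threshold is kept low to suit the short sample.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log lines (not real data).
SAMPLE_LOG = """\
Jun 03 02:14:01 ecs-web-01 sshd[4121]: Failed password for root from 203.0.113.50 port 40122 ssh2
Jun 03 02:14:02 ecs-web-01 sshd[4123]: Failed password for invalid user admin from 203.0.113.50 port 40130 ssh2
Jun 03 02:14:03 ecs-web-01 sshd[4125]: Failed password for root from 203.0.113.50 port 40144 ssh2
Jun 03 02:14:05 ecs-web-01 sshd[4127]: Accepted password for root from 203.0.113.50 port 40150 ssh2
Jun 03 02:20:11 ecs-web-01 sshd[4190]: Failed password for ops from 198.51.100.7 port 51822 ssh2
Jun 03 02:20:19 ecs-web-01 sshd[4192]: Accepted publickey for ops from 198.51.100.7 port 51830 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")

def find_bruteforce_successes(log_text, min_failures=3):
    """Return one finding per login that followed >= min_failures failures from the same IP.

    min_failures defaults to 3 only to suit the short sample; tune it upward for real logs.
    """
    failures = defaultdict(int)  # source IP -> failures since its last successful login
    findings = []
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            failures[match.group(2)] += 1
            continue
        match = ACCEPTED.search(line)
        if match:
            user, ip = match.groups()
            if failures[ip] >= min_failures:
                findings.append({"ip": ip, "user": user, "failures_before": failures[ip]})
            failures[ip] = 0  # a success ends the current run of failures
    return findings

if __name__ == "__main__":
    for finding in find_bruteforce_successes(SAMPLE_LOG):
        print(finding)
```

The source IP and account in each finding are the values to pivot on when checking ActionTrail for management-plane activity and when deciding which credentials to rotate.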

Agent and hybrid coverage

A frequent distractor is the claim that Security Center only protects ECS. In reality the agent also installs on non-Alibaba servers (on-premises or other clouds), giving a single console for hybrid fleets. If the agent is offline, findings go stale — so "agent not reporting" is itself a risk Security Center surfaces. Remember that ActionTrail, Cloud Config, and Bastionhost are management-plane or access-plane controls and need no host agent, whereas Security Center's deep host telemetry depends on the agent being installed and healthy.

How the four services fit together

Think of the four controls as covering four distinct planes, and the exam will reward you for not confusing them:

  • Workload/host plane — Security Center watches what happens inside the operating system.
  • Access plane — Bastionhost governs how humans reach the host.
  • Audit plane — ActionTrail records what identities did against Alibaba Cloud APIs.
  • Configuration plane — Cloud Config checks how resources are set up and detects drift.

A mature environment runs all four. For example, Bastionhost forces administrators through an audited gateway; Security Center confirms the host stays clean afterward; ActionTrail proves no one bypassed the gateway by calling the API directly; and Cloud Config verifies the security group still blocks public SSH. Each service answers a question the others cannot.

A last common trap pairs the wrong evidence source with the question being asked. "Prove an administrator's exact keystrokes during a maintenance window" is Bastionhost session replay, not ActionTrail (which logs API calls, not in-session shell commands). "Prove a RAM user created a public bucket via the SDK" is ActionTrail. "Continuously flag any bucket that becomes public" is Cloud Config. Match the plane to the verb in the question and these items become quick wins.

Test Your Knowledge

A production ECS fleet has missing OS patches, several weak baseline settings, and one host with a suspected webshell. Which Alibaba Cloud service is the best first place to triage these findings?

Test Your Knowledge

A company wants all Linux administration to pass through a controlled jump point with command audit and session replay, while direct public SSH to ECS is removed. What should it deploy and pair with restrictive security group rules?

Test Your Knowledge

An auditor needs to know which IAM principal deleted a security group, from what IP, and at what time. Which service provides this evidence?
