Updated on 2025-08-11 GMT+08:00

Overview

You can use SecMaster to manage and maintain tasks across accounts with ease, making it simple to implement protection of different services, including WAF, CFW, VPC security groups and IAM. You can view all policies centrally, manage policies for seven defense lines manually, and query manual and automatic block records quickly.

  • Viewing and Configuring Defense Policies: describes how to view and configure defense policies. There are seven defense lines: physical, identity, server, maintenance, data, application, and network defense lines. Table 1 describes the seven layers of defense and the corresponding asset types that can be protected.
    Table 1 Seven layers of defense and types of protected assets

    | Defense Layer Type | Protection Solution | Description | Protected Asset Type |
    |---|---|---|---|
    | Physical security | -- | The cloud service provider is responsible for physical environment security. | -- |
    | Network security | DDoS Mitigation | This solution mitigates DDoS attacks in milliseconds to ensure continuity of your global services based on machine learning, protection policy tuning, and precise identification of DDoS attacks. | Elastic Load Balance (ELB) and Elastic IP (EIP) |
    | Network security | Cloud Firewall (CFW) | Cloud Firewall (CFW) protects Internet borders on the cloud and at VPC borders. It can detect and defend against intrusions in real time, control traffic in a unified manner, analyze traffic and visualize results, audit logs, and trace traffic sources. You can scale CFW resources as needed. | Virtual Private Cloud (VPC) |
    | Application security | Web Application Firewall (WAF) | WAF can check and protect website service traffic from multiple dimensions. WAF can intelligently identify malicious request features and defend against unknown threats based on deep machine learning. | Websites and IP addresses |
    | Server security | Host Security Service (HSS) | HSS is designed to protect server workloads in hybrid clouds and multi-cloud data centers. It protects servers and containers and prevents web pages from malicious modifications. | Elastic Cloud Server (ECS) and Cloud Container Engine (CCE) |

    The defense layers for identity, data, and O&M security will be available soon.

Limitations and Constraints

  • Currently, the emergency policies include only the blacklist policies of CFW, WAF, VPC security groups and IAM.
  • In a workspace, you can add up to 300 emergency policies that support block aging, and a maximum of 2,500 emergency policies in total. The limits on blocked objects are as follows:
    • For a policy to be delivered to CFW, each account can add a maximum of 500 IP addresses as blocked objects at a time.
    • For a policy to be delivered to WAF, each account can add a maximum of 500 IP addresses as blocked objects at a time.
    • For a policy to be delivered to VPC, each account can add a maximum of 500 IP addresses as blocked objects once every minute.
    • For a policy to be delivered to IAM, each account can add a maximum of 500 IAM users as blocked objects at a time.
  • If an IP address or IP address range or an IAM user is added to the blacklist, CFW, WAF, VPC, and IAM will block requests from that IP address or user without checking whether the requests are malicious.
  • To ensure system stability, a maximum of five emergency policy tasks can be executed at the same time. If there are already five ongoing tasks, no more emergency policies can be added, retried, or edited.
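
The following pre-flight check is an added example, not SecMaster code or part of its API. It plans a blocklist so that it stays within the limits listed above and refuses entries that overlap ranges you must never block. The function name, the protected-range list, and the idea of splitting a long list into several submissions are assumptions of this example.

```python
import ipaddress

# Limits from the list above; splitting a longer list into several
# submissions is this example's assumption.
MAX_PER_SUBMISSION = {"CFW": 500, "WAF": 500, "VPC": 500, "IAM": 500}
MIN_GAP_SECONDS = {"VPC": 60}   # VPC: one submission per minute
MAX_CONCURRENT_TASKS = 5

def plan_blocklist(target, objects, protected_nets=(), running_tasks=0):
    """Return (batches, rejected) for one target service.

    batches:  [(start_offset_seconds, [objects]), ...]
    rejected: [(raw_object, reason), ...]
    """
    if target not in MAX_PER_SUBMISSION:
        raise ValueError(f"unknown target {target!r}")
    if running_tasks >= MAX_CONCURRENT_TASKS:
        raise RuntimeError("five emergency policy tasks are already running")
    protected = [ipaddress.ip_network(n) for n in protected_nets]
    accepted, rejected, seen = [], [], set()
    for raw in objects:
        item = raw.strip()
        if not item:
            rejected.append((raw, "empty entry"))
            continue
        if target != "IAM":
            try:
                net = ipaddress.ip_network(item, strict=False)
            except ValueError:
                rejected.append((raw, "not an IP address or range"))
                continue
            # Blacklisted sources are blocked without inspection, so refuse
            # anything overlapping a range the operator marked as protected.
            if any(net.version == p.version and net.overlaps(p) for p in protected):
                rejected.append((raw, "overlaps protected range"))
                continue
            item = str(net)
        if item not in seen:   # drop duplicates after normalisation
            seen.add(item)
            accepted.append(item)
    size = MAX_PER_SUBMISSION[target]
    gap = MIN_GAP_SECONDS.get(target, 0)
    return ([(i // size * gap, accepted[i:i + size])
             for i in range(0, len(accepted), size)], rejected)
```

Pass your own egress, monitoring, and management ranges as protected_nets, and review the rejected list before any policy is created.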

Basic Concepts

  • Operation connections are asset connections associated with emergency policy processes. An asset connection contains a domain name and authentication parameters used by the plug-in node in workflows. SecMaster uses the domain names to access other cloud services or third-party services. For more details, see Managing an Operation Connection.