To prevent cloud services from being attacked due to configuration errors and misoperations, Security Center provides the configuration assessment feature. You can use the feature to check whether risks and errors exist in the configurations of your cloud services from multiple dimensions. This helps reduce risks that are caused by configuration errors and improve the security of your cloud services. This topic describes the basic information and billing of the configuration assessment feature.
Feature overview
Check the configurations of cloud services
Security Center allows you to check whether risks and errors exist in the configurations of your cloud services from the following dimensions: cloud infrastructure entitlements management (CIEM), security risk management, and compliance risk management. The check results are classified and displayed by risk level to help you understand the configuration risks of your cloud services.
Dimensions
The following table describes the dimensions from which you can check the configurations of your cloud services.
Check dimension | Description |
CIEM | CIEM is a service that integrates cloud security assessment and authorization management to manage the permissions to use and access cloud platforms. Security Center manages identities and permissions on cloud platforms based on CIEM. You can check whether issues exist, such as excessive permissions and password expiration. This helps identify and resolve issues related to permission management at the earliest opportunity and improve the security and reliability of cloud platforms. |
Security risk management | Best security practices are security measures and solutions that are accumulated by cloud service providers over the years to maximize the security of your data and business. Security Center checks the security configurations, code vulnerabilities, and logging configurations of business systems and identifies potential configuration errors on cloud platforms based on the best security practices of different cloud service providers. This helps maximize the security of your data and business. |
Compliance risk management | The internationally agreed best practices for security are security standards for defending IT systems and data against cyberattacks. Security Center checks and manages the compliance risks of cloud platforms in a comprehensive manner and identifies weak configurations that do not meet the security standards. This helps handle the weak configurations at the earliest opportunity and maximize the security of your data and business. |
Supported cloud services
Security Center allows you to add cloud services provided by Alibaba Cloud and third-party cloud service providers such as Tencent Cloud and Amazon Web Services (AWS). You can view the supported cloud services in the Security Center console. For more information, see Add cloud services.
Fix configuration risks in cloud services
Security Center provides optimization suggestions and solutions for each risk item to help you better manage cloud resources and ensure business security.
Security Center provides the quick fixing feature for more than 50 check items. You can directly fix configuration risks for cloud service instances in the Security Center console. Each time a risk on an instance is fixed, one unit of the remaining quota for configuration assessment is consumed.
Billing
Billing rules
You are charged for the configuration assessment feature based on the quota for each configuration check performed on each cloud service instance. Billing formula: Configuration assessment fee = Unit price × Quota.
Unit price: Unit prices are different based on different billing methods. For more information, see Billing method.
Quota: The total number of scans, verifications, and successful fixes for each check item performed on each cloud service instance.
Quota = scan counts + verification counts + successful fix counts.
A cloud service instance refers to the instance of a specific application or network device, such as an Object Storage Service (OSS) bucket or an Elastic Compute Service (ECS) security group.
After you enable the configuration assessment feature, the system calculates the number of scan times each time you run a configuration check. Formula: Total number of scan times of a configuration check = Total number of scanned instances × Number of selected check items.
For example, you have added a total of 10 cloud services, and each cloud service has 15 instances. You run a configuration check in which a total of five check items are selected. In this example, each of the five check items is used to scan each instance and the number of scan times is 750. The value is calculated by using the following formula: 10 × 15 × 5 = 750.
Billing method
The configuration assessment feature supports the subscription and pay-as-you-go billing methods. A free version of the feature is also provided. The free version supports only specific check items, whereas the paid version supports all check items.
You cannot purchase the configuration assessment feature based on the pay-as-you-go and subscription billing methods at the same time within your Alibaba Cloud account.
For example, if you purchase the configuration assessment feature based on the subscription billing method, you must wait until the subscription to the feature ends or disable the feature before you can purchase the feature based on the pay-as-you-go billing method. For more information, see the Switch from subscription to pay-as-you-go section of this topic.
After you purchase the configuration assessment feature based on the pay-as-you-go or subscription billing method, you can use all check items, including the free and billable check items. In this case, take note of the following items when you run a configuration check:
You are not charged for the free check items that only involve scans and verifications, which do not consume the quota for configuration assessment that you purchase. You are charged for the free check items that involve successful fixes of risks, which consume the quota.
You are charged for the billable check items based on the number of times that each check item is used to scan each cloud service instance.
Free usage
You can use specific check items to scan and verify cloud service instances for an unlimited number of times free of charge. If you need to fix the risks, you should purchase the configuration assessment feature based on the pay-as-you-go or subscription billing method.
You can view the supported free check items from the left-side navigation pane of the Security Center console. If you have not purchased the configuration assessment feature based on the pay-as-you-go or subscription billing method and have not purchased a quota for the feature, you can use more than 70 check items that are provided by the feature free of charge.
The number of check items that you can use free of charge varies based on the edition of Security Center. If you enabled the configuration assessment feature before July 07, 2023, you can use the following number of check items free of charge until your subscription to Security Center expires. If you renew the subscription before Security Center expires, you can continue to use the check items free of charge.
Basic and Anti-virus: more than 70
Advanced: more than 90
Enterprise and Ultimate: more than 250
More check items will be provided by the configuration assessment feature. If you want to use more check items, you can purchase the configuration assessment feature based on the pay-as-you-go or subscription billing method. For more information, see the Authorization and purchase section of this topic. After you purchase the feature, you can use all check items. The historical scan data is retained. You can view all check items and select check items for a configuration check.
Subscription
Formula: Unit price × Quota for Configuration Assessment × Subscription duration (the subscription duration of Security Center).
Quota for Configuration Assessment | Price (USD/time) |
0~100,000 | 0.0009 |
100,001~500,000 | 0.00069 |
Greater than 500,000 | 0.000625 |
Offset rule: You must purchase a quota for configuration assessment of at least 15,000 with increments of 55,000. Each time you run a configuration check, the remaining quota is consumed based on the number of scan, verification, and fix times.
Note: If the remaining quota is insufficient to offset the fee of a configuration check, the check items that cannot be covered by the quota are not used to scan, verify, and fix instances in the configuration check. You can view the scan results to check the details of the configuration check.
Pay-as-you-go
Formula: Unit price × Quota for configuration assessment (the total number of scans, verifications, and successful fixes on the current day).
You are charged based on the consumed quota for configuration assessment in the tiered pricing mode by calendar day.
Consumed quota for configuration assessment | Price (USD/time) |
0~100,000 | 0.0009 |
100,001~500,000 | 0.0007 |
Greater than 500,000 | 0.00045 |
For more information about how to view the bills of the configuration assessment feature, see Billing details.
Authorization and purchase
When you use the configuration assessment feature for the first time, you must authorize Security Center to access cloud resources.
Authorize Security Center to access cloud resources.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Configuration Assessment page, click Authorize Now. The first time you use the configuration assessment feature, you must perform this operation.
After the authorization is complete, a service-linked role named AliyunServiceRoleForSasCspm is created for Security Center to access and modify the resources of cloud services within the current account. Then, you can use the configuration assessment feature to check the following configurations of your cloud services: identity authentication, network access control, data security, log audit, and basic protection. This helps you reinforce security configurations and reduce risks that are caused by configuration errors in your cloud services. For more information about the AliyunServiceRoleForSasCspm service-linked role, see Service-linked roles for Security Center.
Select a billing method to purchase the feature.
Pay-as-you-go
Subscription
Use the feature
Add cloud services: View the supported cloud services and add the cloud services whose configurations you want to check to Security Center. Alibaba Cloud services and third-party cloud services are supported.
Use the configuration assessment feature: Configure a check policy, view check results, and handle the detected risk items.