Before you can use Managed Security Service, you must grant it authorization through Security Token Service (STS) and single sign-on (SSO). This authorization allows Managed Security Service to access your cloud resources and provide operational services. This topic describes how to grant these permissions to Managed Security Service.
STS authorization
Service-linked role for Managed Security Service
Alibaba Cloud Security Token Service (STS) is a service that manages temporary access permissions. You must create the AliyunServiceRoleForMssp service-linked role to grant Managed Security Service access to your resources, such as Elastic Compute Service (ECS), Security Center, Object Storage Service (OSS), and ApsaraDB RDS. This access is required for Managed Security Service to provide operational services.
If you purchased Managed Security Service and are logging on to the Managed Security Service console for the first time, the system prompts you to create the AliyunServiceRoleForMssp service-linked role. In this case, you do not need to perform this step.
If the Service Authorization dialog box does not appear after you log on to the Managed Security Service console, the service is already authorized. You can confirm this by logging on to the RAM console and checking that the AliyunServiceRoleForMssp role exists on the Roles page.
Log on to the Managed Security Service console.
In the Service Authorization dialog box, click Authorize and Activate.
Service-linked role for ESA security hosting
If you need Managed Security Service to manage security for your Edge Security Acceleration (ESA) service, you must create the AliyunServiceRoleForESAMssp service-linked role. This role grants Managed Security Service access to your ESA and Simple Log Service (SLS) resources. This access is required for Managed Security Service to provide operational services.
Log on to the Managed Security Service console.
In the upper-right corner of the Overview page, click Create ESA MSS ServiceLinkRole.
In the Service Authorization dialog box, click Authorize and Activate.
SSO authorization
You can create a RAM role that uses an identity provider (IdP) as the trusted entity. This enables role-based single sign-on (SSO) between your corporate IdP and Alibaba Cloud. This setup allows Managed Security Service to retrieve complete data for risk assessment and security hardening of your cloud resources.
Prerequisites
You have the XML certificate required for Managed Security Service authorization.
If you do not have the XML certificate, contact the delivery manager assigned to you when you purchased Managed Security Service.
Procedure
Log on to the RAM console with your Alibaba Cloud account.
Create a SAML IdP.
In the left-side navigation pane, choose .
On the Role-based SSO tab, click the SAML tab and click Create identity provider.
On the Create Identity Provider page, enter an Identity Provider Name (such as aliyun-mssp) and a Description.
In the Metadata File section, click Upload metadata file to upload the XML authorization certificate for Managed Security Service.
Click Create identity provider.
Create a RAM role that uses the IdP you created in the previous step (aliyun-mssp) as the trusted entity.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.
In the upper-right corner of the Create Role page, click Switch to Policy Editor.
In the visual editor, specify the aliyun-mssp IdP that you created in Step 2 (Create a SAML IdP).
Specify conditions in the editor.
The following lists the supported service-level condition key.
Condition key: saml:recipient
Description: The recipient of the SAML assertion. Alibaba Cloud checks the recipient of the SAML assertion against the value of this condition.
Required: Yes
Example: Set the value to https://signin.alibabacloud.com/saml-role/sso.
Click OK. In the Create Role dialog box, enter a Role Name, such as aliyun-mssp, and click OK.
Grant permissions to the aliyun-mssp RAM role that you created in the previous step.
On the completion page of the role creation wizard, click Grant Permission. Alternatively, in the navigation pane on the left, choose . Then, find the aliyun-mssp RAM role and click Grant Permission in the Actions column.
In the Grant Permission panel, grant the aliyun-mssp RAM role the following permissions. For more information, see Grant permissions to a RAM role.
ReadOnlyAccess: Collects and verifies data for the security configuration features of cloud products such as ECS, OSS, RDS, and SLS.
AliyunYundunFullAccess: Collects and verifies data for the security configuration features of cloud security products such as Security Center, Cloud Firewall (CFW), and Web Application Firewall (WAF). This permission is also used to deploy inspection configuration rules on cloud security products and perform immediate remediation and blocking during emergencies.
AliyunSupportFullAccess: Manages tickets for product inquiries.
AliyunCloudMonitorFullAccess: Manages CloudMonitor permissions for website monitoring configurations.
AliyunECSFullAccess (Optional): Required for some emergency response and maintenance operations on hosts, such as creating image snapshots, modifying security group policies, and applying patches.
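To verify that the aliyun-mssp role ends up scoped the way this procedure describes, the following added example (not part of the Alibaba Cloud documentation) builds the expected trust policy document and audits an exported trust policy and attached-policy list against it. The account ID is a constructed placeholder, and the trust policy document follows the RAM format for SAML identity providers, which is assumed here.

```python
import json
# Values from the procedure above; the account ID in the demo is a constructed placeholder.
SSO_RECIPIENT = "https://signin.alibabacloud.com/saml-role/sso"
REQUIRED_POLICIES = {"ReadOnlyAccess", "AliyunYundunFullAccess",
                     "AliyunSupportFullAccess", "AliyunCloudMonitorFullAccess"}
OPTIONAL_POLICIES = {"AliyunECSFullAccess"}

def build_trust_policy(account_id, idp_name):
    """Trust policy that lets only the named SAML IdP assume the role, and only for
    assertions addressed to the Alibaba Cloud role-based SSO endpoint (RAM format, assumed)."""
    return {"Version": "1", "Statement": [{
        "Action": "sts:AssumeRole", "Effect": "Allow",
        "Principal": {"Federated": [f"acs:ram::{account_id}:saml-provider/{idp_name}"]},
        "Condition": {"StringEquals": {"saml:recipient": SSO_RECIPIENT}}}]}

def audit_trust_policy(policy, account_id, idp_name):
    """Return findings for an exported trust policy; empty means it trusts only the
    expected IdP and enforces the saml:recipient condition on every AssumeRole grant."""
    expected = f"acs:ram::{account_id}:saml-provider/{idp_name}"
    findings, seen_assume = [], False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        seen_assume = True
        federated = stmt.get("Principal", {}).get("Federated", [])
        federated = [federated] if isinstance(federated, str) else federated
        findings += [f"unexpected principal: {p}" for p in federated if p != expected]
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("saml:recipient") != SSO_RECIPIENT:
            findings.append("saml:recipient condition missing or not the SSO endpoint")
    if not seen_assume:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings

def audit_attached_policies(attached):
    """Flag required policies that are missing and any policy outside the documented set."""
    attached = set(attached)
    return ([f"missing required policy: {p}" for p in sorted(REQUIRED_POLICIES - attached)]
            + [f"policy outside documented set: {p}"
               for p in sorted(attached - REQUIRED_POLICIES - OPTIONAL_POLICIES)])

if __name__ == "__main__":
    expected = build_trust_policy("123456789012345678", "aliyun-mssp")
    print(json.dumps(expected, indent=2))
    drifted = json.loads(json.dumps(expected))   # constructed drift: condition dropped
    del drifted["Statement"][0]["Condition"]
    print(audit_trust_policy(drifted, "123456789012345678", "aliyun-mssp"))
    print(audit_attached_policies(REQUIRED_POLICIES | {"AdministratorAccess"}))
```

Run the audit against the trust policy and policy list exported for the role after the grant step, and again periodically, so that a dropped saml:recipient condition or an extra policy is caught rather than silently widening what the IdP-assumed role can do.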
Revoke service authorization
If you no longer use Managed Security Service, you must revoke the service authorization by removing the permissions from the roles and then deleting the roles.
Remove permissions from the role. For more information, see Revoke permissions from a RAM role.
Delete the role. For more information, see Delete a RAM role.