Managed Security Service:Authorize MSSP to access cloud resources

Last Updated: Aug 01, 2024

Before you use Managed Security Service (MSSP), you must use Security Token Service (STS) and single sign-on (SSO) to grant MSSP the permissions to access other cloud resources. This way, MSSP can provide operations services. This topic describes how to grant permissions to MSSP.

STS authorization

STS allows you to manage temporary credentials for your Alibaba Cloud resources. You must create the AliyunServiceRoleForMssp service-linked role to authorize MSSP to access other cloud resources, such as Elastic Compute Service (ECS), Security Center, Object Storage Service (OSS), and ApsaraDB RDS. This way, MSSP can provide operations services.

Note
  • The first time you log on to the MSSP console to purchase MSSP, you are prompted to create the AliyunServiceRoleForMssp service-linked role. If you created the role at that time, you can skip the steps below.

  • If the Service Authorization dialog box does not appear when you log on to the MSSP console, the authorization is successful. You can log on to the Resource Access Management (RAM) console and choose Identities > Roles to check whether the AliyunServiceRoleForMssp service-linked role exists.

  1. Log on to the MSSP console.

  2. In the Service Authorization dialog box, click Authorize and Activate.

SSO authorization

You must create a RAM role whose trusted entity is an identity provider (IdP). The RAM role is used to implement role-based SSO between Alibaba Cloud and a trusted IdP. This way, MSSP can query complete risk assessment and security hardening data for your other cloud resources.

Prerequisites

The XML certificate required for MSSP authorization is obtained.

Important

If you do not have an XML certificate, contact the delivery manager who was responsible for your account when you purchased MSSP.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account.

  2. Create a SAML IdP.

    1. In the left-side navigation pane, choose Integrations > SSO.

    2. On the Role-based SSO tab, click the SAML tab and then click Add IdP.

    3. On the Create IdP page, enter aliyun-mssp in the IdP Name field and then enter a description in the Remarks text box.

    4. In the Metadata File field, click Upload File to upload the XML certificate.

    5. Click OK.

  3. Create a role of the SAML IdP type.

    1. In the left-side navigation pane, choose Identities > Roles.

    2. On the Roles page, click Create Role.

    3. On the Create Role page, select IdP in the Select Trusted Entity section and click Next.

    4. Configure the role and click OK. The following section describes the role parameters:

      • RAM Role Name: Enter aliyun-mssp.

      • Note: Enter the description of the role.

      • IdP Type: Select SAML.

      • Select IdP: Select the aliyun-mssp IdP that you created in Step 2, Create a SAML IdP.

      • Conditions: The condition keyword is fixed as saml:recipient and cannot be modified.

    5. Click OK.

  4. Grant permissions to the role.

    1. On the page that appears, click Add Permissions to RAM Role. Alternatively, in the left-side navigation pane, choose Identities > Roles. On the page that appears, find the role aliyun-mssp and click Grant Permission in the Actions column.

    2. In the Grant Permission panel, grant the following permissions to the aliyun-mssp role. For more information, see Grant permissions to a RAM role.

      • ReadOnlyAccess: collects and verifies the security configuration data of cloud products, such as ECS, OSS, RDS, and Simple Log Service.

      • AliyunYundunFullAccess: collects and verifies the security configuration data of cloud security products, such as Security Center, Cloud Firewall, and Web Application Firewall (WAF). This permission is also used to apply inspection rules to cloud security services and in scenarios in which emergency mitigation and blocking are required.

      • AliyunSupportFullAccess: tracks the progress of product consultation tickets.

      • AliyunCloudMonitorFullAccess: manages CloudMonitor to configure website monitoring.

      • AliyunECSFullAccess (optional): allows specific host emergency response and managed O&M operations, such as creating image snapshots, modifying security group policies, and fixing vulnerabilities.
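After the role is configured, it is worth verifying offline that the aliyun-mssp role trusts only the aliyun-mssp SAML IdP (with the saml:recipient condition intact) and that its attached system policies stay within the set listed above. The following audit script is an added example, not code from this page or from Alibaba Cloud; it assumes the standard Alibaba Cloud trust-policy format and the fixed saml:recipient value for role-based SSO, and the account ID in the sample is a constructed placeholder.

```python
import json

# Policies the procedure grants to aliyun-mssp; AliyunECSFullAccess is optional.
REQUIRED_POLICIES = {"ReadOnlyAccess", "AliyunYundunFullAccess",
                     "AliyunSupportFullAccess", "AliyunCloudMonitorFullAccess"}
OPTIONAL_POLICIES = {"AliyunECSFullAccess"}
# Fixed saml:recipient value for Alibaba Cloud role-based SSO (assumed, not on this page).
SAML_RECIPIENT = "https://signin.aliyun.com/saml-role/sso"

# Constructed sample trust policy of the kind the RAM console generates for a SAML-IdP role.
SAMPLE_TRUST_POLICY = """{
  "Statement": [{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"Federated": ["acs:ram::1234567890123456:saml-provider/aliyun-mssp"]},
    "Condition": {"StringEquals": {"saml:recipient": "https://signin.aliyun.com/saml-role/sso"}}
  }],
  "Version": "1"
}"""

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def audit_trust_policy(trust_policy, account_id, idp_name="aliyun-mssp"):
    """Return findings (an empty list means the role trusts only the MSSP IdP)."""
    findings = []
    expected = f"acs:ram::{account_id}:saml-provider/{idp_name}"
    for stmt in json.loads(trust_policy).get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        # Any non-federated trusted entity widens who can assume the role.
        for kind in ("RAM", "Service"):
            if kind in principal:
                findings.append(f"role also trusts {kind} principals: {principal[kind]}")
        federated = _as_list(principal.get("Federated"))
        if federated != [expected]:
            findings.append(f"unexpected federated principal(s): {federated}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("saml:recipient") != SAML_RECIPIENT:
            findings.append("saml:recipient condition missing or altered")
    return findings

def audit_attached_policies(attached):
    """Flag system policies outside the documented set and required ones that are missing."""
    names = set(attached)
    findings = [f"unexpected policy: {p}" for p in sorted(names - REQUIRED_POLICIES - OPTIONAL_POLICIES)]
    findings += [f"missing policy: {p}" for p in sorted(REQUIRED_POLICIES - names)]
    return findings
```

Feed it the trust policy document and attached policy names shown for the role in the RAM console; any finding indicates the role drifted from the procedure above.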

Revoke service permissions

If you no longer use MSSP, you must revoke the permissions from the RAM role and delete the role.

  1. For more information about how to revoke permissions from a RAM role, see Revoke permissions from a RAM role.

  2. For more information about how to delete a RAM role, see Delete a RAM role.