This topic describes how to use Alibaba Cloud Command Line Interface (CLI) to manage Security Center. To illustrate this process, we use Alibaba Cloud CLI to call the DescribeCloudCenterInstances API of Security Center to query user assets.
Background
Alibaba Cloud CLI is a general-purpose command-line tool developed based on APIs. It enables automated management and maintenance of Security Center. For more information, see What is Alibaba Cloud CLI?
Limit
Currently, Alibaba Cloud CLI does not support calling the Cloud Threat Detection and Response (CTDR) or Security Orchestration and Automation Response (SOAR) features of Security Center. If you need assistance with this functionality, submit a ticket.
Procedure
Step 1: Install Alibaba Cloud CLI
Ensure that you have installed Alibaba Cloud CLI on your system. Alibaba Cloud CLI offers installation packages for Windows, Linux, and macOS users.
You can also debug Alibaba Cloud CLI commands in Cloud Shell, where Alibaba Cloud CLI is pre-installed and receives regular updates. For more information, see What is Cloud Shell?
Step 2: Configure Alibaba Cloud CLI
We highly recommend that you create a RAM user and apply the Principle of Least Privilege when granting permissions to access APIs. An Alibaba Cloud account has the permissions to manage and access the APIs of all Alibaba Cloud services, which can lead to security risks. For the permission policies supported by Security Center, see System policies for Security Center and Custom policies for Security Center.
Before using Alibaba Cloud CLI, you need to configure your identity credentials and region ID. Alibaba Cloud CLI supports various types of identity credentials. For more information, see Credential types.
To configure AccessKey credentials with the AccessKey ID of a RAM user, follow these steps:
Create a RAM user and an AccessKey pair. For more information, see Create a RAM user and Create an AccessKey pair.
Grant permissions to the RAM user. In this example, grant the RAM user read-only access to Security Center using the AliyunYundunSASReadOnlyAccess policy. For more information, see Grant permissions to a RAM user.
Identify the region ID. Alibaba Cloud CLI uses the specified region to call APIs. To check available regions for Security Center, see Endpoints.
Note: When using Alibaba Cloud CLI, you can specify a region with the --region option to override the default region information set in your identity credential configuration and environment variable settings. For more information, see Command line options for API calls.
Configure AccessKey credentials with the AccessKey ID of the RAM user, and name the configuration file AkProfile. For more information, see Configuration examples.
Step 3: Generate CLI command examples
In the Parameters section, input the request parameters and click the CLI Example tab to view the generated CLI command.
Copy the CLI command or execute it directly in Cloud Shell:
Click Run Command to launch Cloud Shell, which allows you to expedite command debugging.
Click Copy to copy the CLI command to your clipboard. You can then use this command in your local shell, or for scripting purposes.
Note: When you paste the CLI command into your local shell for debugging, ensure that the parameter format is correct. For more information on the command parameter formats of Alibaba Cloud CLI, see Parameter formats.
Additionally, note that the --region option is included by default in the sample command generated in the OpenAPI Explorer. When you copy this command to your shell, Alibaba Cloud CLI ignores the region information in the default identity credential configurations and environment variable settings, and preferentially runs the command in the specified region. You can either delete or retain this option based on your business requirements.
Step 4: Call the APIs of Security Center
Example 1: Query the Security Center API operations that can be called by Alibaba Cloud CLI
Use the --help option to list the Security Center API operations available in the Alibaba Cloud CLI. For more information, see List of operations by function.
Run the following command:
aliyun sas --help
View the result.
Example 2: Query user assets
This example demonstrates how to use Alibaba Cloud CLI to call the DescribeCloudCenterInstances API of Security Center to query at-risk assets for Elastic Compute Service (ECS).
Run the following command:
aliyun sas DescribeCloudCenterInstances --Criteria '[{"name":"riskStatus","value":"YES"}]' --MachineTypes ecs
View the result.
{
  "Success": true,
  "PageInfo": {
    "Count": 10,
    "CurrentPage": 1,
    "PageSize": 20,
    "TotalCount": 10,
    "NextToken": "B604532DEF982B875E8360A6EFA3B***"
  },
  "RequestId": "7D6FD965-745C-5580-A3E8-83FEC3BE1FE8",
  "Instances": [
    {
      "AlarmStatus": "NO",
      "AssetType": "0",
      "AssetTypeName": "Elastic Compute Service",
      "AuthVersionName": "Basic edition",
      "Bind": false,
      "ClientStatus": "online",
      "Cores": 4,
      "CpuInfo": "Intel(R) Xeon(R) Platinum 8269CY CPU @ 2.50GHz",
      "ExposedStatus": 0,
      "Flag": 0,
      "FlagName": "ALIYUN",
      "GroupId": 1355****,
      "GroupTrace": "Ungrouped",
      "HcStatus": "YES",
      "HealthCheckCount": 0,
      "Importance": 1,
      "InstanceId": "i-bp1b84nxki0g2cyg****",
      "InstanceName": "example",
      "InternetIp": "",
      "IntranetIp": "172.16.****",
      "Ip": "172.16.****",
      "IpListString": "172.16.****",
      "Kernel": "5.10.134-16.3.al8.x86_64",
      "LastLoginTimestamp": 1729840886000,
      "MacListString": "00:16:3e:**:**:**",
      "Mem": 16384,
      "Os": "linux",
      "OsName": "Alibaba Cloud Linux 3.2104 LTS 64-bit",
      "Region": "cn-hangzhou-dg-a01",
      "RegionId": "cn-hangzhou",
      "RegionName": "China (Hangzhou)",
      "RiskCount": "{\"account\":0,\"agentlessAll\":0,\"agentlessBaseline\":0,\"agentlessMalicious\":0,\"agentlessSensitiveFile\":0,\"agentlessVulCve\":0,\"agentlessVulSca\":0,\"agentlessVulSys\":0,\"appNum\":0,\"asapVulCount\":0,\"baselineHigh\":0,\"baselineLow\":0,\"baselineMedium\":0,\"baselineNum\":1,\"cmsNum\":0,\"containerAsap\":0,\"containerLater\":0,\"containerNntf\":0,\"containerRemind\":0,\"containerSerious\":0,\"containerSuspicious\":0,\"cveNum\":4,\"emgNum\":0,\"health\":0,\"imageBaselineHigh\":0,\"imageBaselineLow\":0,\"imageBaselineMedium\":0,\"imageBaselineNum\":0,\"imageMaliciousFileRemind\":0,\"imageMaliciousFileSerious\":0,\"imageMaliciousFileSuspicious\":0,\"imageVulAsap\":0,\"imageVulLater\":0,\"imageVulNntf\":0,\"laterVulCount\":1,\"newSuspicious\":0,\"nntfVulCount\":3,\"remindNum\":0,\"scaNum\":0,\"seriousNum\":0,\"suspNum\":0,\"suspicious\":0,\"sysNum\":0,\"trojan\":0,\"uuid\":\"11c50347-4745-4a7a-b8dd-405f276201ff\",\"vul\":4,\"weakPWNum\":0}",
      "RiskStatus": "YES",
      "SafeEventCount": 0,
      "Status": "Running",
      "Uuid": "11c50347-4745-4a7a-b8dd-405f****",
      "Vendor": 0,
      "VendorName": "ALIYUN",
      "VpcInstanceId": "vpc-bp132a80775r3d7kz****",
      "VulCount": 4,
      "VulStatus": "YES"
    }
  ]
}
Note: If you receive an error after calling an API operation of Security Center, check the request parameters and their values against the error message.
You can also record the RequestId or the SDK error message returned by the API call and use it for self-diagnosis on the Alibaba Cloud OpenAPI Diagnostic Platform.
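An added example, not part of the original Alibaba Cloud documentation: in the Example 2 output, RiskCount is itself a JSON document serialized into a string, so a script that consumes the command's output has to decode it a second time before it can rank assets. The sample response is constructed (field names from the page, values invented), summarize_at_risk is a hypothetical helper, and treating asapVulCount as the most urgent counter is an assumption based on the field name.

```python
import json

# Constructed sample shaped like the DescribeCloudCenterInstances output on this
# page: field names come from the page, all values are invented for the example.
SAMPLE_RESPONSE = json.dumps({
    "Success": True,
    "RequestId": "EXAMPLE-REQUEST-ID",
    "PageInfo": {"Count": 3, "CurrentPage": 1, "PageSize": 20, "TotalCount": 3},
    "Instances": [
        {"InstanceId": "i-example0001", "InstanceName": "web-1", "VulCount": 4,
         "RiskCount": json.dumps({"asapVulCount": 0, "laterVulCount": 1,
                                  "nntfVulCount": 3, "baselineNum": 1})},
        {"InstanceId": "i-example0002", "InstanceName": "db-1", "VulCount": 2,
         "RiskCount": json.dumps({"asapVulCount": 2, "laterVulCount": 0,
                                  "nntfVulCount": 0, "baselineNum": 0})},
        # Edge case: the counter string is empty and must not break the report.
        {"InstanceId": "i-example0003", "InstanceName": "tmp", "VulCount": 0,
         "RiskCount": ""},
    ],
})

def summarize_at_risk(response_text):
    """Return one row per instance, most urgent first (hypothetical helper)."""
    data = json.loads(response_text)
    if not data.get("Success"):
        raise ValueError("API call failed, RequestId=%s" % data.get("RequestId"))
    rows = []
    for inst in data.get("Instances", []):
        try:
            # RiskCount is JSON encoded inside a JSON string: decode it again.
            risk = json.loads(inst.get("RiskCount") or "{}")
        except json.JSONDecodeError:
            risk = {}
        if not isinstance(risk, dict):
            risk = {}
        rows.append({
            "InstanceId": inst.get("InstanceId"),
            "InstanceName": inst.get("InstanceName"),
            "asap": int(risk.get("asapVulCount", 0)),
            "later": int(risk.get("laterVulCount", 0)),
            "baseline": int(risk.get("baselineNum", 0)),
            "VulCount": int(inst.get("VulCount", 0)),
        })
    # Assumption: asapVulCount marks the most urgent findings, so sort on it first.
    rows.sort(key=lambda r: (-r["asap"], -r["VulCount"], r["InstanceId"]))
    return rows

if __name__ == "__main__":
    for row in summarize_at_risk(SAMPLE_RESPONSE):
        print(row)
```

To use it on real data, redirect the output of the Example 2 command to a file and pass the file's contents to summarize_at_risk.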