This topic provides answers to some frequently asked questions about the Cloud Security Posture Management (CSPM) feature.
Why is CSPM important?
Cloud security posture management (CSPM) typically automates the remediation of misconfigurations and compliance issues.
Most attacks on cloud services result from neglected configuration management, misconfigurations, or incorrect operations. For example, misconfigured permissions on Object Storage Service (OSS) buckets may cause sensitive data leaks, and leaked AccessKey pairs caused by inappropriate use of the AccessKey pairs of Alibaba Cloud accounts introduce security risks.
The high level of automation and user self-service in the cloud underscores the importance of appropriate cloud configurations and compliance. The increasing diversity and quantity of cloud services, combined with an incomplete understanding of cloud infrastructure, may result in persistent misconfigurations and compliance issues. Therefore, you must assess cloud security configurations to ensure appropriateness and compliance, and fix risks in a comprehensive and automated manner.
You can use the CSPM feature to check the configurations of cloud services for risks along the following dimensions: Cloud Infrastructure Entitlement Management (CIEM), security risk management, and compliance risk management. The CSPM feature helps you reduce the risks caused by misconfigurations and improve the security of cloud services. For more information, see Overview.
How do I use Security Center to improve the configuration security of databases?
A database is a system used to manage and store the data resources of an enterprise. Databases store various valuable and sensitive information, which makes them the main target of attacks. Database security is essential to the normal running of workloads and enterprise development.
Security Center provides the CSPM and baseline check features to help you improve the security of your databases.
CSPM: This feature checks the security configurations of a database on a server for risks from multiple dimensions, such as network access control, data security, and log audit. If configuration risks are detected, the CSPM feature provides fixing solutions. For example, the CSPM feature can check the following items in a database: access control whitelists, configurations of the automatic backup and log audit features, and access control policies.
Baseline check: This feature checks the configurations of a database on a server for configuration and application risks. If risks are detected, the baseline check feature generates alerts and provides fixing suggestions. For example, the baseline check feature can check the account used to log on to a database for weak passwords and whether the configurations of a database are compliant with the Alibaba Cloud standards of best practices.
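The following added example, which is not Security Center code, sketches the kind of database configuration check described in the CSPM item above across the three dimensions it names: network access control, data security, and log audit. The inventory, its field names, and the /24 threshold are assumptions made for illustration and do not reflect an Alibaba Cloud API schema or policy.

```python
import ipaddress

# Constructed sample inventory; field names are hypothetical.
SAMPLE_DATABASES = [
    {"id": "db-example-1", "whitelist": ["0.0.0.0/0"],
     "auto_backup": True, "audit_log": False},
    {"id": "db-example-2", "whitelist": ["10.0.8.0/24", "192.168.1.15"],
     "auto_backup": True, "audit_log": True},
    {"id": "db-example-3", "whitelist": ["198.51.0.0/16", "not-an-ip"],
     "auto_backup": False, "audit_log": True},
]

MIN_PUBLIC_PREFIX = 24  # assumed policy: public IPv4 ranges wider than /24 are flagged


def check_whitelist(entries):
    """Return network access control findings for a list of whitelist entries."""
    findings = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(("network_access_control", f"unparseable entry {entry!r}"))
            continue
        if net.prefixlen == 0:
            findings.append(("network_access_control", f"{entry} allows every address"))
        elif net.version == 4 and not net.is_private and net.prefixlen < MIN_PUBLIC_PREFIX:
            findings.append(("network_access_control", f"{entry} is a broad public range"))
    return findings


def check_database(db):
    """Check one database record; a missing setting is treated as disabled."""
    findings = check_whitelist(db.get("whitelist", []))
    if not db.get("auto_backup", False):
        findings.append(("data_security", "automatic backup is disabled"))
    if not db.get("audit_log", False):
        findings.append(("log_audit", "log audit is disabled"))
    return findings


def run_checks(databases):
    """Map each database id to its list of (dimension, detail) findings."""
    return {db["id"]: check_database(db) for db in databases}


if __name__ == "__main__":
    for db_id, findings in run_checks(SAMPLE_DATABASES).items():
        print(db_id, "RISK" if findings else "PASS")
        for dimension, detail in findings:
            print(f"  [{dimension}] {detail}")
```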
How do I use the CSPM feature to check the configurations of cloud services and reinforce the security of cloud services?
You can perform the following operations to check configurations of cloud services and fix configuration risks based on the fixing suggestions and solutions that are provided by Security Center:
Purchase the CSPM feature and complete authorization. For more information, see Purchase and authorization.
Add the cloud services whose configurations you want to check to Security Center. For more information, see Add cloud services.
Configure check policies, view the result of configuration checks, and handle the detected risk items. For more information, see Overview.
How do I disable the CSPM feature?
Basic edition: No action is needed. The Basic edition offers limited detection capabilities for CSPM without restricting the number of scans or verifications. However, it does not support the remediation feature.
For the Anti-virus, Advanced, Enterprise, and Ultimate editions:
Subscription Billing Method: You can disable the CSPM feature by performing an Order Downgrade. For detailed instructions, see Downgrade.
Pay-as-you-go Billing Method: Go to the
page. Under the Configuration Check tab, click Suspended in the Used Quota section to disable the CSPM feature.