You can use the Cloud Security Posture Management (CSPM) feature only after you add the cloud services that you want to check to Security Center. The feature supports Alibaba Cloud services and third-party cloud services. The feature detects risks and vulnerabilities in the configurations of cloud services and provides suggestions and guidelines on how to handle the detected risks and vulnerabilities. You can use the feature to improve the security and reliability of your cloud services.
Prerequisites
The required permissions to use the CSPM feature are obtained. The feature is purchased based on the pay-as-you-go billing method or a sufficient quota for the feature is purchased. For more information, see Purchase and authorization.
View supported cloud services
The CSPM feature supports Alibaba Cloud services and third-party cloud services. You can view supported Alibaba Cloud services, supported third-party cloud service providers, and supported third-party cloud services in the Security Center console.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Cloud Security Posture Management page, click the Configuration Check tab.
On the Configuration Check tab, select Cloud Service from the filter condition drop-down list and click Alibaba Cloud or a third-party cloud service provider, such as Tencent Cloud or AWS, to view the supported cloud services.
Add Alibaba Cloud services
Security Center automatically synchronizes Alibaba Cloud services that belong to the same Alibaba Cloud account as Security Center. No manual operations are required in this scenario.
If you want to check the configurations of Alibaba Cloud services that belong to different Alibaba Cloud accounts, you must add the accounts to Security Center by using the multi-account management feature. For more information, see Use the multi-account management feature.
You can manually synchronize cloud services from the current Alibaba Cloud account, different Alibaba Cloud accounts, and third-party cloud accounts that are added to Security Center.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
Click Synchronize Assets.
Add third-party cloud services
The CSPM feature supports only the third-party cloud services that are provided by Tencent Cloud, Amazon Web Services (AWS), and Microsoft Azure. You can add third-party cloud services to Security Center and use the CSPM feature to scan the services.
Step 1: Configure a third-party cloud account
Before you can add a third-party cloud service to Security Center, you must log on to the platform of the third-party cloud service provider, create a sub-account and an AccessKey pair for the account, and then grant the sub-account the permissions that are required for the CSPM feature.
Configure a sub-account on Tencent Cloud
Configure a sub-account on AWS
Configure a sub-account on Azure
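Before the AccessKey pair of the sub-account is handed to Security Center, it is worth confirming that the sub-account really is read-only, because the key will be stored by a third party and synchronized on a schedule. The following is an added example, not part of this page or of Alibaba Cloud's own tooling: it scans an IAM-style policy document (the "service:Verb" action form used by AWS and by Tencent Cloud CAM) and reports every Allow grant whose action is not a read verb. The list of read-only verb prefixes and the sample policy are assumptions constructed for the example; Azure role definitions use a different shape and are not covered.

```python
import json

# Assumption: verb prefixes treated as read-only. This mirrors common AWS/Tencent
# naming but is not an authoritative list; extend it for the services you use.
READ_ONLY_PREFIXES = (
    "Describe", "Get", "List", "View", "Lookup", "Search", "Scan", "Query", "BatchGet",
)

# Constructed sample policy for a CSPM sub-account (not a policy shipped by any vendor).
# The second statement is deliberately over-broad so the check has something to flag.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyAudit",
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "s3:GetBucketPolicy", "iam:ListUsers"],
            "Resource": "*",
        },
        {
            "Sid": "TooBroad",
            "Effect": "Allow",
            "Action": ["iam:CreateAccessKey", "s3:*"],
            "Resource": "*",
        },
    ],
}


def _is_read_only_action(action: str) -> bool:
    """True only when the action string can grant nothing but read access."""
    # A bare "*" or "service:*" grants write actions as well.
    if action == "*" or action.endswith(":*"):
        return False
    _service, _, verb = action.partition(":")
    if not verb:
        return False
    # Wildcards such as "ec2:Describe*" are fine when the fixed prefix is a read verb.
    return verb.rstrip("*").startswith(READ_ONLY_PREFIXES)


def find_write_grants(policy: dict) -> list:
    """Return 'Sid: action' strings for every Allow grant that is not read-only."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        # NotAction allows everything except the listed actions, so it is never read-only.
        if "NotAction" in st:
            findings.append(f"{sid}: NotAction grants all actions except those listed")
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if not _is_read_only_action(action):
                findings.append(f"{sid}: {action}")
    return findings


def check_policy_json(text: str) -> list:
    """Convenience wrapper for a policy document stored as JSON text."""
    return find_write_grants(json.loads(text))


if __name__ == "__main__":
    for finding in find_write_grants(SAMPLE_POLICY):
        print("write grant found:", finding)
```

Run it against the exported policy of the sub-account; an empty result means every Allow grant uses a read verb, while any line printed names a statement to trim before the key is added in Step 2. The check is intentionally conservative: unknown verbs are reported rather than assumed harmless.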
Step 2: Add the AccessKey pair of the third-party cloud account to Security Center
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the tab, click Grant Permission. Then, select Tencent Cloud, AWS, or Azure from the drop-down list. In the Edit Multi-cloud Configuration panel, select Manual Configuration. Then, select Cloud Security Posture Management below Permission Description and click Next. Security Center is granted the read permissions on all cloud services within the third-party cloud account.
In the Submit AccessKey Pair step, enter the AccessKey pair of the third-party cloud account, select the region of the account, and then click Next.
If you select Tencent Cloud or AWS, you can add audit logs.
If you want to add audit logs, configure the audit log settings in the Log Audit Settings step and click Next. If you do not want to add audit logs, click Skip.
When you add the sub-account of Tencent Cloud, enter the obtained Kafka topic name, Kafka public endpoint, and logset ID of the log topic in sequence.
When you add the sub-account of AWS, enter the obtained region ID and name of the SQS queue in sequence.
In the Policy Configuration step, configure the region where the third-party assets are deployed and the data synchronization frequency, and then click OK.
Parameter | Description
Region | The region of the assets that you want to add to Security Center.
Region Management | If you select this option, assets in subsequently supported regions are automatically added to Security Center.
Cloud Service Synchronization Frequency | The interval at which Security Center automatically synchronizes the data of third-party cloud services. If you select Disable, the data is not synchronized.
AK Service Status Check | The interval at which Security Center automatically checks the validity of the AccessKey pair of the third-party cloud account. If you select Disable, Security Center does not check the validity of the AccessKey pair.
Click Synchronize Assets to synchronize the assets within the third-party cloud account to Security Center.
References
For more information about the details and billing methods of the CSPM feature, see Overview.
For more information about how to perform configuration checks and handle the detected risk items, see Use the CSPM feature.
For more information about how to call an API operation to perform configuration checks, see SubmitCheck.