Security Center:Use the configuration assessment feature

Prerequisites

• Security Center is authorized to access your cloud resources. The configuration assessment feature is purchased based on the pay-as-you-go billing method or a sufficient quota for the feature is purchased. For more information, see Authorization and purchase.

• The cloud services that you want to check are added to Security Center. For more information, see Add cloud services.

Step 1: (Optional) Modify the configurations of a check item

Security Center allows you to modify the configurations of specific check items, such as Hotlink Protection Configurations, Ensure users not logged on for 90 days or longer are disabled for console logon, and Password Validity Check. You can modify the configurations of check items based on your business requirements to increase the accuracy of check results.

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

2. In the left-side navigation pane, choose Risk Governance > Configuration Assessment.

3. Click the Configuration Check tab and click the name of a check item.

4. In the details panel of the check item, click Parameter Configuration.

   Important

   In the details panel of a check item, if the Parameter Configuration button is displayed, the configurations of the check item can be modified. If the button is not displayed, the configurations of the check item cannot be modified.

   

5. In the Parameter Configuration panel, select a parameter from the drop-down list in the Modifiable Parameter column, configure the parameter in the Edit Parameter column, and then click OK.

   You can click Add Modifiable Parameter to add and modify a parameter of the check item.

   The modification immediately takes effect. You can view the check result of the modified check item in the next configuration check.

Step 2: Run a configuration check

The configuration assessment feature supports full scans and scans by policy.

Full scan

If you want to immediately check whether risks exist in the configurations of your cloud services, perform the following operations to run a full scan:

1. In the left-side navigation pane, choose Risk Governance > Configuration Assessment.

2. Click the Configuration Check tab, click Immediate Scan in the Actions section, and then select Full Scan.

Scan by policy

If you want to check whether risks exist in the configurations of specific cloud services, you must run periodic configuration checks or add specific check items for specific cloud service instances to the whitelist by creating the corresponding policies. To create the policies, perform the following operations:

1. In the left-side navigation pane, choose Risk Governance > Configuration Assessment.

2. In the upper-right corner of the Configuration Assessment page, click Check Policy Settings.

3. In the Policy Management panel, configure a scan policy and a whitelist policy.

   • Scan Policy

     Configure items such as the check items used by a configuration check and the check cycle.

     1. On the Scan Policy tab, turn on Automatic Configuration Assessment.

     2. Configure the Detection Cycle and Detection Time parameters, select the required check items, and then click OK.

        After you select check items, the quota that is estimated to be consumed by a scan policy is displayed above the check item list. The estimated quota is for reference only because data may be created or released during a scan.

   • Whitelist Policy

     Exclude specific check items that are not required for configuration checks by cloud service instance or check item. Before you run a scan policy, you can specify check items and cloud service instances to create a whitelist policy. The configurations of a whitelist policy immediately take effect after you create the policy.

     1. On the Whitelist Policy tab, click Create Whitelist Policy.

     2. In the panel that appears, configure the Cloud Service Provider, Cloud Service, Check Item, and Policy Effective Scope parameters and click OK.

        If you set the Policy Effective Scope parameter to All Instances, the whitelist policy takes effect by check item. In subsequent configuration checks on new cloud service instances by policy, the check item that you specify for the whitelist policy is not used and is not displayed in the risk item list.

        If you set the Policy Effective Scope parameter to Specific Instances, the whitelist policy takes effect by cloud service instance. In subsequent configuration checks on new cloud service instances by policy, the check item that you specify for the whitelist policy is used.

     Note

     Check items that are added to the whitelist are automatically displayed in the list on the Whitelist Policy tab. You can find a check item on the Whitelist Policy tab and click Edit in the Actions column to modify the Policy Effective Scope parameter or click Delete in the Actions column to delete a whitelist policy.

After you configure a policy for the configuration assessment feature, Security Center runs configuration checks based on the time range that you specify in the policy. You can also select Scan By Policy to immediately check your cloud services.

1. On the Configuration Assessment page, click the Configuration Check tab.

2. In the Actions section, click Immediate Scan and select Scan By Policy.

   Security Center immediately scans the configurations of cloud services based on the policy that you configure.

Step 3: View check results

1. On the Configuration Check tab, view the check results.

   • View the overall information

     The section in the upper part of the Configuration Assessment page displays the overall information about check results. You can view the pass rates for check items of the CIEM, Risk, and Compliance Risk types. You can move the pointer over the lines above Pass Rate to view the numbers of high-risk, medium-risk, low-risk, and passed check items.

     Important

     High-risk items pose major threats to your assets. We recommend that you handle these risk items at the earliest opportunity.

   • View risk items

     • In the All Check Items section, click a check item type. In the list of risk items on the right, view the risk items of the selected check item type.

     • Use the filter widget above the list to search for the risk items that you want to view. You can filter risk items by conditions such as the levels, status, and names of the risk items.

     • Above the list of check items, choose Yes in Fixing Supported or Not to view the check items that can be quickly fixed in the Security Center console.

       

       You can also navigate to the Risk Governance > Configuration Assessment page, find the Risk Overview tab, click Fix Now on the Check Item Pass Rate area to go to the Configuration Check tab, where you can view the check items that can be quickly fixed in the Security Center console.

2. Find the risk item that you want to view and click Details in the Actions column. In the details panel, view information in the Check Item Description, Solution, Help, and Impact sections.

   

Step 4: Handle the detected configuration risks

1. In the Impact section of the details panel of a risk item, you can perform the following operations in the Actions column to handle the detected risks based on your business requirements.

   Operation	Description
   Fix the risk item	You can fix the risks detected in the configurations of the cloud service based on the information in the Solution and Help sections. Important Security Center provides the quick fix feature for more than 100 check items. You can manually configure the fixing parameters in the Security Center console to directly fix the detected risks for cloud service instances. In the Impact section, if the Fix button is displayed in the Actions column of an instance in the Not Passed state, the check item supports the quick fix feature. If the Fix button is not displayed, the check item does not support the quick fix feature. You can refer to Step 3: View check results to filter the risk items that can be quickly fixed in the Security Center console. Quickly fix the check item in the Security Center console Find the instance that you want to manage and click Fix in the Actions column. In the panel that appears, you can view the information about the at-risk instance, scan time, and fixing parameters. Click Handle Now. If the fixing parameters can be modified, you can click Check Item Parameters in the panel. In the Parameter Configuration panel, modify parameter values in the Edit Parameter column. Then, click OK. You can also select multiple instances and click Fix below the instance list to quickly fix multiple instances at a time. Note If the current account is not authorized to modify the configurations of cloud services of another account, you cannot perform quick fix on the cloud services of that account. To resolve this issue, click Authorize in the dialog box that appears. When you modify the configuration parameters of a cloud service, if you are not reminded that the modification cannot be rolled back, you can roll back the configurations of the cloud service. After you modify the configuration parameters of an instance, if you are required to restart the instance, restart the instance as prompted. Fix the check item in the console of the cloud service Click the ID of an at-risk instance, such as an instance ID, an account ID, or a policy name, to go to the console of the cloud service and fix the detected risks.
   Add the risk item to the whitelist	Important After you add a risk item to the whitelist, the risks that are detected for the risk item are no longer reported in subsequent configuration checks. We recommend that you add risk items to the whitelist only after you confirm that the risk items do not pose threats. If you confirm that a risk item does not pose threats to specific instances, you can add the risk item to the whitelist for the instances. Risk items that are added to the whitelist are not counted in the total number of risk items. You can click Check Policy Settings to go to the Policy Management panel, and click the Whitelist Policy tab to view the details of the check items that are added to the whitelist. You can also remove risk items from the whitelist.

2. Verify fixes.

   If you have modified the configurations of an instance based on the information in the details panel of a risk item that affects the instance, you can click Verify in the Actions column to check whether the new configurations contain security risks.

   You can also select multiple instances and click Verify below the list to check whether the new configurations of the selected instances contain security risks.

   If the new configurations of an instance do not contain risks, the instance is removed from the list in the Impact section. After the new configurations of all at-risk instances are verified, the state of the risk item changes to Passed.

3. Optional. After you use the quick fix feature of Security Center to fix risk items, you can click sas.configcheck.fix.manage in the upper-right corner of the Configuration Assessment page to view the history of quick fix.

   You can view information such as the fixing task ID, check item, and status. You can click the icon in the Actions column and select Details to view the check item description, solution, help documentation, and fixing timeline. You can also perform operations such as rolling back and verifying configurations in the sas.configcheck.fix.manage panel.

View risk reports

You can view a risk report on the Risk Overview tab of the Configuration Assessment page. The report visualizes the overall configuration risks of your cloud assets and allows you to identify and handle configuration errors at the earliest opportunity.

1. In the left-side navigation pane, choose Risk Governance > Configuration Assessment.

2. On the Risk Overview tab, select the cloud service provider of the cloud assets that you want to view. If you do not select an option, you can view the risk data of all cloud assets.

   A risk report contains data in the following sections.

   Section	Description
   Detected Threat Types	Displays the proportion of scanned check items to all supported check items in different dimensions.
   At-risk Cloud Service Statistics	Displays the statistics of cloud services in which configuration risks are detected. Total Cloud Services: the total number of cloud services that are added to Security Center, including Alibaba Cloud services and third-party cloud services. Total At-risk Cloud Services: the number of cloud services in which configuration risks are detected, including Alibaba Cloud services and third-party cloud services. Remaining Quota: the remaining quota for configuration assessment. You can click Scale Out to purchase more quota. Top 5 At-risk Cloud Services: the top five at-risk cloud services based on the number of risk items. You can click a service name to go to the details page of the service.
   Check Item Pass Rate	Displays the overall pass rate of check items and the distribution of risk items. Overall Pass Rate: the proportion of check items in the Not Passed state to all scanned check items. Detected Threat Types: the number of check items that are scanned. The system also displays the numbers of high-risk, medium-risk, and low-risk items. Failed Check Items: the number of check items in the Not Passed state among the scanned check items. The system also displays the numbers of high-risk, medium-risk, and low-risk items. Check Items: the numbers of check items in the Passed and Not Passed states of the CIEM, Risk, and Compliance Risk types in a column chart.
   Trend of Check Item Pass Rate	Displays the trends of pass rates for check items that are used within a specific period of time in a line chart.
   Trend of Asset-based Check Pass Rate	Displays the trends of pass rates for assets that are scanned within a specific period of time in a line chart. Asset-based Check Pass Rate: the proportion of at-risk assets to all assets that are scanned.
   Top 5 Objects with Excessive Permissions	Displays the top five users or roles that are granted excessive permissions within the current scope.

References

• For more information about the feature details and billing methods of configuration assessment, see Overview of configuration assessment.

• For more information about how to add cloud services to Security Center, see Add cloud services.

• GetCheckProcess

• AddCheckResultWhiteList

• ChangeCheckConfig

• GetCheckConfig

• GetCheckDetail