The configuration errors of cloud services can cause risks such as vulnerabilities, performance bottlenecks, data leaks, and hacker attacks. The risks seriously affect the reliability of the cloud services. We recommend that you perform regular scans to check the configurations of cloud services and handle the risk items that are detected at the earliest opportunity. This helps improve the security, performance, and reliability of the cloud services and ensure service continuity and data security.
Prerequisites
Security Center is authorized to access your cloud resources. The Cloud Security Posture Management (CSPM) feature is purchased based on the pay-as-you-go billing method or a sufficient quota for the feature is purchased. For more information, see Authorization and purchase.
The cloud services that you want to check are added to Security Center. For more information, see Add cloud services.
Step 1: (Optional) Modify the configurations of a check item
Security Center allows you to modify the configurations of specific check items, such as Hotlink Protection Configurations, Ensure users not logged on for 90 days or longer are disabled for console logon, and Password Validity Check. You can modify the configurations of check items based on your business requirements to increase the accuracy of check results.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
Click the Configuration Check tab and click the name of a check item.
In the details panel of the check item, click Parameter Configuration.
ImportantIn the details panel of a check item, if the Parameter Configuration button is displayed, the configurations of the check item can be modified. If the button is not displayed, the configurations of the check item cannot be modified.
In the Parameter Configuration panel, select a parameter from the drop-down list in the Modifiable Parameter column, configure the parameter in the Edit Parameter column, and then click OK.
You can click Add Modifiable Parameter to add and modify a parameter of the check item.
The modification immediately takes effect. You can view the check result of the modified check item in the next configuration check.
Step 2: Run a configuration check
The CSPM feature supports full scans and scans by policy.
Full scan
If you want to immediately check whether risks exist in the configurations of your cloud services, perform the following operations to run a full scan:
In the left-side navigation pane, choose .
Click the Configuration Check tab, click Immediate Scan in the Actions section, and then select Full Scan.
A full scan requires a period of time to complete.
Scan by policy
If you want to check whether risks exist in the configurations of specific cloud services, you must run periodic configuration checks or add specific check items for specific cloud service instances to the whitelist by creating the corresponding policies. To create the policies, perform the following operations:
In the left-side navigation pane, choose .
In the upper-right corner of the Cloud Security Posture Management page, click Check Policy Settings.
In the Policy Management panel, configure a scan policy and a whitelist policy.
Scan Policy
Configure items such as the check items used by a configuration check and the check cycle.
On the Scan Policy tab, turn on Automatically Enable Cloud Security Posture Management.
Configure the Detection Cycle and Detection Time parameters, select the required check items, and then click OK.
After you select check items, the quota that is estimated to be consumed by a scan policy is displayed above the check item list. The estimated quota is for reference only because data may be created or released during a scan.
Whitelist Policy
Exclude specific check items that are not required for configuration checks by cloud service instance or check item. Before you run a scan policy, you can specify check items and cloud service instances to create a whitelist policy. The configurations of a whitelist policy immediately take effect after you create the policy.
On the Whitelist Policy tab, click Create Whitelist Policy.
In the panel that appears, configure the Cloud Service Provider, Cloud Service, Check Item, and Policy Effective Scope parameters and click OK.
If you set the Policy Effective Scope parameter to All Instances, the whitelist policy takes effect by check item. In subsequent configuration checks on new cloud service instances by policy, the check item that you specify for the whitelist policy is not used and is not displayed in the risk item list.
If you set the Policy Effective Scope parameter to Specific Instances, the whitelist policy takes effect by cloud service instance. In subsequent configuration checks on new cloud service instances by policy, the check item that you specify for the whitelist policy is used.
NoteCheck items that are added to the whitelist are automatically displayed in the list on the Whitelist Policy tab. You can find a check item on the Whitelist Policy tab and click Edit in the Actions column to modify the Policy Effective Scope parameter or click Delete in the Actions column to delete a whitelist policy.
After you configure a policy for the CSPM feature, Security Center runs configuration checks based on the time range that you specify in the policy. You can also select Scan By Policy to immediately check your cloud services.
On the Cloud Security Posture Management page, click the Configuration Check tab.
In the Actions section, click Immediate Scan and select Scan By Policy.
Security Center immediately scans the configurations of cloud services based on the policy that you configure.
Step 3: View check results
Find the risk item that you want to view and click Details in the Actions column. In the details panel, view information in the Check Item Description, Solution, Help, and Impact sections.
Step 4: Handle the detected configuration risks
In the Impact section of the details panel of a risk item, you can perform the following operations in the Actions column to handle the detected risks based on your business requirements.
Operation
Description
Fix the risk item
You can fix the risks detected in the configurations of the cloud service based on the information in the Solution and Help sections.
ImportantSecurity Center provides the quick fix feature for more than 100 check items. You can manually configure the fixing parameters in the Security Center console to directly fix the detected risks for cloud service instances.
In the Impact section, if the Fix button is displayed in the Actions column of an instance in the Not Passed state, the check item supports the quick fix feature. If the Fix button is not displayed, the check item does not support the quick fix feature.
You can refer to Step 3: View check results to filter the risk items that can be quickly fixed in the Security Center console.
Quickly fix the check item in the Security Center console
Find the instance that you want to manage and click Fix in the Actions column. In the panel that appears, you can view the information about the at-risk instance, scan time, and fixing parameters. Click Handle Now. If the fixing parameters can be modified, you can click Check Item Parameters in the panel. In the Parameter Configuration panel, modify parameter values in the Edit Parameter column. Then, click OK.
You can also select multiple instances and click Fix below the instance list to quickly fix multiple instances at a time.
NoteIf the current account is not authorized to modify the configurations of cloud services of another account, you cannot perform quick fix on the cloud services of that account. To resolve this issue, click Authorize in the dialog box that appears.
When you modify the configuration parameters of a cloud service, if you are not reminded that the modification cannot be rolled back, you can roll back the configurations of the cloud service.
After you modify the configuration parameters of an instance, if you are required to restart the instance, restart the instance as prompted.
Fix the check item in the console of the cloud service
Click the ID of an at-risk instance, such as an instance ID, an account ID, or a policy name, to go to the console of the cloud service and fix the detected risks.
Add the risk item to the whitelist
ImportantAfter you add a risk item to the whitelist, the risks that are detected for the risk item are no longer reported in subsequent configuration checks. We recommend that you add risk items to the whitelist only after you confirm that the risk items do not pose threats.
If you confirm that a risk item does not pose threats to specific instances, you can add the risk item to the whitelist for the instances. Risk items that are added to the whitelist are not counted in the total number of risk items. You can click Check Policy Settings to go to the Policy Management panel, and click the Whitelist Policy tab to view the details of the check items that are added to the whitelist.
You can also remove risk items from the whitelist.
Verify fixes.
If you have modified the configurations of an instance based on the information in the details panel of a risk item that affects the instance, you can click Verify in the Actions column to check whether the new configurations contain security risks.
You can also select multiple instances and click Verify below the list to check whether the new configurations of the selected instances contain security risks.
If the new configurations of an instance do not contain risks, the instance is removed from the list in the Impact section. After the new configurations of all at-risk instances are verified, the state of the risk item changes to Passed.
Optional. After you use the quick fix feature of Security Center to fix risk items, you can click sas.configcheck.fix.manage in the upper-right corner of the CSPM page to view the history of quick fix.
You can view information such as the fixing task ID, check item, and status. You can click the icon in the Actions column and select Details to view the check item description, solution, help documentation, and fixing timeline. You can also perform operations such as rolling back and verifying configurations in the sas.configcheck.fix.manage panel.
View risk reports
You can view a risk report on the Risk Overview tab of the CSPM page. The report visualizes the overall configuration risks of your cloud assets and allows you to identify and handle configuration errors at the earliest opportunity.
In the left-side navigation pane, choose .
On the Risk Overview tab, select the cloud service provider of the cloud assets that you want to view. If you do not select an option, you can view the risk data of all cloud assets.
A risk report contains data in the following sections.
Section
Description
Detected Threat Types
Displays the proportion of scanned check items to all supported check items in different dimensions.
At-risk Cloud Service Statistics
Displays the statistics of cloud services in which configuration risks are detected.
Total Cloud Services: the total number of cloud services that are added to Security Center, including Alibaba Cloud services and third-party cloud services.
Total At-risk Cloud Services: the number of cloud services in which configuration risks are detected, including Alibaba Cloud services and third-party cloud services.
Remaining Quota: the remaining quota for CSPM. You can click Scale Out to purchase more quota.
Top 5 At-risk Cloud Services: the top five at-risk cloud services based on the number of risk items. You can click a service name to go to the details page of the service.
Check Item Pass Rate
Displays the overall pass rate of check items and the distribution of risk items.
Overall Pass Rate: the proportion of check items in the Not Passed state to all scanned check items.
Detected Threat Types: the number of check items that are scanned. The system also displays the numbers of high-risk, medium-risk, and low-risk items.
Failed Check Items: the number of check items in the Not Passed state among the scanned check items. The system also displays the numbers of high-risk, medium-risk, and low-risk items.
Check Items: the numbers of check items in the Passed and Not Passed states of the CIEM, Risk, and Compliance Risk types in a column chart.
Trend of Check Item Pass Rate
Displays the trends of pass rates for check items that are used within a specific period of time in a line chart.
Trend of Asset-based Check
Displays the trends of pass rates for assets that are scanned within a specific period of time in a line chart.
Asset-based Check: the proportion of at-risk assets to all assets that are scanned.
Top 5 Objects with Excessive Permissions
Displays the top five users or roles that are granted excessive permissions within the current scope.
References
For more information about the feature details and billing methods of CSPM, see Overview.
For more information about how to add cloud services to Security Center, see Add cloud services.