The multi-account management feature allows you to manage multiple members in the resource directory of your enterprise in a centralized manner. You can configure protection settings for the members and view the risks that are detected in the resources of the members in real time. This topic describes how to use the multi-account management feature.
Background information
An increasing number of enterprises are migrating their business to the cloud. After an enterprise purchases a large number of cloud resources, the management of resources, projects, personnel, and permissions becomes complicated, and a single account can no longer meet these requirements. In this case, a multi-account system is required to migrate business to the cloud. Enterprise users require centralized management of cloud resources across multiple accounts, including security, compliance audit, network, and O&M products.
Security Center can be integrated with Resource Directory of Resource Management as a trusted service. You can use a resource directory to manage multiple Alibaba Cloud accounts in a centralized and structured manner. For example, you can implement data operations and monitoring on the resources within each Alibaba Cloud account and perform quick operations and management on the resources across the accounts.
Limits
All editions of Security Center support this feature. For more information about the features that are supported by each edition, see Functions and features.
Prerequisites
A resource directory must be enabled. For more information, see Enable a resource directory.
You must create a new member in the resource directory or invite an existing Alibaba Cloud account to join. For more details, see Create a member and Invite an Alibaba Cloud account to join a resource directory.
To include an Alibaba Cloud account in the threat analysis monitoring scope, ensure that the account has purchased log data for the threat analysis and response feature. For more information, see Overview.
Procedure
Step 1: Add a delegated administrator account
The management account of a resource directory allows you to designate a member within the directory as a delegated administrator account for a trusted service. Once specified, this member can access information about the resource directory in the trusted service, including its structure and members. Additionally, the delegated administrator can manage business activities within the resource directory.
You can add up to 10 delegated administrator accounts for both Security Center and Security Center - Threat Analysis.
Log on to the Resource Management console using the management account of your resource directory.
In the left-side navigation pane, choose .
On the Trusted Services page, find Security Center or Security Center - Threat Analysis and click Manage in the Actions column.
In the Delegated Administrator Accounts section of the page that appears, click Add.
In the Add Delegated Administrator Account panel, specify a member as a delegated administrator account of Security Center and click OK.
After you specify the delegated administrator account, the delegated administrator account can perform management operations on all members of the resource directory.
Step 2: Add members
The multi-account management feature allows you to add members of the following types: accounts monitored by Security Center and accounts monitored by threat analysis.
Accounts monitored by Security Center: To monitor the security status of assets across multiple Alibaba Cloud accounts and configure protection settings other than threat analysis, you can add these accounts as members of the account monitored by Security Center. These settings include alerting, vulnerability detection, and Cloud Security Posture Management (CSPM).
Accounts monitored by threat analysis: If you want to manage security information and events of multiple cloud services that belong to different Alibaba Cloud accounts, you can add the accounts as members of the account monitored by threat analysis. The services include Cloud Firewall and Web Application Firewall.
Add a member of the account monitored by Security Center
You can invite existing Alibaba Cloud accounts to join your resource directory as members in the Security Center console. This way, you can manage assets within the accounts by using a single account in a centralized manner. You can monitor the security status of the assets and configure protection settings other than threat analysis for the members, such as settings for alerting, vulnerability check, baseline check, and configuration assessment.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
If this is your first time using the multi-account management feature, click Enable Management in Security Center.
After you enable the feature, the AliyunServiceRoleForSasRd service-linked role is automatically created for the members in your resource directory. For more information about service-linked roles, see Service-linked roles for Security Center.
Add a member.
Navigate to the Multi-account Management page, choose . Then, click Account Management under the Total Monitored Accounts section. In the list, select the accounts that you want to manage. The selected accounts appear in the Managed Accounts area.
Note: The members in the drop-down list are the same regardless of whether you use the management account of your resource directory or a delegated administrator account.
If the CTDR feature is enabled, removing a member account from the managed accounts of Security Center also removes it from threat analysis.
Enable Automatic Management of New Accounts.
After enabling, click Configure Policy, select the target resource directory node, and click OK.
Note: New accounts that are added to the selected node are automatically managed.
If the CTDR feature is enabled, new accounts monitored by threat analysis are synchronized with Security Center. Similarly, accounts that are removed from Security Center are also removed from management in both services.
Click OK.
You can view the added member in the member list on the Multi-account Management page.
Configure protection settings for the member.
On the Account Monitored by Security Center tab, find the member in the member list and click Settings in the Actions column.
In the Settings panel, configure the parameters in the Client Management step and then click Next.
You can configure settings such as host protection, container protection, and agent settings. For more information, see Feature Settings.
Configure the parameters in the Vulnerability management step and click Next.
You can enable or disable automatic scan for each type of vulnerability, and enable vulnerability scan for specific servers. You can also configure the scan cycle and scan method and specify the number of days after which a detected vulnerability is automatically deleted. For more information, see Scan for vulnerabilities.
Configure the parameters in the Baseline inspection step.
The baseline check feature allows you to configure baseline check policies for the member. You can use baseline check policies to check whether risks exist in the baseline configurations of the assets that belong to the member. For more information, see Create baseline check policies and run baseline checks based on the policies.
After you complete the configurations, click Determine.
Security Center enables features for the member and performs vulnerability scans on the assets that belong to the member based on the configurations.
Add a member of the account monitored by threat analysis
You can enable the threat analysis feature for multiple accounts on the Account Monitored by Threat Analysis tab. Then, you can configure alerts for multiple cloud services that belong to different accounts and handle alert events that are generated for the services.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
If this is your first time using the multi-account management feature, click Enable Threat Analysis and Control.
After you enable the feature, the service-linked roles AliyunServiceRoleForSasRd and AliyunServiceRoleForSasCloudSiem are automatically created for member accounts within your resource directory. For details on service-linked roles, see Service-linked roles for Security Center.
Add a member.
Navigate to the Multi-account Management page, choose . Then, click Account Management under the Total Monitored Accounts section. In the list, select the accounts that you want to manage. The selected accounts appear in the Managed Accounts area.
Note: The members in the drop-down list are the same regardless of whether you use the management account of your resource directory or a delegated administrator account.
Removing a member account from the managed accounts of Security Center also removes it from threat analysis, and vice versa.
Enable Automatic Management of New Accounts.
Once enabled, click Configure Policy, and in the Configure Automatic Management Policy for New Accounts dialog box, select the target resource directory node, and click OK.
Note: New accounts that are added to the selected node are automatically managed.
If the CTDR feature is enabled, new accounts monitored by threat analysis are synchronized with Security Center. Similarly, accounts that are removed from Security Center are also removed from management in both services.
Click OK.
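The two procedures above describe the membership rules a defender needs to verify after onboarding: every account under the node bound to the automatic-management policy should be monitored, and when CTDR is enabled the Security Center and threat analysis managed sets are kept in sync, with removals cascading in both directions. The following script is an added example, not Alibaba Cloud code or an API on this page: it models a resource directory as a small tree and reports coverage gaps and sync drift. The folder IDs, account IDs, and the managed sets are constructed sample data; in a real environment they would come from the consoles or APIs, which this example does not call.

```python
"""Coverage check for a resource directory's monitored accounts.

Added example (not Alibaba Cloud code). It models the behaviour described in
Step 2: an automatic-management policy bound to one resource directory node,
and, when CTDR is enabled, Security Center and threat-analysis membership kept
in sync. Folder IDs, account IDs and the managed sets below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Folder:
    """One node of the resource directory tree (constructed model)."""
    folder_id: str
    accounts: set = field(default_factory=set)
    children: list = field(default_factory=list)


def accounts_under(node: Folder) -> set:
    """All member accounts under a node, including nested folders."""
    found = set(node.accounts)
    for child in node.children:
        found |= accounts_under(child)
    return found


def find_node(root: Folder, folder_id: str) -> Optional[Folder]:
    """Locate the node that an automatic-management policy is bound to."""
    if root.folder_id == folder_id:
        return root
    for child in root.children:
        hit = find_node(child, folder_id)
        if hit is not None:
            return hit
    return None


def coverage_report(root, policy_node_id, sc_managed, ta_managed, ctdr_enabled):
    """Compare the accounts expected under the policy node with both managed sets.

    Lists are sorted so the report is stable and easy to assert on.
    """
    policy_node = find_node(root, policy_node_id)
    if policy_node is None:
        raise ValueError(f"unknown policy node {policy_node_id}")
    expected = accounts_under(policy_node)
    in_directory = accounts_under(root)
    return {
        # under the policy node but never picked up by Security Center
        "missing_from_security_center": sorted(expected - sc_managed),
        # under the policy node but not covered by threat analysis
        "missing_from_threat_analysis": sorted(expected - ta_managed),
        # still managed although no longer a member of the directory
        "managed_but_not_in_directory": sorted((sc_managed | ta_managed) - in_directory),
        # with CTDR enabled the two sets should be identical; any difference is drift
        "sync_drift": sorted(sc_managed ^ ta_managed) if ctdr_enabled else [],
    }


def remove_member(account, service, sc_managed, ta_managed, ctdr_enabled):
    """Removal as the page describes it: with CTDR on, removing from either
    service removes from both; with CTDR off, only the named set changes."""
    sets = {"security_center": sc_managed, "threat_analysis": ta_managed}
    if service not in sets:
        raise ValueError(f"unknown service {service}")
    if ctdr_enabled:
        for managed in sets.values():
            managed.discard(account)
    else:
        sets[service].discard(account)
    return sc_managed, ta_managed


def build_sample_directory() -> Folder:
    """Constructed directory: r-root > (fd-prod > fd-prod-eu), fd-dev."""
    return Folder("r-root", {"1001"}, [
        Folder("fd-prod", {"1002", "1003"}, [Folder("fd-prod-eu", {"1005"})]),
        Folder("fd-dev", {"1004"}),
    ])


def run_sample_check():
    """Policy bound to fd-prod; account 9999 is a stale member that left the directory."""
    root = build_sample_directory()
    sc_managed = {"1002", "1003", "1005", "1004", "9999"}
    ta_managed = {"1002", "1005"}
    return coverage_report(root, "fd-prod", sc_managed, ta_managed, ctdr_enabled=True)


if __name__ == "__main__":
    for finding, accounts in run_sample_check().items():
        print(f"{finding}: {accounts or 'none'}")
```

Running the script on the constructed data flags account 1003 as missing from threat analysis, 9999 as managed but no longer in the directory, and both of those plus 1004 as drift between the two services; a non-empty report after onboarding is the signal to revisit the Account Management panels described above.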
Step 3: View the risks detected in the resources of a member
You can log on to the Security Center console by using the management account of your resource directory or a delegated administrator account to view the risks detected in the resources of a member and manage the member on the Overview tab of the Multi-account Control page.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
On the Multi-account Management page, click the Overview tab to view information about each member, such as the security score, at-risk assets, alerts, vulnerabilities, baseline risks, and asset exposure statistics.
Step 4: View and manage member accounts
In the Security Center console, you can view and manage members of the account monitored by Security Center or threat analysis. For example, you can add, delete, or remove members.
Accounts monitored by Security Center
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
On the Multi-account Management page, choose . Then, view and manage information about a member.
View the risk information about a member
You can view the risk information about a member in the member list. The risk information includes Security Score, Alerts, Vulnerabilities, Baseline Check, Cloud Security Posture Management, and Attacks.
Switch to the Security Center console of a member
In the member list, click the name of a member to switch to the Security Center console of the member. You can also select a member from the drop-down list in the left-side navigation pane to switch to the Security Center console of the member or switch back to the Security Center console of the current logon account.
After you switch to the Security Center console of a member, you can view the risks detected in the resources of the member and configure protection settings. However, you cannot perform the following operations:
Go to the buy page or the console of a different cloud service. For example, when you click Buy Now on the Overview page and select an edition, you cannot navigate to the buy page, and the "The feature is not supported when the multi-account switching feature is enabled." message appears.
Use the log analysis feature. After you switch to the Security Center console of a member, the entry point to the log analysis feature is not displayed in the console.
Use the multi-account management feature. After you switch to the Security Center console of a member, the entry point to the multi-account management feature is not displayed in the console.
Mark a member as followed
To prioritize a member, select it in the account list and click Follow. The account is then placed at the top of the drop-down list in the left-side navigation pane.
Log on to the Resource Management console
Log on to the Resource Management console using your management account. On the Resource Directory page, you can view all resource directory details, add new members, send invitations, and upgrade a resource account to a cloud account.
Remove a member
To remove an account, click Remove in the member account list.
Accounts monitored by threat analysis
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
Navigate to the Multi-account Management page, select the tab. Then, click Account Management and, in the Multi-account Management Settings panel, view and manage the details of the member accounts that are monitored by threat analysis.
View member information
In the Managed Accounts area, you can view the details of the members that are monitored by threat analysis.
Remove from threat analysis monitoring
Clear the Threat Analysis check box to remove the target member. You can also click Remove in the Actions column that corresponds to the target account to remove it from the Managed Accounts area.
Switch to the Security Center console of the member account
Filter the member account list on the Account Monitored by Threat Analysis page by selecting Subscribe. The member accounts that have been added are displayed. To access threat analysis and response for a specific account, find the account and click Access Threat Analysis and Response in the Actions column.