Asset Center discovers and inventories all domain name assets associated with your Alibaba Cloud account — including forgotten subdomains and non-Alibaba Cloud domains — and assesses each domain's risk level based on attack status and threat intelligence. Use it to identify unprotected high-risk domains and add them to WAF before they become entry points for attackers.
Prerequisites
Before you begin, ensure that you have:
A Web Application Firewall (WAF) 3.0 instance
An Alibaba Cloud account (RAM users cannot download the asset list)
How it works
Asset Center pulls configurations from Alibaba Cloud services — including Domains, SSL Certificates Service, and Alibaba Cloud DNS — and uses big data-enabled correlation analysis to identify domain names both on and off Alibaba Cloud.
For each discovered domain, Asset Center calculates a security score using threat intelligence and Alibaba Cloud's default attack detection capability, then assigns a risk level: high-risk, medium-risk, or low-risk. For assets added to WAF, asset fingerprints are identified through passive traffic analysis and active fingerprint scanning. Active scanning runs every two weeks and is enabled by default.
Asset Center detects domain names from Alibaba Cloud and third-party providers, including domains that resolve to non-Alibaba Cloud servers and domains used in on-premises data centers.
Step 1: Enable Asset Center
Log in to the WAF 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for your WAF instance.
In the left navigation pane, click Asset Center.
On the Asset Center page, click Enable Now.
You only need to grant these permissions once. If you have already done so, skip this step.
Enabling Asset Center for the first time automatically creates the AliyunServiceRoleForWAF service-linked role. This role grants your WAF instance access to associated Alibaba Cloud services — ECS, SLB, Alibaba Cloud DNS, Alibaba Cloud CDN, Digital Certificate Management Service, and SLS. To view the role, go to the Resource Access Management (RAM) console. For details, see View a RAM role.
After the role is created, WAF automatically scans your account for domain name assets and displays them on the Asset Center page.
Step 2: Add assets
If a primary domain name you want to monitor does not appear in the asset list, add it manually.
On the Overview tab of the Asset Center page, click Add Asset.
In the Add Asset dialog box, enter the domain name and verify ownership using one of the following methods:
DNS record verification (recommended): Add the TXT record provided by WAF at your DNS provider.
File verification: Upload the verification file provided by WAF to the root directory of your origin server. This requires operational permission on the origin server and a security group policy that allows access from all IP addresses so WAF can verify the file from the internet.
Click Add.
Manually added assets appear in Asset Center the next day (T+1).
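An added example (not part of the Alibaba Cloud documentation): a Python check that the TXT record from the Add Asset dialog is visible on public resolvers before you click Add. The record name, the placeholder value, and the resolver list are assumptions; copy the real name and value from the dialog.

```python
import shlex
import subprocess
import sys

def txt_values(dig_output):
    """Turn `dig +short TXT` output into a list of complete TXT strings.

    Each output line is one TXT record. A long record is printed as several
    quoted chunks, which are concatenated here before comparison.
    """
    values = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig comment/warning lines
        values.append("".join(shlex.split(line)))
    return values

def is_published(dig_output, expected):
    """True only if one TXT record equals the expected value exactly.

    Exact matching avoids a false pass when the value merely appears
    inside another record (for example an SPF or vendor TXT entry).
    """
    return expected in txt_values(dig_output)

def check_resolvers(name, expected, resolvers=("223.5.5.5", "8.8.8.8")):
    """Query each resolver with dig; returns {resolver: bool}. Needs network."""
    results = {}
    for resolver in resolvers:
        out = subprocess.run(
            ["dig", "+short", "TXT", name, "@" + resolver],
            capture_output=True, text=True, timeout=10,
        ).stdout
        results[resolver] = is_published(out, expected)
    return results

# Constructed sample of dig output: an unrelated SPF record plus the
# verification value split into two chunks. The value is a placeholder.
SAMPLE = (
    '"v=spf1 include:_spf.example.com ~all"\n'
    '"PLACEHOLDER-VALUE-" "FROM-WAF-CONSOLE"\n'
)

if __name__ == "__main__":
    # Usage: python check_txt.py <record-name> <value-from-dialog>
    for resolver, ok in check_resolvers(sys.argv[1], sys.argv[2]).items():
        print(resolver, "published" if ok else "not visible yet")
```

If any resolver reports the record as not visible, wait for DNS propagation before submitting the dialog.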
Step 3: View assets
On the Asset Center page, the Overview tab shows all discovered domain name assets.

Area 1 — Domain name asset summary
Displays the total number of primary domain names, the total number of subdomains and their day-over-day change, and the count of unprotected subdomains broken down by risk level (high-risk, medium-risk, low-risk).
Area 2 — Domain name asset details
WAF groups discovered domains by primary domain name. For each primary domain, the list shows:
| Column | Description |
|---|---|
| Second-level domain name | The primary domain name bound to the website |
| IP address | The IP address or CNAME of the website server |
| Protected subdomains | Number of subdomains protected by WAF |
| Unprotected subdomains | Number of unprotected subdomains, categorized by risk level |
To explore subdomains under a primary domain, click the icon to expand the row. You can filter by configuration status and risk level. Each subdomain shows:
| Column | Description |
|---|---|
| Subdomain | The subdomain bound to the website |
| IP address | The IP address or CNAME of the website server |
| Fingerprint | Website server fingerprint, identified through passive traffic analysis and active fingerprint scanning. Use the toggle in the upper-right corner of the asset list to enable or disable active fingerprint scanning. |
| Severity | Risk level based on attack trends over the last 30 days and threat intelligence data |
| Status | Whether the domain is protected by WAF: Not Added or Added |
To add an unprotected domain to WAF, click Add in the Actions column. For details, see Add a domain name to WAF using a CNAME record.
To search for a specific primary domain, enter a keyword in the search box above the asset list. Fuzzy search is supported.
The Details option in the Actions column — which shows threat information for a subdomain — is available only for WAF Enterprise and Ultimate edition instances.
Step 4: Export assets
On the Overview tab, select the primary domain names to export, then click the download icon in the upper-right corner to generate the export file.
Go to the Export Record tab in Asset Center and click Download to save the file.
The exported file is stored temporarily on Alibaba Cloud and deleted automatically after three days. Download it within this window.
Only the Alibaba Cloud account owner can download the asset list. RAM users cannot perform this action.