Add the cloud services on which you want to perform configuration checks - Security Center

You can use the configuration assessment feature only after you add the cloud services that you want to check to Security Center. The feature supports Alibaba Cloud services and third-party cloud services. The feature detects risks and vulnerabilities in the configurations of cloud services and provides suggestions and guidelines on how to handle the detected risks and vulnerabilities. You can use the feature to improve the security and reliability of your cloud services.

Prerequisites

The required permissions to use the configuration assessment feature are obtained. The feature is purchased based on the pay-as-you-go billing method or a sufficient quota for the feature is purchased. For more information, see Purchase and authorization.

View supported cloud services

The configuration assessment feature supports Alibaba Cloud services and third-party cloud services. You can view supported Alibaba Cloud services, supported third-party cloud service providers, and supported third-party cloud services in the Security Center console.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose Risk Governance > Configuration Assessment.
On the Configuration Assessment page, click the Configuration Check tab.
On the Configuration Check tab, select Cloud Service from the filter condition drop-down list and click Alibaba Cloud or a third-party cloud service provider, such as Tencent Cloud or AWS, to view the supported cloud services.

Add Alibaba Cloud services

Security Center automatically synchronizes Alibaba Cloud services that belong to the same Alibaba Cloud account as Security Center. No manual operations are required in this scenario.
If you want to check the configurations of Alibaba Cloud services that belong to different Alibaba Cloud accounts, you must add the accounts to Security Center by using the multi-account management feature. For more information, see Use the multi-account management feature.

You can manually synchronize cloud services from the current Alibaba Cloud account, different Alibaba Cloud accounts, and third-party cloud accounts that are added to Security Center.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose Assets > Cloud Product.
Click Synchronize Assets.

Add third-party cloud services

The configuration assessment feature supports only the third-party cloud services that are provided by Tencent Cloud, Amazon Web Services (AWS), and Microsoft Azure. You can add third-party cloud services to Security Center and use the configuration assessment feature to scan the services.

Step 1: Configure a third-party cloud account

Before you can add a third-party cloud service to Security Center, you must log on to the platform of the third-party cloud service provider, create a sub-account and an AccessKey pair for the account, and then grant the sub-account the permissions that are required for the configuration assessment feature.

Configure a sub-account on Tencent Cloud

Create a sub-account and an AccessKey pair for the account

Create a sub-account. For more information, see Creating Sub-User.

Grant the CloudResourceReadOnlyAccess and QcloudCamReadOnlyAccess permissions to the sub-account. For more information, see Authorization Management.

If you want to implement fine-grained access control for Security Center on Tencent Cloud assets, you can use custom policies.

Important

If Security Center introduces new check items to the configuration assessment feature, you must update the custom policies that are attached to the sub-account. This way, you can use the new check items to perform configuration checks. We recommend that you grant only the required permissions to the sub-account by using custom policies.

Create a custom policy based on policy syntax. In the following policy content, the value of action specifies the API operations that can be called. For more information, see Creating Custom Policies through Policy Syntax.

The following code shows the content of a policy. For more information, see Element Reference.

Policy content

{
	"version": "2.0",
	"statement": [{
			"effect": "allow",
			"action": [
				"cam:DescribeRoleList",
				"cam:DescribeSafeAuthFlagColl",
				"cam:GetPolicy",
				"cam:GetRole",
				"cam:GetRolePermissionBoundary",
				"cam:GetUser",
				"cam:GetUserPermissionBoundary",
				"cam:ListAccessKeys",
				"cam:ListAttachedRolePolicies",
				"cam:ListAttachedUserAllPolicies",
				"cam:ListCollaborators",
				"cam:ListUsers"
			],
			"resource": [
				"*"
			]
		},
		{
			"effect": "allow",
			"action": [
				"cbs:DescribeDiskAssociatedAutoSnapshotPolicy",
				"cbs:DescribeDisks",
				"cdb:DescribeAccountPrivileges",
				"cdb:DescribeAccounts",
				"cdb:DescribeAuditConfig",
				"cdb:DescribeBackupConfig",
				"cdb:DescribeDBFeatures",
				"cdb:DescribeDBInstances",
				"cdb:DescribeDBSecurityGroups"
			],
			"resource": [
				"*"
			]
		},
		{
			"effect": "allow",
			"action": [
				"clb:DescribeLoadBalancers",
				"clb:DescribeTargetHealth",
				"clb:DescribeTargets"
			],
			"resource": [
				"*"
			]
		},
		{
			"effect": "allow",
			"action": [
				"cvm:DescribeInstances"
			],
			"resource": [
				"*"
			]
		},
		{
			"effect": "allow",
			"action": [
				"cwp:DescribeAssetMachineDetail"
			],
			"resource": [
				"*"
			]
		},
		{
			"effect": "allow",
			"action": [
				"dcdb:DescribeDCDBInstances"
			],
			"resource": [
				"*"
			]
		},
		{
			"effect": "allow",
			"action": [
				"es:DescribeInstances"
			],
			"resource": [
				"*"
			]
		},
		{
			"effect": "allow",
			"action": [
				"mariadb:DescribeAccountPrivileges",
				"mariadb:DescribeAccounts",
				"mariadb:DescribeBackupTime",
				"mariadb:DescribeDBInstanceDetail",
				"mariadb:DescribeDBInstances",
				"mariadb:DescribeDBSecurityGroups"
			],
			"resource": [
				"*"
			]
		},
		{
			"effect": "allow",
			"action": [
				"postgres:DescribeBackupPlans",
				"postgres:DescribeDBInstanceSecurityGroups",
				"postgres:DescribeDBInstances"
			],
			"resource": [
				"*"
			]
		},
		{
			"effect": "allow",
			"action": [
				"redis:DescribeAutoBackupConfig",
				"redis:DescribeDBSecurityGroups",
				"redis:DescribeInstanceMonitorTopNCmd",
				"redis:DescribeInstances"
			],
			"resource": [
				"*"
			]
		},
		{
			"effect": "allow",
			"action": [
				"region:DescribeRegions"
			],
			"resource": [
				"*"
			]
		},
		{
			"effect": "allow",
			"action": [
				"ssl:DescribeCertificate",
				"ssl:DescribeCertificates"
			],
			"resource": [
				"*"
			]
		},
		{
			"effect": "allow",
			"action": [
				"tcr:DescribeInstances",
				"tcr:DescribeRepositories"
			],
			"resource": [
				"*"
			]
		},
		{
			"effect": "allow",
			"action": [
				"vpc:DescribeNetworkAcls",
				"vpc:DescribeSecurityGroupPolicies",
				"vpc:DescribeSecurityGroups",
				"vpc:DescribeSubnets"
			],
			"resource": [
				"*"
			]
		},
		{
			"effect": "allow",
			"action": [
				"mysql:DescribeDBInstances"
			],
			"resource": [
				"*"
			]
		}
	]
}

Attach the custom policy that you create to the sub-account to allow Security Center to access Tencent Cloud assets within the sub-account. For more information, see Authorization Management.

Create an AccessKey pair for the sub-account. For more information, see Access Key.

Configure audit log settings

If you want to add the logs of system activities or operations from third-party cloud services to Security Center, configure a log service on the platform of the third-party cloud service provider and grant Security Center the read permissions on the log service.

Important

If you configure audit log settings, the Kafka and logset that you specify are used for configuration checks of cloud services based on the check items of the Cloud Infrastructure Entitlements Management (CIEM) type. If you do not configure audit log settings, you cannot check the configurations of cloud services by using the check items of the CIEM type.

Log on to the Cloud Log Service (CLS) console of Tencent Cloud and create a log topic. For more information, see Managing Log Topic.
Important
We recommend that you select the same region for CLS and the cloud services that you want to add.
Log on to the CloudAudit console of Tencent Cloud and create a tracking set to deliver logs. For more information, see Shipping Log with Tracking Set.
To create a tracking set, configure the following parameters:
- Manage Event Type: Select All.
- Resource Type: Select All Resource Types.
- Shipping Location: Select Ship the event to CLS and specify the created log topic as the topic of the logs to deliver. Then, select Complement Events in Last Three Months (90 Days).
Create a custom policy and attach the policy to the sub-account that you want to add to Security Center.
Use the following code to create the custom policy:
```
{
    "statement": [
        {
            "action": [
                "cls:OpenKafkaConsumer"
            ],
            "effect": "allow",
            "resource": [
                "qcs::cls:${Region ID of CLS}:uin/${Master Account ID}:topic/${CLS Topic ID}",
                "qcs::cls:${Region ID of CLS}:uin/${Master Account ID}:logset/${CLS Logset ID}"
            ]
        }
    ],
    "version": "2.0"
}
```
You must replace the variables in the preceding code with the actual information about your log topic. To obtain the information, go to the basic information page of your log topic.
- ${CLS Topic ID}: Enter the value of the Log Topic ID parameter.
- ${CLS Logset ID}: Enter the value of the Logset ID parameter.
- ${Region ID of CLS}: Enter the region ID that corresponds to the value of the Region parameter.
- ${Master Account ID}: Enter the ID of the master account. You can click the profile picture in the upper-right corner to obtain the ID.
Obtain the Kafka topic name, Kafka public endpoint, and logset ID for your log topic. These details are required when you add the sub-account to Security Center.
- Go to the basic information page of your log topic and obtain the value of the Logset ID parameter.
- Go to the Kafka consumption page and obtain the Kafka topic name and Kafka public endpoint. For more information, see Consumption over Kafka.

Configure a sub-account on AWS

Create a sub-account and an AccessKey pair for the account

Log on to the IAM Identity Center console and create an Identity and Access Management (IAM) user. For more information, see Add users.
Grant the ReadOnlyAccess permission to the IAM user. For more information, see Adding permissions to a user (console).

Configure audit log settings

Important

If you configure audit log settings, the Amazon Simple Queue Service (SQS) queue that you specify is used in configuration checks of cloud services based on the check items of the CIEM type. If you do not configure audit log settings, you cannot check the configurations of cloud services by using the check items of the CIEM type.

Log on to the Amazon SQS console and create an SQS queue. For more information, see Creating an Amazon SQS standard queue and sending a message or Creating an Amazon SQS FIFO queue and sending a message.
Log on to the Amazon Simple Storage Service (Amazon S3) console and select an existing S3 bucket or create an S3 bucket. For more information, see Step 1: Create your first S3 bucket.
Important
Make sure that the S3 bucket and SQS queue reside in the same region.
Enable CloudTrail event logging for the S3 bucket and related objects. For more information, see Enabling CloudTrail event logging for S3 buckets and objects.
Important
When you create a CloudTrail trail, do not set the Log file SSE-KMS encryption parameter to Enabled.
Log on to the Amazon S3 console and enable event notifications for the S3 bucket. For more information, see Enabling and configuring event notifications using the Amazon S3 console.
- Event types: Select Send.
- Destination: Select SQS Queue and enter the Amazon Resource Name (ARN) of the SQS queue.

Create a custom policy that grants read and write permissions on the S3 bucket to the SQS queue. For more information, see Creating IAM policies.

Use the following code to create the custom policy:

{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${Account ID}:root"
      },
      "Action": "SQS:*",
      "Resource": "${System-provided SQS Queue ARN}"
    },
    {
            "Sid": "example-statement-ID",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "SQS:SendMessage"
            ],
            "Resource": "${System-provided SQS Queue ARN}",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:*:*:${S3 Bucket Name}"
                }
            }
        }
  ]
}

You can obtain the ID of the sub-account and the ARN of the SQS queue in the default policy of the SQS queue. Replace ${Account ID} and ${System-provided SQS ARN} in the preceding code with the obtained information.
You can obtain the name of the S3 bucket on the details page of the bucket. Replace ${S3 Bucket Name} in the preceding code with the obtained information.

Attach the custom policy to the IAM user. For more information, see Adding permissions to a user (console).
Go to the details page of the SQS queue and obtain the name and region ID of the SQS queue. These details are required when you add the IAM user to Security Center.

Configure a sub-account on Azure

Install the Azure CLI on your operating system. For more information, visit How to install the Azure CLI.
If your operating system is Linux Ubuntu, run the following code to update repository information and install the azure-cli package:
```
sudo apt-get update
sudo apt-get install azure-cli
```
Use the Azure CLI to log on to Azure. Run the following command and enter the logon information of the required Azure account.
- User of Microsoft Azure operated by 21Vianet
  Switch the current Azure environment to China by running the following command to set cloud of Azure to AzureChinaCloud:
```
az cloud set -n AzureChinaCloud
az login
```
- User of Microsoft Azure not operated by 21Vianet
```
az login
```
Run the following command to query AccessKey pair information.
Replace [your-account-ID] with a custom username for which you want to create an AccessKey pair. Replace ID1, ID2, and ID3 with the IDs of the Azure subscriptions that you want to add to Security Center.
```
az ad sp create-for-rbac \
--name [your-account-ID] \
--role Reader \
--scopes /subscriptions/[ID1, ID2, ID3]
```
The following figure shows the AccessKey pair information.

Step 2: Add the AccessKey pair of the third-party cloud account to Security Center

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose System Configuration > Feature Settings.
On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission. Then, select Tencent Cloud, AWS, or Azure from the drop-down list.
In the Edit Multi-cloud Configuration panel, select Manual Configuration. Then, select Configuration Assessment below Permission Description and click Next. Security Center is granted the read permissions on all cloud services within the third-party cloud account.
In the Submit AccessKey Pair step, enter the AccessKey pair of the third-party cloud account, select the region of the account, and then click Next.
If you select Tencent Cloud or AWS, you can add audit logs.
If you want to add audit logs, configure the audit log settings in the Log Audit Settings step and click Next. If you do not want to add audit logs, click Skip.
- When you add the sub-account of Tencent Cloud, enter the obtained Kafka topic name, Kafka public endpoint, and logset ID of the log topic in sequence.
- When you add the sub-account of AWS, enter the obtained region ID and name of the SQS queue in sequence.

In the Policy Configuration step, configure the region where the third-party assets are deployed and the data synchronization frequency, and then click OK.

Parameter	Description
Region	The region of the assets that you want to add to Security Center.
Region Management	If you select this option, assets in subsequently supported regions are automatically added to Security Center.
Cloud Service Synchronization Frequency	The interval at which Security Center automatically synchronizes the data of third-party cloud services. If you select Disable, the data is not synchronized.
AK Service Status Check	The interval at which Security Center automatically checks the validity of the AccessKey pair of the third-party cloud account. If you select Disable, Security Center does not check the validity of the AccessKey pair.

Click Synchronize Assets to synchronize the assets within the third-party cloud account to Security Center.

References

For more information about the details and billing methods of the configuration assessment feature, see Overview of configuration assessment.
For more information about how to perform configuration checks and handle the detected risk items, see Use the configuration assessment feature.
For more information about how to call an API operation to perform configuration checks, see SubmitCheck.