Security Center provides the Cloud Threat Detection and Response (CTDR) feature. You can use this feature to centrally manage alerts and logs of multiple cloud services within different accounts in a multi-cloud environment. The feature helps you improve O&M efficiency. To centrally manage multiple accounts and resources within an enterprise, you can use the Resource Directory service of Resource Management and configure the multi-account management feature. This topic describes how to configure the multi-account structure for the CTDR feature.
Terms
Before you use the CTDR feature to centrally manage multiple accounts and resources within an enterprise, you must understand the related terms.
Term | Description | Service
--- | --- | ---
management account | A management account is an Alibaba Cloud account that has passed enterprise real-name verification. After you use this Alibaba Cloud account to enable a resource directory, the account becomes the management account of the resource directory. The management account is the super administrator of the resource directory. It has all administrative permissions on the resource directory and on the folders and members in the resource directory. Each resource directory has only one management account. | Resource Management
member | A member is a resource account that is created in a resource directory. A member is used to isolate the resources of a project or an application on Alibaba Cloud from other resources. You can also invite existing Alibaba Cloud accounts to join your resource directory. After the owners of the Alibaba Cloud accounts accept the invitations, the accounts become members of the resource directory. These members are cloud accounts. | Resource Management
delegated administrator account | You can use the management account of a resource directory to specify a member in the resource directory as a delegated administrator account of a trusted service. After a member is specified as a delegated administrator account of a trusted service, the member can be used to access information about the resource directory in the trusted service, including the structure and members of the resource directory. The member can also be used to manage business within the resource directory. | Resource Management
global administrator account | If you log on to the Security Center console by using the global administrator account, you can switch to the global account view to configure log access policies for Alibaba Cloud accounts that are managed by the CTDR feature, configure threat detection rules, and handle security events. | Security Center
Multi-account structure
You can use the CTDR feature to centrally manage multiple Alibaba Cloud accounts and establish a multi-account structure. The examples in the following scenario and flowchart show how to establish a multi-account structure:
Scenario: Account A, Account B, Account C, Account D, and Account E belong to the same resource directory. Account A is the management account of the resource directory, and the other accounts are members of the resource directory. Account A specifies Account B as the delegated administrator account of the trusted service named Security Center - Threat Analysis. Account B can then centrally manage Account B, Account C, Account D, and Account E and perform the operations supported by the CTDR feature on them. The operations include log access, threat detection configuration, and security event handling.
Step 1: Purchase the CTDR feature
Before you can add logs of an Alibaba Cloud account to the CTDR feature, you must purchase a volume of log data that can be added to the feature for the account. After you purchase the volume of log data for each Alibaba Cloud account, the accounts can be managed by the global administrator account in a centralized manner. For more information, see Purchase and enable the CTDR feature.
If your Alibaba Cloud account is used to purchase the CTDR feature before the billing rules are changed, the members that belong to the same resource directory do not need to purchase the feature. For more information, see [Notice] Billing rules of Cloud Threat Detection and Response (CTDR) are changed.
Step 2: Establish a multi-account structure
The Alibaba Cloud accounts that can be added to a resource directory must belong to the same enterprise and pass enterprise real-name verification. You must enable a resource directory and specify the Alibaba Cloud account that is used to purchase the CTDR feature as the delegated administrator account.
Log on to the Resource Management console by using the management account of your resource directory.
The first time you use Resource Directory, choose ... in the left-side navigation pane and click Enable Resource Directory. Then, follow the on-screen instructions to enable a resource directory. For more information, see Enable a resource directory.
Create a member or invite an Alibaba Cloud account to join the resource directory.
Create a member: In the left-side navigation pane, choose ... to create a member. For more information, see Create a member.
Invite a member: Choose ... to invite an Alibaba Cloud account to join the resource directory. For more information, see Invite an Alibaba Cloud account to join a resource directory.
Specify the Alibaba Cloud account that is used to purchase the CTDR feature as the delegated administrator account.
In the left-side navigation pane, choose .... On the page that appears, click Manage in the Actions column of Security Center and Security Center - Threat Analysis. On the page that appears, specify the Alibaba Cloud account that is used to purchase the CTDR feature as the delegated administrator account of these trusted services. For more information, see Add a delegated administrator account.
Step 3: Add accounts to the CTDR feature for management
Log on to the Security Center console by using the Alibaba Cloud account that is used to purchase the CTDR feature. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose ....
The first time you use the multi-account management feature, click Enable Management in Security Center.
After you enable the multi-account management feature, the system automatically creates a service-linked role named AliyunServiceRoleForSasRd for the member. The delegated administrator account of Security Center can assume this role to access the Security Center console of the members in the resource directory. This way, you can protect resources for multiple members of your enterprise in a centralized manner and monitor the security status of the members in real time.
On the Configure tab, click the Account Monitored by Threat Analysis tab. If the Configure tab is not displayed, click the Account Monitored by Threat Analysis tab directly.
In the Total Monitored Accounts section, click Account Management.
In the Multi-account Management Settings panel, select your resource directory in the Resource Directory Node section and the Alibaba Cloud accounts that you want to add to the CTDR feature from the member list, and click OK.
If the AliyunServiceRoleForSasRd and AliyunServiceRoleForSasCloudSiem service-linked roles are not created for the selected member, the system automatically creates the roles for the member to enable related features when you select the member. For more information, see Service-linked roles for Security Center.
Step 4: Specify the global administrator account
The global administrator account can switch between the global account view and the current account view to use the CTDR feature. In the global account view, you can configure access policies for managed Alibaba Cloud accounts, configure threat detection rules, and handle security events. In the current account view, you can configure CTDR policies for the current account. You can perform the following operations to specify the Alibaba Cloud account that is used to purchase the CTDR feature as the global administrator account:
You can specify only one account as the global administrator account for the CTDR feature in each resource directory.
You cannot change the global administrator account after you specify the account. Proceed with caution.
In the Global Administrator Account section of the Account Monitored by Threat Analysis tab, click Settings.
In the Specify Global Administrator Account dialog box, select the required Alibaba Cloud account as the global administrator account and click OK.
The specified global administrator account must be a management account or a delegated administrator of the trusted service named Security Center - Threat Analysis in the Resource Management console and must be used to purchase the CTDR feature.
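The constraints in Step 3 and Step 4 (service-linked roles that are created for each selected member, a single global administrator per resource directory that must be the management account or the delegated administrator of Security Center - Threat Analysis, must be the account that purchased CTDR, and cannot be changed afterwards) can be checked before you click through the console. The following Python script is an added example and is not code from this topic or from Alibaba Cloud; it models those rules on constructed in-memory data (the 16-digit account IDs are made-up sample values) and calls no Alibaba Cloud API.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Trusted service and service-linked roles named in this topic.
TRUSTED_SERVICE = "Security Center - Threat Analysis"
REQUIRED_ROLES = ("AliyunServiceRoleForSasRd", "AliyunServiceRoleForSasCloudSiem")


@dataclass
class Account:
    account_id: str                                   # constructed sample ID, not a real account
    purchased_ctdr: bool = False                      # Step 1: log volume purchased for this account
    service_linked_roles: Set[str] = field(default_factory=set)


@dataclass
class ResourceDirectory:
    management_account: str                           # exactly one per resource directory
    accounts: Dict[str, Account]                      # management account plus members, keyed by ID
    delegated_admins: Dict[str, str] = field(default_factory=dict)  # trusted service -> account ID
    global_admin: Optional[str] = None


def eligible_global_admins(rd: ResourceDirectory) -> List[str]:
    """Step 4 rule: the global administrator must be the management account or the
    delegated administrator of the trusted service, and must be the account that
    purchased the CTDR feature. Returns the IDs that satisfy both conditions."""
    candidates = {rd.management_account}
    delegated = rd.delegated_admins.get(TRUSTED_SERVICE)
    if delegated is not None:
        candidates.add(delegated)
    return sorted(a for a in candidates if rd.accounts[a].purchased_ctdr)


def set_global_admin(rd: ResourceDirectory, account_id: str) -> None:
    """Specify the global administrator account. Only one is allowed per resource
    directory and it cannot be changed once set, so a second call is refused."""
    if rd.global_admin is not None:
        raise ValueError(
            f"global administrator is already {rd.global_admin} and cannot be changed")
    if account_id not in eligible_global_admins(rd):
        raise ValueError(
            f"{account_id} is not eligible: it must be the management account or the "
            f"delegated administrator of '{TRUSTED_SERVICE}' and must have purchased CTDR")
    rd.global_admin = account_id


def missing_service_linked_roles(rd: ResourceDirectory, member_ids: List[str]) -> Dict[str, List[str]]:
    """Step 3: for each member you intend to select, list the service-linked roles
    that do not exist yet. The console creates them automatically on selection;
    this reports what that selection will create so it can be reviewed beforehand."""
    return {
        m: [r for r in REQUIRED_ROLES if r not in rd.accounts[m].service_linked_roles]
        for m in member_ids
    }


def build_sample_directory() -> ResourceDirectory:
    """The scenario from this topic with constructed account IDs: A is the management
    account, B purchased CTDR and is the delegated administrator, C to E are members."""
    a, b, c, d, e = ("1000000000000001", "1000000000000002", "1000000000000003",
                     "1000000000000004", "1000000000000005")
    accounts = {
        a: Account(a),
        # B already has both roles because multi-account management was enabled from it.
        b: Account(b, purchased_ctdr=True, service_linked_roles=set(REQUIRED_ROLES)),
        c: Account(c, purchased_ctdr=True),   # purchased, but not delegated: not eligible
        d: Account(d),
        e: Account(e),
    }
    return ResourceDirectory(management_account=a, accounts=accounts,
                             delegated_admins={TRUSTED_SERVICE: b})


if __name__ == "__main__":
    rd = build_sample_directory()
    print("eligible global administrators:", eligible_global_admins(rd))
    print("roles to be created:", missing_service_linked_roles(rd, list(rd.accounts)))
    set_global_admin(rd, "1000000000000002")
    print("global administrator:", rd.global_admin)
```

In the sample, Account C has purchased CTDR but is neither the management account nor the delegated administrator, so it is rejected; Account A is the management account but did not purchase the feature, so it is rejected too. Only Account B passes, and once it is set the check refuses any further change, matching the note above that the global administrator account cannot be changed.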
Step 5: Add cloud service logs to the CTDR feature
After you log on to the Security Center console by using the global administrator account, you can add the logs of cloud services that belong to the current logon account, the managed accounts, and third-party cloud accounts to the CTDR feature for centralized monitoring and analysis of alerts and log data.
For more information about how to add logs of Alibaba Cloud services, see Add logs of Alibaba Cloud services.
For more information about how to add logs of third-party cloud services, see Add logs of third-party cloud services.
Step 6: Use the CTDR feature
After you complete the preceding operations, you can perform operations supported by the CTDR feature. For example, you can use the event analysis and Security Orchestration Automation Response (SOAR) features. The global administrator account can switch between the global account view and the current account view to manage the current account and all managed accounts.
For more information about how to use the CTDR features, see the following topics:
Use detection rules: You can use predefined and custom detection rules.
Handle security events: You can handle security events to improve the security of your system.
Use SOAR: You can use SOAR to implement orchestration in different systems and services based on specific logic. SOAR supports automated orchestration and quick response during security O&M.
Manage logs: You can use the log management feature to store and query standardized logs of cloud services. The feature helps you precisely identify alerts and trace attack sources to improve the efficiency of response to potential threats and simplify log management across environments.
References
Security Center provides the multi-account management feature. For more information, see Use the multi-account management feature.
For more information about Resource Directory, see Resource Directory overview.