All Products
Search
Document Center

Security Center:Centrally manage multiple accounts

Last Updated:Oct 15, 2024

Security Center provides the Cloud Threat Detection and Response (CTDR) feature. You can use this feature to centrally manage alerts and logs of multiple cloud services within different accounts in a multi-cloud environment. The feature helps you improve O&M efficiency. To centrally manage multiple accounts and resources within an enterprise, you can use the Resource Directory service of Resource Management and configure the multi-account management feature. This topic describes how to configure the multi-account structure for the CTDR feature.

Terms

Before you use the CTDR feature to centrally manage multiple accounts and resources within an enterprise, you must understand the related terms.

Term

Description

Service

management account

A management account is an Alibaba Cloud account that has passed enterprise real-name verification. After you use this Alibaba Cloud account to enable a resource directory, the account becomes the management account of the resource directory. The management account is the super administrator of the resource directory. It has all administrative permissions on the resource directory and the folders and members in the resource directory. Each resource directory has only one management account.

Resource Management

member

A member is a resource account that is created in a resource directory. A member is used to isolate the resources of a project or an application on Alibaba Cloud from other resources. You can invite existing Alibaba Cloud accounts to join your resource directory. After the owners of the Alibaba Cloud accounts accept the invitations, the accounts become the members of the resource directory. These members are cloud accounts.

delegated administrator account

You can use the management account of a resource directory to specify a member in the resource directory as a delegated administrator account of a trusted service. After a member is specified as a delegated administrator account of a trusted service, the member can be used to access information about the resource directory in the trusted service. The information includes the structure and members of the resource directory. The member can also be used to manage business within the resource directory.

global administrator account

If you log on to the Security Center console by using the global administrator account, you can switch to the global account view to configure log access policies for Alibaba Cloud accounts that are managed by the CTDR feature, configure threat detection rules, and handle security events.

Security Center

Multi-account structure

You can use the CTDR feature to centrally manage multiple Alibaba Cloud accounts and establish a multi-account structure. The examples in the following scenario and flowchart show how to establish a multi-account structure:

Scenario: Account A, Account B, Account C, Account D, and Account E belong to the same resource directory. Account A is the management account of the resource directory, and the other accounts are the members of the resource directory. Account A specifies Account B as the delegated administrator account of the trusted service named Security Center - Threat Analysis to centrally manage Account B, Account C, Account D, and Account E that perform operations supported by the CTDR feature. The operations include log access, threat detection configuration, and security event handling.

image

Step 1: Purchase the CTDR feature

Before you can add logs of an Alibaba Cloud account to the CTDR feature, you must purchase a volume of log data that can be added to the feature for the account. After you purchase the volume of log data for each Alibaba Cloud account, the accounts can be managed by the global administrator account in a centralized manner. For more information, see Purchase and enable the CTDR feature.

Important

If your Alibaba Cloud account is used to purchase the CTDR feature before the billing rules are changed, the members that belong to the same resource directory do not need to purchase the feature. For more information, see [Notice] Billing rules of Cloud Threat Detection and Response (CTDR) are changed.

Step 2: Establish a multi-account structure

The Alibaba Cloud accounts that can be added to a resource directory must belong to the same enterprise and pass enterprise real-name verification. You must enable a resource directory and specify the Alibaba Cloud account that is used to purchase the CTDR feature as the delegated administrator account.

  1. Log on to the Resource Management console by using the management account of your resource directory.

  2. The first time you use Resource Directory, choose Resource Directory > Overview in the left-side navigation pane and click Enable Resource Directory. Then, follow the on-screen instructions to enable a resource directory. For more information, see Enable a resource directory.

  3. Create a member or invite an Alibaba Cloud account to join the resource directory.

    • Create a member: In the left-side navigation pane, choose Resource Directory > Create Member Account to create a member. For more information, see Create a member.

    • Invite a member: Choose Resource Directory > Invite Member to invite an Alibaba Cloud account to join the resource directory. For more information, see Invite an Alibaba Cloud account to join a resource directory.

  4. Specify the Alibaba Cloud account that is used to purchase the CTDR feature as the delegated administrator account.

    In the left-side navigation pane, choose Resource Directory > Trusted Services. On the page that appears, click Manage in the Actions column of Security Center and Security Center - Threat Analysis. On the page that appears, specify the Alibaba Cloud account that is used to purchase the CTDR feature as the delegated administrator account of these trusted services. For more information, see Add a delegated administrator account.

    image

Step 3: Add accounts to the CTDR feature for management

  1. Log on to the Security Center console by using the Alibaba Cloud account that is used to purchase the CTDR feature. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose System Configuration > Multi-account Management.

  3. The first time you use the multi-account management feature, click Enable Management in Security Center.

    After you enable the multi-account management feature, the system automatically creates a service-linked role named AliyunServiceRoleForSasRd for the member. The delegated administrator account of Security Center can assume this role to access the Security Center console of the members in the resource directory. This way, you can protect resources for multiple members of your enterprise in a centralized manner and monitor the security status of the members in real time.

  4. On the Multi-account Management > Configure tab, click the Account Monitored by Threat Analysis tab.

    If the Configure tab is not displayed, click the Account Monitored by Threat Analysis tab.

  5. In the Total Monitored Accounts section, click Account Management.

  6. In the Multi-account Management Settings panel, select your resource directory in the Resource Directory Node section and the Alibaba Cloud accounts that you want to add to the CTDR feature from the member list, and click OK.

    If the AliyunServiceRoleForSasRd and AliyunServiceRoleForSasCloudSiem service-linked roles are not created for the selected member, the system automatically creates the roles for the member to enable related features when you select the member. For more information, see Service-linked roles for Security Center.

Step 4: Specify the global administrator account

The global administrator account can switch between the global account view and the current account view to use the CTDR feature. In the global account view, you can configure access policies for managed Alibaba Cloud accounts, configure threat detection rules, and handle security events. In the current account view, you can configure CTDR policies for the current account. You can perform the following operations to specify the Alibaba Cloud account that is used to purchase the CTDR feature as the global administrator account:

Important
  • You can specify only one account as the global administrator account for the CTDR feature in each resource directory.

  • You cannot change the global administrator account after you specify the account. Proceed with caution.

  1. In the Global Administrator Account section of the Account Monitored by Threat Analysis tab, click Settings.

  2. In the Specify Global Administrator Account dialog box, select the required Alibaba Cloud account as the global administrator account and click OK.

    The specified global administrator account must be a management account or a delegated administrator of the trusted service named Security Center - Threat Analysis in the Resource Management console and must be used to purchase the CTDR feature.

Step 5: Add cloud service logs to the CTDR feature

After you log on to the Security Center console by using the global administrator account, you can add the logs of cloud services that belong to the current logon account and managed accounts, and logs of cloud services that belong to third-party cloud accounts to the CTDR feature for centralized monitoring and analysis of alerts and log data.

Step 6: Use the CTDR feature

After you complete the preceding operations, you can perform operations supported by the CTDR feature. For example, you can use the event analysis and Security Orchestration Automation Response (SOAR) features. The global administrator account can switch between the global account view and the current account view to manage the current account and all managed accounts.

image

For more information about how to use the CTDR features, see the following topics:

  • Use detection rules: You can use predefined and custom detection rules.

  • Handle security events: You can handle security events to improve the security of your system.

  • Use SOAR: You can use SOAR to implement orchestration in different systems and services based on specific logic. SOAR supports automated orchestration and quick response during security O&M.

  • Manage logs: You can use the log management feature to store and query standardized logs of cloud services. The feature helps you precisely identify alerts and trace attack sources to improve the efficiency of response to potential threats and simplify log management across environments.

References