All Products
Search
Document Center

Security Center:Add a third-party asset to Security Center

Last Updated:Jul 03, 2024

You can add assets that are from third-party cloud service providers to Security Center for centralized protection and management. The third-party cloud service providers include Tencent Cloud, Huawei Cloud, Amazon Web Services (AWS), and Microsoft Azure. This topic describes how to add a third-party asset to Security Center.

Adding methods

Security Center provides two methods for you to add third-party assets to Security Center. The two methods collect different data. You can select a method based on the data that you want to collect.

Method

Description

Data to collect

Manually install the Security Center agent on a third-party asset

If you use this method to add a third-party asset, the External host tag is added to the asset, and Security Center cannot identify the service provider of the asset.

IP address information, hostname, operating system type, and the number of CPU cores

Add a third-party asset by using the AccessKey pair of a third-party account

If you use this method, Security Center can identify the service provider of the asset and display the service provider of the asset on the Host page.

Important

If you use this method to add a third-party asset to Security Center, you must install the Security Center agent on the asset before you can use the protection capabilities of Security Center.

IP address information, hostname, operating system type, number of CPU cores, information about virtual private clouds (VPCs) of the third-party cloud, status of the asset, region of the asset, and service provider of the asset

Add a third-party asset by using the AccessKey pair of a third-party account

Security Center obtains the read permissions on third-party assets and synchronizes the information about the assets by using the AccessKey pair of an account that is created for the third-party cloud service provider to add the assets. This way, you can protect and manage your cloud assets by using Security Center in a centralized manner.

Add assets of Tencent Cloud, Huawei Cloud, and AWS to Security Center

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose System Configuration > Feature Settings.

  3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission and select Tencent Cloud, Huawei Cloud, or AWS from the drop-down list.

  4. In the Add Assets Outside Cloud panel, create a sub-account for the cloud service provider as prompted and add third-party cloud servers to Security Center.

    1. Log on to the platform of the third-party cloud service provider and create an AccessKey pair for the sub-account.

      You can select Quick Configuration or Manual Configuration.

      • Manual Configuration: Create a sub-account for the cloud service provider and authorize Security Center to use the AccessKey pair of the sub-account. We recommend that you use this method.

        You must grant the sub-account the permissions that are required by Security Center. Otherwise, Security Center cannot protect your third-party assets.

        Permissions required for the sub-account

        Asset type

        Tencent Cloud

        Huawei Cloud

        AWS

        Host Assets

        QcloudCVMReadOnlyAccess

        ECSReadOnlyAccess

        AmazonEC2ReadOnlyAccess

        Cloud product configuration check

        • CloudResourceReadOnlyAccess

        • QcloudCamReadOnlyAccess

        Not supported

        ReadOnlyAccess

        Threat Analysis

        For more information, see Handle security events.

        Not supported

      • Quick Configuration: After you authorize Security Center to use the AccessKey pair of a master account, Security Center automatically creates the AccessKey pair for a sub-account.

    2. In the Submit AccessKey Pair step, enter the obtained AccessKey pair, select the type of assets that you want to add, and then click Next.

      • Host Assets: Grant Security Center the read permissions on cloud servers within the third-party account.

      • Cloud product configuration check: Grant Security Center the read permissions on all cloud assets within the third-party account. If you want to use the configuration assessment feature to scan third-party assets, select this option.

      • Threat Analysis: Grant Security Center the read permissions on all cloud assets and write permissions on some cloud assets within the third-party account. If you want to use the threat analysis feature to manage the logs of third-party cloud assets in a centralized manner and interact with third-party cloud assets to handle alerts, select this option.

      Note

      The types of assets that you can add to Security Center vary based on the cloud service provider. The types that are displayed on the page shall prevail.

    3. In the Log Audit Settings step, specify the region where the third-party assets are deployed and the data synchronization frequency, and then click OK.

      Parameter

      Description

      Select Region

      Select the region where the assets within the third-party account are deployed. Security Center can synchronize the data within the third-party account to the data management center that you select in the top navigation bar of the Security Center console. The data management centers are China and Outside China.

      Region Management

      If you select this option, Security Center automatically synchronizes the data of the newly created assets in the specified region within the third-party account to the current data management center.

      If you do not select this option, newly created servers in the specified region are not automatically added to the current data management center.

      Host Asset Synchronization Frequency

      Select the interval at which Security Center automatically synchronizes the data of third-party cloud servers. If you select Disable, the data is not synchronized.

      Cloud Service Synchronization Frequency

      The interval at which Security Center automatically synchronizes the data of third-party cloud assets. If you select Disable, the data is not synchronized.

      Note

      This parameter is required only if you set the Permission description parameter to Cloud product configuration check.

      AK Service Status Check

      The interval at which Security Center automatically checks the validity of the AccessKey pair of the third-party account. If you select Disable, Security Center does not check the validity.

    4. Click Synchronize Assets to synchronize the data of assets within the third-party account to Security Center.

      • If you use the AccessKey pair of a master account, the data of the assets within all sub-accounts of the master account is automatically synchronized to Security Center.

      • If you use the AccessKey pair of a sub-account, the data of the assets within the sub-account is automatically synchronized to Security Center.

Add Microsoft Azure assets to Security Center

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose System Configuration > Feature Settings.

  3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission, and select Azure from the drop-down list.

  4. In the Add Assets Outside Cloud panel, create a sub-account for the cloud service provider as prompted and add third-party cloud servers to Security Center.

    1. Create a sub-account for the third-party cloud service provider.

      You must log on to the platform of the third-party cloud service provider and run a command to create a Microsoft Azure sub-account as prompted. You must obtain the following information from the command output: appId, displayName, name, password, and tenant.

      Important

      You must grant the read-only permissions on Microsoft.Compute permissions resources to the sub-account that you created.

    2. In the Submit AccessKey Pair step, configure the Enter an AppID, Enter a password, tenant, SubscriptionId, and Domain parameters, select the type of assets that you want to add to Security Center, and then click Next.

      You can add assets only of the Host Assets type to Security Center. This indicates that Security Center has the read permissions on cloud servers within the sub-account of the third-party cloud service provider.

    3. In the Log Audit Settings step, specify the region where the third-party assets are deployed and the data synchronization frequency, and then click OK.

      Parameter

      Description

      Select Region

      Select the region where the assets within the third-party account are deployed. Security Center can synchronize the data within the third-party account to the data management center that you select in the top navigation bar of the Security Center console. The data management centers are China and Outside China.

      Region Management

      If you select this option, Security Center automatically synchronizes the data of the newly created assets in the specified region within the third-party account to the current data management center.

      If you do not select this option, newly created servers in the specified region are not automatically added to the current data management center.

      Host Asset Synchronization Frequency

      Select the interval at which Security Center automatically synchronizes the data of third-party cloud servers. If you select Disable, the data is not synchronized.

      Cloud Service Synchronization Frequency

      The interval at which Security Center automatically synchronizes the data of third-party cloud assets. If you select Disable, the data is not synchronized.

      Note

      This parameter is required only if you set the Permission description parameter to Cloud product configuration check.

      AK Service Status Check

      The interval at which Security Center automatically checks the validity of the AccessKey pair of the third-party account. If you select Disable, Security Center does not check the validity.

    4. Click Synchronize Assets to synchronize the data of assets within the third-party account to Security Center.

      • If you use the AccessKey pair of a master account, the data of the assets within all sub-accounts of the master account is automatically synchronized to Security Center.

      • If you use the AccessKey pair of a sub-account, the data of the assets within the sub-account is automatically synchronized to Security Center.

Verify results

After you add third-party assets to Security Center, you can view the assets on the Assets page.

  • View assets that are added based on the Host Assets type

    You can go to the Assets > Host page to view the third-party cloud servers that are added to Security Center. For more information, see Server assets.

  • View assets that are added based on the Cloud product configuration check type

    You can go to the Assets > Cloud Product page to view the third-party assets that are added to Security Center based on the Cloud product configuration check type.

    You can find an asset and click View in the Actions column to view the basic information about the asset and the configuration check results of the asset. For more information, see View information about cloud services and Overview of configuration assessment.

    image.png

What to do next

If you use the AccessKey pair of the sub-account that is authorized to manage the assets to add third-party assets to Security Center, you must install the Security Center agent on the assets. This way, you can use the protection capabilities of Security Center. For more information about how to install the agent, see Install the Security Center agent.

More operations

After you add third-party assets to Security Center, Security Center automatically generates a policy for the service provider of the added assets. You can view, modify, or delete the policy of third-party assets on the Multi-cloud Configuration Management > Multi-cloud Assets tab.

image.png

  • You can click the image.png icon to the right of a policy to view the permission information and service status of the policy.

    The Service Status parameter of a policy is displayed as Normal only when the value of the Service Status parameter is Normal for all permissions specified in the policy. If the service status of a permission is abnormal, move the pointer over the image.png icon in the Service Status column to view the cause.

  • You can click Modify in the Actions column of a policy or a permission to modify the information about the policy, such as the AccessKey secret, asset type, and region.

  • You can enable, disable, or delete policies or permissions based on your business requirements.

    After you disable or delete policies or permissions, Security Center no longer synchronizes assets of the cloud service provider based on the policy or permission.