Security Center supports provisioning e-Surfing Cloud accounts to centralize asset management across cloud providers. Once provisioned, Security Center performs unified threat monitoring, event detection, and policy enforcement across your multi-cloud environment.
This guide uses a dedicated sub-account AccessKey — the recommended approach for production environments because it limits permissions to exactly what Security Center needs and keeps the integration auditable.
Prerequisites
Before you begin, ensure that you have:
An active e-Surfing Cloud account with IAM administrator access
An Alibaba Cloud account with access to Security Center
Step 1: Create authorization credentials in e-Surfing Cloud
Create a dedicated user group and user in the e-Surfing Cloud Identity and Access Management (IAM) console, then generate an AccessKey pair for Security Center to use.
1.1 Log in to the IAM console
Log in to the e-Surfing Cloud console.
In the upper-right corner, click Account and select Account Center from the drop-down list.
On the Account Center page, click Identity and Access Management in the navigation bar to open the IAM console.
1.2 Create a dedicated user group
In the IAM console, select User Groups from the left navigation pane.
On the User Groups page, click Create User Group in the upper-right corner.
In the dialog box, set the following:
User Group Name: Enter a descriptive name, such as AliyunSAS-Integration.
User Group Description: Describe the purpose of the group to make it easier to manage later.
1.3 Grant policies to the user group
Return to the user group list. In the Actions column for the group you created, click Grant.
On the Select Policy tab, select the access policies for the Security Center features you plan to use.
The following table lists the policies required for each feature:
| Feature | Policy | Authorization scope |
|---|---|---|
| Cloud Security Posture Management (CSPM) | ecs viewer — observer permissions for the host service | Resource Pool |
| Cloud Security Posture Management (CSPM) | ctiam viewer — observer permissions for identity authentication | Global |
Because ecs viewer and ctiam viewer have different authorization scopes, you must grant them in two separate operations. You can only grant policies with the same scope in a single operation.
On the Set Minimum Authorization Scope tab, set the authorization scope for each policy.
The default scope is Global Resources. Evaluate the appropriate scope before saving.
The supported scopes for each policy are:
ecs viewer: Specified Resource Pools, Global Resources, or Specified Enterprise Projects
ctiam viewer: Global Resources or Specified Enterprise Projects
To add threat detection support for more e-Surfing Cloud products, grant the corresponding policies listed in Appendix: e-Surfing Cloud product access policies.
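The single-scope-per-operation rule above and the per-policy scope list are easy to get wrong in a larger environment, so here is an added planning example (not Security Center or e-Surfing Cloud code) that groups the requested policies into the grant operations the console will accept and checks that each chosen scope is one the policy supports. The policy and scope tables in it are constructed from the text of this step only; the function names are assumptions for illustration.

```python
"""Plan IAM grant operations for the Security Center user group.

Added example, not part of the e-Surfing Cloud or Security Center product.
It models the constraint in this guide (one authorization operation may only
contain policies that share an authorization scope) and checks that the scope
chosen for each policy is one the policy supports. All tables below are
constructed from the text of this guide.
"""
from collections import defaultdict

# Scopes each policy supports, as listed in step 1.3 (constructed from the guide).
SUPPORTED_SCOPES = {
    "ecs viewer": {"Specified Resource Pools", "Global Resources", "Specified Enterprise Projects"},
    "ctiam viewer": {"Global Resources", "Specified Enterprise Projects"},
}

DEFAULT_SCOPE = "Global Resources"  # the console default noted in the guide


def plan_grant_operations(requested):
    """Group {policy: scope} into batches that can each be granted in one operation.

    Returns a list of {"scope": ..., "policies": [...]} batches, ordered by scope
    name for determinism. Raises ValueError for an unknown policy or a scope the
    policy does not support, so the mistake is caught before the console rejects it.
    """
    by_scope = defaultdict(list)
    for policy, scope in requested.items():
        supported = SUPPORTED_SCOPES.get(policy)
        if supported is None:
            raise ValueError(f"unknown policy: {policy}")
        if scope not in supported:
            raise ValueError(f"{policy} does not support scope {scope!r}; "
                             f"supported: {sorted(supported)}")
        by_scope[scope].append(policy)
    return [{"scope": s, "policies": sorted(p)} for s, p in sorted(by_scope.items())]


def wider_than_necessary(requested):
    """Return policies left at the Global Resources default although a narrower scope exists.

    These are the entries the guide asks you to evaluate before saving.
    """
    return sorted(p for p, s in requested.items()
                  if s == DEFAULT_SCOPE and len(SUPPORTED_SCOPES[p]) > 1)


if __name__ == "__main__":
    # Constructed request matching the CSPM table in this guide.
    request = {"ecs viewer": "Specified Resource Pools", "ctiam viewer": "Global Resources"}
    for batch in plan_grant_operations(request):
        print(f"Grant operation ({batch['scope']}): {', '.join(batch['policies'])}")
    print("Still at the Global default, review before saving:", wider_than_necessary(request))
```

With the CSPM request from the table, the planner produces two separate operations (one for Global Resources, one for Specified Resource Pools), which is exactly why the guide says the two viewer policies must be granted in two steps.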
1.4 Create a user and add them to the group
In the IAM console, click Users in the left navigation pane.
On the Users page, click Create User in the upper-right corner.
On the Configure User Basic Information tab, fill in the following fields, then click Next:
Username: Enter a descriptive name, such as AliyunSAS-User.
Phone Number: Required.
Access Method: Select OpenAPI access.
Set Password: Select Auto-generate password.
To also allow console login, select Console as an additional access method.
On the Add to User Group tab, select the group you created and click Add to move it to the Selected User Groups list.
Click Next.
1.5 Create and save the AccessKey pair
Return to the user list, find the user you just created, and click View in the Actions column.
On the user details page, click the Security Settings tab. In the AccessKey section, click Create AccessKey.
After the key is created, a dialog box displays the AccessKey ID and SecurityKey.
Save the AccessKey pair immediately. The key information is not shown again after you close the dialog box.
Step 2: Complete the provisioning in Security Center
2.1 Navigate to the authorization page
Log in to the Security Center console.
In the left navigation pane, choose System Settings > Feature Settings. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission and select e-Surfing Cloud.
2.2 Configure provisioning credentials
In the Add Assets Outside Cloud panel, under Select the modules to authorize, select the Security Center modules to enable, then click Next.
Currently, only CSPM is supported.
On the Submit AccessKey Pair page, enter the credential information from Step 1:
Enter Sub-account Secret ID: The AccessKey ID you created.
Enter Sub-account Secret Key: The SecurityKey you created.
Domain (Select Chinese Edition for China and International Edition for others): Select the domain that matches the region of your e-Surfing Cloud account.
Click Next. Security Center automatically validates the credentials and permissions.
If validation fails, see Credential check fails after entering the AccessKey pair.
2.3 Configure a synchronization policy
Set the following options:
Select region: Choose the e-Surfing Cloud regions whose assets you want to provision.
Synchronized asset data is stored in the data center corresponding to the Security Center region you selected in the upper-left corner:
Chinese Mainland: China (Mainland) data center
Outside Chinese Mainland: Singapore data center
Region Management (recommended): When enabled, assets in new regions under this e-Surfing Cloud account are automatically synchronized — no manual addition needed.
AK Service Status Check: Set the interval at which Security Center checks the validity of the AccessKey. Select Shutdown to disable the check.
After configuring all options, click Synchronize Assets. Security Center automatically syncs the assets under the e-Surfing Cloud account.
Step 3: View provisioned assets
In the Security Center console, go to Assets > Cloud Product. In the All Alibaba Cloud Services navigation pane, click e-Surfing Cloud to view the provisioned assets.
For details on managing cloud product assets, see View cloud product information.
Ongoing maintenance
Rotate the AccessKey
Rotate the AccessKey pair regularly to maintain account security:
In the e-Surfing Cloud IAM console, create a new AccessKey pair for the dedicated IAM user.
In Security Center, go to System Settings > Feature Settings > Multi-cloud Configuration Management > Multi-cloud Assets. Find the e-Surfing Cloud account, click Edit, and update the AccessKey ID and SecurityKey with the new credentials.
Verify that the new key successfully syncs assets, then return to the e-Surfing Cloud IAM console and delete the old AccessKey pair.
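The order of the three rotation steps matters: the old key is deleted only after the new one has been proven to sync. The following added example (not Security Center's or e-Surfing Cloud's code) runs that sequence against constructed in-memory stand-ins for the IAM key list and the multi-cloud connection, and rolls back to the old key if verification fails. The class and method names are assumptions for illustration, not the products' APIs.

```python
"""Safe AccessKey rotation order, as an added example (not Security Center's
or e-Surfing Cloud's code). The IAM service and the Security Center
connection are constructed in-memory stand-ins so the sequence runs offline.
The point demonstrated is the ordering from this guide: create the new key,
update the connection, verify a sync with the new key, and only then delete
the old key, rolling back if verification fails.
"""
import secrets


class IamKeyStore:
    """Constructed stand-in for the dedicated IAM user's AccessKey list."""

    def __init__(self):
        self.keys = {}  # access_key_id -> secret

    def create_access_key(self):
        ak_id = "AK" + secrets.token_hex(8)      # constructed id format
        secret = secrets.token_hex(16)
        self.keys[ak_id] = secret
        return ak_id, secret

    def delete_access_key(self, ak_id):
        self.keys.pop(ak_id, None)

    def is_valid(self, ak_id, secret):
        return self.keys.get(ak_id) == secret


class MultiCloudConnection:
    """Constructed stand-in for the e-Surfing Cloud entry under Multi-cloud Assets."""

    def __init__(self, iam, ak_id, secret):
        self.iam = iam
        self.ak_id, self.secret = ak_id, secret

    def update_credentials(self, ak_id, secret):
        self.ak_id, self.secret = ak_id, secret

    def sync_assets(self):
        # A sync succeeds only if the configured pair is still valid in IAM.
        return self.iam.is_valid(self.ak_id, self.secret)


def rotate_access_key(iam, conn, verify=None):
    """Rotate the connection's key; return the new key id, or None if rolled back.

    `verify` lets the caller inject a different verification step (by default
    the connection's own sync is used). On failure the new key is deleted and
    the connection is restored to the old key, which is never deleted first.
    """
    old_id, old_secret = conn.ak_id, conn.secret
    new_id, new_secret = iam.create_access_key()      # step 1: create the new pair
    conn.update_credentials(new_id, new_secret)        # step 2: update Security Center
    ok = (verify or conn.sync_assets)()                # step 3: verify a sync succeeds
    if not ok:
        conn.update_credentials(old_id, old_secret)    # roll back; old key is still valid
        iam.delete_access_key(new_id)
        return None
    iam.delete_access_key(old_id)                      # step 4: retire the old key last
    return new_id


if __name__ == "__main__":
    iam = IamKeyStore()
    first_id, first_secret = iam.create_access_key()
    conn = MultiCloudConnection(iam, first_id, first_secret)
    print("rotated to:", rotate_access_key(iam, conn))
    print("keys left in IAM:", len(iam.keys))
```

The rollback branch is the part worth keeping in mind: because the old key is still present in IAM until the new key has synced, a failed verification leaves the integration working on the old credentials rather than locked out.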
Add support for more e-Surfing Cloud products
To provision assets for a new e-Surfing Cloud product — for example, a newly purchased Distributed Cache Service for Redis:
In the e-Surfing Cloud IAM console, grant the corresponding access policy to the dedicated user group (for example, Distributed Cache Redis Viewer). For the full list of policies, see Appendix: e-Surfing Cloud product access policies.
Security Center automatically discovers the newly authorized assets during the next synchronization. To sync immediately, go to System Settings > Feature Settings > Multi-cloud Configuration Management > Multi-cloud Assets and click Sync Latest Assets.
Delete the connection
If you no longer need to manage an e-Surfing Cloud account through Security Center:
On the Multi-cloud Configuration Management page, find the e-Surfing Cloud account and click Delete.
Security Center stops monitoring and scanning all assets under that account, and the related asset information is removed.
For security, also delete or disable the dedicated IAM user in the e-Surfing Cloud IAM console.
Appendix: e-Surfing Cloud product access policies
The list of supported e-Surfing Cloud products is continuously updated. For the current list, refer to the Security Center console.
| Policy name | Description |
|---|---|
| KAFKA viewer | Default viewer policy for the distributed Message Service for Kafka CTIAM product |
| Distributed Cache Redis Viewer | Read-only permissions for Distributed Cache Service for Redis instances |
| zos viewer | Observer permissions for Object Storage Service |
| RocketMQ-MQ2 viewer | Read-only access permissions for the distributed Message Service for RocketMQ-MQ2 |
| elb admin | Administrator permissions for Server Load Balancer |
| ebs viewer | Observer permissions for Elastic Block Storage. Important: Set the minimum authorization scope to Specified Enterprise Projects. |
| ecs user | User permissions for the host service |
FAQ
Some provisioned e-Surfing Cloud resources are missing from Security Center
Check these three things in order:
Region selection: Confirm that the region where the missing resource is located is selected in the provisioning configuration.
Synchronization latency: After initial provisioning or a configuration change, asset sync can take some time. Wait for the sync to complete.
Insufficient permissions: Verify that the AccessKey pair has the read-only permissions required to query the affected resource type.
Credential check fails after entering the AccessKey pair
The check fails for one of three reasons:
Permission issue: The AccessKey pair lacks the required permissions. Return to Step 1.3 and add the missing access policies.
Account issue: The AccessKey pair has expired. Confirm that the AccessKey pair is valid and has not expired.
Region mismatch: The selected domain does not match the region of your e-Surfing Cloud account. Go back to the Domain field, switch to the other available domain, and resubmit.
Cannot select a policy when adding an e-Surfing Cloud access policy
This is a limitation of e-Surfing Cloud: a single authorization operation can only include policies with the same scope — either Resource Pool-level or Global-level. Grant the two policy types in separate operations.