Overview

Last Updated: Feb 23, 2024

To prevent cloud services from being attacked because of configuration errors and improper operations, Security Center provides the configuration assessment feature. You can use the feature to check, from multiple dimensions, whether risks and errors exist in the configurations of your cloud services. This helps reduce the risks that configuration errors cause and improves the security of your cloud services. This topic describes the basic information and billing of the configuration assessment feature.

Feature description

Security Center allows you to check whether risks and errors exist in the configurations of your cloud services from the following dimensions: cloud infrastructure entitlements management (CIEM), security risk management, and compliance risk management. The check results are classified and displayed by risk level to help you understand the configuration risks of your cloud services. Security Center also provides optimization suggestions for and solutions to each risk item to help you better manage cloud resources and ensure the security of the running environment of your cloud services.

The following list describes the dimensions from which you can check the configurations of your cloud services.

  • CIEM

    CIEM is a service that integrates cloud security assessment and authorization management to manage the permissions to use and access cloud platforms.

    Security Center manages identities and permissions on cloud platforms based on CIEM. You can check whether issues exist, such as excessive authorization and password expiration. This helps identify and resolve issues related to permission management at the earliest opportunity and improve the security and reliability of cloud platforms.

  • Security risk management

    Best security practices are security measures and solutions that cloud service providers have accumulated over the years to maximize the security of your data and business.

    Security Center checks the security configurations, code vulnerabilities, and logging configurations of business systems and identifies potential configuration errors on cloud platforms based on the best security practices of different cloud service providers. This helps maximize the security of your data and business.

  • Compliance risk management

    Center for Internet Security (CIS) benchmarks are internationally recognized security standards for defending IT systems and data against cyberattacks.

    Security Center checks and manages the compliance risks of cloud platforms in a comprehensive manner and identifies weak configurations that do not meet CIS benchmarks. This helps handle the weak configurations at the earliest opportunity and maximize the security of your data and business.

Billing

Billing formula

You are charged for the configuration assessment feature based on the number of times that each check item is used to scan each cloud service instance. Billing formula: Configuration assessment fee = Unit price × Quota for configuration assessment × Subscription duration.

  • Unit price: USD 0.02 per time-month for each check item on each cloud service instance. The minimum quota that you can purchase is 1,000.

  • Quota for configuration assessment: the number of times that each check item is used to scan each cloud service instance.

    • A cloud service instance refers to the instance of a specific application or network device, such as an Object Storage Service (OSS) bucket or an Elastic Compute Service (ECS) security group.

      View the number of cloud service instances

      You can view the number of cloud service instances within your Alibaba Cloud account on the Assets > Cloud Product page in the Security Center console.

    • We recommend that you purchase a quota that is 20 times the number of cloud service instances. If the quota is insufficient, you must re-scan the instances. For example, if you have a total of 10 cloud services and each cloud service has 15 instances, we recommend that you purchase a quota of 3,000. The value is calculated by using the following formula: 10 × 15 × 20 = 3,000.

  • Subscription duration: the duration of your subscription to Security Center.

Deduction rule

After you enable the configuration assessment feature, the quota is consumed each time you run a configuration check. Quota consumed by a configuration check = Total number of scanned instances × Number of selected check items.

For example, you have a total of 10 cloud services, and each cloud service has 15 instances. You run a configuration check task in which a total of 5 check items are selected. In this example, the consumed quota is 750. The value is calculated by using the following formula: 10 × 15 × 5 = 750.

Note

If the quota is insufficient to offset the fee of a configuration check task, the check items that cannot be covered by the quota are not used to scan instances in the task. You can view the scan results to check the running details of the task.
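As an added illustration that is not part of the Security Center documentation, the following Python helper applies the billing formula, the recommended-quota rule, and the deduction rule above. It assumes that when the remaining quota runs short, check items are skipped one whole item at a time, which is how the note above reads; the function names are this example's own.

```python
# Added example, not from the Security Center documentation.
# Constants below are the values stated on the page.
UNIT_PRICE_USD = 0.02    # USD per time-month (one check item on one instance)
MIN_QUOTA = 1000         # minimum purchasable quota
RECOMMENDED_SCANS = 20   # recommended quota multiplier per instance


def recommended_quota(services: int, instances_per_service: int) -> int:
    """Quota to buy: 20 x total instances, never below the 1,000 minimum."""
    total_instances = services * instances_per_service
    return max(MIN_QUOTA, total_instances * RECOMMENDED_SCANS)


def subscription_fee(quota: int, months: int) -> float:
    """Configuration assessment fee = unit price x quota x subscription duration."""
    return round(UNIT_PRICE_USD * quota * months, 2)


def quota_per_check(total_instances: int, selected_items: int) -> int:
    """Quota consumed by one check task = scanned instances x selected check items."""
    return total_instances * selected_items


def run_check(remaining: int, total_instances: int, selected_items: int):
    """Simulate one check task against the remaining quota.

    Returns (items_actually_scanned, remaining_quota_after). Check items the
    remaining quota cannot cover are skipped, so a task may finish with fewer
    items than were selected. Whole-item granularity is an assumption.
    """
    if total_instances <= 0:
        return 0, remaining
    affordable_items = remaining // total_instances
    scanned = min(selected_items, affordable_items)
    return scanned, remaining - scanned * total_instances


def checks_affordable(quota: int, total_instances: int, selected_items: int) -> int:
    """Number of complete check tasks with this selection that a quota pays for."""
    per_check = quota_per_check(total_instances, selected_items)
    return quota // per_check if per_check else 0
```

With the page's figures (10 services, 15 instances each, 5 check items), a 3,000 quota pays for four complete check tasks; a 1,000 quota scanning 150 instances with 10 items selected covers only 6 of those items and leaves 100 unused.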

Free usage

  • If you have not enabled the configuration assessment feature or purchased a quota for the configuration assessment feature, you can use more than 20 check items that are provided by the feature free of charge. You can go to the Risk Governance > Configuration Assessment page in the Security Center console to view and use the check items.

  • The following list describes the numbers of check items that you can use free of charge in different editions of Security Center. If you enabled the configuration assessment feature before July 07, 2023, you can use the check items free of charge until your Security Center expires. If you renew the subscription before your Security Center expires, you can continue to use the check items free of charge.

    • Basic and Anti-virus: more than 20

    • Advanced: more than 40

    • Enterprise and Ultimate: more than 200

    Note

    To view more information about the supported check items, you can go to the Risk Governance > Configuration Assessment page in the Security Center console.

The number of check items provided by the configuration assessment feature can be increased. If you want to use more check items, you can purchase a quota for configuration assessment. For more information, see Purchase and authorization. After you purchase a quota for configuration assessment, the historical check results are retained. You can view all check items and select check items based on your business requirements when you run a configuration check.

Important

After you purchase a quota for configuration assessment, you are charged based on the number of times that each check item is used to scan each cloud service instance when you run a configuration check. You can no longer use check items free of charge.

Purchase and authorization

The first time you use the configuration assessment feature, you must purchase a quota for the feature and authorize Security Center to access cloud resources. The configuration assessment feature supports the subscription and pay-as-you-go billing methods.

Note

You cannot purchase the configuration assessment feature based on the pay-as-you-go and subscription billing methods at the same time within your Alibaba Cloud account. For example, if you purchase the configuration assessment feature based on the subscription billing method, you must wait until the subscription to the feature ends or disable the feature before you can purchase the feature based on the pay-as-you-go billing method. For more information, see Upgrade and downgrade Security Center.

Purchase the configuration assessment feature based on the pay-as-you-go billing method

  1. Log on to the Security Center console. In the top navigation bar, select the region in which your asset resides. You can select China or Outside China.

  2. In the left-side navigation pane, choose Risk Governance > Configuration Assessment.

  3. On the Configuration Assessment page, click Authorize Now. The first time you use the configuration assessment feature, you must perform this operation.

    After the authorization is complete, a service-linked role named AliyunServiceRoleForSasCspm is created for Security Center to access the resources of cloud services within the current account. Then, you can use the configuration assessment feature to check the following configurations of your cloud services: identity authentication, network access control, data security, log audit, and basic protection. This helps you reinforce security configurations and reduce risks that are caused by configuration errors in your cloud services. For more information about the AliyunServiceRoleForSasCspm service-linked role, see Service-linked roles for Security Center.

  4. On the Configuration Assessment page, click Activate Now.

  5. In the dialog box that appears, read and select "I have read and agree to Security Center (Pay-as-you-go) Terms of Service", and then click Activate Now.

After you purchase the configuration assessment feature, you can view the quota that is consumed by configuration checks on the Configuration Assessment > Configuration Check tab. For more information about the bills of the configuration assessment feature, see Billing Details.

To disable the pay-as-you-go billing method for the configuration assessment feature, find Used Quota and click Suspended.

Purchase the configuration assessment feature based on the subscription billing method

  1. Go to the Security Center buy page and purchase a quota for Configuration Assessment. For more information, see Purchase Security Center.

  2. Complete authorization. The first time you use the configuration assessment feature, you must perform this operation.

    1. Log on to the Security Center console. In the top navigation bar, select the region in which your asset resides. You can select China or Outside China.

    2. In the left-side navigation pane, choose Risk Governance > Configuration Assessment.

    3. On the Configuration Assessment page, click Authorize Now.

      After the authorization is complete, the AliyunServiceRoleForSasCspm service-linked role is created for Security Center, as described in the pay-as-you-go procedure above. For more information about the role, see Service-linked roles for Security Center.

After you purchase the configuration assessment feature, you can view the remaining quota that can be consumed by configuration checks on the Configuration Assessment > Configuration Check tab. If the remaining quota is insufficient, you can click Scale Out to purchase an additional quota.

References

  • For more information about how to purchase a quota for configuration assessment and add cloud services to Security Center, see Add cloud services.

  • For more information about how to perform configuration checks on cloud services and handle risk items, see Use the configuration assessment feature.