To prevent cloud services from being attacked due to configuration errors and misoperations, Security Center provides the configuration assessment feature. You can use the feature to check whether risks and errors exist in the configurations of your cloud services from multiple dimensions. This helps reduce risks that are caused by configuration errors and improve the security of your cloud services. This topic describes the basic information and billing of the configuration assessment feature.
Feature description
Security Center allows you to check whether risks and errors exist in the configurations of your cloud services from the following dimensions: cloud infrastructure entitlements management (CIEM), security risk management, and compliance risk management. The check results are classified and displayed by risk level to help you understand the configuration risks of your cloud services. Security Center also provides optimization suggestions for and solutions to each risk item to help you better manage cloud resources and ensure the security of the running environment of your cloud services.
The following table describes the dimensions from which you can check the configurations of your cloud services.
| Check dimension | Description |
| --- | --- |
| CIEM | CIEM is a service that integrates cloud security assessment and authorization management to manage the permissions to use and access cloud platforms. Security Center manages identities and permissions on cloud platforms based on CIEM. You can check whether issues exist, such as excessive authorization and password expiration. This helps identify and resolve issues related to permission management at the earliest opportunity and improve the security and reliability of cloud platforms. |
| Security risk management | Best security practices are security measures and solutions that are accumulated by cloud service providers over the years to maximize the security of your data and business. Security Center checks the security configurations, code vulnerabilities, and logging configurations of business systems and identifies potential configuration errors on cloud platforms based on the best security practices of different cloud service providers. This helps maximize the security of your data and business. |
| Compliance risk management | Center for Internet Security (CIS) benchmarks are internationally recognized as security standards for defending IT systems and data against cyberattacks. Security Center checks and manages the compliance risks of cloud platforms in a comprehensive manner and identifies weak configurations that do not meet CIS benchmarks. This helps handle the weak configurations at the earliest opportunity and maximize the security of your data and business. |
Billing
Billing formula
You are charged for the configuration assessment feature based on the number of times that each check item is used to scan each cloud service instance. Billing formula: Configuration assessment fee = Unit price × Quota for configuration assessment × Subscription duration.
Unit price: USD 0.02 per time-month for each check item on each cloud service instance. The minimum quota that you can purchase is 1,000.
Quota for configuration assessment: the number of times that each check item is used to scan each cloud service instance.
A cloud service instance refers to the instance of a specific application or network device, such as an Object Storage Service (OSS) bucket or an Elastic Compute Service (ECS) security group.
We recommend that you purchase a quota that is 20 times the number of cloud service instances. If the quota is insufficient, you must re-scan the instances. For example, if you have a total of 10 cloud services and each cloud service has 15 instances, we recommend that you purchase a quota of 3,000. The value is calculated by using the following formula: 10 × 15 × 20 = 3,000.
Subscription duration: the duration of your subscription to Security Center.
Deduction rule
After you enable the configuration assessment feature, the quota is consumed each time you run a configuration check. Quota consumed by a configuration check = Total number of scanned instances × Number of selected check items.
For example, you have a total of 10 cloud services, and each cloud service has 15 instances. You run a configuration check task in which a total of 5 check items are selected. In this example, the consumed quota is 750. The value is calculated by using the following formula: 10 × 15 × 5 = 750.
If the quota is insufficient to offset the fee of a configuration check task, the check items that cannot be covered by the quota are not used to scan instances in the task. You can view the scan results to check the running details of the task.
Free usage
If you have not enabled the configuration assessment feature or purchased a quota for the configuration assessment feature, you can use more than 20 check items that are provided by the feature free of charge. You can go to the page in the Security Center console to view and use the check items.
The following list describes the numbers of check items that you can use free of charge in different editions of Security Center. If you enable the configuration assessment feature before July 07, 2023, you can use the check items free of charge until your Security Center expires. If you renew the subscription before your Security Center expires, you can continue to use the check items free of charge.
Basic and Anti-virus: more than 20
Advanced: more than 40
Enterprise and Ultimate: more than 200
Note: To view more information about the supported check items, you can go to the page in the Security Center console.
The number of check items provided by the configuration assessment feature can be increased. If you want to use more check items, you can purchase a quota for configuration assessment. For more information, see Purchase and authorization. After you purchase a quota for configuration assessment, the historical check results are retained. You can view all check items and select check items based on your business requirements when you run a configuration check.
After you purchase a quota for configuration assessment, you are charged based on the number of times that each check item is used to scan each cloud service instance when you run a configuration check. You can no longer use check items free of charge.
Purchase and authorization
The first time you use the configuration assessment feature, you must purchase a quota for the feature and authorize Security Center to access cloud resources. The configuration assessment feature supports the subscription and pay-as-you-go billing methods.
You cannot purchase the configuration assessment feature based on the pay-as-you-go and subscription billing methods at the same time within your Alibaba Cloud account. For example, if you purchase the configuration assessment feature based on the subscription billing method, you must wait until the subscription to the feature ends or disable the feature before you can purchase the feature based on the pay-as-you-go billing method. For more information, see Upgrade and downgrade Security Center.
Purchase the configuration assessment feature based on the pay-as-you-go billing method
Purchase the configuration assessment feature based on the subscription billing method
References
For more information about how to purchase a quota for configuration assessment and add cloud services to Security Center, see Add cloud services.
For more information about how to perform configuration checks on cloud services and handle risk items, see Use the configuration assessment feature.