Cloud Security Posture Management (CSPM) continuously monitors your cloud environment to detect and fix security risks—misconfigurations in cloud services, vulnerabilities in server configurations, and exploitable attack paths between resources. Use CSPM to reduce your exposure before incidents occur, meet compliance requirements, and understand how a compromised resource could be used to reach other assets.
Use cases
| Scenario | What it solves | Feature to use |
|---|---|---|
| Security hardening across cloud assets | Cloud services and servers accumulate misconfigurations that are hard to detect manually. | Cloud service configuration check + Baseline check |
| Compliance auditing | Meeting standards such as Multi-Level Protection Scheme (MLPS) 2.0 or CIS requires continuous, automated evidence collection. Baseline check includes built-in compliance check packages and supports custom policies for automated compliance auditing. | Baseline check |
| Attack path analysis | A single compromised resource can be a stepping stone to core assets if access paths are not mapped and controlled. | Attack path analysis |
Core features
Cloud service configuration check
Cloud service configuration check scans your cloud asset configurations to identify security vulnerabilities and compliance gaps caused by misconfigurations—for example, overly permissive ECS security group rules or publicly accessible OSS Buckets.
The following figure shows the workflow. For details, see Cloud service configuration check.
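As an added illustration of the kind of check described above (this is example code, not Security Center's own implementation or data model), the following Python evaluates two common misconfigurations over a constructed inventory: ingress rules that open administrative ports to any source, and OSS buckets whose ACL is not private. The resource IDs, field names and values are all constructed for the example.

```python
import ipaddress

# Constructed sample inventory for the example. The field names and the
# resource IDs are illustrative and are not Security Center's data model
# or the Alibaba Cloud API response format.
SECURITY_GROUPS = [
    {"id": "sg-public-ssh", "rules": [
        {"direction": "ingress", "proto": "tcp", "port_from": 22, "port_to": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-office-ssh", "rules": [
        {"direction": "ingress", "proto": "tcp", "port_from": 22, "port_to": 22, "cidr": "203.0.113.0/24"}]},
    {"id": "sg-all-open", "rules": [
        {"direction": "ingress", "proto": "all", "port_from": 1, "port_to": 65535, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-web", "rules": [
        {"direction": "ingress", "proto": "tcp", "port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"}]},
]
BUCKETS = [
    {"name": "corp-backups", "acl": "private"},
    {"name": "static-site", "acl": "public-read"},
    {"name": "uploads", "acl": "public-read-write"},
]

# Ports that should never be reachable from the whole internet: SSH, RDP and
# common database/cache listeners.
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379}


def cidr_is_internet(cidr):
    """True for 0.0.0.0/0 and ::/0, the 'any source' CIDRs."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_exposes_admin_port(rule):
    """An ingress rule is a finding when it admits any source and its port
    range covers at least one administrative port."""
    if rule["direction"] != "ingress" or not cidr_is_internet(rule["cidr"]):
        return False
    lo, hi = rule["port_from"], rule["port_to"]
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def check_security_groups(groups):
    """Return (group_id, severity, detail) for each offending rule. A rule
    that opens a very wide port range is rated higher than a single port."""
    findings = []
    for group in groups:
        for rule in group["rules"]:
            if rule_exposes_admin_port(rule):
                wide = rule["port_to"] - rule["port_from"] > 1000
                findings.append((group["id"], "high" if wide else "medium",
                                 f"{rule['proto']} {rule['port_from']}-{rule['port_to']} from {rule['cidr']}"))
    return findings


def check_buckets(buckets):
    """Return (bucket_name, severity, detail) for buckets that are not private.
    Public write is rated higher than public read."""
    findings = []
    for bucket in buckets:
        acl = bucket["acl"]
        if acl == "public-read-write":
            findings.append((bucket["name"], "high", f"ACL is {acl}"))
        elif acl != "private":
            findings.append((bucket["name"], "medium", f"ACL is {acl}"))
    return findings


if __name__ == "__main__":
    for finding in check_security_groups(SECURITY_GROUPS) + check_buckets(BUCKETS):
        print(*finding, sep="\t")
```

The check on the 203.0.113.0/24 rule passes because the source is a specific network, which is the distinction a configuration check has to make: the same port open to the office range and to the whole internet are different risks, and only the latter is a finding.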
Baseline check
Baseline check scans the host operating system for issues such as weak passwords, insecure configurations, and missing critical patches. Checks are based on industry standards and security best practices to help you maintain compliance.
The following figure shows the workflow. For details, see Baseline check.
Attack path analysis
Attack path analysis maps access relationships between cloud services—for example, an ECS instance that can control an OSS Bucket through a RAM Role—and presents the full attack chain as a visual topology graph. This lets you identify unnecessary access permissions and potential weak points before they can be exploited. For example: Publicly accessible ECS → Bound to a high-privilege RAM Role → Can control all core OSS Buckets.
The following figure shows the workflow. For details, see Attack path analysis.
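To make the idea of an attack chain concrete, the following Python is an added example (not Security Center's implementation) that models the access relationships above as a directed graph, enumerates every simple path from the internet to a core asset, and reports the intermediate nodes shared by all paths, which is where removing one permission severs the whole chain. The node names and edges are constructed for the example.

```python
# Constructed access graph for the example. Each edge (a, b) means "a can
# reach or act on b": an internet-facing ECS instance, the RAM role bound to
# it, and the OSS buckets that role's policy can control. Names are made up
# and are not Security Center's data model.
EDGES = [
    ("internet", "ecs-web-01"),             # public IP, ingress open to 0.0.0.0/0
    ("ecs-web-01", "role-ops-admin"),       # RAM role bound to the instance
    ("role-ops-admin", "oss-core-data"),    # role policy grants full control
    ("role-ops-admin", "oss-logs"),
    ("ecs-batch-02", "role-readonly"),      # private instance, no internet edge
    ("role-readonly", "oss-logs"),
    ("role-readonly", "ecs-batch-02"),      # cycle, to show simple-path handling
]
CORE_ASSETS = {"oss-core-data"}


def build_graph(edges):
    """Adjacency list: node -> list of nodes it can reach directly."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
    return graph


def find_attack_paths(graph, start, targets, max_depth=6):
    """Enumerate simple paths from start to any target node, depth-first and
    bounded by max_depth so a large graph does not explode."""
    paths = []

    def dfs(node, path):
        if node in targets:
            paths.append(list(path))
            return
        if len(path) > max_depth:
            return
        for nxt in graph.get(node, []):
            if nxt not in path:           # never revisit a node on the current path
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(start, [start])
    return paths


def choke_points(paths):
    """Intermediate nodes present on every path: fixing the permission at any
    one of them cuts all listed paths at once."""
    if not paths:
        return set()
    return set.intersection(*(set(p[1:-1]) for p in paths))


def format_path(path):
    return " -> ".join(path)


if __name__ == "__main__":
    graph = build_graph(EDGES)
    paths = find_attack_paths(graph, "internet", CORE_ASSETS)
    for p in paths:
        print(format_path(p))
    print("choke points:", sorted(choke_points(paths)))
```

Running it prints the single chain internet -> ecs-web-01 -> role-ops-admin -> oss-core-data and lists both the instance and the role as choke points; in practice, replacing the role's wildcard grant with the specific bucket actions the workload needs is the remediation that removes the path without touching the public endpoint.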
Billing
Key concepts
Quota: The unit of measurement for paid CSPM operations. Each billable operation (scan, verify, or fix) on an asset instance consumes one quota unit. For example, scanning 15 instances across 10 cloud services with 5 check items consumes 10 × 15 × 5 = 750 quota units.
Instance: A specific cloud resource, such as an OSS Bucket or an ECS security group.
Check items: Check items fall into two categories:
Free check items: Available under Cloud service configuration check. Scans and verifications are unlimited. Only successful remediation consumes quota.
Paid check items: Require a paid edition or the CSPM value-added service. The cost is either included in the edition fee or consumes quota, depending on your billing model.
If you authorized CSPM (formerly Cloud service configuration check) before July 7, 2023, you retain access to the free check items that correspond to your original Security Center edition: 80+ for Anti-virus Edition, 90+ for Advanced Edition, and 250+ for Enterprise/Ultimate Edition. This applies both before your subscription expires and upon renewal.
For complete billing details, see Billing overview.
Billing models
CSPM supports two billing models. Before purchasing, you can explore basic detection capabilities with the Basic Edition or apply for a 7-day free trial to evaluate the full Enterprise Edition feature set.
The Basic Edition supports detection and verification of free check items for Cloud service configuration check only. Risk remediation, Baseline check, and Attack path analysis are not available.
| | Subscription | Pay-as-you-go |
|---|---|---|
| Best for | Long-term security needs; predictable costs | Flexible, short-term, or dynamically scaling scenarios |
| How to activate | Purchase Advanced, Enterprise, or Ultimate Edition; or add the CSPM value-added service | Purchase the CSPM postpaid feature |
Subscription
Advanced, Enterprise, or Ultimate Edition
Anti-virus Edition and value-added plan users who have not purchased the CSPM value-added service can detect and verify free Cloud service configuration check items only. Risk remediation, Baseline check, and Attack path analysis are not supported.
| Feature | Supported check items | Supported operations | Quota consumption |
|---|---|---|---|
| Cloud service configuration check | Free check items (Ultimate Edition also supports KSMP check items) | Detection and verification; remediation not supported | Does not consume quota |
| Baseline check | Advanced: weak password check items only. Enterprise: all except container security. Ultimate: all. | Scan, verify, and remediate | Included in the edition fee; does not consume quota |
| Attack path analysis | — | Not supported | — |
CSPM value-added service
If you combine the CSPM value-added service with Advanced, Enterprise, or Ultimate Edition, your edition determines the supported check items and operations for Baseline check (see the table above). Cloud service configuration check and Attack path analysis are not affected by the edition. If you use Anti-virus Edition or a value-added plan, all three features follow the table below.
| Feature | Supported check items | Supported operations | Quota consumption |
|---|---|---|---|
| Cloud service configuration check | All check items (free + paid) | Detection, verification, and remediation | Free check items: successful remediation only. Paid check items: scanning, verification, or successful remediation. |
| Baseline check | All check items | Detection, verification, and remediation | Scanning, verification, or successful remediation |
| Attack path analysis | — | Supported | Included with the paid CSPM service; does not consume quota |
Pay-as-you-go
If you only purchase the host and container protection postpaid feature, you can detect and verify free Cloud service configuration check items only. Risk remediation, Baseline check, and Attack path analysis are not supported.
| Feature | Supported check items | Supported operations | Quota consumption |
|---|---|---|---|
| Cloud service configuration check | All check items (free + paid) | Detection, verification, and remediation | Free check items: successful remediation only. Paid check items: scanning, verification, or successful remediation. |
| Baseline check | All check items | Detection, verification, and remediation | Scanning, verification, or successful remediation |
| Attack path analysis | — | Supported | Included with the paid CSPM service; does not consume quota |
Host and Container Security and CSPM Pay-as-you-go Service (Deprecated): supports scanning, verification, and remediation.
Get started
Activate CSPM: Authorize and activate CSPM.
Set up Cloud service configuration check.
Set up Baseline check: install the Security Center agent (see Install the agent) and then manage your servers.
Use Attack path analysis: See Attack path analysis.
FAQ
Billing and quota
Can I switch from Subscription to Pay-as-you-go?
Direct switching is not supported. Wait for your subscription to expire or unsubscribe first, then activate Pay-as-you-go.
Any unused quota from the subscription is forfeited after unsubscribing or expiration.
What happens when quota runs out?
The behavior depends on your billing model:
Subscription: The scan task stops early. Results are shown only for checks completed before quota was exhausted. To continue, upgrade your edition or purchase additional quota. See Upgrade.
Pay-as-you-go: There is no quota limit. The system bills based on actual usage, and all tasks run to completion.
Feature usage
How do I use CSPM for security hardening?
Activate the CSPM service and grant the required management permissions.
Add the cloud service instances you want to check (such as ECS, RDS).
Configure and run a check policy. After the scan completes, remediate risks based on the results and fix recommendations.
How does Security Center improve database security?
Security Center covers database security at two levels:
Cloud service configuration check: Checks external configuration risks of the database—for example, whether the access control whitelist is too permissive, or whether automatic backup and log audit features are enabled.
Baseline check: Checks internal security flaws on the server hosting the database—for example, whether database login accounts have weak passwords, or whether the server configuration follows security best practices.
Deactivate CSPM
How do I deactivate CSPM?
The steps depend on your billing model:
Basic Edition: No action needed. The Basic Edition provides limited detection capabilities and does not involve fees or quota consumption.
Subscription: In the order management center, downgrade your Security Center edition to one that does not include CSPM.
Pay-as-you-go: On the Overview page, go to the Pay-as-you-go area and disable CSPM.