Security Center provides the configuration assessment feature. This feature can help you check whether risks exist in the configurations of your Alibaba Cloud services. This topic describes how to use the configuration assessment feature.

Run a configuration check on cloud services

The configuration assessment feature allows you to manually run configuration checks and enable automatic checks on your cloud services. For more information about the check items that are supported by each edition of Security Center, see Check items.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > Config Assessment.
  2. On the Cloud Platform Configuration Assessment page, run a configuration check.
    • Manual check

      If you want to immediately check whether risks exist in the configurations of your cloud services, you can click Scan now on the Cloud Platform Configuration Assessment page. The system checks all your cloud services.

    • Automatic check

      You can configure automatic checks. Then, Security Center runs configuration checks based on the detection cycle and time that you specify.

      1. In the upper-right corner of the Cloud Platform Configuration Assessment page, click Settings.
      2. In the Settings panel, configure the Detection Cycle, Detection Time, and Risk Check Item parameters. Then, click OK.

    Note:
    • The default value of the Detection Cycle parameter is a random day from Monday to Sunday. You can configure this parameter based on your business requirements.
    • Wait until the configuration check on all cloud services is complete.

View check results

  1. Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > Config Assessment.
  2. On the Cloud Platform Configuration Assessment page, view the results of the configuration check on your cloud services.
    • View the overall information
      The section in the upper part of the Cloud Platform Configuration Assessment page displays the overall information. You can view the pass rates of CIEM, Cloud Service Risk, and Compliance Risk check items below Pass Rate. You can move the pointer over the lines below Pass Rate to view the numbers of high-risk items, medium-risk items, low-risk items, and passed check items.
      Note: Lines in different colors indicate different severity levels. The following list describes the mappings between the colors and the severity levels:
      • High-risk item: red. The risk item poses major threats to your assets. We recommend that you handle the risk item at the earliest opportunity.
      • Medium-risk item: orange. The risk item causes damage to your assets. You can handle the risk item at your convenience.
      • Low-risk item: gray. The risk item causes less damage to your assets. You can handle the risk item at your convenience.
    • View risk items
      • You can click a check item type in the All Check Items section. In the list of check items, view the risk items of the selected check item type.
      • You can also use the filters above the list to search for the risk items that you want to view. The filter conditions include the severity level and status of risk items.
    • View the details of a risk item

      Find a risk item and click the name of the risk item or Details in the Operate column. In the details panel of the risk item, you can view the following information: Check Item Description, Solution, Reference, and Risks.

Handle the detected configuration risks of your cloud services

  1. Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > Config Assessment.
  2. On the Cloud Platform Configuration Assessment page, handle the detected configuration risks of your cloud services.
    You can perform the following operations based on your business requirements:
    • Fix risk items

      Find a risk item and click the name of the risk item or Details in the Operate column. In the Risks section of the details panel that appears, click the instance ID of the cloud service on which risks are detected, the ID of an account, or the name of a policy to go to the console of the cloud service. Then, fix the risk item based on the information provided in the Solution and Reference sections of the details panel.

    • Verify fixes
      • If you have modified the configuration of an instance based on the information provided in the details panel of a risk item that affects the instance, you can find the instance and click Verify in the Operate column to check whether the new configuration contains risks.
      • If the configuration does not contain risks, the instance is removed from the list in the Risks section. Then, the status of the risk item changes to Passed.
      • If you want to verify the fixes of multiple risk items, select the risk items and click Verify below the check item list. In the message that appears, click OK.
    • Add a risk item to the whitelist
      Important: After you add a risk item to the whitelist, the risks that are detected for the risk item are no longer reported in subsequent configuration checks. We recommend that you add risk items to the whitelist only after you confirm that the risk items pose no threats.

      If you identify a risk item as a false positive, you can find the risk item in the check item list on the Cloud Platform Configuration Assessment page and click Whitelist in the Operate column to add the risk item to the whitelist. The status of the risk item changes to Whitelist. Risk items that are in the Whitelist state are not counted in the total number of risk items.

      You can remove a risk item from the whitelist on the Cloud Platform Configuration Assessment page.

Check items

The following tables describe the check items that are supported by each edition of Security Center.
Note: The following symbols indicate whether a check item is supported by an edition:
  • ×: The check item is not supported.
  • √: The check item is supported.

The severity levels in the following tables are defined in Security Center.

Identity permission management (CIEM)

| Best security practice | Check item | Check item type | Risk level | Basic and Anti-virus | Advanced | Enterprise and Ultimate |
|---|---|---|---|---|---|---|
| IDAAS | IDAAS password complexity | Password Policy | Important | × | × | √ |
| | IDAAS history password detection | Password Policy | Important | × | × | √ |
| | IDAAS enables secondary authentication | Certification management | Important | × | × | √ |
| | IDAAS regular password change | Password Policy | Medium | × | × | √ |
| | IDAAS Forgot Password | Password Policy | Medium | × | × | √ |
| | Validity period of IDAAS login | Certification management | Medium | × | × | √ |
| Alibaba cloud RAM best security practices | Root Account AK disabled | AK Security | Important | × | √ | √ |
| | RAM Users MFA Configuration | authentication management | Important | √ | √ | √ |
| | Root account enable MFA | authentication management | Important | √ | √ | √ |
| | Separation of personnel and program users | Identity management | Medium | × | × | √ |
| | Password_validity | Password Policy | Medium | × | × | √ |
| | Ram restricted IP access | Access_Control | Low | × | × | √ |
| | RAM_CheckAccesskeyAuth | AK Security | Important | × | × | √ |
| | Password_complexity | Password Policy | Important | × | × | √ |
| | Session security settings | authentication management | Important | × | × | √ |
| | Create Ram User | Identity management | Important | × | × | √ |
| | Create only one AK | AK Security | Important | × | × | √ |
| | AK regular rotation | AK Security | Medium | × | × | √ |
| | Password reuse restrictions | Password Policy | Medium | × | × | √ |
| | Idle RAM AK cleaning | AK Security | Low | × | × | √ |
| | Idle user cleaning | Identity management | Low | × | × | √ |
| RAM Privilege Management | RAM-Super Administrator Authorization | Grants Management | Important | × | √ | √ |
| | RAM - Cloud product administrator authorization | Grants Management | Medium | × | √ | √ |
| | User-CheckRamRiskApi | Grants Management | Important | × | × | √ |
| | Role-CheckRamRiskApi | Grants Management | Important | × | × | √ |
| | User-CheckEcsRiskApi | Grants Management | Important | × | × | √ |
| | Role-CheckEcsRiskApi | Grants Management | Important | × | × | √ |
| | Role-CheckOssRiskApi | Grants Management | Important | × | × | √ |
| | Role-CheckRdsRiskApi | Grants Management | Important | × | × | √ |
| | User-CheckRdsRiskApi | Grants Management | Important | × | × | √ |
| | User-CheckOssRiskApi | Grants Management | Important | × | × | √ |

Cloud product configuration management (Cloud Service Risk)

| Best security practice | Check item | Check item type | Risk level | Basic and Anti-virus | Advanced | Enterprise and Ultimate |
|---|---|---|---|---|---|---|
| Alibaba cloud MSE best security practices | MSE-Public Network Authentication | Access Control | Low | × | × | √ |
| Alibaba cloud NAS best security practices | NAS - enable log management | Log Audit | Low | × | × | √ |
| | NAS - Classic Network Configuration | Access Control | Low | × | × | √ |
| | NAS Backup Settings | Access Control | Low | × | × | √ |
| Alibaba cloud OSS best security practices | OSS Bucket Version Control | Disaster Recovery Backup | Medium | × | √ | √ |
| | OSS Authorization Policy | Access Control | Important | × | √ | √ |
| | OSS Bucket Immobilizer Configuration | Access Control | Low | × | √ | √ |
| | OSS Bucket server encryption | Data Security | Low | × | √ | √ |
| | OSS - Cross-Region Replication Configuration | Disaster Recovery Backup | Low | √ | √ | √ |
| | OSS - Logging Configuration | Log Audit | Medium | √ | √ | √ |
| | OSS Bucket Permission Settings | Access Control | Important | √ | √ | √ |
| | OSS Sensitive File Disclosure | Data Security | Low | × | × | √ |
| | Encrypt the manifest file under OSS public permission | Log Audit | Low | × | × | √ |
| | Disable logs under OSS public permissions | Access Control | Low | × | × | √ |
| Alibaba cloud SLB best security practices | ALB high risk port exposure | Access Control | Important | √ | √ | √ |
| | CLB white list configuration check | Access Control | Important | √ | √ | √ |
| | CLB - Certificate Expiration | Monitoring alarms | Medium | √ | √ | √ |
| | CLB - Health Status | Monitoring alarms | Low | √ | √ | √ |
| | ALB white list configuration check | Access Control | Important | √ | √ | √ |
| | CLB- High Risk Port Exposure | Access Control | Important | √ | √ | √ |
| | ALB - Certificate Expiration | Monitoring alarms | Medium | √ | √ | √ |
| | ALB_HealthStatus | Monitoring alarms | Low | √ | √ | √ |
| Alibaba cloud PostgreSQL best security practices | PostgreSQL Backup Settings | Disaster Recovery Backup | Medium | × | × | √ |
| | PostgreSQL - Cloud Disk Encryption | Data Security | Medium | × | × | √ |
| | PostgreSQL SSL certificate | Data Security | Medium | × | × | √ |
| | PostgreSQL - Whitelist Configuration | Access Control | Important | √ | √ | √ |
| Alibaba cloud redis best security practices | Redis Audit Log Configuration | Log Audit | Low | × | × | √ |
| | Redis Access Advanced Anti DDoS | Access Control | Medium | × | × | √ |
| | Redis - Whitelist Configuration | Access Control | Important | √ | √ | √ |
| | Redis - enable TDE encryption | Data security | Medium | × | × | √ |
| | Redis use ordinary users | Identity_Authentication | Medium | × | × | √ |
| | Redis - Disable high risk commands | Access Control | Medium | × | × | √ |
| | Redis VPC password free mode application white list | Access Control | Medium | × | × | √ |
| | Redis - set timeout time of client connection | Access Control | Medium | × | × | √ |
| | Redis SSL Enabled | Data security | Medium | × | √ | √ |
| | Redis Backup Settings | Disaster Recovery Backup | Medium | × | √ | √ |
| | Redis - close VPC secret free access | Identity_Authentication | Low | × | × | √ |
| Alibaba cloud ACK best security practices | ACK - Forbid Binding EIP | Network Configuration | Low | × | × | √ |
| | ACK - Network Plugin Configuration | Network Configuration | Low | × | × | √ |
| | ACK - Network Policy Configuration | Network Configuration | Low | × | × | √ |
| Alibaba cloud RDS best security practices | RDS-Ordinary User Login | Authentication | Medium | × | × | √ |
| | RDS Enable Database Backup | Disaster Recovery Backup | Medium | √ | √ | √ |
| | RDS - TDE Configuration | Data Security | Low | × | × | √ |
| | RDS - SSL Configuration | Data Security | Low | × | × | √ |
| | RDS - SQL Audit | Data Security | Low | × | × | √ |
| | RDS - Cross Region Backup | Disaster Recovery Backup | Low | × | √ | √ |
| | RDS white list configuration | Access Control | Important | √ | √ | √ |
| | RDS - Port Configuration | service configuration | Low | √ | √ | √ |
| | RDS-Instance Release Protection Configuration | service configuration | Low | × | × | √ |
| | RDS - Cloud Disk Encryption | Data Security | Low | × | × | √ |
| Alibaba cloud PolarDB best security practices | PolarDB SQL Insight | Log Audit | Medium | × | √ | √ |
| | PolarDB Backup Settings | Data Security | Medium | × | √ | √ |
| | PolarDB - Whitelist Configuration | Access Control | Important | √ | √ | √ |
| Alibaba cloud best security practices | Cloud Effect Codeup Code Security | Security protection | Important | √ | √ | √ |
| | Cloud Security - WAF Back-to-origin Configuration | Security protection | Important | √ | √ | √ |
| | Action Trail - Logging Configuration | Log audit | Medium | √ | √ | √ |
| | Cloud Security - High Anti-Back Source Configuration | Security protection | Important | √ | √ | √ |
| | Container Registry - Repository Visibility Settings | Data Security | Important | × | √ | √ |
| | SSL certificate validity check | Data Security | Important | √ | √ | √ |
| | CDN real-time log push | Log audit | Medium | × | √ | √ |
| Alibaba cloud ECS best security practices | ECS - Security Groups Setting | Access Control | Important | × | √ | √ |
| | ECS - Automatic Snapshot Policy | Data Security | Medium | √ | √ | √ |
| | ECS storage encryption | Data Security | Low | √ | √ | √ |
| | Cloud Monitoring - Host Plug in Status | Monitoring Alarms | Medium | × | √ | √ |
| | ECS Key Pair Login | Authentication | Important | √ | √ | √ |
| | Yundun - Host Security Protection | Security | Important | √ | √ | √ |
| Alibaba cloud MongoDB best security practices | MongoDB SSL ON | Data Security | Medium | × | √ | √ |
| | Mongodb - enable TDE encryption | Data Security | Medium | × | × | √ |
| | Mongodb - close secret free access | Identity Authentication | Low | × | × | √ |
| | MongoDB Log Audit | Log Audit | Medium | × | √ | √ |
| | MongoDB Backup Settings | Data Security | Medium | × | √ | √ |
| | Mongodb - Whitelist Configuration | Access Control | Important | √ | √ | √ |

Compliance (Compliance Risk)

| Best security practice | Check item | Check item type | Risk level | Basic, Anti-virus, and Advanced | Enterprise and Ultimate |
|---|---|---|---|---|---|
| CIS Alibaba Cloud Foundation Benchmark | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | Virtual Machines | Important | × | √ |
| | Ensure RAM password policy require at least one symbol | Identity and Access Management | Important | × | √ |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | Virtual Machines | Important | × | √ |
| | Ensure RAM policies are attached only to groups or roles | Identity and Access Management | Medium | × | √ |
| | Ensure RAM password policy requires minimum length of 14 or greater | Identity and Access Management | Important | × | √ |
| | Ensure RAM password policy expires passwords within 90 days or less | Identity and Access Management | Important | × | √ |
| | Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour | Identity and Access Management | Important | × | √ |
| | Ensure RAM password policy prevents password reuse | Identity and Access Management | Important | × | √ |
| | Ensure RAM password policy requires at least one uppercase letter | Identity and Access Management | Important | × | √ |
| | Ensure RAM password policy requires at least one lowercase letter | Identity and Access Management | Important | × | √ |
| | Ensure RAM password policy require at least one number | Identity and Access Management | Important | × | √ |
| | Ensure legacy networks does not exist | Networking | Medium | × | √ |
| | Ensure CloudMonitor is set to Enabled on Kubernetes Engine Clusters | Kubernetes Engine | Low | × | √ |
| | Ensure that notification is enabled on all high risk items | Security Center | Low | × | √ |
| | Ensure that 'Auditing' Retention is 'greater than 6 months' | Relational Database Services | Low | × | √ |
| | Ensure that 'Unattached disks' are encrypted | Virtual Machines | Low | × | √ |
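The compliance check items above and the Pass Rate summary described under "View check results" (including the rule that whitelisted items are not counted in the total) can be reproduced offline to see what each check actually evaluates. The following Python is an added example, not Security Center's or Alibaba Cloud's code: it scores a constructed RAM password policy and constructed security group rules against a subset of the CIS check items in the table, then summarizes the results the way the console does. The password policy field names (MinimumPasswordLength, MaxLoginAttemps, and so on) are assumed to mirror the RAM GetPasswordPolicy response and are not taken from this page; the security group IDs and rule shape are constructed.

```python
"""Added example (not Security Center's or Alibaba Cloud's code).

Evaluates a constructed RAM password policy and constructed security group
rules against a subset of the CIS check items listed on this page, then
summarises the results the way the console's Pass Rate section does:
whitelisted items are not counted in the total number of risk items.
"""
from dataclasses import dataclass, field

# Severity labels as used in the tables on this page.
IMPORTANT, MEDIUM, LOW = "Important", "Medium", "Low"


@dataclass
class RiskItem:
    name: str
    severity: str
    status: str = "Failed"                          # Failed | Passed | Whitelist
    affected: list = field(default_factory=list)    # instance IDs with the risk


# Constructed sample input. Field names are assumed to mirror the RAM
# GetPasswordPolicy response (including its "MaxLoginAttemps" spelling).
SAMPLE_PASSWORD_POLICY = {
    "MinimumPasswordLength": 12,
    "RequireLowercaseCharacters": True,
    "RequireUppercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": False,
    "MaxPasswordAge": 0,               # 0 means passwords never expire
    "PasswordReusePrevention": 5,
    "MaxLoginAttemps": 5,
}

# Constructed security group IDs and rules; the rule shape is an assumption.
SAMPLE_SECURITY_GROUPS = {
    "sg-constructed-web": [
        {"Direction": "ingress", "Policy": "Accept", "SourceCidrIp": "0.0.0.0/0", "PortRange": "80/80"},
        {"Direction": "ingress", "Policy": "Accept", "SourceCidrIp": "0.0.0.0/0", "PortRange": "22/22"},
    ],
    "sg-constructed-bastion": [
        {"Direction": "ingress", "Policy": "Accept", "SourceCidrIp": "203.0.113.0/24", "PortRange": "22/22"},
        # A wide-open range that happens to include 22 and 3389 still fails the check.
        {"Direction": "ingress", "Policy": "Accept", "SourceCidrIp": "0.0.0.0/0", "PortRange": "1/65535"},
    ],
}


def check_password_policy(policy):
    """One RiskItem per CIS RAM password policy check item from the table."""
    checks = [
        ("Ensure RAM password policy requires minimum length of 14 or greater",
         policy["MinimumPasswordLength"] >= 14),
        ("Ensure RAM password policy requires at least one uppercase letter",
         policy["RequireUppercaseCharacters"]),
        ("Ensure RAM password policy requires at least one lowercase letter",
         policy["RequireLowercaseCharacters"]),
        ("Ensure RAM password policy require at least one number", policy["RequireNumbers"]),
        ("Ensure RAM password policy require at least one symbol", policy["RequireSymbols"]),
        ("Ensure RAM password policy expires passwords within 90 days or less",
         0 < policy["MaxPasswordAge"] <= 90),
        ("Ensure RAM password policy prevents password reuse", policy["PasswordReusePrevention"] > 0),
        ("Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour",
         0 < policy["MaxLoginAttemps"] <= 5),
    ]
    return [RiskItem(name, IMPORTANT, "Passed" if ok else "Failed") for name, ok in checks]


def _port_range_covers(port_range, port):
    """Security group port ranges are written "low/high"."""
    low, high = (int(p) for p in port_range.split("/"))
    return low <= port <= high


def check_security_groups(groups):
    """Flag every group that accepts ingress from 0.0.0.0/0 to port 22 or 3389."""
    items = []
    for port in (22, 3389):
        item = RiskItem(f"Ensure no security groups allow ingress from 0.0.0.0/0 to port {port}",
                        IMPORTANT, "Passed")
        for sg_id, rules in groups.items():
            if any(r["Direction"] == "ingress" and r["Policy"] == "Accept"
                   and r["SourceCidrIp"] == "0.0.0.0/0"
                   and _port_range_covers(r["PortRange"], port) for r in rules):
                item.affected.append(sg_id)
        if item.affected:
            item.status = "Failed"
        items.append(item)
    return items


def whitelist(items, names):
    """Mark confirmed false positives; they are dropped from the totals below."""
    for item in items:
        if item.name in names:
            item.status = "Whitelist"
    return items


def summarize(items):
    """Counts and pass rate as shown below Pass Rate in the console."""
    counted = [i for i in items if i.status != "Whitelist"]
    failed = [i for i in counted if i.status == "Failed"]
    summary = {"total": len(counted), "passed": len(counted) - len(failed), "high": 0, "medium": 0, "low": 0}
    bucket = {IMPORTANT: "high", MEDIUM: "medium", LOW: "low"}
    for item in failed:
        summary[bucket[item.severity]] += 1
    summary["pass_rate"] = round(100 * summary["passed"] / summary["total"], 1) if counted else 100.0
    return summary


if __name__ == "__main__":
    results = check_password_policy(SAMPLE_PASSWORD_POLICY) + check_security_groups(SAMPLE_SECURITY_GROUPS)
    for item in results:
        print(f"{item.status:9} {item.severity:9} {item.name} {item.affected or ''}")
    print(summarize(results))
```

With the constructed input, five of the ten items fail (minimum length, symbol requirement, password expiry, and both open-port checks), giving a 50.0% pass rate; whitelisting one item removes it from the denominator, which is why the console's pass rate rises rather than that item being counted as passed.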