You can add assets that are from third-party cloud service providers to Security Center for centralized protection and management. The third-party cloud service providers include Tencent Cloud, Huawei Cloud, Amazon Web Services (AWS), and Microsoft Azure. This topic describes how to add a third-party asset to Security Center.
Adding methods
Security Center provides two methods for you to add third-party assets to Security Center. The two methods collect different data. You can select a method based on the data that you want to collect.
Method | Description | Data to collect |
Manually install the Security Center agent on a third-party asset | If you use this method to add a third-party asset, the External host tag is added to the asset, and Security Center cannot identify the service provider of the asset. | IP address information, hostname, operating system type, and the number of CPU cores |
Add a third-party asset by using the AccessKey pair of a third-party account | If you use this method, Security Center can identify the service provider of the asset and display the service provider of the asset on the Host page. Important If you use this method to add a third-party asset to Security Center, you must install the Security Center agent on the asset before you can use the protection capabilities of Security Center. | IP address information, hostname, operating system type, number of CPU cores, information about virtual private clouds (VPCs) of the third-party cloud, status of the asset, region of the asset, and service provider of the asset |
Add a third-party asset by using the AccessKey pair of a third-party account
Security Center obtains the read permissions on third-party assets and synchronizes the information about the assets by using the AccessKey pair of an account that is created for the third-party cloud service provider to add the assets. This way, you can protect and manage your cloud assets by using Security Center in a centralized manner.
Add assets of Tencent Cloud, Huawei Cloud, and AWS to Security Center
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
On the tab, click Add authorization and select Tencent Cloud, Huawei Cloud, or AWS from the drop-down list.
In the Access to assets outside the cloud panel, create a sub-account for the cloud service provider as prompted and add third-party cloud servers to Security Center.
Log on to the platform of the third-party cloud service provider and create an AccessKey pair for the sub-account.
You can select Quick configuration scheme or Manual configuration scheme.
Manual configuration scheme: Create a sub-account for the cloud service provider and authorize Security Center to use the AccessKey pair of the sub-account. We recommend that you use this method.
You must grant the sub-account the permissions that are required by Security Center. Otherwise, Security Center cannot protect your third-party assets.
Quick configuration scheme: After you authorize Security Center to use the AccessKey pair of a master account, Security Center automatically creates the AccessKey pair for a sub-account.
In the Submit AccessKey Pair step, enter the obtained AccessKey pair, select the type of assets that you want to add, and then click Next.
Host Assets: Grant Security Center the read permissions on cloud servers within the third-party account.
Cloud product configuration check: Grant Security Center the read permissions on all cloud assets within the third-party account. If you want to use the configuration assessment feature to scan third-party assets, select this option.
Threat Analysis: Grant Security Center the read permissions on all cloud assets and write permissions on some cloud assets within the third-party account. If you want to use the threat analysis feature to manage the logs of third-party cloud assets in a centralized manner and interact with third-party cloud assets to handle alerts, select this option.
NoteThe types of assets that you can add to Security Center vary based on the cloud service provider. The types that are displayed on the page shall prevail.
In the Log Audit Settings step, configure the region where the third-party assets are deployed and the data synchronization frequency, and then click OK.
Parameter
Description
Select Region
Select the region where the assets within the third-party account are deployed. Security Center can synchronize the data within the third-party account to the data management center that you select in the top navigation bar of the Security Center console. The data management centers are China and Outside China.
Region Management
If you select this option, Security Center automatically synchronizes the data of the newly created assets in the specified region within the third-party account to the current data management center.
If you do not select this option, newly created servers in the specified region are not automatically added to the current data management center.
Host Asset Synchronization Frequency
Select the interval at which Security Center automatically synchronizes the data of third-party cloud servers. If you select Disable, the data is not synchronized.
Cloud Service Synchronization Frequency
The interval at which Security Center automatically synchronizes the data of third-party cloud assets. If you select Disable, the data is not synchronized.
NoteThis parameter is required only if you set the Permission description parameter to Cloud product configuration check.
AK Service Status Check
The interval at which Security Center automatically checks the validity of the AccessKey pair of the third-party account. If you select Disable, Security Center does not check the validity.
Click Synchronize Asset to synchronize the data of assets within the third-party account to Security Center.
If you use the AccessKey pair of a master account, the data of the assets within all sub-accounts of the master account is automatically synchronized to Security Center.
If you use the AccessKey pair of a sub-account, the data of the assets within the sub-account is automatically synchronized to Security Center.
Add Microsoft Azure assets to Security Center
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
On the tab, click Add authorization, and select Azure from the drop-down list.
In the Access to assets outside the cloud panel, create a sub-account for the cloud service provider as prompted and add third-party cloud servers to Security Center.
Create a sub-account for the third-party cloud service provider.
You must log on to the platform of the third-party cloud service provider and run a command to create a Microsoft Azure sub-account as prompted. You must obtain the following information from the command output:
appId,displayName,name,password, andtenant.ImportantYou must grant the read-only permissions on Microsoft.Compute permissions resources to the sub-account that you created.
In the Submit AccessKey Pair step, configure the Enter an AppID, Enter a password, tenant, SubscriptionId, and Domain parameters, select the type of assets that you want to add to Security Center, and then click Next.
You can add assets only of the Host Assets type to Security Center. This indicates that Security Center has the read permissions on cloud servers within the sub-account of the third-party cloud service provider.
In the Log Audit Settings step, configure the region where the third-party assets are deployed and the data synchronization frequency, and then click OK.
Parameter
Description
Select Region
Select the region where the assets within the third-party account are deployed. Security Center can synchronize the data within the third-party account to the data management center that you select in the top navigation bar of the Security Center console. The data management centers are China and Outside China.
Region Management
If you select this option, Security Center automatically synchronizes the data of the newly created assets in the specified region within the third-party account to the current data management center.
If you do not select this option, newly created servers in the specified region are not automatically added to the current data management center.
Host Asset Synchronization Frequency
Select the interval at which Security Center automatically synchronizes the data of third-party cloud servers. If you select Disable, the data is not synchronized.
Cloud Service Synchronization Frequency
The interval at which Security Center automatically synchronizes the data of third-party cloud assets. If you select Disable, the data is not synchronized.
NoteThis parameter is required only if you set the Permission description parameter to Cloud product configuration check.
AK Service Status Check
The interval at which Security Center automatically checks the validity of the AccessKey pair of the third-party account. If you select Disable, Security Center does not check the validity.
Click Synchronize Asset to synchronize the data of assets within the third-party account to Security Center.
If you use the AccessKey pair of a master account, the data of the assets within all sub-accounts of the master account is automatically synchronized to Security Center.
If you use the AccessKey pair of a sub-account, the data of the assets within the sub-account is automatically synchronized to Security Center.
Verify results
After you add third-party assets to Security Center, you can view the assets on the Assets page.
View assets that are added based on the Host Assets type
You can go to the page to view the third-party cloud servers that are added to Security Center. For more information, see Server assets.
View assets that are added based on the Cloud product configuration check type
You can go to the page to view the third-party assets that are added to Security Center based on the Cloud product configuration check type.
You can find an asset and click View in the Actions column to view the basic information about the asset and the configuration check results of the asset. For more information, see View information about cloud services and Configuration assessment.
What to do next
If you use the AccessKey pair of the sub-account that is authorized to manage the assets to add third-party assets to Security Center, you must install the Security Center agent on the assets. This way, you can use the protection capabilities of Security Center. For more information about how to install the Security Center agent, see Install the Security Center agent.
Related operations
After you add third-party assets to Security Center, Security Center automatically generates a policy for the service provider of the added assets. You can view, modify, or delete the policy of third-party assets on the tab.
You can click the
icon to the right of a policy to view the permission information and service status of the policy. The Service Status parameter of a policy is displayed as Normal only when the value of the Service Status parameter is Normal for all permissions specified in the policy. If the service status of a permission is abnormal, move the pointer over the
icon in the Service Status column to view the cause. You can click Modify in the Actions column of a policy or a permission to modify the information about the policy, such as the AccessKey secret, asset type, and region.
You can enable, disable, or delete policies or permissions based on your business requirements.
After you disable or delete policies or permissions, Security Center no longer synchronizes assets of the cloud service provider based on the policy or permission.