The multi-account control feature allows you to manage multiple cloud accounts and resource accounts of your enterprise in a centralized manner. You can configure protection settings for members of your enterprise and view the risks that are detected in the resources of the members in real time. This topic describes how to use the multi-account control feature.

Background information

Security Center can be integrated with the Resource Directory service of Resource Management as a trusted service. Then, you can use Security Center to manage the members of your resource directory in a centralized and structured manner.

You can use the management account of your resource directory or a delegated administrator account to add other Alibaba Cloud accounts of your enterprise to your resource directory for centralized management.

After you specify a member as a delegated administrator account, the member is authorized by the management account of your resource directory to perform the following operations: access and manage the organization and the members of your resource directory from Security Center, and view the risks that are detected in the resources of the members. For more information, see Management account and Manage a delegated administrator account.

Limits

All editions of Security Center support this feature. For more information about the features that each edition supports, see Functions and features.

Prerequisites

Add a delegated administrator account

Before you can add members to your resource directory, you must specify a member as a delegated administrator account.

  1. Log on to the Resource Management console by using the management account of your resource directory.
  2. In the left-side navigation pane, choose Resource Directory > Trusted Services. On the page that appears, specify a member as a delegated administrator account for Security Center.

    After you specify a delegated administrator account, the delegated administrator account can be used to perform management operations in a trusted service on behalf of the management account. In this topic, Security Center is the trusted service.

    For more information, see Add a delegated administrator account.

Note You can add a maximum of five delegated administrator accounts for Security Center.

Add members

You can use the management account of your resource directory or a delegated administrator account to add members for centralized management.

  1. Log on to the Security Center console. In the left-side navigation pane, choose System Configuration > Multi-account Control.
  2. On the Multi-account Control page, click Add.
  3. In the Add panel, select an account from the Select account drop-down list.
    Note The members in the drop-down list are the same regardless of whether you use the management account of your resource directory or a delegated administrator account.
  4. Optional: Select When a new account is created, the account is added to the list of managed accounts by default. If you select this option, newly created accounts are automatically added to the member list.
  5. Click OK.
    You can view the added member in the member list of the Multi-account Control page.

Configure protection settings for a member

You can use the management account of your resource directory or a delegated administrator account to configure settings for a member without the need to log on to the Security Center console as the member. You can configure the Security Center agent installed on the assets that belong to the member, specify vulnerabilities for detection, and configure baseline check policies for the assets.

  1. Log on to the Security Center console. In the left-side navigation pane, choose System Configuration > Multi-account Control.
  2. In the member list of the Multi-account Control page, click Settings in the Actions column of a member.
  3. In the Settings panel, configure parameters in the following steps for the member.
    1. Configure parameters in the Client management step.
      The following parameters are available. Each entry lists the parameter, its description, and the topic to see for more information.
      • Proactive Defense: Proactive defense automatically intercepts common viruses, malicious network connections, and webshell connections. Proactive defense also allows you to use bait to capture ransomware. For more information, see Use proactive defense.
      • Webshell Detection: Webshell detection scans servers and web directories for webshells and trojans at regular intervals. Security Center generates alerts for detected webshells and displays the alerts only when webshell detection is enabled. For more information, see Use the webshell detection feature.
      • K8s Threat Detection: Threat detection on Kubernetes containers checks the security status of running container clusters and detects security threats and attacks in the container clusters at the earliest opportunity. For more information, see Use threat detection on Kubernetes containers.
      • Dynamic adaptive threat detection capability: If a high-risk intrusion is detected on your server after the adaptive threat detection feature is enabled, the Security Center agent on your server automatically runs in Safeguard Mode For Major Activities mode. This mode enables all protection rules and security engines, which helps detect intrusions in a more comprehensive manner. For more information, see Use adaptive threat detection.
      • Alarm aggregation switch: Automatic alert correlation analysis aggregates multiple alerts generated on intrusions that may be launched by the same attacker. For example, alerts on attacks from the same IP address or service, or on the assets of the same user, can be aggregated. After you enable the feature, you can handle alerts that have the same characteristics with a few clicks, which makes alert handling more efficient. For more information, see Enable automatic alert correlation analysis.
      • Protection Mode: The Security Center agent is a local plug-in provided by Security Center. Before you can use Security Center to protect your servers, you must install the Security Center agent on your servers. Security Center provides multiple protection modes, which allow the Security Center agent to run in different modes to meet the security requirements of different scenarios. For more information, see Manage protection modes.
      • Client Protection: The client protection feature blocks malicious operations that attempt to uninstall the Security Center agent. This ensures that Security Center provides stable protection capabilities. For more information, see Use the client protection feature.
      • Client engine: After you turn on the switch in the Client engine section, Security Center detects webshells and viruses only by using the engines of Alibaba Cloud. We recommend that you turn on the switch only when the network connections of your servers in data centers are limited. No reference topic is available for this parameter.
    2. Click Next.
    3. Configure the parameters in the Vulnerability management step.
      You can enable or disable automatic scan for each type of vulnerabilities, and enable vulnerability scan for specific servers. In addition, you can configure the scan cycle and scan method, and specify the number of days after which a detected vulnerability is automatically deleted. For more information, see Scan for vulnerabilities.
    4. Click Next.
    5. Configure the parameters in the Baseline inspection step.
      The baseline check feature allows you to configure baseline check policies for the member. You can use baseline check policies to check whether risks exist in the baseline configurations of the assets that belong to the member. For more information, see Create baseline check policies and run baseline checks based on the policies.
  4. After you complete the configurations, click Determine.
    Security Center enables the features that are supported by the Security Center agent for the member, performs baseline checks for the member, and scans the assets that belong to the member for vulnerabilities based on the configurations.

View the risks detected in the resources of a member

You can use the management account of your resource directory or a delegated administrator account to view the risks detected in the resources of any member that is displayed in the member list of the Multi-account Control page, and to manage that member.

  1. Log on to the Security Center console. In the left-side navigation pane, choose System Configuration > Multi-account Control.
  2. In the account list of the Multi-account Control page, view the risks that are detected in the resources of a member and manage the member.
    • View the risks detected in the resources of a member

      You can view the information about a member. The information includes the security score of the assets that belong to the member, the details about the alerts that are generated on the assets, and the vulnerabilities and baseline risks that are detected on the assets.

    • Manage a member
      • Click View to go to the Resource Directory page in the Resource Management console. On the Resource Directory page, you can view directory information about all assets, create members, invite members, or upgrade a resource account to a cloud account.
      • Click Delete to remove the member from the member list.