Use a Python script to batch-trigger Cloud Security Center emergency vulnerability scans across all Resource Directory (RD) member accounts. The script calls the ModifyEmgVulSubmit API and auto-discovers accounts through RD, eliminating manual account lists.
Background
Your organization manages 150 member accounts under RD. A local privilege escalation vulnerability (CVE-2021-4034) is found in polkit pkexec, and your security team must assess the blast radius across every account immediately.
Manual approaches have several problems:
Slow manual response: Logging in to 150 accounts one by one takes hours — the containment window may close before you finish.
Gaps in coverage: Hand-maintained account lists easily miss newly added RD members.
Automation pitfalls: A concurrent script without API throttling hits rate limits and causes batch failures.
Fragmented visibility: Scan results scatter across individual accounts with no single-pane view of organization-wide vulnerability status.
Solution overview
A Python script on your local machine pulls all member accounts from RD and submits emergency vulnerability scan tasks through the Cloud Security Center API. After scans complete, view results in the Agentic SOC dashboard.
The script authenticates with a RAM user's AccessKey and calls DescribeEmgVulItem to validate vulnerability names. It then uses the RD ListAccounts API to discover all member accounts and calls ModifyEmgVulSubmit for each account to submit a scan task. Results flow into SLS through Agentic SOC for centralized monitoring.
Procedure
Step 1: Set up the environment and permissions
Verify the following prerequisites:
An enterprise-verified Alibaba Cloud account with administrator privileges.
Cloud Security Center (Advanced edition or higher) enabled on all RD member accounts, with Agentic SOC log ingestion configured (Access configuration).
Python 3.6 or later installed locally.
Create a RAM user (for example, VulnScanner) and grant it the following permissions:
AliyunYundunSASFullAccess (Required): Grants access to Cloud Security Center scanning APIs. This topic uses a system policy for quick validation. In production, create a custom policy that grants only ModifyEmgVulSubmit and DescribeEmgVulItem permissions.
AliyunResourceDirectoryReadOnlyAccess (Recommended): Enables auto-discovery of all RD member accounts. Without it, you must list account IDs manually in the configuration file.
Enable OpenAPI access and save the AccessKey. You need it in Step 3: Run the scan.
Important: Never use the AccessKey of your Alibaba Cloud account (root account) to run the script. Always use the dedicated RAM user's AccessKey created above, and rotate it regularly to minimize the risk of credential leakage.
Step 2: Download the script and configure scan parameters
Download the following three files to your working directory:
scan_manager.py: Main script. Iterates through accounts and calls the scan API for each.
config.ini: Configuration file. Specifies the service endpoint, target vulnerabilities, and scan parameters.
requirements.txt: Required Python libraries.
Open config.ini and set the following parameters:
endpoint: The Cloud Security Center service endpoint for the region where your assets are located. The script targets one region per run; run it separately for each region if assets span multiple regions.
scan_targets: Emergency vulnerability names to scan, comma-separated. Copy names directly from the Urgent Vulnerability page in the console. At startup, the script calls DescribeEmgVulItem to resolve display names into internal API names.
max_qps: Maximum API request rate in QPS. Default: 6, sufficient for most scenarios. For higher rates with large account counts, request a quota increase in Quota Center.
member_uids: Comma-separated member account IDs to scan. Leave empty if the RAM user has RD read permissions; the script then discovers all accounts automatically.
Step 3: Run the scan
Export the RAM user's AccessKey (created in Step 1) as environment variables.
export ALIBABA_CLOUD_ACCESS_KEY_ID="YOUR_ACCESSKEY_ID"
export ALIBABA_CLOUD_ACCESS_KEY_SECRET="YOUR_ACCESSKEY_SECRET"
Install dependencies.
pip3 install -r requirements.txt
Run the scan script.
python3 scan_manager.py
The script prints progress in real time. Sample output:
Querying the list of emergency vulnerabilities...
✅ 'polkit pkexec Local Privilege Escalation Vulnerability (CVE-2021-4034)' → emg_cve-2021-4034:EMG:AVD-2021-4034
✅ Successfully matched 1 vulnerability
ℹ️ 'member_uids' is empty, attempting to auto-discover member accounts from Resource Directory...
✅ Successfully discovered 150 member accounts from Resource Directory.
Starting to process 1 vulnerability × 150 accounts = 150 scan tasks
QPS is throttled at 6. Estimated time to completion: 25.0 seconds
✅ [1/150] Success: Vulnerability='polkit pkexec Local Privilege Escalation Vulnerability (CVE-2021-4034)', Account ID=198XXXXXXXXXXX13 (Current avg QPS: 5.8)
✅ [2/150] Success: Vulnerability='polkit pkexec Local Privilege Escalation Vulnerability (CVE-2021-4034)', Account ID=142XXXXXXXXXXX84 (Current avg QPS: 5.9)
✅ [3/150] Success: Vulnerability='polkit pkexec Local Privilege Escalation Vulnerability (CVE-2021-4034)', Account ID=188XXXXXXXXXXX97 (Current avg QPS: 5.7)
...
✅ [150/150] Success: Vulnerability='polkit pkexec Local Privilege Escalation Vulnerability (CVE-2021-4034)', Account ID=156XXXXXXXXXXX62 (Current avg QPS: 5.9)
==================================================
Processing complete! Total time: 25.8 seconds
Success: 150, Failures: 0, Total: 150
Actual avg QPS: 5.8 (Target QPS: 6)
==================================================
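The following is an added illustration of the flow Steps 1 to 3 describe; it is not the scan_manager.py distributed with this topic. It parses the config.ini parameters from Step 2, resolves display names into API names (the lookup DescribeEmgVulItem provides), falls back to account discovery when member_uids is empty, paces submissions under max_qps, and keeps going when a single account's submission fails so the final summary matches the shape of the sample output above. The SDK calls are replaced by a constructed FakeClient and FakeClock so the code runs offline; the [scan] section name, the endpoint placeholder, and the account IDs are assumptions, while the internal API name comes from the sample output.

```python
"""Added illustration of the batch scan flow; not the scan_manager.py from this topic."""
import configparser
import time

# Keys mirror the config.ini parameters in Step 2; the [scan] section name is assumed.
SAMPLE_CONFIG = """\
[scan]
endpoint = <cloud-security-center-endpoint-for-your-region>
scan_targets = polkit pkexec Local Privilege Escalation Vulnerability (CVE-2021-4034)
max_qps = 6
member_uids =
"""

def _split_csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def parse_config(text):
    """Parse config.ini into a dict; an empty member_uids means 'discover accounts through RD'."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    section = parser["scan"]
    max_qps = section.getfloat("max_qps", fallback=6.0)
    if max_qps <= 0:
        raise ValueError("max_qps must be positive")
    return {"endpoint": section["endpoint"], "max_qps": max_qps,
            "scan_targets": _split_csv(section["scan_targets"]),
            "member_uids": _split_csv(section.get("member_uids", ""))}

class RateLimiter:
    """Spaces calls at least 1/max_qps seconds apart so the API quota is not exceeded."""
    def __init__(self, max_qps, clock=time.monotonic, sleep=time.sleep):
        self.interval, self.clock, self.sleep = 1.0 / max_qps, clock, sleep
        self.next_slot = clock()

    def wait(self):
        now = self.clock()
        if now < self.next_slot:          # too early: block until the next slot opens
            self.sleep(self.next_slot - now)
            now = self.clock()
        self.next_slot = now + self.interval

def resolve_targets(client, display_names):
    """Map console display names to internal API names (the lookup DescribeEmgVulItem serves)."""
    catalogue = client.describe_emg_vul_items()
    missing = [n for n in display_names if n not in catalogue]
    if missing:
        raise ValueError(f"No matching emergency vulnerability found: {missing}")
    return {n: catalogue[n] for n in display_names}

def run_scan(client, cfg, limiter):
    """Submit one task per (vulnerability, account); return a summary like the script's final lines."""
    targets = resolve_targets(client, cfg["scan_targets"])
    accounts = cfg["member_uids"] or client.list_accounts()   # RD auto-discovery fallback
    summary = {"success": 0, "failures": 0, "total": len(targets) * len(accounts)}
    for display_name, api_name in targets.items():
        for uid in accounts:
            limiter.wait()
            try:
                client.modify_emg_vul_submit(api_name, uid)
                summary["success"] += 1
            except Exception as exc:   # one failing account must not abort the whole batch
                summary["failures"] += 1
                print(f"Failed: Vulnerability={display_name!r}, Account ID={uid}: {exc}")
    return summary

class FakeClock:
    """Constructed clock so the limiter can be exercised without real sleeping."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds

class FakeClient:
    """Constructed stand-in for the SDK client; records what would have been submitted."""
    def __init__(self, catalogue, accounts, failing=()):
        self.catalogue, self.accounts, self.failing = catalogue, accounts, set(failing)
        self.submitted = []
    def describe_emg_vul_items(self):
        return dict(self.catalogue)
    def list_accounts(self):
        return list(self.accounts)
    def modify_emg_vul_submit(self, api_name, uid):
        if uid in self.failing:
            raise RuntimeError("simulated API error")
        self.submitted.append((api_name, uid))

CVE_NAME = "polkit pkexec Local Privilege Escalation Vulnerability (CVE-2021-4034)"
ACCOUNTS = ["100000000000001", "100000000000002", "100000000000003"]   # constructed member IDs

def demo(failing=()):
    """Run the flow against the fakes; returns (summary, submitted pairs, simulated seconds elapsed)."""
    cfg = parse_config(SAMPLE_CONFIG)
    clock = FakeClock()
    client = FakeClient({CVE_NAME: "emg_cve-2021-4034:EMG:AVD-2021-4034"}, ACCOUNTS, failing)
    limiter = RateLimiter(cfg["max_qps"], clock=clock.now, sleep=clock.sleep)
    return run_scan(client, cfg, limiter), client.submitted, clock.t

if __name__ == "__main__":
    summary, _, elapsed = demo()
    print(f"Success: {summary['success']}, Failures: {summary['failures']}, Total: {summary['total']} "
          f"(simulated {elapsed:.2f} s at {parse_config(SAMPLE_CONFIG)['max_qps']:g} QPS)")
```

With a real SDK client, pass `RateLimiter(cfg["max_qps"])` so the limiter uses the wall clock; the fakes exist only so the pacing and the failure accounting can be checked without network access. Three submissions at 6 QPS occupy slots at 0, 1/6 and 2/6 seconds, which is why 150 accounts at that rate give the roughly 25 seconds the sample output reports.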
Step 4: View scan results
Log on to the Cloud Security Center console as the RAM user. In the left-side navigation pane, choose Agentic SOC > Log. From the Logstore list, select Standardized Log > Vulnerability Activity. Set a time range covering your scan window and click Search & Analyze.
Emergency vulnerabilities support scanning only — not automated remediation. These vulnerabilities are detected in software installed on your servers. Follow the remediation advice in the vulnerability details to manually upgrade or reconfigure the affected software.
Best practices for production environments
Set up routine scanning
Rather than running the script only after a disclosure, schedule it to run regularly so new vulnerabilities are caught automatically:
Use a crontab job or Windows Task Scheduler to run the script daily.
Deploy the script as a Function Compute (FC) function with a time-based trigger to avoid maintaining a dedicated server.
Harden AccessKey management
Rotate regularly: Rotate the RAM user's AccessKey every 90 days to limit exposure if a key is compromised.
Use instance RAM roles: If the script runs on an ECS instance, assign an instance RAM role instead of exporting an AccessKey into environment variables.
Restrict source IPs: Add an IP condition to the RAM policy so that API calls are accepted only from your operations network.
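A way to check the custom-policy advice from Step 1 and the source-IP restriction above before attaching a policy to the RAM user, as an added example rather than anything from this topic's files. It places the full-access shape used for quick validation beside a hardened policy and lints both for wildcard actions, actions the script does not need, and a missing or open acs:SourceIp condition. The RAM action names yundun-sas:ModifyEmgVulSubmit, yundun-sas:DescribeEmgVulItem and resourcemanager:ListAccounts, and the IpAddress/acs:SourceIp condition form, are assumed to match the RAM policy reference and should be checked there; the CIDR 203.0.113.0/24 is a constructed placeholder for your operations network.

```python
"""Added example: lint a RAM policy for the scan script's RAM user (not from this topic's files)."""
import ipaddress

# Operations the script needs. The RAM action names are assumed; check the RAM policy reference.
REQUIRED_ACTIONS = {
    "yundun-sas:DescribeEmgVulItem",    # resolve vulnerability names
    "yundun-sas:ModifyEmgVulSubmit",    # submit scan tasks
    "resourcemanager:ListAccounts",     # RD auto-discovery
}

# What "quick validation" with a full-access policy amounts to: every action, from anywhere.
WEAK_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "yundun-sas:*", "Resource": "*"}],
}

# Production shape: only the three operations, only from the operations network (constructed CIDR).
HARDENED_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": "*",
        "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}},
    }],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(policy, allowed_actions=REQUIRED_ACTIONS):
    """Return a list of findings; an empty list means the policy passes both checks."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in allowed_actions:
                findings.append(f"statement {i}: action {action!r} is not needed by the scan script")
        ranges = _as_list(stmt.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp"))
        if not ranges:
            findings.append(f"statement {i}: no acs:SourceIp condition, calls accepted from any address")
        for cidr in ranges:
            try:
                network = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"statement {i}: unparsable source range {cidr!r}")
                continue
            if network.prefixlen == 0:   # 0.0.0.0/0 or ::/0 restricts nothing
                findings.append(f"statement {i}: source range {cidr} allows any address")
    return findings

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(policy) or "OK")
```

Run the linter over the policy document before creating it in RAM; an empty result for the hardened policy and two findings for the weak one is the expected outcome. If the RAM user also needs to assume an instance RAM role instead of an AccessKey, extend allowed_actions rather than reintroducing a wildcard.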
FAQ
Scans were submitted successfully, but no records appear in the Agentic SOC vulnerability log
Log collection not enabled: In Agentic SOC, verify that the Vulnerability Activity collection toggle is enabled on the Log page.
Scan still in progress: ModifyEmgVulSubmit only submits the scan task — the actual scan runs asynchronously and may take several minutes to tens of minutes depending on asset count.
No vulnerabilities detected: The Vulnerability Log only records detected vulnerabilities. If a member account's assets are not affected, no entries are generated. To verify, log on to the member account and check Risk Governance > Vulnerabilities > Urgent Vulnerability.
Multi-account logs not aggregated: Member account logs must be aggregated into the management account through Agentic SOC. Verify that Cloud Security Center is enabled on all member accounts and centralized multi-account onboarding is complete.
Vulnerability name resolution fails with "No matching emergency vulnerability found"
Verify that the names in scan_targets of config.ini exactly match the Urgent Vulnerability page in the Cloud Security Center console, including parentheses and spaces. Copy names directly from the console to avoid errors.
If the name is correct but resolution still fails, the vulnerability may have passed its emergency response period and is no longer available through DescribeEmgVulItem.