All Products
Search

This Product

    Security Center:Onboard Volcengine assets using an AccessKey

    Document Center

    Security Center:Onboard Volcengine assets using an AccessKey

    Last Updated:Mar 31, 2026

    Configure a Volcengine sub-account AccessKey in Security Center to automatically synchronize your Volcengine host assets into the Alibaba Cloud security protection system. This enables centralized security management across multicloud environments and reduces the operational overhead of managing separate security tools per cloud provider.

    All Volcengine console steps in this topic are for reference only. For exact instructions, see the linked Volcengine documentation.

    Choose a configuration method

    Security Center supports two methods for onboarding Volcengine assets. Choose based on the features you need.

    Configuration methodDescriptionSupported features
    Quick configurationSubmit your Volcengine main account AK. Security Center automatically creates a sub-account and completes the provisioning authorization.Host
    Manual configurationCreate a sub-account in Volcengine with the required permissions, then submit the sub-account AK in Security Center to complete authorization.Host, Cloud Security Posture Management (CSPM)

    When to use quick configuration: Use this method if you only need host asset protection and want the fastest setup. Security Center handles sub-account creation automatically.

    When to use manual configuration: Use this method if you need CSPM in addition to host protection, or if your security policy requires you to control sub-account creation directly.

    Quick configuration

    Prerequisites

    Before you begin, ensure that you have:

    • An active Volcengine main account

    • Sufficient permissions to create and manage AccessKeys in the Volcengine console

    Step 1: Create a main account key

    For more information, see API Access Key Management.

    1. Log on to the Volcengine console and go to the API Access Keys page. On the AK Leak Detection page, click Create Key.

    2. In the Create Key dialog box, click Continue and complete identity authentication as prompted.

    3. In the Key Created Successfully dialog box, click Download Credentials.

    Save the AccessKey ID and SecretAccessKey from the downloaded file.

    Step 2: Submit the main account AK

    1. Log on to the Security Center consoleSecurity Center console.Log on to the Security Center console.

    2. In the navigation pane, choose System Settings > Feature Settings. In the top-left corner, select the region where your assets reside: Chinese Mainland or Outside Chinese Mainland.

    3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission and select Volcano Engine from the drop-down list. Alternatively, go to Assets > Host, hover over the image icon in the Add Multi-cloud Asset area, and click Volcano Engine below Add to open the Add Assets Outside Cloud panel.

    4. In the Add Assets Outside Cloud panel, select Quick Configuration and click Next

    5. On the Submit AccessKey Pair wizard page, enter the AccessKey ID, SecretAccessKey, and an account name, then click Next. Use a descriptive account name to distinguish assets from different accounts of the same cloud provider.

    Step 3: Configure the provisioning policy

    1. In the Policy Configuration wizard, configure the following settings for the Volcengine assets to be provisioned, then click OK.

      ParameterDescription
      Select regionSelect the region where the assets are located. Security Center provisions the asset data to the data management center corresponding to the region you selected in the upper-left corner of the console (China or Outside China).
      Region ManagementIf selected, when a new region is added to the current Volcengine account, Security Center automatically provisions the asset data from the new region. If not selected, assets in new regions are not provisioned to Security Center.
      Host Asset Synchronization FrequencyThe interval at which Security Center automatically synchronizes Volcengine host assets. Select Close to turn off synchronization.
      AK Service Status CheckThe interval at which Security Center automatically checks the validity of the Volcengine account's AccessKey. Select Close to turn off the check.

    2. Click Synchronize Assets to sync all host assets from the Volcengine account to Security Center.

    After the provisioning policy is configured, Security Center automatically creates a user with the prefix AlibabaSas_

    Important

    Do not delete or disable this user or its key. Doing so will disrupt Volcengine asset provisioning.

    Step 4: Delete the main account key

    After provisioning completes, delete the main account AccessKey from the Volcengine console to reduce the security risk associated with long-lived main account credentials.

    For more information, see API Access Key Management.

    1. Log on to the Volcengine console and go to the API Access Keys page. For the AccessKey submitted in Security Center, click Disable in the Actions column.

    2. In the Are you sure that the AccessKey pair is disabled? dialog box, click OK and complete identity authentication as prompted.

    3. On the AccessKey Leak Detection page, click Delete for the target AccessKey and follow the prompts to complete deletion.

    Manual configuration

    Prerequisites

    Before you begin, ensure that you have:

    • An active Volcengine main account with permissions to create IAM users and assign access policies

    • Sufficient permissions to manage AccessKeys in the Volcengine console

    Step 1: Create a sub-account and get an AK

    For more information, see User Management.

    1. Log on to the Volcengine console and go to the Users page. Click Add.

    2. On the Create User page, click Create by Username.

    3. Enter a Username. Set Access method to Programmatic Access and click Next.

    4. On the Access Policy tab, select the permission policies required for the Security Center features you plan to use, then click Next. These policies grant the sub-account read-only access to your Volcengine resources, allowing Security Center to scan and monitor your assets.

      For CSPM, you can assign the global read-only policy ReadOnlyAccess instead of the individual policies listed above. This ensures CSPM can detect new assets and properties automatically when Volcengine adds new services, without requiring manual permission updates.
      FeatureRequired permission policies
      HostIAMReadOnlyAccess, ECSReadOnlyAccess
      CSPMALBReadOnlyAccess, AdvDefenceReadOnly, CLBReadOnlyAccess, CRReadOnlyAccess, CloudFirewallReadOnlyAccess, CloudIdentityReadOnlyAccess, ECSReadOnlyAccess, HBaseReadOnlyAccess, IAMReadOnlyAccess, KMSReadOnlyAccess, MCDNReadOnlyAccess, MongoDBReadOnlyAccess, NATReadOnlyAccess, RDSMSSQLReadOnlyAccess, RDSMySQLReadOnlyAccess, RDSPGReadOnlyAccess, RedisReadOnlyAccess, SecCenterReadOnlyAccess, TOSReadOnlyAccess, VBHReadOnlyAccess, VKEReadOnlyAccess, VPCReadOnlyAccess, VedbMysqlReadOnlyAccess, VeenReadOnlyAccess, WafReadOnlyAccess, AgentKitReadOnlyAccess, IDReadOnlyAccess, ArkReadOnlyAccess

    5. After confirming the user information, click Bind Account and Go to Bind Data Source.

    6. In the User Information section, click Save and Download CSV or the image icon to save the AccessKey ID and SecretAccessKey.

    Step 2: Submit the sub-account AK

    1. Log on to the Security Center consoleSecurity Center console.Log on to the Security Center console.

    2. In the navigation pane, choose System Settings > Feature Settings. In the top-left corner, select the region where your assets reside: Chinese Mainland or Outside Chinese Mainland.

    3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission and select Volcano Engine from the drop-down list. Alternatively, go to Assets > Host, hover over the image icon in the Add Multi-cloud Asset area, and click Volcano Engine below Add to open the Add Assets Outside Cloud panel.

    4. In the Add Assets Outside Cloud panel, keep Manual Configuration selected. In the Permission Description section, select Host and click Next.

    5. On the Submit AccessKey Pair wizard page, enter the sub-account AccessKey ID, SecretAccessKey, and an account name, then click Next. Use a descriptive account name to distinguish assets from different accounts of the same cloud provider.

    Important

    Do not delete or disable the sub-account or its AccessKey. Doing so will disrupt provisioning.

    Step 3: Configure the provisioning policy

    1. In the Policy Configuration wizard, configure the following settings for the Volcengine assets to be provisioned, then click OK.

      ParameterDescription
      Select regionSelect the region where the assets are located. Security Center provisions the asset data to the data management center corresponding to the region you selected in the upper-left corner of the console (China or Outside China).
      Region ManagementIf selected, when a new region is added to the current Volcengine account, Security Center automatically provisions the asset data from the new region. If not selected, assets in new regions are not provisioned to Security Center.
      Host Asset Synchronization FrequencyThe interval at which Security Center automatically synchronizes Volcengine host assets. Select Close to turn off synchronization.
      AK Service Status CheckThe interval at which Security Center automatically checks the validity of the Volcengine account's AccessKey. Select Close to turn off the check.

    2. Click Synchronize Assets to sync all host assets from the Volcengine account to Security Center.

    Manage provisioned assets

    After onboarding, apply protection and monitor your Volcengine assets from the Security Center console.

    Host assets

    Go to Assets > Host. In the Add Multi-cloud Asset area, click the image icon to view the list of provisioned Volcengine assets.

    For more information, see Host assets.

    To apply protection to your provisioned hosts:

    1. Install the Security Center client: The default Free Edition provides only basic security checks. To enable advanced detection capabilities, install the Security Center client on your Volcengine hosts. For more information, see Install the client.

    2. Upgrade for advanced protection: To get comprehensive security coverage — including antivirus, vulnerability remediation, and intrusion prevention — attach the Anti-virus Edition or a higher edition to your Volcengine hosts. For more information, see Manage authorizations for hosts and containers.

    Cloud Security Posture Management (CSPM)

    CSPM is available only for assets onboarded using manual configuration. For more information, see View cloud product information.

    In the Security Center console, go to Assets > Cloud Product. In the All Alibaba Cloud Services navigation pane, click Volcengine to view your connected assets.

    The following CSPM features are available for connected Volcengine assets:

    1. Run a configuration risk check: Identify configuration risks in your Volcengine products. For more information, see Set and execute cloud platform configuration risk check policies.

    2. Address risk items: Review and fix failed risk checks to improve the compliance and security of your cloud assets. For more information, see View and address failed cloud platform configuration risk checks.