
Security Center: Onboard Volcengine assets using an AccessKey

Last Updated: Mar 03, 2026

Configure a Volcengine sub-account AccessKey (AK) in Alibaba Cloud Security Center to automatically synchronize your Volcengine host assets into Alibaba Cloud’s security protection system. This topic describes how to onboard Volcengine host assets using an AccessKey. This helps you centrally manage security across multicloud environments and reduces the complexity of multicloud security operations.

Configuration options

Important

All Volcengine console steps in this topic are for reference only. For exact instructions, see the linked Volcengine documentation below.

| Configuration option | Description | Supported features |
| --- | --- | --- |
| Quick configuration | Submit your Volcengine main account AK. Security Center automatically creates a sub-account and completes the provisioning authorization. | Host |
| Manual configuration | Create a sub-account in Volcengine and grant required permissions. Then submit the sub-account’s AK in Security Center to complete authorization. | Host, Cloud Security Posture Management (CSPM) |

Quick configuration

1. Create a main account key

For more information, see API Access Key Management.

  1. Log on to the Volcengine console and go to the API Access Keys page. On the AK Leak Detection page, click Create Key.

  2. In the Create Key dialog box, click Continue and complete identity authentication as prompted.

  3. In the Key Created Successfully dialog box, click Download Credentials.

    Save the AccessKeyId and SecretAccessKey from the downloaded file.

2. Submit the main account AK

  1. Log on to the Security Center console.

  2. In the navigation pane on the left, choose System Settings > Feature Settings. In the top-left corner of the console, select the region where your assets reside: Chinese Mainland or Outside Chinese Mainland.

  3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission and select Volcano Engine from the drop-down list.

    Alternatively, on the Assets > Host page, hover over the image icon in the Add Multi-cloud Asset area, and click Volcano Engine below Add to open the Add Assets Outside Cloud panel.

  4. In the Add Assets Outside Cloud panel, select Quick Configuration and click Next.

  5. On the Submit AccessKey Pair wizard page, enter the obtained AccessKeyId, SecretAccessKey, and account name, then click Next.

    Use a descriptive account name to distinguish assets from different accounts of the same cloud vendor.

3. Complete provisioning policy configuration

  1. In the Add Assets Outside Cloud panel of the Security Center console, configure the region, data synchronization frequency, and other settings for the Volcengine assets to be provisioned in the Policy Configuration wizard, then click OK.

    | Parameter | Description |
    | --- | --- |
    | Select region | Select the region where the assets to be provisioned are located. Security Center provisions the asset data from the current account to the corresponding data management center based on the center you selected in the upper-left corner of the console (China or Outside China). |
    | Region Management | If you select this option, when a new region is added to the current Volcengine account, Security Center automatically provisions the asset data from the new region to the current data management center. If you do not select this option, assets in new regions will not be provisioned to Security Center. |
    | Host Asset Synchronization Frequency | Select the interval at which Security Center automatically syncs Volcengine host assets. Select Close to turn off synchronization. |
    | AK Service Status Check | Select the interval at which Security Center automatically checks the validity of the Volcengine account’s AccessKey. Select Close to turn off the check. |

  2. Click Synchronize Assets to sync all host assets from the Volcengine account to Security Center.

After you configure the provisioning policy, Security Center automatically creates a user with the prefix AlibabaSas_ in the Volcengine console to authorize asset provisioning. Do not delete or disable this user or its key. This will disrupt Volcengine asset provisioning.

4. Delete the main account key

After provisioning completes, delete the main account’s AccessKey from the Volcengine console to secure your main account. For more information, see API Access Key Management.

  1. Log on to the Volcengine console and go to the API Access Keys page. For the AccessKey submitted in Security Center, click Disable in the Actions column.

  2. In the Are you sure that the AccessKey pair is disabled? dialog box, click OK. Complete identity authentication as prompted.

  3. On the AccessKey Leak Detection page, click Delete for the target AccessKey and follow the prompts to complete deletion.

Manual configuration

1. Create a sub-account and get an AK

For more information, see User Management.

  1. Log on to the Volcengine console and go to the Users page. On the Users page, click Add.

  2. On the Create User page, click Create by Username.

  3. On the Create by Username page, enter a Username. Set Access method to Programmatic Access and click Next.

  4. Configure provisioning policies: On the Access Policy tab, select the required permission policies based on the Security Center features you plan to use, then click Next.

    | Feature | Permission policy |
    | --- | --- |
    | Host | IAMReadOnlyAccess, ECSReadOnlyAccess |
    | CSPM | ALBReadOnlyAccess, AdvDefenceReadOnly, CLBReadOnlyAccess, CRReadOnlyAccess, CloudFirewallReadOnlyAccess, CloudIdentityReadOnlyAccess, ECSReadOnlyAccess, HBaseReadOnlyAccess, IAMReadOnlyAccess, KMSReadOnlyAccess, MCDNReadOnlyAccess, MongoDBReadOnlyAccess, NATReadOnlyAccess, RDSMSSQLReadOnlyAccess, RDSMySQLReadOnlyAccess, RDSPGReadOnlyAccess, RedisReadOnlyAccess, SecCenterReadOnlyAccess, TOSReadOnlyAccess, VBHReadOnlyAccess, VKEReadOnlyAccess, VPCReadOnlyAccess, VedbMysqlReadOnlyAccess, VeenReadOnlyAccess, WafReadOnlyAccess, AgentKitReadOnlyAccess, IDReadOnlyAccess, ArkReadOnlyAccess |

    Note

    You can also assign the global read-only policy ReadOnlyAccess to ensure CSPM can detect new assets and properties without manual permission updates.

  5. After confirming user information, click Bind Account and Go to Bind Data Source.

  6. In the User Information section, click Save and Download CSV or the image icon to save the Access Key ID and Secret Access Key.
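Before you submit the sub-account AK, you can check the policies attached to the sub-account against the permission policy table in step 4. The following Python script is an added example, not code from Alibaba Cloud or Volcengine. It assumes you supply the attached policy names yourself; the `audit` function, the name-suffix test for read-only policies, and the sample input are hypothetical.

```python
# Added example (not Alibaba Cloud or Volcengine code): check a sub-account's
# attached policy names against the Feature / Permission policy table above.

REQUIRED = {
    "Host": {"IAMReadOnlyAccess", "ECSReadOnlyAccess"},
    "CSPM": set("""
        ALBReadOnlyAccess AdvDefenceReadOnly CLBReadOnlyAccess CRReadOnlyAccess
        CloudFirewallReadOnlyAccess CloudIdentityReadOnlyAccess ECSReadOnlyAccess
        HBaseReadOnlyAccess IAMReadOnlyAccess KMSReadOnlyAccess MCDNReadOnlyAccess
        MongoDBReadOnlyAccess NATReadOnlyAccess RDSMSSQLReadOnlyAccess
        RDSMySQLReadOnlyAccess RDSPGReadOnlyAccess RedisReadOnlyAccess
        SecCenterReadOnlyAccess TOSReadOnlyAccess VBHReadOnlyAccess VKEReadOnlyAccess
        VPCReadOnlyAccess VedbMysqlReadOnlyAccess VeenReadOnlyAccess WafReadOnlyAccess
        AgentKitReadOnlyAccess IDReadOnlyAccess ArkReadOnlyAccess
    """.split()),
}
GLOBAL_READ_ONLY = "ReadOnlyAccess"  # alternative offered in the Note, for CSPM
# Assumption: a read-only policy is recognisable by its name suffix.
READ_ONLY_SUFFIXES = ("ReadOnlyAccess", "ReadOnly")


def audit(attached, features):
    """Compare attached policy names with what the chosen features require."""
    attached = set(attached)
    needed = set().union(*(REQUIRED[f] for f in features))
    has_global = GLOBAL_READ_ONLY in attached
    # The global read-only policy stands in for every per-service policy.
    missing = set() if has_global else needed - attached
    extra = attached - needed - {GLOBAL_READ_ONLY}
    write_capable = {p for p in extra if not p.endswith(READ_ONLY_SUFFIXES)}
    broader = extra - write_capable
    if has_global and "CSPM" not in features:
        broader.add(GLOBAL_READ_ONLY)  # wider than the Host row asks for
    return {
        "missing": sorted(missing),              # sync or checks would lack access
        "write_capable": sorted(write_capable),  # must not ride on a shared AK
        "broader_than_needed": sorted(broader),  # read-only, but not required
        "ok": not missing and not write_capable,
    }


if __name__ == "__main__":
    # Constructed sample: policy names copied by hand from the user's detail page.
    sample = ["IAMReadOnlyAccess", "VPCReadOnlyAccess", "AdministratorAccess"]
    for key, value in audit(sample, ["Host"]).items():
        print(f"{key}: {value}")
```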

2. Submit the sub-account AK

  1. Log on to the Security Center console.

  2. In the navigation pane on the left, choose System Settings > Feature Settings. In the top-left corner of the console, select the region where your assets reside: Chinese Mainland or Outside Chinese Mainland.

  3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission and select Volcano Engine from the drop-down list.

    Alternatively, on the Assets > Host page, hover over the image icon in the Add Multi-cloud Asset area, and click Volcano Engine below Add to open the Add Assets Outside Cloud panel.

  4. In the Add Assets Outside Cloud panel, keep Manual Configuration selected. In the Permission Description section, select Host and click Next.

  5. On the Submit AccessKey Pair wizard page, enter the obtained sub-account AccessKeyId, SecretAccessKey, and account name, then click Next.

    Use a descriptive account name to distinguish assets from different accounts of the same cloud vendor.

    Important

    Do not delete or disable the sub-account or its AccessKey. This will disrupt provisioning.

3. Complete provisioning policy configuration

  1. In the Add Assets Outside Cloud panel of the Security Center console, configure the region, data synchronization frequency, and other settings for the Volcengine assets to be provisioned in the Policy Configuration wizard, then click OK.

    | Parameter | Description |
    | --- | --- |
    | Select region | Select the region where the assets to be provisioned are located. Security Center provisions the asset data from the current account to the corresponding data management center based on the center you selected in the upper-left corner of the console (China or Outside China). |
    | Region Management | If you select this option, when a new region is added to the current Volcengine account, Security Center automatically provisions the asset data from the new region to the current data management center. If you do not select this option, assets in new regions will not be provisioned to Security Center. |
    | Host Asset Synchronization Frequency | Select the interval at which Security Center automatically syncs Volcengine host assets. Select Close to turn off synchronization. |
    | AK Service Status Check | Select the interval at which Security Center automatically checks the validity of the Volcengine account’s AccessKey. Select Close to turn off the check. |

  2. Click Synchronize Assets to sync all host assets from the Volcengine account to Security Center.

Manage provisioned assets

Host assets

Go to the Assets > Host page. In the Add Multi-cloud Asset area, click the image icon to view the list of provisioned Volcengine assets. Follow these steps to apply advanced protection and management to your provisioned hosts.

Note

For more information, see Host assets.

  1. Install the client: Install the Security Center client on your AWS hosts. When you execute the installation command, set the Service Provider to AWS. For more information, see Install the client.

  2. Upgrade for advanced protection: The default Free Edition provides only basic security checks. To obtain comprehensive security protection (such as antivirus, vulnerability remediation, and intrusion prevention), you must attach a paid edition (Anti-virus Edition or a higher edition) to your AWS hosts. For more information, see Manage Authorizations for Hosts and Containers.

Cloud Security Posture Management (CSPM)

In the Security Center console, go to Assets > Cloud Product. In the All Alibaba Cloud Services navigation pane on the left, click AWS to view your connected AWS assets. The following Cloud Security Posture Management (CSPM) features are available for connected AWS assets:

Note

For more information, see View cloud product information.

  1. Execute a configuration risk check: Identify configuration risks in AWS products. For more information, see Set and execute cloud platform configuration risk check policies.

  2. Address risk items: Review and fix failed risk checks to improve compliance and security of your cloud assets. For more information, see View and address failed cloud platform configuration risk checks.