Security Center uses a Huawei Cloud IAM user's AccessKey pair to access Huawei Cloud APIs, retrieve asset information, and provision host assets and cloud products for protection. This topic describes how to complete the authorization through two methods: manual configuration and quick configuration.
The Huawei Cloud console steps in this topic are for reference only. For detailed instructions, see the linked Huawei Cloud documentation.
Prerequisites
Before you begin, make sure you have:
An Alibaba Cloud account with access to the Security Center console
A Huawei Cloud account with permission to create IAM users and user groups
(For Agentic SOC) Permission to create custom IAM policies in Huawei Cloud
Choose a configuration method
| Method | Supported features | When to use |
|---|---|---|
| Manual configuration | Host assets, Cloud Security Posture Management (CSPM), Agentic SOC (1.0 only) | Use when you need CSPM or Agentic SOC, or when your security policy requires a dedicated IAM user with minimum required permissions |
| Quick configuration | Host assets only | Use for fast setup when you only need host asset protection — Security Center creates the IAM user automatically |
Agentic SOC support applies only to Agentic SOC 1.0 architecture, not 2.0.
Manual configuration
Manual configuration requires you to create a dedicated Huawei Cloud IAM user, grant the required permissions, and submit the IAM user's AccessKey pair to Security Center.
Step 1: Create a user group and grant permissions
For details, see creating a user group and granting permissions in the Huawei Cloud documentation.
Log in to the Huawei Cloud console and go to the User Groups page. Click Create User Group in the upper-right corner.
Enter a user group name and description, then click OK.
On the User Group page, click Authorize in the Actions column for the new user group.
Grant permissions based on the Security Center features you need, then click Next.
Host assets:
ECS ReadOnlyAccess — read-only access to Elastic Cloud Server
IAM ReadOnlyAccess — read-only access to Identity and Access Management (IAM)
Cloud Security Posture Management:
Tenant Guest — read-only access to all cloud services except IAM
IAM ReadOnlyAccess — read-only access to IAM
Agentic SOC: Click Create Policy to create two custom policies named siemBasePolicy and siemNormalPolicy, then grant both policies to the user group. For details, see creating a custom policy in the Huawei Cloud documentation.
Huawei Cloud requires two separate custom policies for Agentic SOC: a global-level policy and a project-level policy. This ensures minimum required permissions.
siemBasePolicy (global-level):
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:roles:listRoles",
        "iam:roles:getRole",
        "iam:groups:listGroupsForUser",
        "iam:groups:listGroups",
        "iam:users:getUser",
        "iam:groups:getGroup"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "rms:resources:list",
        "rms:resources:summarize"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "obs:object:GetObject",
        "obs:bucket:GetBucketLocation",
        "obs:bucket:HeadBucket",
        "obs:object:GetObjectVersionAcl",
        "obs:bucket:ListAllMyBuckets",
        "obs:bucket:ListBucket",
        "obs:object:GetObjectVersion",
        "obs:object:GetObjectAcl"
      ]
    }
  ]
}
```
siemNormalPolicy (project-level):
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cfw:ipGroup:list",
        "cfw:acl:list",
        "cfw:ipMember:put",
        "cfw:ipMember:create",
        "cfw:ipGroup:create",
        "cfw:instance:get",
        "cfw:ipGroup:put",
        "cfw:ipMember:list",
        "cfw:ipGroup:get",
        "cfw:ipMember:delete"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "waf:whiteBlackIpRule:list",
        "waf:whiteBlackIpRule:put",
        "waf:ipgroup:get",
        "waf:whiteBlackIpRule:get",
        "waf:ipgroup:list",
        "waf:whiteBlackIpRule:create",
        "waf:whiteBlackIpRule:delete"
      ]
    }
  ]
}
```
In the Select Authorization Scope section, select All Resources and click OK.
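A drift check for the two custom policies above, as an added example that is not part of the original page or of Security Center: it compares an exported policy document with the action lists shown here, flags wildcards and extra or missing actions, and lists the write-capable actions the policy grants. The function name `audit_policy`, the verb-prefix heuristic, and the drifted sample policy are assumptions made for illustration.

```python
import json

# Allow-lists copied from the two policy documents on this page.
EXPECTED = {
    "siemBasePolicy": set("""
        iam:roles:listRoles iam:roles:getRole iam:groups:listGroupsForUser
        iam:groups:listGroups iam:users:getUser iam:groups:getGroup
        rms:resources:list rms:resources:summarize
        obs:object:GetObject obs:bucket:GetBucketLocation obs:bucket:HeadBucket
        obs:object:GetObjectVersionAcl obs:bucket:ListAllMyBuckets obs:bucket:ListBucket
        obs:object:GetObjectVersion obs:object:GetObjectAcl""".split()),
    "siemNormalPolicy": set("""
        cfw:ipGroup:list cfw:acl:list cfw:ipMember:put cfw:ipMember:create
        cfw:ipGroup:create cfw:instance:get cfw:ipGroup:put cfw:ipMember:list
        cfw:ipGroup:get cfw:ipMember:delete
        waf:whiteBlackIpRule:list waf:whiteBlackIpRule:put waf:ipgroup:get
        waf:whiteBlackIpRule:get waf:ipgroup:list waf:whiteBlackIpRule:create
        waf:whiteBlackIpRule:delete""".split()),
}
# Verb prefixes treated as write-capable (an assumption of this example).
MUTATING = ("put", "create", "delete", "update")

def audit_policy(name, policy_json):
    """Compare an exported policy document with the page's allow-list for `name`."""
    policy = json.loads(policy_json)
    granted, findings = set(), []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # tolerate a single action given as a string
            actions = [actions]
        for action in actions:
            if "*" in action:
                findings.append(f"wildcard: {action}")
            granted.add(action)
    exact = {a for a in granted if "*" not in a}
    findings += [f"unexpected: {a}" for a in sorted(exact - EXPECTED[name])]
    findings += [f"missing: {a}" for a in sorted(EXPECTED[name] - granted)]
    writes = sorted(a for a in exact if a.rsplit(":", 1)[-1].lower().startswith(MUTATING))
    return {"findings": findings, "write_actions": writes}

# Constructed sample: siemNormalPolicy with one action dropped, a wildcard added,
# and a made-up extra action ("example:thing:delete" is not a real Huawei Cloud action).
DRIFTED = json.dumps({"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": sorted(
    EXPECTED["siemNormalPolicy"] - {"cfw:acl:list"}) + ["cfw:*:*", "example:thing:delete"]}]})

if __name__ == "__main__":
    print(json.dumps(audit_policy("siemNormalPolicy", DRIFTED), indent=2))
```

An unmodified siemBasePolicy returns no findings and no write actions; an unmodified siemNormalPolicy returns no findings and the eight Cloud Firewall and WAF actions that let Agentic SOC change IP groups and blacklist rules.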
Step 2: Create an IAM user and get an AccessKey pair
For details, see creating an IAM user in the Huawei Cloud documentation.
In the Huawei Cloud console, go to the Users page and click Create User in the upper-right corner.
Enter a username, set Access Type to Programmatic access, and click Next.

On the Add To Group (Optional) page, select the user group you created in the previous step and click Create User.
In the Download Access Key dialog box, click OK. Retrieve the AccessKey ID and AccessKey secret from the downloaded credentials file.
Step 3: Submit the IAM user's AccessKey pair to Security Center
Log in to the Security Center console.
In the left navigation pane, choose System Settings > Feature Settings. In the upper-left corner, select the data center where your assets reside: Chinese Mainland or Outside Chinese Mainland.
On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission and select Huawei Cloud from the drop-down list. Alternatively, open the Provision Assets Outside Alibaba Cloud panel from:
Assets > Host page: in the Add Multi-cloud Asset area, hover over the icon under Huawei Cloud and click Add.
Risk Governance > CSPM page: on the Cloud Service Configuration Risk tab, hover over the icon in the Multi-cloud Service Integration area and click Add under Huawei Cloud.
Agentic SOC > Integration Center page: in the Multi-cloud Service Access area, hover over the icon and click Add under Huawei Cloud.
In the Add Assets Outside Cloud panel, keep Manual Configuration selected. In the Permission Description section, select the features you want to enable and click Next.
| Feature | What it enables |
|---|---|
| Host assets | Security Center automatically syncs your Huawei Cloud host assets. Requires read permissions for cloud servers on the IAM user. |
| CSPM | Security Center scans your Huawei Cloud product configurations and identifies configuration risks. |
| Agentic SOC | Security Center can block malicious IP addresses and perform response operations on your Huawei Cloud assets. |

In the Submit AccessKey Pair wizard, enter the AccessKey ID and AccessKey secret of the IAM user, specify an account name, and click Next. The account name distinguishes assets from different accounts of the same cloud provider. Use a descriptive name based on the account's purpose.
Important: Do not delete or disable the IAM user or its AccessKey pair. Doing so interrupts the provisioning process.
Step 4: Configure the provisioning policy
In the Policy Configuration wizard, configure the following parameters and click OK.
| Parameter | Description |
|---|---|
| Select region | Select the Huawei Cloud regions where your assets reside. Security Center provisions asset data to the data center (Chinese Mainland or Outside Chinese Mainland) you selected in the upper-left corner of the console. |
| Region Management | If enabled, Security Center automatically provisions asset data from any new Huawei Cloud regions added to your account. If disabled, new regions are not provisioned. |
| Host Asset Synchronization Frequency | Set the interval for Security Center to automatically sync Huawei Cloud host assets. Select Disable to turn off sync. Required if you selected Host assets in the Permission Description. |
| Cloud Service Synchronization Frequency | Set the interval for Security Center to automatically sync Huawei Cloud products. Select Disable to turn off sync. Required if you selected CSPM in the Permission Description. |
| AK Service Status Check | Set the interval for Security Center to check the validity of the AccessKey pair. Select Disable to turn off the check. |

Click Synchronize Assets to immediately sync all assets from your Huawei Cloud account to Security Center.
Quick configuration
Quick configuration is for host assets only. Submit your Huawei Cloud root account's AccessKey pair, and Security Center automatically creates a dedicated IAM user with the required permissions.
Step 1: Create an AccessKey pair for the root account
For details, see Creating an Access Key in the Huawei Cloud documentation.
Log in to the Huawei Cloud console and go to the Access Keys page.
Click Add Access Key. In the dialog box, select I understand the risks and still want to create access keys for my account. and click Create.

Click Download Now in the Creation Successful dialog box. Retrieve the AccessKey ID and AccessKey secret from the downloaded credentials file.
Step 2: Submit the root account's AccessKey pair
Log in to the Security Center console.
In the left navigation pane, choose System Settings > Feature Settings. In the upper-left corner, select the data center where your assets reside: China or Outside China.
On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission and select Huawei Cloud from the drop-down list. Alternatively, open the panel from:
Assets > Host page: in the Add Multi-cloud Asset area, hover over the icon under Huawei Cloud and click Add.
Risk Governance > CSPM page: on the Cloud Service Configuration Risk tab, hover over the icon in the Multi-cloud Service Integration area and click Add under Huawei Cloud.
Agentic SOC > Integration Center page: in the Multi-cloud Service Access area, hover over the icon and click Add under Huawei Cloud.
In the Provision Assets Outside Alibaba Cloud panel, select Quick Configuration and click Next.
In the Submit AccessKey Pair wizard, enter the AccessKey ID, AccessKey secret, and account name, then click Next. The account name distinguishes assets from different accounts of the same cloud provider.
After these steps complete, Security Center automatically creates a user and user group prefixed with AlibabaCloudGroup_ in the Huawei Cloud console. Do not delete or disable this user or its AccessKey pair — doing so interrupts provisioning.

Step 3: Configure the provisioning policy
In the Policy Configuration wizard, configure the following parameters and click OK.
| Parameter | Description |
|---|---|
| Select region | Select the Huawei Cloud regions where your assets reside. Security Center provisions asset data to the data center (Chinese Mainland or Outside Chinese Mainland) you selected in the upper-left corner of the console. |
| Region Management | If enabled, Security Center automatically provisions asset data from any new Huawei Cloud regions added to your account. If disabled, new regions are not provisioned. |
| Host Asset Synchronization Frequency | Set the interval for Security Center to automatically sync Huawei Cloud host assets. Select Disable to turn off sync. |
| AK Service Status Check | Set the interval for Security Center to check the validity of the Huawei Cloud IAM user's AccessKey pair. Select Disable to turn off the check. |

Click Synchronize Assets to immediately sync all host assets from your Huawei Cloud account to Security Center.
Step 4: Delete the root account's AccessKey pair
For details, see Deleting an Access Key in the Huawei Cloud documentation.
Log in to the Huawei Cloud console and go to the Access Keys page.
Click Disable in the Actions column for the AccessKey pair. Click Yes to confirm.
Click Delete in the Actions column. Click Yes to confirm.
Verify the results
Host assets
Go to Assets > Host in the Security Center console. In the Multicloud Asset Provisioning section, click the icon to view provisioned Huawei Cloud hosts. For more information, see Host assets.
Cloud Security Posture Management
Go to Assets > Cloud Product in the Security Center console to view the list of Huawei Cloud products provisioned using the IAM user. For more information, see View information about cloud products.
Agentic SOC
Go to System Settings > Feature Settings in the Security Center console and click the Multi-cloud Configuration Management tab. If the Agentic SOC service status shows Normal, provisioning is successful.

What's next
Install the agent on host assets
Install the Security Center agent on your Huawei Cloud hosts. For details, see Install the agent.
Important: When running the agent installation command, set Service Provider to Huawei Cloud.
Bind a paid Security Center edition (Anti-Virus, Premium, Enterprise, or Ultimate) to your provisioned Huawei Cloud hosts to access protection features. The Free Edition provides only basic threat detection. For details, see Manage licenses for hosts and containers.
Run a CSPM check
Configure and run a check policy for cloud platform configuration risks to scan your Huawei Cloud products.
View and handle failed check items to remediate configuration risks.
Ingest logs into Agentic SOC
To use Agentic SOC features such as threat detection and security event handling, ingest logs from Huawei Cloud Web Application Firewall (WAF) and Cloud Firewall: