You can configure an AccessKey pair (AK) from your Huawei Cloud account in Alibaba Cloud Security Center. This allows Security Center to access Huawei Cloud APIs and retrieve asset information. You can then provision Huawei Cloud resources, such as hosts and cloud products, into Security Center for protection. This topic describes how to provision Huawei Cloud assets using an AccessKey pair. This method helps you centralize the security management of your multicloud assets and reduces the complexity of managing security in a multicloud environment.
Configuration options and supported features
Configuration option | Description | Supported features |
Manual configuration | Create a Huawei Cloud IAM user and grant permissions. Then, submit the IAM user's AccessKey pair in Security Center to complete the authorization. | Host assets, Cloud Security Posture Management, Agentic SOC |
Quick configuration | Submit the AccessKey pair of your Huawei Cloud root account. Security Center then automatically creates a Huawei Cloud IAM user and completes the authorization. | Host assets |
The steps for the Huawei Cloud console described in this topic are for reference only. For detailed instructions, see the Huawei Cloud documentation that is linked in this topic.
Manual configuration
1. Create a user group and grant permissions
For more information, see Create a user group and grant permissions.
Log on to the Huawei Cloud console and go to the User Groups page. In the upper-right corner of the User Groups page, click Create User Group.
On the Create User Group page, enter a user group name and a description, and click OK.
On the User Group page, click Authorize in the Actions column for the new user group.
Configure the required permissions for the features you need, and then click Next.
Host assets:
ECS ReadOnlyAccess: Grants read-only access permissions for Elastic Cloud Server.
IAM ReadOnlyAccess: Grants read-only permissions for Identity and Access Management (IAM).
Cloud Security Posture Management:
Tenant Guest: Grants read-only permissions for all cloud services except for IAM.
IAM ReadOnlyAccess: Grants read-only permissions for IAM.
Agentic SOC: Click Create Policy to create two custom policies named siemBasePolicy and siemNormalPolicy. Then, grant the policies to the current user group. For more information, see Create a Custom Policy.
Note: When you create a custom policy in Huawei Cloud, you must create a global-level policy and a project-level policy. This lets you grant the minimum required permissions.
In the Select Authorization Scope section, select All Resources and click OK.
2. Create an IAM user and obtain an AccessKey pair
For more information, see Create an IAM User.
In the Huawei Cloud console, go to the Users page. On the Users page, click Create User in the upper-right corner.
On the create user page, enter a username, set Access Type to Programmatic access, and click Next.

On the Add To Group (Optional) wizard page, select the user group you created in the previous step and click Create User.
In the Download Access Key dialog box, click OK.
Obtain the Access Key ID and Secret Access Key from the credentials file.
3. Select permission descriptions and submit the IAM user's AccessKey pair
Log on to the Security Center console.
In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where the assets that you want to protect are located: Chinese Mainland or Outside Chinese Mainland.
On the tab, click Grant Permission and select Huawei Cloud from the drop-down list.
You can also open the Provision Assets Outside Alibaba Cloud panel from the following entry points:
On the page, in the Add Multi-cloud Asset area and under Huawei Cloud, hover over the icon and click Add.
On the page, on the Cloud Service Configuration Risk tab, hover over the icon in the Multi-cloud Service Integration area, and click Add under Huawei Cloud.
On the page, in the Multi-cloud Service Access area, hover over the icon and click Add under Huawei Cloud.
In the Add Assets Outside Cloud panel, keep Manual Configuration selected. In the Permission Description section, select the Security Center features that you want to use and click Next.
Host Assets: Select this configuration item to allow Security Center to automatically synchronize your Huawei Cloud host assets. Selecting this item requires you to grant read permissions for cloud servers to the IAM user in the next step.
CSPM: Select this configuration item to scan your Huawei Cloud product configurations and manage configuration risks.
Agentic SOC: Select this configuration item to block malicious IP addresses and perform other response operations on your Huawei Cloud assets.
In the Submit AccessKey Pair wizard, enter the AccessKey ID and AccessKey secret of the IAM user and click Next.
The account name distinguishes assets of different accounts from the same cloud service provider. Specify a descriptive name based on the purpose of the account.
Important: Do not delete or disable the IAM user or its AccessKey pair. This ensures that the provisioning process is not interrupted.
4. Complete the provisioning policy configuration
In the Policy Configuration wizard on the Add Assets Outside Cloud panel in the Security Center console, configure parameters such as the region for the Huawei Cloud assets and the data synchronization frequency. Then, click OK.
Configuration item | Description |
Select region | Select the region where the assets that you want to provision reside. Security Center provisions the asset data of the current account to the corresponding data center based on the data center (Chinese Mainland or Outside Chinese Mainland) that you selected in the upper-left corner of the console. |
Region Management | If you select this option and a new region is added to the current Huawei Cloud account, Security Center provisions the asset data of the new region to the current data center by default. If you do not select this option, new regions are not provisioned to Security Center. |
Host Asset Synchronization Frequency | Select the interval at which Security Center automatically synchronizes Huawei Cloud host assets. Select Disable to disable synchronization. Note: You must configure this parameter if you select Host Assets for Permission Description. |
Cloud Service Synchronization Frequency | Select the interval at which Security Center automatically synchronizes Huawei Cloud cloud products. Select Disable to disable synchronization. Note: You must configure this parameter if you select CSPM for Permission Description. |
AK Service Status Check | Select the interval at which Security Center automatically checks the validity of the AccessKey pair of the Huawei Cloud account. Select Disable to disable the check. |
Click Synchronize Assets to sync all assets from the Huawei Cloud account to Security Center.
Quick configuration (for host assets only)
1. Create an AccessKey pair for the root account
For more information, see Creating an Access Key.
Log on to the Huawei Cloud console and go to the Access Keys page.
Click Add Access Key. In the dialog box, select I understand the risks and still want to create access keys for my account. and click Create.

Click Download Now in the Creation Successful dialog box.
Retrieve the Access Key ID and Secret Access Key from the credentials file.
2. Submit the root account's AccessKey pair
Log on to the Security Center console.
In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where the assets that you want to protect are located: China or Outside China.
On the tab, click Grant Permission and select Huawei Cloud from the drop-down list.
You can also open the Provision Assets Outside Alibaba Cloud panel from the following entry points:
On the page, in the Add Multi-cloud Asset area and under Huawei Cloud, hover over the icon and click Add.
On the page, on the Cloud Service Configuration Risk tab, hover over the icon in the Multi-cloud Service Integration area, and click Add under Huawei Cloud.
On the page, in the Multi-cloud Service Access area, hover over the icon and click Add under Huawei Cloud.
In the Provision Assets Outside Alibaba Cloud panel, select Quick Configuration and click Next.
In the Submit AccessKey Pair wizard, enter the AccessKey ID, AccessKey secret, and account name, and then click Next.
The account name distinguishes assets of different accounts from the same cloud service provider. Specify a descriptive name based on the purpose of the account.
After you complete these steps, Security Center automatically creates a user and a user group with the prefix AlibabaCloudGroup_ in the Huawei Cloud console. This user and user group are used to authorize Security Center to provision assets. Do not delete or disable the user or its AccessKey pair. This prevents the provisioning of Huawei Cloud assets from being disrupted.

3. Complete the provisioning policy configuration
In the Policy Configuration wizard of the Add Assets Outside Cloud panel in the Security Center console, configure parameters such as the Huawei Cloud asset region and the data synchronization frequency, and then click OK.
Configuration item | Description |
Select region | Select the region where the assets that you want to provision reside. Security Center provisions the asset data of the current account to the corresponding data center based on the data center (Chinese Mainland or Outside Chinese Mainland) that you selected in the upper-left corner of the console. |
Region Management | If you select this option and a new region is added to the current Huawei Cloud account, Security Center provisions the asset data of the new region to the current data center by default. If you do not select this option, new regions are not provisioned to Security Center. |
Host Asset Synchronization Frequency | Select the interval at which Security Center automatically synchronizes Huawei Cloud host assets. Select Disable to disable synchronization. |
AK Service Status Check | Select the interval at which Security Center automatically checks the validity of the Huawei Cloud IAM user's AccessKey pair. Select Disable to disable the check. |
Click Synchronize Assets to sync all host assets from your Huawei Cloud account to Security Center.
4. Delete the root account's AccessKey pair
For more information, see Deleting an Access Key.
Log on to the Huawei Cloud console and go to the Access Keys page.
Click Disable in the Actions column for the AccessKey pair. In the dialog box that appears, click Yes.
Click Delete in the Actions column for the AccessKey pair. In the dialog box that appears, click Yes.
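The following added example is not part of the Alibaba Cloud or Huawei Cloud documentation. It audits an IAM inventory against the two points this topic makes about credentials: the user group should carry only the policies listed in "Create a user group and grant permissions" for the selected features, and the root account's AccessKey pair should be gone after quick configuration while the IAM user's key stays active. The inventory layout, the owner labels, and all sample values are constructed assumptions; only the policy names come from this topic.

```python
# Policies this topic lists for each Security Center feature.
REQUIRED = {
    "host_assets": {"ECS ReadOnlyAccess", "IAM ReadOnlyAccess"},
    "cspm": {"Tenant Guest", "IAM ReadOnlyAccess"},
    "agentic_soc": {"siemBasePolicy", "siemNormalPolicy"},
}

def audit(inventory, features):
    """Return findings for the integration user group and its access keys."""
    findings = []
    needed = set().union(*(REQUIRED[f] for f in features))
    granted = set(inventory["group_policies"])
    # Missing policies break synchronization; extra ones exceed least privilege.
    for policy in sorted(needed - granted):
        findings.append(f"missing policy: {policy}")
    for policy in sorted(granted - needed):
        findings.append(f"excess policy: {policy}")
    for key in inventory["access_keys"]:
        if key["owner"] == "root":
            # Quick configuration, step 4: disable, then delete, the root key.
            findings.append(f"root access key still present: {key['id']}")
        elif key["owner"] == "integration" and key["status"] != "active":
            # A disabled IAM user key interrupts provisioning.
            findings.append(f"integration key not active: {key['id']}")
    return findings

# Constructed sample inventory (hypothetical format, not an API response).
SAMPLE = {
    "group_policies": ["ECS ReadOnlyAccess", "IAM ReadOnlyAccess",
                       "Tenant Administrator"],
    "access_keys": [
        {"id": "AK-ROOT-EXAMPLE", "owner": "root", "status": "active"},
        {"id": "AK-INTEGRATION-EXAMPLE", "owner": "integration",
         "status": "inactive"},
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["host_assets", "cspm"]):
        print(finding)
```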
Verify the results
Host assets
In the Security Center console, go to the page. In the Multicloud Asset Provisioning section, click the icon to view the provisioned Huawei Cloud hosts. For more information, see Host assets.
Cloud Security Posture Management
In the Security Center console, go to the page to view the list of Huawei Cloud products that are provisioned using the IAM user. For more information, see View information about cloud products.
Agentic SOC
In the Security Center console, go to the page and click the Multi-cloud Configuration Management tab to view the service status of Agentic SOC. If the service status is Normal, the provisioning is successful.
What to do next
Install the agent on host assets and bind a license
Install the Security Center agent on your Huawei Cloud assets. For more information, see Install the agent.
Important: When you run the agent installation command, you must set Service Provider to Huawei Cloud.
The Free Edition provides only basic threat detection and does not provide security protection. You can bind a paid edition of Security Center, such as the Anti-Virus, Premium, Enterprise, or Ultimate edition, to your provisioned Huawei Cloud servers to use the security protection features that Security Center provides. For more information, see Manage licenses for hosts and containers.
Run a check for Cloud Security Posture Management
You can configure and run a check policy for cloud platform configuration risks to check for configuration risks in your Huawei Cloud products.
You can view and handle failed check items for cloud platform configuration risks.
Ingest logs into Agentic SOC
You must ingest the logs of Huawei Cloud Web Application Firewall and Cloud Firewall to use the features of Agentic SOC, such as threat detection and security event handling. The following steps describe how to ingest logs:
Ingest Huawei Cloud logs into Agentic SOC.
You can use features of Agentic SOC, such as threat detection and security event handling.
References
For more information about Cloud Security Posture Management, see Overview of Cloud Security Posture Management.
For more information about Agentic SOC, see What is Agentic SOC?.