Before Security Center can scan encrypted disks using agentless detection, you must grant permissions to access encrypted snapshots and images under your account.
Authorize encrypted disk detection
Authorization resources
Agentless detection requires the following resources under your account to access encrypted snapshots and images.
|
Resource name |
Description |
|
|
Encrypted snapshot sharing role. Allows ECS to share encrypted snapshots with Security Center and grants access to KMS keys to decrypt snapshot data. |
|
|
Encrypted image sharing role. Allows ECS to share encrypted images with Security Center and grants access to KMS keys to decrypt image data. |
-
The account must have RAM management permissions (
AliyunRAMFullAccessor equivalent). -
For more information about ECS encrypted resource sharing permissions, see Encryption permissions.
Procedure
Step 1: Create the encrypted snapshot sharing role
-
Log on to the RAM consoleRAM console.
-
In the left-side navigation pane, choose Identities > Roles, and then click Create Role.
-
In the Create Role dialog box, set Trusted Entity Type to Alibaba Cloud Service, and then click Next.
-
Set Trusted Service to Elastic Compute Service, and then click Next.
-
Enter
AliyunECSShareEncryptSnapshotDefaultRoleas the role name, and then click Complete. -
Click Close to return to the role list, then click
AliyunECSShareEncryptSnapshotDefaultRoleto open its details page. -
On the Trust Policy Management tab, click Edit Trust Policy, replace the policy with the following JSON, and click Save.
NoteThe Security Center service provider UID
1699778034952274is pre-filled below. To authorize additional UIDs, add them to the Service array.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "1699778034952274@ecs.aliyuncs.com" ] }, "Action": "sts:AssumeRole" } ] } -
On the Permissions tab, click Grant Permission. Set Permission Type to System Policy, search for
AliyunKMSFullAccess, select it, and click Confirm.
Step 2: Create the encrypted image sharing role
This process mirrors Step 1. The following steps highlight key differences only.
-
Log on to the RAM consoleRAM console.
-
In the left-side navigation pane, choose Identities > Roles, and then click Create Role.
-
In the Create Role dialog box, set Trusted Entity Type to Alibaba Cloud Service, and then click Next.
-
Set Trusted Service to Elastic Compute Service, and then click Next.
-
Enter
AliyunECSShareEncryptImageDefaultRoleas the role name (different from the role name in Step 1), and then click Complete. -
Click Close to return to the role list, then click
AliyunECSShareEncryptImageDefaultRoleto open its details page. -
On the Trust Policy Management tab, click Edit Trust Policy, replace the policy with the following JSON, and click Save.
NoteThe trust policy is identical to Step 1. The service provider UID is also
1699778034952274.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "1699778034952274@ecs.aliyuncs.com" ] }, "Action": "sts:AssumeRole" } ] } -
On the Permissions tab, click Grant Permission. Set Permission Type to System Policy, search for
AliyunKMSFullAccess, select it, and click Confirm.
Step 3: Verify role creation
Go to Identities > Roles and verify that both roles exist:
-
AliyunECSShareEncryptSnapshotDefaultRole -
AliyunECSShareEncryptImageDefaultRole
What's next
After you complete the ECS authorization, Agentless detection user guide to create a detection task. When configuring Scan Scope, select the authorized ECS instances.
FAQ
-
What conditions must be met for encrypted disk detection?
Besides this authorization, the KMS keys used by encrypted disks must grant Security Center access. Verify that both
AliyunECSShareEncryptSnapshotDefaultRoleandAliyunECSShareEncryptImageDefaultRolehave theAliyunKMSFullAccesspolicy attached. -
How long does it take for authorization to take effect?
Authorization takes effect immediately. Refresh the Security Center console to see the updated status.