All Products
Search
Document Center

Security Center:Authorize Agentless detection for ECS encrypted disks

Last Updated:Jun 02, 2026

Before Security Center can scan encrypted disks using agentless detection, you must grant permissions to access encrypted snapshots and images under your account.

Authorize encrypted disk detection

Authorization resources

Agentless detection requires the following resources under your account to access encrypted snapshots and images.

Resource name

Description

AliyunECSShareEncryptSnapshotDefaultRole

Encrypted snapshot sharing role. Allows ECS to share encrypted snapshots with Security Center and grants access to KMS keys to decrypt snapshot data.

AliyunECSShareEncryptImageDefaultRole

Encrypted image sharing role. Allows ECS to share encrypted images with Security Center and grants access to KMS keys to decrypt image data.

Note
  • The account must have RAM management permissions (AliyunRAMFullAccess or equivalent).

  • For more information about ECS encrypted resource sharing permissions, see Encryption permissions.

Procedure

Step 1: Create the encrypted snapshot sharing role
  1. Log on to the RAM consoleRAM console.

  2. In the left-side navigation pane, choose Identities > Roles, and then click Create Role.

  3. In the Create Role dialog box, set Trusted Entity Type to Alibaba Cloud Service, and then click Next.

  4. Set Trusted Service to Elastic Compute Service, and then click Next.

  5. Enter AliyunECSShareEncryptSnapshotDefaultRole as the role name, and then click Complete.

  6. Click Close to return to the role list, then click AliyunECSShareEncryptSnapshotDefaultRole to open its details page.

  7. On the Trust Policy Management tab, click Edit Trust Policy, replace the policy with the following JSON, and click Save.

    Note

    The Security Center service provider UID 1699778034952274 is pre-filled below. To authorize additional UIDs, add them to the Service array.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "1699778034952274@ecs.aliyuncs.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  8. On the Permissions tab, click Grant Permission. Set Permission Type to System Policy, search for AliyunKMSFullAccess, select it, and click Confirm.

Step 2: Create the encrypted image sharing role

This process mirrors Step 1. The following steps highlight key differences only.

  1. Log on to the RAM consoleRAM console.

  2. In the left-side navigation pane, choose Identities > Roles, and then click Create Role.

  3. In the Create Role dialog box, set Trusted Entity Type to Alibaba Cloud Service, and then click Next.

  4. Set Trusted Service to Elastic Compute Service, and then click Next.

  5. Enter AliyunECSShareEncryptImageDefaultRole as the role name (different from the role name in Step 1), and then click Complete.

  6. Click Close to return to the role list, then click AliyunECSShareEncryptImageDefaultRole to open its details page.

  7. On the Trust Policy Management tab, click Edit Trust Policy, replace the policy with the following JSON, and click Save.

    Note

    The trust policy is identical to Step 1. The service provider UID is also 1699778034952274.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "1699778034952274@ecs.aliyuncs.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  8. On the Permissions tab, click Grant Permission. Set Permission Type to System Policy, search for AliyunKMSFullAccess, select it, and click Confirm.

Step 3: Verify role creation

Go to Identities > Roles and verify that both roles exist:

  • AliyunECSShareEncryptSnapshotDefaultRole

  • AliyunECSShareEncryptImageDefaultRole

What's next

After you complete the ECS authorization, Agentless detection user guide to create a detection task. When configuring Scan Scope, select the authorized ECS instances.

FAQ

  • What conditions must be met for encrypted disk detection?

    Besides this authorization, the KMS keys used by encrypted disks must grant Security Center access. Verify that both AliyunECSShareEncryptSnapshotDefaultRole and AliyunECSShareEncryptImageDefaultRole have the AliyunKMSFullAccess policy attached.

  • How long does it take for authorization to take effect?

    Authorization takes effect immediately. Refresh the Security Center console to see the updated status.