Cloud security posture management (CSPM) includes cloud service configuration risk check, baseline risk check, and attack path analysis. Activate features based on your business needs.
Authorize access to cloud resources
To use the cloud service configuration risk check of CSPM for the first time, you must authorize Security Center to access your cloud resources.
Log on to the Security Center console. In the upper-left corner of the console, select the region where your assets are located: China or Outside China.
In the left-side navigation pane, choose .
Click Authorize Now.
If you have activated the baseline risk check feature, click Authorize Now on the Cloud Service Configuration Risk tab.
Note: After authorization, Security Center automatically creates the service-linked role AliyunServiceRoleForSasCspm to access and modify cloud service configurations within your account. Security Center ensures secure configuration practices across various aspects, including identity authentication, network access control, data security, log auditing, and basic protection.
After authorization, you can use the free check items of the cloud service configuration assessment.
If you have not enabled pay-as-you-go billing and have not purchased scan quotas for CSPM, the check items that display the Scan button in their Actions column on the Cloud Service Configuration Risk tab are free to use.
Activate baseline check
To activate the baseline check feature, use one of the following methods:
If you have purchased Security Center Advanced, Enterprise, or Ultimate, you can only use the baseline check items included in that edition, even if you also purchased CSPM.
For example, with Security Center Advanced and CSPM, you can only access weak password checks available in the Advanced edition.
| Method | Billing | Edition | Instruction |
| --- | --- | --- | --- |
| Purchase the following editions to access the corresponding check items without additional fees. | Subscription | Advanced, Enterprise, or Ultimate | |
| | Pay-as-you-go | Activate host and container security, and authorize Advanced, Enterprise, or Ultimate | Go to the Security Center buy page, select Billing Method as Pay-as-you-go, select Host and Container Security as Yes. By default, Security Center Enterprise edition will be bound. You can change the bound edition through Quota Management. |
| Purchase CSPM to access all check items. Charges are based on the quotas used for scans, verifications, and successful fixes of baseline checks. | Subscription | Anti-virus or value-added plan | See Subscription in Purchase CSPM below. |
| | Pay-as-you-go | Activate host and container security, and authorize Anti-virus | See Pay-as-you-go in Purchase CSPM below. |
| | | Do not activate host and container security | |
Purchase CSPM
Once CSPM is purchased, you can access all check items for cloud service configuration assessment, baseline risk check, and attack path analysis. Use one of the following methods:
An Alibaba Cloud account can use only one billing method to activate CSPM at a time.
Subscription
Go to the Security Center buy page, set the Billing Method to Subscription, set Cloud Security Posture Management to Yes, and specify Quantity and Duration (in months or years). You can purchase additional features as needed. For more information, see Purchase Security Center.
Scanning, verification, and successful fixes consume quotas. To avoid re-scanning due to insufficient quotas, we recommend purchasing Quotas for CSPM at 20 times the number of your instances. For example, if you have 10 cloud services and each service contains 15 instances that require scanning, purchase:
Scan quotas=10×15×20=3,000
This ensures you can scan all instances efficiently.
If you have purchased an instance with a subscription, go to the Subscription section of the Overview page in the Security Center console, click to purchase the Cloud Security Posture Management feature.
After the feature is activated, you can view the Remaining Quota on the tab.
Pay-as-you-go
Go to the Security Center buy page, set Billing Method to Pay-as-you-go, set Cloud Security Posture Management to Yes, and activate additional features as needed. For more information, see Purchase Security Center.
If you have activated a pay-as-you-go instance, turn on Cloud Security Posture Management in the Pay-as-you-go Feature section of the Overview page in the Security Center console.
After the feature is activated, you can view the Used Quota on the tab.