Cloud Security Posture Management (CSPM) offers features such as cloud service configuration checks, baseline risk checks, and attack path analysis. You can activate these features based on your business requirements.
Authorize access to cloud resources
When you first use the cloud service configuration check feature of CSPM, you must authorize Security Center to access your cloud resources.
Log on to the Security Center console.
In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where your assets reside: Chinese Mainland or Outside Chinese Mainland.
Click Authorize Now.
If you have activated the Baseline risk check feature, on the Cloud Service Configuration Risk tab, click Authorize Now.
NoteAfter you grant these permissions, Security Center automatically creates the AliyunServiceRoleForSasCspm service-linked role to access and edit your account's cloud product configurations. This role applies security best practices for identity authentication, network access control, data security, log auditing, and basic security protection. For more information about the AliyunServiceRoleForSasCspm role, see Service-linked roles for Security Center.
After you grant these permissions, you can use the free check items included with the cloud service configuration check feature to check your cloud product configurations.
For example, if you have not activated the pay-as-you-go billing method and have not purchased a scan quota for CSPM, you can view the check items that have a Scan button in the Actions column on the Cloud Service Configuration Risk tab. These are the free check items.
Activate baseline check
To activate the baseline risk check feature, choose a billing method from the table below, based on the feature's capabilities and the billing rules of Security Center.
If you subscribe to the Advanced, Enterprise, or Ultimate Edition of Security Center, you can only use the baseline check items included with your edition, even if you also purchase paid CSPM features.
For example, if you have purchased the Advanced Edition of Security Center and also purchased the paid features of CSPM, you can only use the Weak password check item.
Billing rules | Billing Method | Edition | Procedure |
After you purchase one of the following editions, you can use the corresponding Baseline risk check feature at no extra cost.
| Subscription | Advanced, Enterprise, or Ultimate Edition |
|
Pay-as-you-go | Enterprise Edition (by default) when you enable Host and Container Security. | Go to the buy page of Security Center, set Billing Method to Pay-as-you-go, and select Yes for Host and Container Security. By default, this binds the features of the Enterprise Edition. For more information, see Purchase Security Center. You can use the Quota Management feature to change the protection edition for your hosts and containers. For more information, see Manage the quota for Host and Container Security. | |
After you purchase the paid features of CSPM, you can use the Baseline risk check feature and all of its check items. This feature is billed based on the quota consumed by scans, verifications, and successful remediations for baseline risk checks. | Subscription | Anti-Virus Edition or purchase only value-added services | For more information, see the Subscription mode section in Activate Paid Features of CSPM below. |
Pay-as-you-go | Activate Host and Container Security and authorize the Anti-Virus Edition. | For more information, see the Pay-as-you-go mode section in Activate Paid Features of CSPM below. | |
Do not activate Host and Container Security |
Activate paid features of CSPM
Activate the paid features of CSPM using one of the following methods. After activation, you can use all check items for cloud service configuration check, Baseline risk check, and the Attack path analysis feature.
You can only use one billing method per Alibaba Cloud account at a time to activate CSPM features.
Subscription
Go to the buy page of Security Center, set Billing Method to Subscription, select Yes for CSPM, and set the Quantity and Subscription Duration (in months or years). Purchase other features as needed. For more information, see Purchase Security Center.
Scans, verifications, and successful remediations all consume quota. To avoid re-scans due to insufficient quota, purchase a quota for CSPM that is 20 times the number of your instances. For example, if you have 10 cloud products, each containing 15 instances, and all need to be scanned, we recommend you purchase a scan quota of 10 × 15 × 20 = 3,000.
If you already have a subscription, go to the Subscription section on the Overview page in the Security Center console. Then, click to purchase the CSPM feature.
Pay-as-you-go
Go to the buy page of Security Center, set Billing Method to Pay-as-you-go, and select Yes for CSPM. Activate other features as needed. For more information, see Purchase Security Center.
If you already use pay-as-you-go, go to the Pay-as-you-go section on the Overview page in the Security Center console and enable the CSPM feature.
What to do next
To use the cloud service configuration check feature, see cloud service configuration check Cloud service configuration check.
To use the Baseline risk check feature, see Baseline risk check.
To use the Attack path analysis feature, see Attack path analysis.