Configuration assessment - Security Center - Alibaba Cloud Documentation Center

Security Center provides the configuration assessment feature to prevent cloud services from being attacked due to configuration errors and misoperations. You can use the feature to check whether risks and errors exist in the configurations of your cloud services from multiple dimensions. This helps reduce risks that are caused by configuration errors and improve the security of your cloud services. This topic describes how to use the configuration assessment feature.

Background information

Security Center allows you to check whether risks and errors exist in the configurations of your cloud services from the following dimensions: cloud infrastructure entitlements management (CIEM), security risk management, and compliance risk management. The check results are classified and displayed by risk level to help you understand the configuration risks of your cloud services. Security Center also provides optimization suggestions for and solutions to each risk item to help you better manage cloud resources and ensure the security of the running environment of your cloud services.

The following table describes the dimensions from which you can check the configurations of your cloud services.

Check dimension	Description
CIEM	CIEM is a service that integrates cloud security assessment and authorization management to manage the permissions to use and access cloud platforms. Security Center manages identities and permissions on cloud platforms based on CIEM. You can check whether issues exist, such as excessive authorization and password expiration. This helps identify and resolve issues related to permission management at the earliest opportunity and improve the security and reliability of cloud platforms.
Security risk management	Alibaba Cloud best security practices are security measures and solutions that are accumulated by the Alibaba Cloud security team over the years to maximize the security of your data and business. Security Center checks the security configurations, code vulnerabilities, and logging configurations of business systems and identifies potential configuration errors on cloud platforms based on Alibaba Cloud best security practices. This maximizes the security of your data and business.
Compliance risk management	Center for Internet Security (CIS) benchmarks are internationally recognized as security standards for defending IT systems and data against cyberattacks. Security Center checks and manages the compliance risks of cloud platforms in a comprehensive manner and identifies weak configurations that do not meet CIS benchmarks. This helps handle the weak configurations at the earliest opportunity and maximize the security of your data and business.

Billing

Starting July 07, 2023, before you can use the configuration assessment feature, you must configure the Quota for Configuration Assessment parameter when you purchase Security Center. The following table describes the billing details.

Item	Description
Billing formula	You are charged based on the number of times that each check item is used to scan each cloud service instance. Billing formula: Configuration assessment fee = Unit price × Quota for configuration assessment × Subscription duration. Note A cloud service instance refers to the instance of a specific application or network device, such as an Object Storage Service (OSS) bucket or an Elastic Compute Service (ECS) security group. Unit price: USD 0.002 time-month for each check item on each cloud service instance. The minimum quota that you can purchase is 1,000. Quota for configuration assessment: the number of times that each check item is used to scan each cloud service instance. We recommend that you purchase a quota that is 20 times the number of cloud service instances. If the quota is insufficient, you must re-scan the instances. For example, if you have a total of 10 cloud services and each cloud service has 15 instances, we recommend that you purchase a quota of 3,000. The value is calculated by using the following formula: 10 × 15 × 20 = 3,000. View the number of cloud service instances You can view the number of cloud service instances within your Alibaba Cloud account on the Assets > Cloud Product page in the Security Center console. Subscription duration: the duration of your subscription to Security Center.
Deduction rule	After you enable the configuration assessment feature, the quota is consumed each time you run a configuration check. Quota consumed by a configuration check = Total number of scanned instances × Number of selected check items. For example, you have a total of 10 cloud services, and each cloud service has 15 instances. You run a configuration check task in which a total of 5 check items are selected. In this example, the consumed quota is 750. The value is calculated by using the following formula: 10 × 15 × 5 = 750. Note If the quota is insufficient to offset the fee of a configuration check task, the check items that cannot be covered by the quota are not used to scan instances in the task. You can view the scan results to check the running details of the task.
Free usage	If you enable the configuration assessment feature before July 07, 2023, you can use some check items of the feature free of charge until your Security Center expires. If you renew the subscription before your Security Center expires, you can continue to use the check items free of charge. View details of free usage The following list describes the number of check items that you can use free of charge in different editions of Security Center: Basic: 25 Anti-virus and Advanced: 46 Enterprise and Ultimate: 218 To view more information about the supported check items, you can go to the Risk Management > Config Assessment page in the Security Center console. The number of check items that you can use free of charge cannot be increased. If you want to use more check items, you can upgrade your Security Center to a paid edition and purchase a quota for configuration assessment. A paid edition can be Anti-virus, Advanced, Enterprise, and Ultimate. After you upgrade your Security Center to a paid edition, the historical check results are retained. You can select check items based on your business requirements when you run a configuration check. Important After you upgrade your Security Center to a paid edition, all check items are no longer provided free of charge. When you run a configuration check, you are charged based on the number of times that each check item is used to scan each cloud service instance.

Prerequisites

Security Center Anti-virus, Advanced, Enterprise, or Ultimate is purchased. A sufficient quota for configuration assessment is purchased. For more information, see Purchase Security Center.

Step 1: Grant Security Center the required permissions

If this is the first time you use the configuration assessment feature, you must grant Security Center the required permissions. After the required permissions are granted, a service-linked role named AliyunServiceRoleForSasCspm is created for Security Center to access resources of cloud services such as ActionTrail. This way, you can use the configuration assessment feature to check the configurations of your cloud services.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Risk Management > Config Assessment.
On the Config Assessment page, click Authorize Immediately.

Step 2: (Optional) Modify the configurations of a check item

Security Center allows you to modify the configurations of specific check items, such as OSS Bucket Immobilizer Configuration, Idle user cleaning, and Password_validity. You can modify the configurations of check items based on your business requirements. This increases the accuracy of check results.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Risk Management > Config Assessment.
On the Config Assessment page, click the name of a check item.
In the details panel, click Modify Check Item Configurations.
If the Modify Check Item Configurations button appears in the details panel, the configurations of the check item can be modified. If the button does not appear, the configurations of the check item cannot be modified.
In the Modify Check Item Configurations panel, click Add Modifiable Parameter in the Modifiable Parameter column, specify a value for the selected parameter in the Edit Parameter column, and then click Determine.
The modifications to the check item immediately take effect. You can view the check result of the check item after modification in the next configuration check.

Step 3: Run a configuration check

The configuration assessment feature supports full scans and scans by policy.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Risk Management > Config Assessment.
On the Config Assessment page, run a configuration check.
- Full Scanning
  If you want to immediately check whether risks exist in the configurations of your cloud services, you can choose Immediate Scan > Full Scanning on the Config Assessment page. The system checks all your cloud services.
- Scan By Policy
  After you configure a policy for the configuration assessment feature, Security Center runs configuration checks based on the time range that you specify in the policy. You can also select Scan By Policy to immediately check your cloud services.
  1. In the upper-right corner of the Config Assessment page, click Check Policy Settings.
  2. In the Check Policy Settings panel, turn on Automatic Configuration Assessment.
  3. Configure the Detection Cycle: and Detection Time: parameters, select the required check items, and then click OK.
  4. Optional. On the Config Assessment page, choose Immediate Scan > Scan by Policy.
    Security Center immediately scans the configurations of cloud services based on the policy that you configure.
Note
A full scan requires a long period of time to complete.

Step 4: View check results

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Risk Management > Config Assessment.
On the Config Assessment page, view the results of the configuration check on your cloud services.
- View the overall information
  The section in the upper part of the Config Assessment page displays the overall information. You can view the pass rates for check items of the CIEM, Risk, and Compliance Risk types. You can move the pointer over the lines above Pass Rate to view the numbers of high-risk items, medium-risk items, low-risk items, and passed check items.
  Note
  Different risk levels of check items are displayed in different colors. The following list describes the mappings between the risk levels and colors:
  High Risk: red. The risk item poses major threats to your assets. We recommend that you handle the risk item at the earliest opportunity.
  Medium Risk: orange. The risk item causes damage to your assets. You can handle the risk item at your convenience.
  Low Risk: gray The risk item causes less damage to your assets. You can handle the risk item at your convenience.
- View risk items
  - In the All Check Items section, click a check item type. In the list of risk items on the right, view the risk items of the selected check item type.
  - Use the search conditions above the list to search for the risk items that you want to view. The search conditions include the risk level and status of risk items.
- View the details of a risk item
  Find a risk item and click Details in the Actions column. In the panel that appears, view the following information: Check Item Description, Solution, Reference, and Risks.

Step 5: Handle the detected configuration risks

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Risk Management > Config Assessment.
On the Config Assessment page, handle the detected configuration risks of your cloud services.
You can perform the following operations based on your business requirements:
- Fix a risk item
  Find a risk item and click Actions in the Details column. In the Risks section of the details panel that appears, click the instance ID of the cloud service on which risks are detected, the ID of an account, or the name of a policy to go to the console of the cloud service. Then, fix the risk item based on the information provided in the Solution and Reference sections.
- Add a risk item to the whitelist
  Important
  After you add a risk item to the whitelist, the risks that are detected for the risk item are no longer reported in subsequent configuration checks. We recommend that you add risk items to the whitelist only after you confirm that the risk items do not pose threats.
  If you identify a risk item as a false positive, you can find the risk item in the check item list and click Add to Whitelist in the Actions column to add the risk item to the whitelist. Then, the status of the risk item changes to Whitelist. Risk items that are added to the whitelist are not counted in the total number of risk items.
  You can click Remove from Whitelist in the Actions column to remove risk items from the whitelist.
Verify fixes.
If you have modified the configurations of an instance based on the information provided in the details panel of a risk item that affects the instance, you can use one of the following methods to check whether the new configurations contain risks:
- Verify a fix: Find the risk item in the check item list and click Verify in the Actions column.
- Verify fixes: Select multiple risk items and click Verify below the check item list.
If the configurations do not contain risks, the instance is removed from the list in the Risks section, and the status of the risk item changes to Passed.