Security Center: Overview

Last Updated: May 30, 2024

To prevent cloud services from being attacked due to configuration errors or accidental operations, Security Center provides the configuration assessment feature. You can use the feature to check whether risks and errors exist in the configurations of your cloud services from multiple dimensions. This helps reduce risks that are caused by configuration errors and improve the security of your cloud services. This topic describes the basic information and billing of the configuration assessment feature.


Check the configurations of cloud services

Security Center allows you to check whether risks and errors exist in the configurations of your cloud services from the following dimensions: cloud infrastructure entitlements management (CIEM), security risk management, and compliance risk management. The check results are classified and displayed by risk level to help you understand the configuration risks of your cloud services.

Check dimensions

The following table describes the dimensions from which you can check the configurations of your cloud services.

CIEM

CIEM is a service that integrates cloud security assessment and authorization management to manage the permissions to use and access cloud platforms.

Security Center manages identities and permissions on cloud platforms based on CIEM. You can check whether issues exist, such as excessive permissions and password expiration. This helps identify and resolve issues related to permission management at the earliest opportunity and improve the security and reliability of cloud platforms.

Security risk management

Best security practices are security measures and solutions that are accumulated by cloud service providers over the years to maximize the security of your data and business.

Security Center checks the security configurations, code vulnerabilities, and logging configurations of business systems and identifies potential configuration errors on cloud platforms based on the best security practices of different cloud service providers. This helps maximize the security of your data and business.

Compliance risk management

The Center for Internet Security (CIS) Benchmarks are internationally recognized as security standards for defending IT systems and data against cyberattacks.

Security Center checks and manages the compliance risks of cloud platforms in a comprehensive manner and identifies weak configurations that do not meet the CIS Benchmarks. This helps handle the weak configurations at the earliest opportunity and maximize the security of your data and business.

Supported cloud services

Security Center allows you to add cloud services provided by Alibaba Cloud and third-party cloud service providers such as Tencent Cloud and Amazon Web Services (AWS). You can view the supported cloud services in the Security Center console. For more information, see the View supported cloud services section of the "Add cloud services" topic.

Fix configuration risks in cloud services

Security Center provides optimization suggestions and solutions for each risk item to help you better manage cloud resources and ensure business security.

Security Center provides the quick fix feature for more than 50 check items. You can directly fix configuration risks for cloud service instances in the Security Center console.


Billing rules

You are charged for the configuration assessment feature based on the number of times that each check item is used to scan each cloud service instance. Formula: Configuration assessment fee = Unit price × Number of scan times.

  • Unit price: USD 0.02 per time.

  • Number of scan times: the number of times that each check item is used to scan each cloud service instance.

    A cloud service instance refers to the instance of a specific application or network device, such as an Object Storage Service (OSS) bucket or an Elastic Compute Service (ECS) security group.

    View the number of cloud service instances

    You can choose Assets > Cloud Product in the left-side navigation pane of the Security Center console and view the number of cloud service instances within your Alibaba Cloud account on the Cloud Product page.


    After you enable the configuration assessment feature, the system calculates the number of scan times each time you run a configuration check. Formula: Total number of scan times of a configuration check = Total number of scanned instances × Number of selected check items.

    For example, you have added a total of 10 cloud services, and each cloud service has 15 instances. You run a configuration check in which a total of five check items are selected. In this example, each of the five check items is used to scan each instance and the number of scan times is 750. The value is calculated by using the following formula: 10 × 15 × 5 = 750.

Billing methods

The configuration assessment feature supports the subscription and pay-as-you-go billing methods. A free version of the feature is also provided. The free version supports only specific check items, whereas the paid version supports all check items.

  • You cannot purchase the configuration assessment feature based on the pay-as-you-go and subscription billing methods at the same time within your Alibaba Cloud account.

    For example, if you purchase the configuration assessment feature based on the subscription billing method, you must wait until the subscription to the feature ends or disable the feature before you can purchase the feature based on the pay-as-you-go billing method. For more information, see the Switch from subscription to pay-as-you-go section of this topic.

  • After you purchase the configuration assessment feature based on the pay-as-you-go or subscription billing method, you can use all check items, including the free and billable check items. In this case, when you run a configuration check:

    • You are not charged for the free check items. These free check items do not consume the quota for configuration assessment that you purchase.

    • You are charged for the billable check items based on the number of times that each check item is used to scan each cloud service instance.

Free usage

You can use specific check items to scan cloud service instances for an unlimited number of times free of charge.


You can choose Risk Governance > Configuration Assessment in the left-side navigation pane of the Security Center console and view the supported free check items on the Configuration Assessment page.

  • If you have not purchased the configuration assessment feature based on the pay-as-you-go or subscription billing method and have not purchased a quota for configuration assessment, you can use more than 60 check items that are provided by the feature free of charge.

  • The number of check items that you can use free of charge varies based on the edition of Security Center. If you enable the configuration assessment feature before July 07, 2023, you can use the following number of check items free of charge until your subscription to Security Center expires. If you renew the subscription before your Security Center service expires, you can continue to use the check items free of charge.

    • Basic Edition and Anti-Virus Edition: more than 60

    • Advanced Edition: more than 70

    • Enterprise Edition and Ultimate Edition: more than 200

More check items will be provided by the configuration assessment feature. If you want to use more check items, you can purchase the configuration assessment feature based on the pay-as-you-go or subscription billing method. For more information, see the Authorization and purchase section of this topic. After you purchase the feature, you can use all check items. The historical scan data is retained. You can view all check items and select check items for a configuration check.


  • For more information about how to purchase the feature based on the subscription billing method, see the Authorization and purchase section of this topic.

    Formula: Unit price × Number of scan times × Subscription duration. The unit price is USD 0.02 per time. The number of scan times is the quota for configuration assessment that you purchase. The subscription duration is the subscription duration of Security Center.

  • Offset rule: You purchase a quota for configuration assessment of at least 1,000 scan times as the remaining quota. Each time you run a configuration check, the remaining quota is consumed based on the number of scan times.


    If the remaining quota is insufficient to offset the fee of a configuration check, the check items that cannot be covered by the quota are not used to scan instances in the configuration check. You can view the scan results to check the details of the configuration check.


  • For more information about how to purchase the feature based on the pay-as-you-go billing method, see the Authorization and purchase section of this topic.

  • Billing cycle: You are charged at USD 0.02 per time on a daily basis.

  • Formula: Unit price × Number of scan times on the current day.

  • For more information about how to view the bills of the configuration assessment feature, see Billing Details.

Authorization and purchase

When you use the configuration assessment feature for the first time, you must authorize Security Center to access cloud resources.

  1. Authorize Security Center to access cloud resources.

    1. Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.

    2. In the left-side navigation pane, choose Risk Governance > Configuration Assessment.

    3. On the Configuration Assessment page, click Authorize Now. The first time you use the configuration assessment feature, you must perform this operation.

      After the authorization is complete, a service-linked role named AliyunServiceRoleForSasCspm is created for Security Center to access and modify the resources of cloud services within the current account. Then, you can use the configuration assessment feature to check the following configurations of your cloud services: identity authentication, network access control, data security, log audit, and basic protection. This helps you reinforce security configurations and reduce risks that are caused by configuration errors in your cloud services. For more information about the AliyunServiceRoleForSasCspm service-linked role, see Service-linked roles for Security Center.

  2. Select a billing method to purchase the feature.


    1. After the authorization is complete, click Activate Now on the Configuration Assessment page.

    2. In the dialog box that appears, read and agree to Security Center (Pay-as-you-go) Terms of Service by selecting the check box and click Activate Now.

    After you purchase the configuration assessment feature, you can view the quota that is consumed by configuration checks on the Configuration Check tab of the Configuration Assessment page.

    Disable the pay-as-you-go billing method

    To disable the pay-as-you-go billing method for the configuration assessment feature, find Used Quota and click Suspended.


    You can enable the subscription billing method only after you disable the pay-as-you-go billing method.


    Visit the Security Center buy page and configure the Quota for Configuration Assessment and Duration parameters. For more information, see Purchase Security Center.


    We recommend that you purchase a quota that is 20 times the number of cloud service instances. If the quota is insufficient, you must re-scan the instances. For example, if you have added a total of 10 cloud services and each cloud service has 15 instances, we recommend that you purchase a quota of 3,000. The value is calculated by using the following formula: 10 × 15 × 20 = 3,000.

    After you purchase the configuration assessment feature, you can view the remaining quota that can be consumed by configuration checks on the Configuration Check tab of the Configuration Assessment page.

    Upgrade, downgrade, or renew Security Center

    If you cannot run configuration checks because the remaining quota is insufficient or your subscription to Security Center expires, you can click Scale Out to purchase more quota or renew the subscription to Security Center on the Order Upgrade tab. You can also reduce the quota on the Order Downgrade tab based on your business requirements.

    Switch from subscription to pay-as-you-go

    After you purchase a quota for configuration assessment based on the subscription billing method, you cannot directly switch the billing method from subscription to pay-as-you-go. You can downgrade Security Center or request a refund for Security Center before you enable the feature based on the pay-as-you-go billing method.

    • For more information about how to downgrade Security Center, see the Downgrade section of the "Upgrade and downgrade Security Center" topic.

    • To unsubscribe from Security Center, submit a ticket.

Use the feature

  1. Add cloud services: View the supported cloud services and add the cloud services whose configurations you want to check to Security Center. Alibaba Cloud services and third-party cloud services are supported.

  2. Use the configuration assessment feature: Configure a check policy, run a configuration check, view check results, and then handle the detected risk items.