
Security Center:Overview of CSPM

Last Updated:Apr 22, 2025

The cloud security posture management (CSPM) feature supports cloud service configuration assessment, baseline checks, and attack path analysis. This topic outlines the billing for the feature and provides instructions on how to use it.

Feature breakdown

Cloud service configuration check: Detects configuration issues based on check rules from AI Settings (AI-SPM), Kubernetes Security Posture Management (KSPM), Cloud Infrastructure Entitlements Management (CIEM), cloud provider security best practices, and compliance standards, so that issues can be fixed promptly to improve cloud service security.

Baseline check: Identifies security configuration weaknesses on servers that attackers may exploit. It scans operating systems, account permissions, databases, weak passwords, and compliance configurations in batches, helping you quickly fix issues, reduce risk, and meet compliance requirements.

Attack path analysis: Scans and analyzes access paths between cloud services, such as access to Object Storage Service (OSS) buckets through RAM roles granted to Elastic Compute Service (ECS) instances, and visualizes the results so that you can understand the security status of cloud resource access.

Billing

CSPM offers two billing methods: subscription (prepaid) and pay-as-you-go (postpaid). Some check items are free; using all check items requires payment.

Free usage

The cloud service configuration assessment feature offers several free check items, so you can scan and verify configurations at no charge; fixing the detected issues is not included in free usage.

Important
  • For the supported free check items, see the Risk Governance > CSPM > Cloud Service Configuration Risk tab in the Security Center console.

  • The check items are continuously updated. If you want to use more check items, purchase the CSPM feature on a pay-as-you-go or subscription basis.

  • Historical scan data is retained and available for viewing after you enable all check items.

  • If you have not enabled pay-as-you-go billing or purchased scan quotas for CSPM, Security Center offers over 80 check items for free by default.

  • If you enabled the CSPM (formerly configuration assessment) feature before July 7, 2023, you can use the following number of free check items based on your Security Center edition until it expires. If you renew before expiration, you can continue using the following number of free check items:

    • Basic and Anti-virus: more than 80 items.

    • Advanced: more than 90 items.

    • Enterprise and Ultimate: more than 250 items.

If you have not enabled pay-as-you-go billing and have not purchased scan quotas for CSPM, the check items that show a Scan button in the Actions column on the Cloud Service Configuration Risk tab are free to use.

Paid usage

CSPM billing is based on quotas. One quota covers one scan, one verification, or one successful fix of one check item on one instance.

An instance is a specific network device or application resource, such as an OSS bucket or an ECS security group.

Cloud service configuration assessment

After you enable CSPM with pay-as-you-go or a subscription, all check items become available.

  • Fixing issues detected by free check items consumes quotas for each successful fix.

  • Scanning, verifying, or fixing issues detected by paid check items consumes quotas for each scan, each verification, and each successful fix.

If you use the Ultimate edition, Kubernetes Security Posture Management (KSPM) check items do not consume quotas.

Baseline check

  • If you use one of the following, you can scan, verify, and fix the check items supported by your edition at no extra charge:

    • Advanced, Enterprise, or Ultimate edition with a subscription

    • pay-as-you-go host and container security with one of the above editions activated

    Check items and policies by edition:

    • Advanced: Supports only the default policy and weak password check items.

    • Enterprise: Supports all baseline check policies but does not include container security check items. You can quickly fix baseline risks on Linux servers based on Alibaba Cloud standards or the Multi-Level Protection Scheme (MLPS).

    • Ultimate: Supports all baseline check policies and all check items. You can quickly fix baseline risks on Linux servers based on Alibaba Cloud standards or MLPS.

    For more information about check items, see Baselines.

  • If you use one of the following, you can purchase the CSPM feature on a pay-as-you-go or subscription basis to access all baseline check items:

    • Anti-virus edition or the value-added plan with a subscription

    • pay-as-you-go without host and container security enabled

    • pay-as-you-go host and container security with the Anti-virus edition activated

    After you enable the CSPM feature, scans, verifications, and successful fixes consume quotas according to the number of actions taken.

Important

If you have purchased Security Center Advanced, Enterprise, or Ultimate, you can use only the baseline check items included in that edition, even if you also purchased CSPM.

For example, with Security Center Advanced and CSPM, you can access only the weak password checks available in the Advanced edition.

Attack path analysis

After you purchase and enable CSPM, you can use attack path analysis without consuming any quotas.

Example: How to count scan quota

If you have 10 cloud services with 15 instances each and select 5 check items in a configuration assessment task (one scan per instance for each of the 5 check items), the total scan quota for the task is 10 × 15 × 5 = 750, that is, the task consumes 750 quotas.

The billing rules for pay-as-you-go or subscription are as follows.

Subscription

  • The subscription fee is: Price × Quota of CSPM × Subscription duration of Security Center. The price depends on the quota tier:

    Quota                   Price (USD per quota per month)
    0~100,000               0.0009
    100,001~500,000         0.00069
    Greater than 500,000    0.000625

  • Deduction rule: The purchased quotas for CSPM start at 15,000 and increase in increments of 55,000. This total represents the Remaining Quota for CSPM. Each time you perform a paid check item scan, verification, or fix, the Remaining Quota is consumed based on the number of scans, verifications, and successful fixes used.

    Note

    If your purchased quotas are insufficient during a scan task, only the results of successful scans will be displayed. Scans, verifications, and fixes that exceed the available quota will not be executed. You can view the task status through the scan results in the console.

  • Scale-out, downgrade, or renewal

    If the remaining quotas are insufficient or your Security Center expires, you will be unable to execute check policies. In this case, you can click Scale Out and purchase more quotas or renew your subscription on the Order Upgrade page. You can also reduce the quotas or disable CSPM on the Order Downgrade page based on your needs.

  • Switch to pay-as-you-go

    After you purchase scan quotas for CSPM with a subscription, you cannot convert them directly to pay-as-you-go. First disable the subscription mode by waiting for your Security Center to expire, downgrading your Security Center, or requesting a refund, and then enable the pay-as-you-go mode.

Pay-as-you-go

  • The pay-as-you-go fee is: Price × Quota. It is billed in tiers based on the number of quotas used, calculated per calendar day (Z is the number of quotas used in one day):

    Quota                   Price (USD per quota)   Fee formula (USD)
    0~100,000               0.0009                  0.0009×Z
    100,001~500,000         0.0007                  0.0007×(Z-100,000)+0.0009×100,000
    Greater than 500,000    0.00045                 0.00045×(Z-500,000)+0.0007×400,000+0.0009×100,000

  • Disable pay-as-you-go

    In the Security Center console, go to Risk Governance > CSPM > Configuration Check. In the Used Quota section, click Suspended to disable pay-as-you-go for CSPM.

    Important
    • You can enable the subscription billing method only after disabling pay-as-you-go.

    • After you disable pay-as-you-go, the results of scanned check items and configured scan policies are retained. After you re-enable pay-as-you-go or purchase a subscription, the configured scan policies will be triggered again.
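To make the quota example and the tiered billing rules above concrete, the following Python estimator is an added example (not Alibaba Cloud's code). It computes the scan quota of a task, the daily pay-as-you-go fee using the page's per-tier formulas, the subscription fee, and the subscription deduction rule; it assumes the subscription table is a single flat rate selected by the purchased quota, since the page gives explicit per-tier formulas only for pay-as-you-go.

```python
# Added example (not Alibaba Cloud's code): CSPM quota and fee estimator built
# from the billing rules on this page. Prices are USD per quota.

# Pay-as-you-go tiers, applied marginally to Z quotas used in one calendar day:
# (tier upper bound, or None for open-ended; price per quota in that tier).
PAYG_TIERS = [(100_000, 0.0009), (500_000, 0.0007), (None, 0.00045)]

# Subscription price per quota per month. Assumption: one flat rate chosen by
# the purchased quota (the page gives marginal formulas only for pay-as-you-go).
SUBSCRIPTION_RATES = [(100_000, 0.0009), (500_000, 0.00069), (None, 0.000625)]

SUBSCRIPTION_BASE_QUOTA = 15_000   # minimum purchasable subscription quota
SUBSCRIPTION_STEP = 55_000         # size of each additional purchase increment

def task_scan_quota(cloud_services, instances_per_service, check_items):
    """Scans consumed by one assessment task: every instance of every
    service is scanned once per selected check item."""
    return cloud_services * instances_per_service * check_items

def payg_daily_fee(z):
    """Tiered pay-as-you-go fee for Z quotas used in one calendar day,
    e.g. 0.0007*(Z-100,000) + 0.0009*100,000 in the second tier."""
    fee, lower = 0.0, 0
    for upper, price in PAYG_TIERS:
        if upper is None or z <= upper:
            return round(fee + price * (z - lower), 6)
        fee += price * (upper - lower)   # lower tiers are charged in full
        lower = upper

def subscription_fee(quota, months):
    """Subscription fee: Price x Quota x Subscription duration (months)."""
    rate = next(p for upper, p in SUBSCRIPTION_RATES if upper is None or quota <= upper)
    return round(rate * quota * months, 2)

def subscription_quota(increments):
    """Purchasable subscription quota: 15,000 plus 55,000 per increment."""
    return SUBSCRIPTION_BASE_QUOTA + SUBSCRIPTION_STEP * increments

def deduct(remaining_quota, requested_actions):
    """Subscription deduction rule: actions beyond the Remaining Quota are not
    executed. Returns (remaining after the task, executed, skipped)."""
    executed = min(remaining_quota, requested_actions)
    return remaining_quota - executed, executed, requested_actions - executed
```

Running `task_scan_quota(10, 15, 5)` reproduces the page's 750-quota example, and `deduct(500, 750)` shows that 250 of those actions would be skipped when only 500 quotas remain.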

User guide

Use cloud service configuration assessment

The process for checking and handling cloud service configuration risks is shown below:


Use baseline check

The process for checking baseline risks is shown in the following figure:


Use attack path analysis

The process for analyzing and handling attack paths is shown in the following figure:


FAQs