
Add cloud services

Last Updated: Feb 06, 2024

You can use the configuration assessment feature only after you add the cloud services that you want to check to Security Center. The feature supports Alibaba Cloud services and third-party cloud services. The feature detects risks and vulnerabilities in the configurations of cloud services and provides suggestions and guidelines on how to handle the detected risks and vulnerabilities. You can use the feature to improve the security and reliability of your cloud services.

Prerequisites

A sufficient quota for configuration assessment is purchased, and the feature-related authorization is complete. For more information, see Purchase and authorization.

Add Alibaba Cloud services

Security Center automatically synchronizes Alibaba Cloud services that belong to the same Alibaba Cloud account as Security Center. No manual operations are required in this scenario. If you want to synchronize Alibaba Cloud services from different Alibaba Cloud accounts, you must add the accounts to the multi-account feature to manage the resources within the added accounts. For more information, see Use the multi-account management feature.

You can log on to the Security Center console and choose Assets > Cloud Product in the left-side navigation pane. Then, click Synchronize Assets to manually synchronize cloud services from the current Alibaba Cloud account, different Alibaba Cloud accounts, and third-party cloud accounts that are added to Security Center.

Add third-party cloud services

The configuration assessment feature supports only the third-party cloud services that are provided by Tencent Cloud and Amazon Web Services (AWS). You can add third-party cloud services to Security Center and use the configuration assessment feature to scan the services.

1. Configure a third-party cloud account

Before you can add a third-party cloud service to Security Center, you must log on to the platform of the third-party cloud service provider, create a sub-account and an AccessKey pair for the account, and then grant the sub-account the permissions that are required for the configuration assessment feature.

Configure a sub-account on Tencent Cloud

  1. Create a sub-account. For more information, see Creating Sub-User.

  2. Grant the CloudResourceReadOnlyAccess and QcloudCamReadOnlyAccess permissions to the sub-account. For more information, see Authorization Management.

  3. Create an AccessKey pair for the sub-account. For more information, see Access Key.

  4. Optional. If you want to add the logs of system activities or operations from third-party cloud services to Security Center, configure a log service on the platform of the third-party cloud service provider and grant Security Center the read permissions on the log service.

    1. Log on to the Cloud Log Service (CLS) console of Tencent Cloud and create a log topic. For more information, see Managing Log Topic.

      Important

      We recommend that you select the same region for CLS and the cloud services that you want to add.

    2. Log on to the CloudAudit console of Tencent Cloud and create a tracking set to deliver logs. For more information, see Shipping Log with Tracking Set.

      To create a tracking set, configure the following parameters:

      • Manage Event Type: Select All.

      • Resource Type: Select All Resource Types.

      • Shipping Location: Select Ship the event to CLS and specify the created log topic as the topic of the logs to deliver. Then, select Complement Events in Last Three Months (90 Days).

    3. Create a custom policy and attach the policy to the sub-account that you want to add to Security Center.

      Use the following code to create the custom policy:

      {
          "statement": [
              {
                  "action": [
                      "cls:OpenKafkaConsumer"
                  ],
                  "effect": "allow",
                  "resource": [
                      "qcs::cls:${Region ID of CLS}:uin/${Master Account ID}:topic/${CLS Topic ID}",
                      "qcs::cls:${Region ID of CLS}:uin/${Master Account ID}:logset/${CLS Logset ID}"
                  ]
              }
          ],
          "version": "2.0"
      }

      You must replace the variables in the preceding code with the actual information about your log topic. To obtain the information, go to the basic information page of your log topic.

      • ${CLS Topic ID}: Enter the value of the Log Topic ID parameter.

      • ${CLS Logset ID}: Enter the value of the Logset ID parameter.

      • ${Region ID of CLS}: Enter the region ID that corresponds to the value of the Region parameter.

      • ${Master Account ID}: Enter the ID of the master account. You can click the profile picture in the upper-right corner to obtain the ID.

    4. Obtain the Kafka topic name, Kafka public endpoint, and logset ID for your log topic. These details are required when you add the sub-account to Security Center.

      • Go to the basic information page of your log topic and obtain the value of the Logset ID parameter.

      • Go to the Kafka consumption page and obtain the Kafka topic name and Kafka public endpoint. For more information, see Consumption over Kafka.

Configure a sub-account on AWS

  1. Log on to the IAM Identity Center console and create an Identity and Access Management (IAM) user. For more information, see Add users.

  2. Grant the ReadOnlyAccess permission to the IAM user. For more information, see Adding permissions to a user (console).

  3. Optional. If you want to add the logs of system activities or operations from third-party cloud services to Security Center, configure a log service on the platform of the third-party cloud service provider and grant Security Center the read permissions on the log service.

    1. Log on to the Amazon Simple Queue Service (Amazon SQS) console and create an SQS queue. For more information, see Creating an Amazon SQS standard queue and sending a message or Creating an Amazon SQS FIFO queue and sending a message.

    2. Log on to the Amazon Simple Storage Service (Amazon S3) console and select an existing S3 bucket or create an S3 bucket. For more information, see Step 1: Create your first S3 bucket.

      Important

      Make sure that the S3 bucket and SQS queue reside in the same region.

    3. Enable CloudTrail event logging for the S3 bucket and related objects. For more information, see Enabling CloudTrail event logging for S3 buckets and objects.

      Important

      When you create a CloudTrail trail, do not set the Log file SSE-KMS encryption parameter to Enabled.

    4. Log on to the Amazon S3 console and enable event notifications for the S3 bucket. For more information, see Enabling and configuring event notifications using the Amazon S3 console.

      • Event types: Select Send.

      • Destination: Select SQS Queue and enter the Amazon Resource Name (ARN) of the SQS queue.

    5. Create a custom policy that grants read and write permissions on the S3 bucket to the SQS queue. For more information, see Creating IAM policies.

      Use the following code to create the custom policy:

      {
          "Version": "2012-10-17",
          "Id": "__default_policy_ID",
          "Statement": [
              {
                  "Sid": "__owner_statement",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::${Account ID}:root"
                  },
                  "Action": "SQS:*",
                  "Resource": "${System-provided SQS Queue ARN}"
              },
              {
                  "Sid": "example-statement-ID",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": "s3.amazonaws.com"
                  },
                  "Action": [
                      "SQS:SendMessage"
                  ],
                  "Resource": "${System-provided SQS Queue ARN}",
                  "Condition": {
                      "ArnLike": {
                          "aws:SourceArn": "arn:aws:s3:*:*:${S3 Bucket Name}"
                      }
                  }
              }
          ]
      }

      • You can obtain the ID of the sub-account and the ARN of the SQS queue in the default policy of the SQS queue. Replace ${Account ID} and ${System-provided SQS Queue ARN} in the preceding code with the obtained information.


      • You can obtain the name of the S3 bucket on the details page of the bucket. Replace ${S3 Bucket Name} in the preceding code with the obtained information.

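      The two policy documents on this page (the Tencent Cloud CAM policy in step 3 of the Tencent Cloud procedure and the SQS queue policy in step 5 above) both use ${...} placeholders that you fill in by hand. The following Python script is an added example, not code from the Security Center documentation or from Alibaba Cloud: it fills the placeholders from a dictionary, refuses to leave any placeholder unfilled, and then checks each rendered policy against a few least-privilege expectations (the CAM policy grants only cls:OpenKafkaConsumer on one named topic and logset; the queue policy has no anonymous principal, and the S3 service may only SQS:SendMessage from one named bucket). The sample IDs, ARNs and bucket name are constructed values, and the checks are this example's own rules, not something Security Center enforces.

```python
import json
import re

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")  # matches ${...} placeholders as written on the page

# Tencent Cloud CAM policy from the page: lets Security Center consume the CLS topic over Kafka.
TENCENT_TEMPLATE = {
    "statement": [{
        "action": ["cls:OpenKafkaConsumer"],
        "effect": "allow",
        "resource": [
            "qcs::cls:${Region ID of CLS}:uin/${Master Account ID}:topic/${CLS Topic ID}",
            "qcs::cls:${Region ID of CLS}:uin/${Master Account ID}:logset/${CLS Logset ID}",
        ],
    }],
    "version": "2.0",
}

# SQS queue policy from the page: the account owns the queue, S3 may deliver event notifications.
AWS_TEMPLATE = {
    "Version": "2012-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {"Sid": "__owner_statement", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::${Account ID}:root"},
         "Action": "SQS:*", "Resource": "${System-provided SQS Queue ARN}"},
        {"Sid": "example-statement-ID", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": ["SQS:SendMessage"], "Resource": "${System-provided SQS Queue ARN}",
         "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:${S3 Bucket Name}"}}},
    ],
}

# Constructed sample values; none of these are real account, topic, queue or bucket identifiers.
SAMPLE_TENCENT = {
    "Region ID of CLS": "ap-guangzhou",
    "Master Account ID": "100000000001",
    "CLS Topic ID": "00000000-0000-0000-0000-000000000001",
    "CLS Logset ID": "00000000-0000-0000-0000-000000000002",
}
SAMPLE_AWS = {
    "Account ID": "123456789012",
    "System-provided SQS Queue ARN": "arn:aws:sqs:us-east-1:123456789012:example-cloudtrail-queue",
    "S3 Bucket Name": "example-cloudtrail-bucket",
}


def render(template, values):
    """Fill every ${...} placeholder; a missing value raises instead of leaving a silent gap."""
    def substitute(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value supplied for placeholder ${{{key}}}")
        return json.dumps(values[key])[1:-1]  # JSON-escape the value, drop the surrounding quotes
    return json.loads(PLACEHOLDER.sub(substitute, json.dumps(template)))


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def check_tencent(policy):
    """Findings for the CAM policy: only the Kafka-consumer action, only on named CLS resources."""
    findings = []
    for st in policy.get("statement", []):
        if st.get("effect") != "allow":
            findings.append("effect should be 'allow'")
        if set(_as_list(st.get("action"))) != {"cls:OpenKafkaConsumer"}:
            findings.append(f"unexpected actions: {st.get('action')}")
        for res in _as_list(st.get("resource")):
            if "*" in res or not re.fullmatch(r"qcs::cls:[^:]+:uin/[^:]+:(topic|logset)/[^:/]+", res):
                findings.append(f"resource is not one specific CLS topic or logset: {res}")
    return findings


def check_aws(policy):
    """Findings for the queue policy: no anonymous principal; S3 only SendMessage from one bucket."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for st in policy.get("Statement", []):
        sid, principal = st.get("Sid"), st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: anonymous principal")
        if st.get("Resource") in (None, "*"):
            findings.append(f"{sid}: Resource should be the queue ARN")
        if isinstance(principal, dict) and principal.get("Service") == "s3.amazonaws.com":
            actions = {a.lower() for a in _as_list(st.get("Action"))}
            if actions != {"sqs:sendmessage"}:
                findings.append(f"{sid}: S3 should only be allowed SQS:SendMessage, got {sorted(actions)}")
            source = st.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn") or ""
            bucket = re.fullmatch(r"arn:aws:s3:[^:]*:[^:]*:([^:]+)", source)
            if not bucket or bucket.group(1) == "*":
                findings.append(f"{sid}: aws:SourceArn condition must name one bucket, got {source!r}")
    return findings


def audit_both():
    """Render both templates with the sample values; return (tencent_findings, aws_findings)."""
    return (check_tencent(render(TENCENT_TEMPLATE, SAMPLE_TENCENT)),
            check_aws(render(AWS_TEMPLATE, SAMPLE_AWS)))


if __name__ == "__main__":
    print(json.dumps(render(AWS_TEMPLATE, SAMPLE_AWS), indent=2))
    print("findings:", audit_both())  # ([], []) for the page's policies as written
```

      Paste the rendered JSON into the CAM or SQS policy editor only after audit_both() returns two empty lists; a non-empty list means a placeholder was filled with a wildcard or the statement was edited beyond what the page specifies.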

    6. Attach the custom policy to the IAM user. For more information, see Adding permissions to a user (console).

    7. Go to the details page of the SQS queue and obtain the name and region ID of the SQS queue. These details are required when you add the IAM user to Security Center.


2. Add the AccessKey pair of the third-party cloud account to Security Center

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. You can select China or Outside China.

  2. In the left-side navigation pane, choose System Configuration > Feature Settings.

  3. On the Multi-cloud configuration management > Multi-cloud assets tab, click Add authorization. Then, select Tencent Cloud or AWS from the drop-down list.

  4. In the Edit a multi-cloud configuration panel, select Manual Configuration. Then, select Config Assessment below Permission description and click Next. Security Center is granted the read permissions on all cloud services within the third-party cloud account.

  5. In the Submit AccessKey Pair step, enter the AccessKey pair of the third-party cloud account and click Next.

  6. If you want to add audit logs, configure the audit log settings in the Log Audit Settings step and click Next. If you do not want to add audit logs, click Skip.

    • When you add the sub-account of Tencent Cloud, enter the obtained Kafka topic name, Kafka public endpoint, and logset ID of the log topic in sequence.

    • When you add the sub-account of AWS, enter the obtained region ID and name of the SQS queue in sequence.

  7. Configure the settings of the third-party cloud services that you want to add and click OK. For example, you can configure regions and data synchronization frequencies.

    • Cloud Service Synchronization Frequency: The interval at which Security Center automatically synchronizes the data of third-party cloud services. If you select Disable, the data is not synchronized.

    • AK Service Status Check: The interval at which Security Center automatically checks the validity of the AccessKey pair of the third-party cloud account. If you select Disable, Security Center does not check the validity of the AccessKey pair.

  8. Click Synchronize Assets to synchronize the assets within the third-party cloud account to Security Center.
