
Security Center:Configure and execute check policies

Last Updated:Apr 30, 2025

Configuration errors in cloud services can lead to vulnerabilities, performance issues, data leaks, and cyberattacks, which can compromise reliability. To stay secure, set up automatic check policies that regularly scan your cloud platform's security configurations. This helps you quickly detect and fix configuration risks.

Background

Prerequisites

  1. You have authorized Security Center to access your cloud resources. To use all check items for cloud service configuration checks, activate the pay-as-you-go billing method or purchase sufficient scan quotas for Cloud Security Posture Management (CSPM).

  2. You have synchronized the Alibaba Cloud services or added the multi-cloud assets you want to check.

Update check items

Security Center provides predefined check items for cloud service configuration risks. Before scanning for risks, you can modify the predefined check rules or add custom check items to align with your business needs, ensuring more accurate results.

Add custom check items

For Alibaba Cloud and Tencent Cloud services, you can add custom check items to meet your O&M requirements for cloud service configuration security. Configure check rules based on the five predefined scenarios from Security Center: AI Security Posture Management (AI-SPM), Kubernetes Security Posture Management (KSPM), Cloud Infrastructure Entitlements Management (CIEM), security risks, and compliance risks.

Configure and use custom check items

The following flowchart shows the process:

image

Configure custom check items

To configure and issue custom check items, perform the following steps:

  1. Log on to the Security Center console. In the upper-left corner of the console, select the region where your assets to be protected are located: China or Outside China.

  2. In the left navigation pane, choose Risk Governance > CSPM.

  3. On the CSPM > Cloud Service Configuration Risk tab, click Create Custom Check Item.

  4. Configure the following information and click Next.

    image

    1. Enter an easily identifiable Check Item Name.

    2. Under Check Item Category Settings, set the directory to which the check item belongs:

      1. Select Scenario: AI Settings, Kubernetes Security Posture Management (KSPM), CIEM, Security Risk, or Compliance Risk.

      2. Based on the Scenario, select Standard/Requirement/Section in sequence.

        You can select predefined items under the corresponding scenario, or click Create Standard, Create Requirement Item, or Create Section, enter the name of the corresponding item, and select the new custom item.

        For information about predefined check items under each scenario, see Check rules.

        Important

        If a custom item is used, all subsequent items must also be customized.

      Click Add to set multiple directory paths. Your custom check item will be added under multiple directory paths.

    3. Enter the Check Item Description, Solution, and Reference so that users can understand what this item checks and how to fix the risky configurations.

    4. Set the risk level (High, Medium, or Low) for the current check item to assess the risk impact and enable timely fixes.

    After customizing the check item, you can view it in the Cloud Service Configuration Risks tab's All Check Items list based on the directory path.

    Example:

    You can view the Custom Check Item under Risk > Alibaba Cloud best security practices > Security > Access Control. Click the check item name to view the Check Item Description, Solution, and Reference.

    image

  5. Configure check rules.

    image

    1. Select the Service Provider supported by the check item, and select the Check Item Target.

      Note

      The selectable Check Item Target depends on what is displayed in the console.

    2. If you need to configure check rules in combination with other asset objects, click Add Associated Asset and select the following parameters in sequence.

      Note

      The selectable parameters depend on what is displayed in the console. If the Associable Attribute dropdown list is empty, it indicates that the current Check Item Target does not support setting associated assets.

      • Associable Attribute: Parameters in the Check Item Target that can be linked.

      • Associated Asset: Assets that can be linked to the Associable Attribute.

      • Associated Asset Properties: Parameters in the Associated Asset that can be linked to the Associable Attribute.

      You can click Add Associated Asset to associate multiple assets and their parameters.

      After configuration, you can select parameters related to the Associated Asset to configure check rules when setting conditions in Check Item Settings.

      Example:

      As shown in the configuration below, after associating Disk (Storage), the conditions in Check Item Settings support setting disk-related parameters.

      image

    3. Click Add Rule to set check rules.

      Select rule parameter, operator (In, Equals, NotEquals, NotIn), and enter the expected value based on the parameter and its data type.

      • Parameter: You can select parameters related to the Check Item Target and Associated Asset. The selectable parameters depend on what is displayed in the console.

        You can click the icon to the right of the parameter to view the parameter's data type, example, and description. When selecting a parameter, you must select down to the last-level parameter. Otherwise, you cannot set the operator and expected value.

        image

      • Operator descriptions:

        In: Checks whether a value exists in a collection. The rule is true if the specified value is in the collection.

        Equals: Compares whether two values are equal. The rule is true if the two values are the same.

        NotEquals: Opposite of Equals, checks whether two values are not equal. The rule is true if the two values are different.

        NotIn: Opposite of In, checks whether a value does not exist in a collection. The rule is true if the specified value is not in the collection.

      You can click Add Rule or Add Group to configure multiple rules or groups. The relation between multiple rules can be AND or OR.

      Important

      Each check item can have up to 5 rule groups, and each rule group can contain a maximum of 10 rules.

      Example:

      As shown in the left figure, you can set check rules for ResourceGroupId (the enterprise resource group ID to which the instance belongs) and VpcId (the virtual private cloud ID) to check whether ECS instances in a specific resource group use the specified VPC, ensuring that all ECS instances under the same business can communicate with each other over the private network.

  6. Click Test, select test data in the Test area on the right (Security Center will provide asset data based on the selected Check Item Target), and click Test.

    Security Center runs this check item against the selected test data. Verify that the result meets your expectations: Check Item Fails to Pass Check or The check item passed the check.

    image

    If the test results do not match your expectations, verify that the check rules are set correctly and test again.

  7. After the test meets your expectations, click Save or Publish.

    • Save: Check items that have been saved but not published can be edited, published, and deleted.

    • Publish: Only published check items can be displayed and used in the check item list. Published check items cannot be modified.
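The rule model described in step 5 (a parameter, one of the four operators, and an expected value per rule; rules combined with AND or OR inside groups and between groups; at most 5 groups of 10 rules), as an added Python example that is not Security Center's own code. It evaluates the page's resource-group/VPC check against constructed ECS records; the ids rg-example and vpc-example and the dotted parameter path VpcAttributes.VpcId are assumptions.

```python
# Added example (not Security Center's code): evaluator for the rule model above
# (parameter/operator/expected value, AND/OR rule groups, 5 groups x 10 rules).
MAX_GROUPS, MAX_RULES_PER_GROUP = 5, 10   # limits stated on the page
OPERATORS = {                              # the four operators the console offers
    "Equals": lambda v, e: v == e,
    "NotEquals": lambda v, e: v != e,
    "In": lambda v, e: v in e,
    "NotIn": lambda v, e: v not in e,
}
def get_param(asset, path):
    """Walk a dotted path to the last-level parameter; missing keys yield None."""
    value = asset
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value
def eval_rule(asset, param, op, expected):
    return OPERATORS[op](get_param(asset, param), expected)
def combine(results, relation):
    return all(results) if relation == "AND" else any(results)
def check_item_passes(check_item, asset):
    """True if the asset passes the check item, False if it fails to pass the check."""
    groups = check_item["groups"]
    if not 1 <= len(groups) <= MAX_GROUPS:
        raise ValueError("a check item holds 1 to 5 rule groups")
    group_results = []
    for group in groups:
        if not 1 <= len(group["rules"]) <= MAX_RULES_PER_GROUP:
            raise ValueError("a rule group holds 1 to 10 rules")
        group_results.append(combine([eval_rule(asset, *r) for r in group["rules"]], group["relation"]))
    return combine(group_results, check_item["relation"])

# The page's example: ECS instances in resource group rg-example must use VPC vpc-example
# (ids and the VpcAttributes.VpcId path are assumed). Group 1 exempts other resource groups.
ECS_VPC_CHECK = {"relation": "OR", "groups": [
    {"relation": "AND", "rules": [("ResourceGroupId", "NotEquals", "rg-example")]},
    {"relation": "AND", "rules": [("ResourceGroupId", "Equals", "rg-example"),
                                  ("VpcAttributes.VpcId", "In", ["vpc-example"])]},
]}
TEST_INSTANCES = [   # constructed records standing in for the console's test data
    {"InstanceId": "i-a", "ResourceGroupId": "rg-example", "VpcAttributes": {"VpcId": "vpc-example"}},
    {"InstanceId": "i-b", "ResourceGroupId": "rg-example", "VpcAttributes": {"VpcId": "vpc-other"}},
    {"InstanceId": "i-c", "ResourceGroupId": "rg-other", "VpcAttributes": {"VpcId": "vpc-other"}},
    {"InstanceId": "i-d", "ResourceGroupId": "rg-example"},   # VpcId missing -> fails
]

def run_check(assets=TEST_INSTANCES, check_item=ECS_VPC_CHECK):
    """Map each InstanceId to True (passed) or False (fails to pass check)."""
    return {a["InstanceId"]: check_item_passes(check_item, a) for a in assets}
```

An instance outside the resource group passes through the first group, and an instance in the group with a missing VpcId fails, which mirrors the console's test result for an unset last-level parameter.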

Added custom check items will appear on the Custom Check Item Management page, where you can view, edit, publish, unpublish, or delete check items. To manage all custom check items, click Custom Check Item Management in the upper-right corner of the CSPM page.

image

Important
  • To modify published check items, you must first unpublish them. Unpublishing a check item will clear its original rules and historical scan results.

  • Deleting a check item will also clear its historical check data and alert information.

Modify predefined check item rules

Security Center allows you to modify check rules for certain items, such as OSS-Bucket hotlink protection configuration, idle user cleanup, and password validity period.

  1. Log on to the Security Center console. In the upper-left corner of the console, select the region where your assets to be protected are located: China or Outside China.

  2. In the left-side navigation pane, choose Risk Governance > CSPM.

  3. On the Cloud Service Configuration Risk tab, search for check items whose Support Custom Parameters is Yes, and click the name of the target check item, such as Delete Idle RAM User.

    image

  4. In the check item details panel, click Parameter Configuration.

    Note

    If the Parameter Configuration button is visible, you can modify the check item configurations. If it is not visible, modifications are not allowed.

    image

  5. In the Parameter Configuration panel, click Add Modifiable Parameter in the Modifiable Parameter column, select the parameter that you want to modify from the drop-down list, set Edit Parameter, and click OK.

    The modified check rules take effect immediately. You can view the check results after the next check is executed.

    image

Set check policies

After updating the check items, you can specify whitelisted check items, check cycles, check times, and cloud service instances by configuring automatic check policies and whitelist policies.

Automatic check policies

If you need to check for specific cloud service configuration risks or run periodic checks, you can enable and configure the Automatic CSPM Check feature.

  1. In the upper-right corner of the Risk Governance > CSPM page, click Policy Management.

  2. In the Policy Management panel, on the Cloud Service Scan Policy tab, turn on the switch, set Check Cycle and Check At, and select the check items.

    After selecting check items, the estimated quota consumed by the scan policy will be displayed above the list. Note that this estimated value is for reference only, as instances may be added or released during the check.

    image

Once you complete the policy configuration, Security Center will perform a Policy-based Scan according to the settings you specified.

Whitelist policies

If you need to exclude certain instances from specific check items, you can add them to a whitelist. After configuring a whitelist policy, it takes effect immediately for both Full Scan and Policy-based Scan.

  1. In the upper-right corner of the Risk Governance > CSPM page, click Policy Management.

  2. On the Whitelist Rule > By Check Item tab, click Create Whitelist Rule.

  3. In the right panel, whitelist Cloud Service Provider, Cloud Service, Check Item, and Policy Effective Scope as needed, and click OK.

    image

    When Policy Effective Scope is set to All Instances, whitelisting occurs at the check item level. Newly added cloud service instances are automatically whitelisted, and the whitelisted check items will not be scanned or displayed in the risk list.

    When Policy Effective Scope is set to Some Instances, whitelisting occurs at the instance level. Newly added instances will not be whitelisted and will still be subject to scanning.

The created whitelist rules are displayed in the By Check Item list.

Note

Whitelisted check items are also synchronized to the By Check Item list.

You can Edit (modify Policy Effective Scope) or Delete (cancel whitelisting) whitelisted check items.

Perform configuration checks

Security Center supports both periodic automatic checks and immediate manual checks. The check modes are as follows:

  • Periodic automatic check: Security Center automatically executes configuration checks on a regular basis according to the Check Cycle, Check At, and Check Item in your scan policy.

  • Immediate manual check: To quickly assess whether the configurations of all cloud services or specific check items have risks, you can select Full Scan or Scan by Policy to perform checks immediately and view any corresponding configuration risks in real time.

After configuring your check items and policies, follow these steps on the Risk Governance > CSPM page to perform immediate cloud service configuration checks:

  • In the Risk Overview tab, click Scan Now in the Detected Threat Types section, and select Full Scan or Scan by Policy.

    Note

    A full scan will take some time to complete. Please be patient.

    image

  • In the Cloud Service Configuration Risk tab, click Scan Now, and select Full Scan or Scan by Policy.

    image

What to do next

After completing the configuration check, you can view the failed check items and fix risks on the Cloud Service Configuration Risk tab.
