
Use the configuration assessment feature

Last Updated: Feb 06, 2024

Improper configurations of cloud services can cause risks such as vulnerabilities, performance bottlenecks, data leaks, and attacks. These risks seriously affect the reliability of the cloud services. We recommend that you perform regular scans to check the configurations of cloud services and handle the risk items that are detected at the earliest opportunity. This helps improve the security, performance, and reliability of the cloud services and ensures that services run normally and data remains secure.

Prerequisites

  • A sufficient quota for configuration assessment is purchased, and the feature-related authorization is complete. For more information, see Purchase and authorization.

  • The cloud services that you want to check are added to Security Center. For more information, see Add cloud services.

Step 1: (Optional) Modify the configurations of a check item

Security Center allows you to modify the configurations of specific check items, such as OSS Bucket Immobilizer Configuration, Idle user cleaning, and Password_validity. You can modify the configurations of check items based on your business requirements to increase the accuracy of check results.

  1. In the left-side navigation pane, choose Risk Governance > Configuration Assessment.

  2. Click the Configuration Check tab and click the name of a check item.

  3. In the details panel, click Modify Check Item Configurations.

    If the Modify Check Item Configurations button appears in the details panel, the configurations of the check item can be modified. If the button does not appear, the configurations of the check item cannot be modified.


  4. In the Modify Check Item Configurations panel, click Add Modifiable Parameter in the Modifiable Parameter column, select a parameter, specify a value for the selected parameter in the Edit Parameter column, and then click OK.

    The modification takes effect immediately. You can view the check result of the modified check item in the next configuration check.

Step 2: Run a configuration check

The configuration assessment feature supports full scans and scans by policy.

  1. In the left-side navigation pane, choose Risk Governance > Configuration Assessment.

  2. Click the Configuration Check tab and run a configuration check.

    • Full Scanning

      If you want to immediately check whether risks exist in the configurations of your cloud services, you can choose Immediate Scan > Full Scanning on the Configuration Assessment page. The system checks all your cloud services.

    • Scan By Policy

      After you configure a policy for the configuration assessment feature, Security Center runs configuration checks based on the time range that you specify in the policy. You can also select Scan By Policy to immediately check your cloud services.

      1. In the upper-right corner of the Configuration Assessment page, click Check Policy Settings.

      2. In the Check Policy Settings panel, turn on Automatic Configuration Assessment.

      3. Configure the Detection Cycle and Detection Time parameters, select the required check items, and then click OK.

      4. Optional. On the Configuration Assessment page, choose Immediate Scan > Scan by Policy.

        Security Center immediately scans the configurations of cloud services based on the policy that you configure.

    Note

    A full scan requires a long period of time to complete.

Step 3: View check results

  1. In the left-side navigation pane, choose Risk Governance > Configuration Assessment.

  2. Click the Configuration Check tab and view the check results.

    • View the overall information

      The section in the upper part of the Configuration Assessment page displays the overall information. You can view the pass rates for check items of the CIEM, Risk, and Compliance Risk types. You can move the pointer over the lines above Pass Rate to view the numbers of high-risk items, medium-risk items, low-risk items, and passed check items.

      Note

      Different risk levels of check items are displayed in different colors.

      • High Risk: red. The risk item poses major threats to your assets. We recommend that you handle the risk item at the earliest opportunity.

      • Medium Risk: orange. The risk item causes damage to your assets. You can handle the risk item at your convenience.

      • Low Risk: gray. The risk item causes less damage to your assets. You can handle the risk item at your convenience.

    • View risk items

      • In the All Check Items section, click a check item type. In the list of risk items on the right, view the risk items of the selected check item type.

      • Use the filter widget above the list to search for the risk items that you want to view. You can filter risk items by conditions such as the risk level and status of risk items.

    • View the details of a risk item

      Find a risk item and click Details in the Actions column. In the panel that appears, view the following information: Check Item Description, Solution, Help, and Impact.


Step 4: Handle the detected configuration risks

  1. In the left-side navigation pane, choose Risk Governance > Configuration Assessment.

  2. Click the Configuration Check tab and handle the detected risk items.

    You can perform the following operations based on your business requirements:

    • Fix a risk item

      Find a risk item and click Details in the Actions column. In the Impact section of the details panel that appears, click the instance ID of the cloud service on which risks are detected, the ID of an account, or the name of a policy to go to the console of the cloud service. Then, fix the risk item based on the information provided in the Solution and Help sections.

    • Add a risk item to the whitelist

      Important

      After you add a risk item to the whitelist, the risks that are detected for the risk item are no longer reported in subsequent configuration checks. We recommend that you add risk items to the whitelist only after you confirm that the risk items do not pose threats.

      If you identify a risk item as a false positive, you can find the risk item in the check item list and click Add to Whitelist in the Actions column to add the risk item to the whitelist. Then, the status of the risk item changes to Whitelist. Risk items that are added to the whitelist are not counted in the total number of risk items.

      You can click Remove from Whitelist in the Actions column to remove risk items from the whitelist.

  3. Verify fixes.

    If you have modified the configurations of an instance based on the information in the details panel of a risk item that affects the instance, you can use one of the following methods to check whether the new configurations contain risks:

    • Verify a fix: Find the risk item in the check item list and click Verify in the Actions column.

    • Verify fixes: Select multiple risk items and click Verify below the check item list.

    If the configurations do not contain risks, the instance is removed from the list in the Impact section, and the status of the risk item changes to Passed.
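
The whitelist behavior described in Step 4 means the reported risk totals can understate what was actually detected. The following added example (not part of the original documentation or of Security Center) shows how to order open risk items for remediation and list high-risk whitelisted items for re-review; the record fields, the risk levels assigned to each item, the "Failed" status label, and the constructed-check names are assumptions.

```python
from collections import Counter

# Constructed sample records. Field names, risk levels and the "Failed" status
# label are assumptions for illustration, not a Security Center export format.
ITEMS = [
    {"check": "OSS Bucket Immobilizer Configuration", "type": "Compliance Risk",
     "level": "Medium", "status": "Failed", "service": "OSS"},
    {"check": "Idle user cleaning", "type": "CIEM",
     "level": "High", "status": "Whitelist", "service": "RAM"},
    {"check": "Password_validity", "type": "CIEM",
     "level": "High", "status": "Failed", "service": "RAM"},
    {"check": "constructed-check-A", "type": "Risk",
     "level": "Low", "status": "Failed", "service": "OSS"},
    {"check": "constructed-check-B", "type": "Risk",
     "level": "High", "status": "Passed", "service": "ECS"},
    {"check": "constructed-check-C", "type": "Risk",
     "level": "Low", "status": "Whitelist", "service": "ECS"},
]

LEVEL_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def triage(items):
    """Build a remediation queue and a whitelist re-review list."""
    open_items = [i for i in items if i["status"] == "Failed"]
    whitelisted = [i for i in items if i["status"] == "Whitelist"]
    return {
        # Highest risk first, then grouped by service so fixes can be batched.
        "queue": sorted(open_items, key=lambda i: (
            LEVEL_ORDER[i["level"]], i["service"], i["check"])),
        # Whitelisted items are not counted in the total number of risk items.
        "reported_total": len(open_items),
        "suppressed": len(whitelisted),
        # Services ranked by number of open risk items (top 5).
        "top_services": Counter(i["service"] for i in open_items).most_common(5),
        # High-risk items hidden by the whitelist are candidates for re-review.
        "rereview": [i for i in whitelisted if i["level"] == "High"],
    }


if __name__ == "__main__":
    result = triage(ITEMS)
    for item in result["queue"]:
        print(f'{item["level"]:<6} {item["service"]:<4} {item["check"]}')
    print("reported:", result["reported_total"],
          "suppressed by whitelist:", result["suppressed"])
    for item in result["rereview"]:
        print("re-review whitelisted high-risk item:", item["check"])
```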

View risk reports

You can view a risk report on the Risk Overview tab of the Configuration Assessment page. The report visualizes the overall configuration risks of your cloud assets and allows you to identify and handle configuration errors at the earliest opportunity.

  1. In the left-side navigation pane, choose Risk Governance > Configuration Assessment.

  2. On the Risk Overview tab, select the vendor of the cloud assets that you want to view. If you do not select an option, you can view the risk data of all cloud assets.

    A risk report contains data in the following sections.

    • Detected Threat Types: Displays the proportion of executed check items to all supported check items in different dimensions.

    • At-risk Cloud Service Statistics: Displays the statistics of cloud services on which configuration risks are detected.

      • Total Cloud Services: the total number of cloud services that are added to Security Center, including Alibaba Cloud services and third-party cloud services.

      • Total At-risk Cloud Services: the number of cloud services on which configuration risks are detected, including Alibaba Cloud services and third-party cloud services.

      • Remaining Quota: the remaining quota for configuration assessment. You can click Scale Out to purchase an additional quota.

      • Top 5 At-risk Cloud Services: the top 5 at-risk cloud services based on risk item quantities. You can click a service name to go to the details page of the service.

    • Check Item Pass Rate: Displays the pass rate of check items and the distribution of risk items.

      • Overall Pass Rate: the proportion of failed check items to all executed check items.

      • Detected Threat Types: the number of check items that are executed. The system also displays the numbers of high-risk, medium-risk, and low-risk items.

      • Failed Check Items: the number of failed check items among the executed check items. The system also displays the numbers of high-risk, medium-risk, and low-risk items.

      • Check Items: the numbers of passed and failed check items of the CIEM, Risk, and Compliance Risk types in a column chart.

    • Trend of Check Item Pass Rate: Displays the trends of pass rates for check items that are used within a specific period of time in a line chart.

    • Trend of Asset-based Check Pass Rate: Displays the trends of pass rates for assets that are scanned within a specific period of time in a line chart.

      • Asset-based Check Pass Rate: the proportion of at-risk assets to all assets that are scanned.

    • Top 5 Objects with Excessive Permissions: Displays the top 5 users or roles that are granted excessive permissions within the current scope.
