The multi-account management feature allows you to manage multiple members in the resource directory of your enterprise in a centralized manner. You can configure protection settings for the members and view the risks that are detected in the resources of the members in real time. This topic describes how to use the multi-account management feature.
Background information
An increasing number of enterprises are migrating their business to the cloud. After an enterprise purchases a large number of cloud resources, the management of resources, projects, personnel, and permissions becomes complicated, and a single account can no longer meet these requirements. In this case, a multi-account system is required to migrate business to the cloud. Enterprise users also need centralized management of cloud resources across multiple accounts, including security, compliance audit, network, and O&M products.
Security Center can be integrated with Resource Directory of Resource Management as a trusted service. You can use a resource directory to manage multiple Alibaba Cloud accounts in a centralized and structured manner. For example, you can implement data operations and monitoring on the resources within each Alibaba Cloud account and perform quick operations and management on the resources across the accounts.
- Account monitored by Security Center: If you want to monitor the security status of assets within multiple Alibaba Cloud accounts and configure protection settings other than threat analysis for the accounts, you can add the accounts as members of the account monitored by Security Center type. The settings include settings for alerting, vulnerability detection, baseline check, and configuration assessment.
- Account monitored by threat analysis: If you want to manage security information and events of multiple cloud services that belong to different Alibaba Cloud accounts, you can add the accounts as members of the account monitored by threat analysis type. The services include Cloud Firewall and Virtual Private Cloud (VPC).
Limits
All editions of Security Center support this feature. For more information about the features that each edition supports, see Functions and features.
Prerequisites
- A resource directory is enabled. For more information, see Enable a resource directory.
- A member is created in the resource directory, or an existing Alibaba Cloud account is invited to join the resource directory. For more information, see Create a member and Invite an Alibaba Cloud account to join a resource directory.
- The Account Monitored by Threat Analysis tab is available in the Security Center console. The tab is available only after you enable the threat analysis feature.
Step 1: Add a delegated administrator account
You can use the management account of a resource directory to specify a member in the resource directory as a delegated administrator account of a trusted service. After a member is specified as a delegated administrator account of a trusted service, the member can be used to access information about the resource directory in the trusted service. The information includes the structure and members of the resource directory. The member can also be used to manage business within the resource directory.
- Log on to the Resource Management console by using the management account of your resource directory.
- In the left-side navigation pane, choose .
- On the Trusted Services page, find Security Center or Security Center - Threat Analysis and click Manage in the Actions column.
- In the Delegated Administrator Accounts section of the page that appears, click Add.
- In the Add Delegated Administrator Account panel, specify a member as a delegated administrator account of Security Center and click OK. After you specify the delegated administrator account, the delegated administrator account can be used to perform management operations on all members of the resource directory.
Step 2: Add a member
Add a member of the account monitored by Security Center type
You can invite existing Alibaba Cloud accounts to join your resource directory as members in the Security Center console. This way, you can manage assets within the accounts by using a single account in a centralized manner. You can monitor the security status of the assets and configure protection settings other than threat analysis for the members, such as settings for alerting, vulnerability check, baseline check, and configuration assessment.
- Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
- In the left-side navigation pane, choose .
- The first time you use the multi-account management feature, click Enable Management in Security Center. After you enable the feature, the AliyunServiceRoleForSasRd service-linked role is automatically created for the members in your resource directory. For more information about service-linked roles, see Service-linked roles for Security Center.
- Add a member.
- Configure protection settings for the member.
- After you complete the configurations, click Determine. Security Center enables features for the member and performs vulnerability scans and baseline checks on the assets that belong to the member based on the configurations.
Add a member of the account monitored by threat analysis type
You can enable the threat analysis feature for multiple accounts on the Account Monitored by Threat Analysis tab. Then, you can configure alerts for multiple cloud services that belong to different accounts and handle alert events that are generated for the services.
- Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
- In the left-side navigation pane, choose .
- The first time you use the multi-account management feature, click Enable Threat Analysis and Control. After you enable the feature, the AliyunServiceRoleForSasRd service-linked role is automatically created for the members in your resource directory. For more information, see Service-linked roles for Security Center.
- Add a member.
- Click OK. After the configuration is complete, you can view the added member in the member list on the Account Monitored by Threat Analysis page.
Step 3: View the risks detected in the resources of a member
You can log on to the Security Center console by using the management account of your resource directory or a delegated administrator account to view the risks detected in the resources of a member and manage the member.
View the risks detected in the resources of a member on the Overview tab
- Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
- In the left-side navigation pane, choose .
- On the Multi-account Control page, click the Overview tab to view information about each member, such as the security score, at-risk assets, alerts, vulnerabilities, baseline risks, and asset exposure statistics.
View and manage a member of the account monitored by Security Center type
- Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
- In the left-side navigation pane, choose .
- On the Multi-account Control page, click the Configure tab.
- On the Account Monitored by Security Center tab, view and manage information about a member.
- View the risk information about a member
You can view the risk information about a member in the member list. The risk information includes Security Score, Alerts, Vulnerabilities, Baseline Check, Config Assessment, and Attacks.
- Switch to the Security Center console of a member
In the member list, click the name of a member to switch to the Security Center console of the member. You can also select a member from the drop-down list in the left-side navigation pane to switch to the Security Center console of the member or switch back to the Security Center console of the current logon account.
After you switch to the Security Center console of a member, you can view the risks detected in the resources of the member and configure protection settings. However, you cannot perform the following operations:
- Go to the buy page or the console of a different cloud service. For example, when you click Buy Now on the Overview page and select an edition, you cannot navigate to the buy page, and the message "The feature is not supported when the multi-account switching feature is enabled." appears.
- Use the log analysis feature. After you switch to the Security Center console of a member, the entry point to the log analysis feature is not displayed in the console.
- Use the multi-account management feature. After you switch to the Security Center console of a member, the entry point to the multi-account management feature is not displayed in the console.
- Mark a member as followed
You can select a member from the member list and click Follow to mark the member as followed. Followed members are preferentially displayed in the drop-down list in the upper part of the left-side navigation pane.
- Log on to the Resource Management console
If you log on to the Resource Management console by using the management account of your resource directory, you can click View to go to the Resource Directory page. On the Resource Directory page, you can view directory information about all assets, create members, invite members, or upgrade a resource account to a cloud account.
- Remove a member
Click Delete to remove a member from the member list.
View and manage a member of the account monitored by threat analysis type
- Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
- In the left-side navigation pane, choose .
- On the Multi-account Control page, click the Configure tab.
- On the Account Monitored by Threat Analysis tab, view and manage the information about a member.
- View information about a member
You can view information about a member in the member list.
- Remove a member
You can click Delete in the Actions column of a member to remove the member from the member list.