Use the multi-account management feature - Security Center

The multi-account management feature allows you to manage multiple members in the resource directory of your enterprise in a centralized manner. You can configure protection settings for the members and view the risks that are detected in the resources of the members in real time. This topic describes how to use the multi-account management feature.

Background information

An increasing number of enterprises are migrating their business to the cloud. After enterprises purchase a large number of cloud resources, the management of resources, projects, personnel, and permissions can become complicated. Single accounts cannot be used to meet the requirements. In this case, a multi-account system is required to migrate business to the cloud. Enterprise users have requirements for centralized management of cloud resources across multiple accounts. The cloud resources include security, compliance audit, network, and O&M products.

Security Center can be integrated with Resource Directory of Resource Management as a trusted service. You can use a resource directory to manage multiple Alibaba Cloud accounts in a centralized and structured manner. For example, you can implement data operations and monitoring on the resources within each Alibaba Cloud account and perform quick operations and management on the resources across the accounts.

Limits

All editions of Security Center support this feature. For more information about the features that are supported by each edition, see Functions and features.

Prerequisites

A resource directory is enabled. For more information, see Enable a resource directory.
A member is created in the resource directory, or an existing Alibaba Cloud account is invited to join the resource directory. For more information, see Create a member and Invite an Alibaba Cloud account to join a resource directory.
The threat analysis feature is enabled. This requirement must be met if you want to add an account to threat analysis for monitoring. For more information, see Use the threat analysis feature.

Step 1: Add a delegated administrator account

You can use the management account of a resource directory to specify a member in the resource directory as a delegated administrator account of a trusted service. After a member is specified as a delegated administrator account of a trusted service, the member can be used to access information about the resource directory in the trusted service. The information includes the structure and members of the resource directory. The member can also be used to manage business within the resource directory.

Note

You can add up to 10 delegated administrator accounts for Security Center.

Log on to the Resource Management console by using the management account of your resource directory.
In the left-side navigation pane, choose Resource Directory > Trusted Services.
On the Trusted Services page, find Security Center or Security Center - Threat Analysis and click Manage in the Actions column.
In the Delegated Administrator Accounts section of the page that appears, click Add.
In the Add Delegated Administrator Account panel, specify a member as a delegated administrator account of Security Center and click OK.
After you specify the delegated administrator account, the delegated administrator account can be used to perform management operations on all members of the resource directory.

Step 2: Add a member

The multi-account management feature allows you to add members of the following types: account monitored by Security Center and account monitored by threat analysis.

Account monitored by Security Center: If you want to monitor the security status of assets within multiple Alibaba Cloud accounts and configure protection settings other than threat analysis for the accounts, you can add the accounts as members of the account monitored by Security Center type. The settings include settings for alerting, vulnerability detection, baseline check, and configuration assessment.
Account monitored by threat analysis: If you want to manage security information and events of multiple cloud services that belong to different Alibaba Cloud accounts, you can add the accounts as members of the account monitored by threat analysis type. The services include Cloud Firewall and Virtual Private Cloud (VPC).

Add a member of the account monitored by Security Center type

You can invite existing Alibaba Cloud accounts to join your resource directory as members in the Security Center console. This way, you can manage assets within the accounts by using a single account in a centralized manner. You can monitor the security status of the assets and configure protection settings other than threat analysis for the members, such as settings for alerting, vulnerability check, baseline check, and configuration assessment.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose System Configuration > Multi-account Control.
The first time you use the multi-account management feature, click Enable Management in Security Center.
After you enable the feature, the AliyunServiceRoleForSasRd service-linked role is automatically created for the members in your resource directory. For more information about service-linked roles, see Service-linked roles for Security Center.
Add a member.
1. On the Multi-account Control page, choose Configure > Account Monitored by Security Center. Then, click Add.
2. In the Add Account panel, select the existing Alibaba Cloud account that you want to invite.
  Note
  The members in the drop-down list are the same regardless of whether you use the management account of your resource directory or a delegated administrator account.
3. Optional. Select When a new account is created, the account is added to the list of managed accounts by default..
  After you select this option, Security Center automatically synchronizes newly added accounts to the member list.
4. Click OK.
  You can view the added member in the member list on the Multi-account Control page.
Configure protection settings for the member.
1. On the Account Monitored by Security Center tab, find the member in the member list and click Settings in the Actions column.
2. In the Settings panel, configure the parameters in the Client management step and click Next.
  You can configure settings such as host protection, container protection, and agent settings. For more information, see Feature Settings.
3. Configure the parameters in the Vulnerability management step and click Next.
  You can enable or disable automatic scan for each type of vulnerability, and enable vulnerability scan for specific servers. You can also configure the scan cycle and scan method and specify the number of days after which a detected vulnerability is automatically deleted. For more information, see Scan for vulnerabilities.
4. Configure the parameters in the Baseline inspection step.
  The baseline check feature allows you to configure baseline check policies for the member. You can use baseline check policies to check whether risks exist in the baseline configurations of the assets that belong to the member. For more information, see Create baseline check policies and run baseline checks based on the policies.
After you complete the configurations, click Determine.
Security Center enables features for the member and performs vulnerability scans and baseline checks on the assets that belong to the member based on the configurations.

Add a member of the account monitored by threat analysis type

You can enable the threat analysis feature for multiple accounts on the Account Monitored by Threat Analysis tab. Then, you can configure alerts for multiple cloud services that belong to different accounts and handle alert events that are generated for the services.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose System Configuration > Multi-account Control.
The first time you use the multi-account management feature, click Enable Threat Analysis and Control.
After you enable the feature, the AliyunServiceRoleForSasRd service-linked role is automatically created for the members in your resource directory. For more information, see Service-linked roles for Security Center.
Add a member.
1. On the Multi-account Control page, choose Configure > Account Monitored by Threat Analysis. Then, click Add.
2. In the Add Account panel, select the existing Alibaba Cloud account that you want to invite.
  Note
  The members in the drop-down list are the same regardless of whether you use the management account of your resource directory or a delegated administrator account.
3. Optional. When a new account is created, the account is added to the list of managed accounts by default..
  After you select this option, Security Center automatically synchronizes newly added accounts to the member list.
Click OK.
After the configuration is complete, you can view the added member in the member list on the Account Monitored by Threat Analysis page.

Step 3: View the risks detected in the resources of a member

You can log on to the Security Center console by using the management account of your resource directory or a delegated administrator account to view the risks detected in the resources of a member and manage the member on the Overview tab of the Multi-account Control page.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose System Configuration > Multi-account Control.
On the Multi-account Control page, click the Overview tab to view information about each member, such as the security score, at-risk assets, alerts, vulnerabilities, baseline risks, and asset exposure statistics.

View and manage a member of the account monitored by Security Center type

In the Security Center console, you can view and manage members of the account monitored by Security Center type or the account monitored by threat analysis type. For example, you can add or remove members.

Account Monitored by Security Center

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose System Configuration > Multi-account Control.
On the Multi-account Control page, choose Configure > Account Monitored by Security Center. Then, view and manage information about a member.
- View the risk information about a member
  You can view the risk information about a member in the member list. The risk information includes Security Score, Alerts, Vulnerabilities, Baseline Check, Config Assessment, and Attacks.
- Switch to the Security Center console of a member
  In the member list, click the name of a member to switch to the Security Center console of the member. You can also select a member from the drop-down list in the left-side navigation pane to switch to the Security Center console of the member or switch back to the Security Center console of the current logon account.
  After you switch to the Security Center console of a member, you can view the risks detected in the resources of the member and configure protection settings. However, you cannot perform the following operations:
  - Go to the buy page or the console of a different cloud service. For example, when you click Buy Now on the Overview page and select an edition, you cannot navigate to the buy page, and the The feature is not supported when the multi-account switching feature is enabled. message appears.
  - Use the log analysis feature. After you switch to the Security Center console of a member, the entry point to the log analysis feature is not displayed in the console.
  - Use the multi-account management feature. After you switch to the Security Center console of a member, the entry point to the multi-account management feature is not displayed in the console.
- Mark a member as followed
  You can select a member from the member list and click Follow to mark the member as followed. Followed members are preferentially displayed in the drop-down list in the upper part of the left-side navigation pane.
- Log on to the Resource Management console
  If you log on to the Resource Management console by using the management account of your resource directory, you can click View to go to the Resource Directory page. On the Resource Directory page, you can view directory information about all assets, create members, invite members, or upgrade a resource account to a cloud account.
- Remove a member
  Click Delete to remove a member from the member list.

Account Monitored by Threat Analysis

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose System Configuration > Multi-account Control.
On the Multi-account Control page, choose Configure > Account Monitored by Threat Analysis. Then, view and manage the information about a member.
- View information about a member
  You can view information about a member in the member list.
- Remove a member
  You can click Delete in the Actions column of a member to remove the member from the member list.