Use the multi-account management feature - Security Center

The multi-account management feature allows you to manage multiple members in the resource directory of your enterprise in a centralized manner. You can configure protection settings for the members and view the risks that are detected in the resources of the members in real time. This topic describes how to use the multi-account management feature.

Background information

An increasing number of enterprises are migrating their business to the cloud. After enterprises purchase a large number of cloud resources, the management of resources, projects, personnel, and permissions can become complicated. Single accounts cannot be used to meet the requirements. In this case, a multi-account system is required to migrate business to the cloud. Enterprise users have requirements for centralized management of cloud resources across multiple accounts. The cloud resources include security, compliance audit, network, and O&M products.

Security Center can be integrated with Resource Directory of Resource Management as a trusted service. You can use a resource directory to manage multiple Alibaba Cloud accounts in a centralized and structured manner. For example, you can implement data operations and monitoring on the resources within each Alibaba Cloud account and perform quick operations and management on the resources across the accounts.

The multi-account management feature allows you to add members of the following types: account monitored by Security Center and account monitored by threat analysis.

Account monitored by Security Center: If you want to monitor the security status of assets within multiple Alibaba Cloud accounts and configure protection settings other than threat analysis for the accounts, you can add the accounts as members of the account monitored by Security Center type. The settings include settings for alerting, vulnerability detection, baseline check, and configuration assessment.
Account monitored by threat analysis: If you want to manage security information and events of multiple cloud services that belong to different Alibaba Cloud accounts, you can add the accounts as members of the account monitored by threat analysis type. The services include Cloud Firewall and Virtual Private Cloud (VPC).

Limits

All editions of Security Center support this feature. For more information about the features that each edition supports, see Functions and features.

Prerequisites

A resource directory is enabled. For more information, see Enable a resource directory.
A member is created in the resource directory, or an existing Alibaba Cloud account is invited to join the resource directory. For more information, see Create a member and Invite an Alibaba Cloud account to join a resource directory.
The Account Monitored by Threat Analysis tab is available in the Security Center console. The tab is available only after you enable the threat analysis feature.

Step 1: Add a delegated administrator account

You can use the management account of a resource directory to specify a member in the resource directory as a delegated administrator account of a trusted service. After a member is specified as a delegated administrator account of a trusted service, the member can be used to access information about the resource directory in the trusted service. The information includes the structure and members of the resource directory. The member can also be used to manage business within the resource directory.

Note You can add up to 10 delegated administrator accounts for Security Center.

Log on to the Resource Management console by using the management account of your resource directory.
In the left-side navigation pane, choose Resource Directory > Trusted Services.
On the Trusted Services page, find Security Center or Security Center - Threat Analysis and click Manage in the Actions column.
In the Delegated Administrator Accounts section of the page that appears, click Add.
In the Add Delegated Administrator Account panel, specify a member as a delegated administrator account of Security Center and click OK.
After you specify the delegated administrator account, the delegated administrator account can be used to perform management operations on all members of the resource directory.

Step 2: Add a member

Add a member of the account monitored by Security Center type

You can invite existing Alibaba Cloud accounts to join your resource directory as members in the Security Center console. This way, you can manage assets within the accounts by using a single account in a centralized manner. You can monitor the security status of the assets and configure protection settings other than threat analysis for the members, such as settings for alerting, vulnerability check, baseline check, and configuration assessment.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose System Configuration > Multi-account Control.
The first time you use the multi-account management feature, click Enable Management in Security Center.
After you enable the feature, the AliyunServiceRoleForSasRd service-linked role is automatically created for the members in your resource directory. For more information about service-linked roles, see Service-linked roles for Security Center.
Add a member.
1. On the Multi-account Control page, click the Configure tab. On the Account Monitored by Security Center tab, click Add.
2. In the Add Account panel, select the existing Alibaba Cloud account that you want to invite.
  Note The members in the drop-down list are the same regardless of whether you use the management account of your resource directory or a delegated administrator account.
3. Optional:Select When a new account is created, the account is added to the list of managed accounts by default.After you select this option, Security Center automatically synchronizes newly added accounts to the member list.
4. Click OK.
  You can view the added member in the member list on the Multi-account Control page.

Configure protection settings for the member.

On the Account Monitored by Security Center tab, find the member in the member list and click Settings in the Actions column.

In the Settings panel, configure the parameters in the Client management step and click Next.


Category	Parameter	Description	References
Host Protection Settings	Proactive Defense	Proactive defense automatically intercepts common viruses, malicious network connections, and webshell connections. Proactive defense also allows you to use bait to capture ransomware.	Use proactive defense
	Webshell Detection	Webshell detection scans servers and web directories for webshells and trojans at regular intervals. Security Center generates alerts for detected webshells and displays alerts only if webshell detection is enabled.	Webshell Detection
	Dynamic adaptive threat detection capability	If a high-risk intrusion is detected on your server after the adaptive threat detection feature is enabled, the Security Center agent on your server automatically runs in Safeguard Mode For Major Activities mode. In this mode, all protection rules and security engines are enabled to detect intrusions in a more comprehensive manner.	Dynamic adaptive threat detection capability
	Protection Mode	The Security Center agent is a local plug-in provided by Security Center. Before you can use Security Center to protect your servers, you must install the Security Center agent on your servers. Security Center provides multiple protection modes. The Security Center agent can run in different modes to meet security requirements in different scenarios.	Protection Mode
Container Protection Settings	K8s Threat Detection	The feature of threat detection on Kubernetes containers checks the security status of running container clusters and detects security threats and attacks in the container clusters at the earliest opportunity.	K8s Threat Detection
Container Protection Settings	Container Escape Prevention	The feature of container escape prevention detects high-risk behavior in processes, files, and system calls. The feature establishes a protective barrier between containers and hosts and effectively intercepts escapes to ensure the security of the container runtime.	Container Escape Prevention
Agent Settings	Client Protection	The client protection feature blocks malicious operations that attempt to uninstall the Security Center agent. The feature ensures that Security Center provides stable protection capabilities.	Client Protection
Agent Settings	Local File Detection Engine	The local file detection engine is a high-efficiency and low-cost engine that is developed by Alibaba Cloud Security Center to detect threats in files. If you enable local file detection for a server, threats in the files on the server are detected by using local file detection and cloud file detection engines.	Local File Detection Engine
Other Settings	Global Log Filter	The Global Log Filter section is displayed in the Security Center console only after you enable the log analysis feature. The global log filtering feature helps improve log storage utilization and improve operational efficiency.	Global Log Filter

Configure the parameters in the Vulnerability management step and click Next.
You can enable or disable automatic scan for each type of vulnerability, and enable vulnerability scan for specific servers. You can also configure the scan cycle and scan method and specify the number of days after which a detected vulnerability is automatically deleted. For more information, see Scan for vulnerabilities.
Configure the parameters in the Baseline inspection step.
The baseline check feature allows you to configure baseline check policies for the member. You can use baseline check policies to check whether risks exist in the baseline configurations of the assets that belong to the member. For more information, see Create baseline check policies and run baseline checks based on the policies.

After you complete the configurations, click Determine.
Security Center enables features for the member and performs vulnerability scans and baseline checks on the assets that belong to the member based on the configurations.

Add a member of the account monitored by threat analysis type

You can enable the threat analysis feature for multiple accounts on the Account Monitored by Threat Analysis tab. Then, you can configure alerts for multiple cloud services that belong to different accounts and handle alert events that are generated for the services.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose System Configuration > Multi-account Control.
The first time you use the multi-account management feature, click Enable Threat Analysis and Control.
After you enable the feature, the AliyunServiceRoleForSasRd service-linked role is automatically created for the members in your resource directory. For more information, see Service-linked roles for Security Center.
Add a member.
1. On the Multi-account Control page, click the Configure tab. On the Account Monitored by Threat Analysis tab, click Add.
2. In the Add Account panel, select the existing Alibaba Cloud account that you want to invite.
  Note The members in the drop-down list are the same regardless of whether you use the management account of your resource directory or a delegated administrator account.
3. Optional:Select When a new account is created, the account is added to the list of managed accounts by default.After you select this option, Security Center automatically synchronizes newly added accounts to the member list.
Click OK.
After the configuration is complete, you can view the added member in the member list on the Account Monitored by Threat Analysis page.

Step 3: View the risks detected in the resources of a member

You can log on to the Security Center console by using the management account of your resource directory or a delegated administrator account to view the risks detected in the resources of a member and manage the member.

View the risks detected in the resources of a member on the Overview tab

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose System Configuration > Multi-account Control.
On the Multi-account Control page, click the Overview tab to view information about each member, such as the security score, at-risk assets, alerts, vulnerabilities, baseline risks, and asset exposure statistics.

View and manage a member of the account monitored by Security Center type

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose System Configuration > Multi-account Control.
On the Multi-account Control page, click the Configure tab.
On the Account Monitored by Security Center tab, view and manage information about a member.
- View the risk information about a member
  You can view the risk information about a member in the member list. The risk information includes Security Score, Alerts, Vulnerabilities, Baseline Check, Config Assessment, and Attacks.
- Switch to the Security Center console of a member
  In the member list, click the name of a member to switch to the Security Center console of the member. You can also select a member from the drop-down list in the left-side navigation pane to switch to the Security Center console of the member or switch back to the Security Center console of the current logon account.
  After you switch to the Security Center console of a member, you can view the risks detected in the resources of the member and configure protection settings. However, you cannot perform the following operations:
  - Go to the buy page or the console of a different cloud service. For example, when you click Buy Now on the Overview page and select an edition, you cannot navigate to the buy page, and the The feature is not supported when the multi-account switching feature is enabled. message appears.
  - Use the log analysis feature. After you switch to the Security Center console of a member, the entry point to the log analysis feature is not displayed in the console.
  - Use the multi-account management feature. After you switch to the Security Center console of a member, the entry point to the multi-account management feature is not displayed in the console.
- Mark a member as followed
  You can select a member from the member list and click Follow to mark the member as followed. Followed members are preferentially displayed in the drop-down list in the upper part of the left-side navigation pane.
- Log on to the Resource Management console
  If you log on to the Resource Management console by using the management account of your resource directory, you can click View to go to the Resource Directory page. On the Resource Directory page, you can view directory information about all assets, create members, invite members, or upgrade a resource account to a cloud account.
- Remove a member
  Click Delete to remove a member from the member list.

View and manage a member of the account monitored by threat analysis type

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose System Configuration > Multi-account Control.
On the Multi-account Control page, click the Configure tab.
On the Account Monitored by Threat Analysis tab, view and manage the information about a member.
- View information about a member
  You can view information about a member in the member list.
- Remove a member
  You can click Delete in the Actions column of a member to remove the member from the member list.