You can use the multi-account management feature of Security Center to centrally purchase security products, configure security protection settings, and handle security risks for multiple Alibaba Cloud accounts in your enterprise. You can also monitor the security risk status of each member account in real time. This topic describes how to use the multi-account management feature.
Multi-account scenarios
Centralized security configuration and risk management
Member accounts maintain independent data and configurations. You can use a delegated administrator account of Security Center to centrally manage security configurations for multiple member accounts, handle security risks, and implement security hardening. This improves operational efficiency and solves the challenges of managing security operations across multiple accounts.
Cross-account log ingestion, storage, and threat analysis
With the cloud threat detection and response (CTDR) feature of Security Center, you can ingest data from member accounts into the delegated administrator account for centralized storage and analysis. This helps identify cross-account security risks and provides a global perspective on security events.
Unified payment and shared authorization
The delegated administrator can purchase authorization quotas for multiple Security Center features and allocate these quotas to member accounts without making additional purchases. This allows enterprises to centrally purchase Security Center features, facilitating internal expense settlement.
You cannot assign a quota to a member account that has already purchased a Security Center instance. To assign a quota, the member account must cancel its subscription instance and shut down its pay-as-you-go instance.
You can use the finance trusteeship feature to consolidate payments for all cloud products across the member accounts in your enterprise. For more information, see Trusteeship Overview.
For account security, use a Security Center delegated administrator instead of the management account to purchase quotas.
Example of a multi-account system
Security experts can use a security account (Security Center delegated administrator) to centrally manage Alibaba Cloud accounts for production and testing within an enterprise. This allows for unified risk detection, risk handling, and security hardening, improving security operation efficiency. If your enterprise has a complex multi-account scenario, you can submit a ticket for technical support.
Prerequisites
You have created a new member in the resource directory or invited an existing Alibaba Cloud user to join.
Step 1: Add a delegated administrator account
The management account of a resource directory can designate a member as a delegated administrator for a trusted service. Once this is assigned, the delegated administrator receives authorization from the management account and can access the resource directory’s organization and member information within the trusted service, as well as manage business operations within that organization.
Log on to the Resource Management console using the management account.
In the left-side navigation pane, choose .
On the Trusted Services page, find Security Center and click Manage in the Actions column.
In the Delegated Administrator Accounts section of the page that appears, click Add.
In the Add Delegated Administrator Account panel, select the member you want to set as a delegated administrator, and click OK.
After the account is added successfully, you can use this delegated administrator account to access the multi-account management feature of Security Center and perform management within the organization.
Note: You can add up to 10 Security Center delegated administrator accounts.
Step 2: Configure account management scope
You can use a delegated administrator to centrally manage member accounts. Follow these steps to configure the scope of member accounts that the delegated administrator can manage.
Delegated administrators can view and manage only the member accounts within their assigned scope. They cannot access member accounts managed by other delegated administrators. If an account management scope is configured by the management account, only the management account can view and manage the member accounts within that scope.
A member account can be assigned to only one delegated administrator at a time.
Use the delegated administrator account to log on to the Security Center console. In the top navigation bar, select the region where your assets are located: China or Outside China.
In the left-side navigation pane, choose .
(Required for first-time users) On the Multi-account Management page, click Enable Management in Security Center.

On the Configure tab, in the Total Monitored Accounts section, click Account Management.
In the Multi-account Management Settings panel, select the member accounts that you want the current account to manage.

(Optional) Enable Automatic Management of New Accounts to set management policies for new accounts.
After enabling this option, click Configure Policy, select the target resource directory node, and click OK. New accounts added to the selected resource directory node will be automatically added to the management list.
Click OK.
You can view the member accounts within the management scope on the Configure tab.

Step 3: (Optional) Allocate authorization quotas
Enterprises can use a delegated administrator account to centrally purchase quotas for specific features with a subscription and allocate them to member accounts.
Limits
Only a delegated administrator account can assign Security Center subscription quotas to the member accounts it manages. The member accounts must not have an existing Security Center subscription instance or any enabled pay-as-you-go services, except for agentless detection and Serverless security. The following table lists the features that can be assigned.
Feature | Minimum allocation quota and increment | Note |
--- | --- | --- |
Host and container security | | |
Anti-ransomware capacity | | After purchasing the managed anti-ransomware service, the anti-ransomware capacity allocated to member accounts uses the managed anti-ransomware capabilities by default. |
Managed anti-ransomware | | |
Log analysis capacity | | |
Container image scan | | |
Application protection | | |
Cloud honeypot | | |
Web tamper proofing | | |
CSPM | | |
SDK for malicious file detection | | |
CTDR - Traffic of adding logs | | |
CTDR - Log storage capacity | | |
View and purchase quotas
Use the delegated administrator account to log on to the Security Center console. In the top navigation bar, select the region where your assets are located: China or Outside China.
On the Overview page, in the Subscription section, view the quotas for your instance.
This section displays all features and quotas you have purchased. For example, as shown in the figure, Anti-ransomware (GB) displays 132.9/150, where 150 indicates the total anti-ransomware capacity quota of 150 GB purchased for the current Alibaba Cloud account, and 132.9 indicates the anti-ransomware capacity already used by the current account (including both China and Outside China regions).

To purchase more quotas, click Buy Now or Upgrade.
For more information, see Purchase a subscription-based instance and Upgrade and downgrade.
Allocate quotas
Use the delegated administrator account to log on to the Security Center console. In the top navigation bar, select the region where your assets are located: China or Outside China.
On the Overview page, in the Subscription section, click Multi-account Management.
You can also go to the Configure tab on the page, and click Quota Management under Total Monitored Accounts.

On the Multi-account Quota Management page, click Add Account.
In the Add Account dialog box, select the member accounts to which you want to allocate quotas, and click OK.
You can grant quotas only to member accounts managed by the current delegated administrator account. You cannot grant authorization to unmanaged member accounts or to member accounts managed by other delegated administrator accounts.
You can only select member accounts that have not purchased subscription Security Center instances and have not activated pay-as-you-go for any value-added features, except for agentless detection and Serverless asset protection.

In the Quota Management section, allocate quotas to member accounts.
In the Purchased Quota section, view the features and quotas purchased by the current account.
The first account shown in the Quota Management section displays the remaining allocatable quotas for the current account. This row cannot be edited, and unallocated quotas are automatically assigned to the current account. When allocating quotas for a specific feature to member accounts, the total allocated quotas must not exceed the number initially displayed in the first row of that column. After you allocate quotas to member accounts, the number in the first row decreases accordingly. For information about minimum quotas and increments, see Limits.
Click Save.
After allocating server quotas to a member account, the system automatically binds the allocated quotas to the member account's servers at random, aiming to utilize all the quotas. Any additional quotas allocated to member accounts later will not be automatically bound to servers; you must switch to the member account and manually bind these additional quotas. For more information, see Manage host and container security authorizations.
Step 4: Manage configurations and risks for member accounts
Risk overview
View risk overview for member accounts
On the Overview tab of the page, you can view statistics for member accounts within your management scope, including security scores, number of at-risk assets, security alerts, vulnerabilities, and baseline issues. This helps identify member accounts with significant security risks.

On the Configure tab of the page, you can view statistics about security risks in member accounts.

View detailed risk information for member accounts
In the upper-left corner of the Security Center console, switch to a member account. Then, you can view security operations for that account on the overview page. For more information, see Overview (new version).

Manage configurations and risks for member accounts
Use the delegated administrator account to log on to the Security Center console. In the top navigation bar, select the region where your assets are located: China or Outside China.
In the left-side navigation pane, choose .
On the Configure tab, click Settings in the Actions column for a member account.
In the Settings panel, configure agent, vulnerability and baseline scan settings for the member account, and click OK.
Agent Management: Configure security defense capabilities and alert settings.
Vulnerabilities: Configure vulnerability scan settings for the member account. For parameter descriptions, see Scan for vulnerabilities.
Baseline Check: Configure baseline check policies for the member account. For parameter descriptions, see Configure and execute baseline check policies.

In the upper-left corner of the console, switch to a member account to access that member account's console.
After switching to a member account's console, the delegated administrator account can perform asset inventory, risk detection, security hardening, real-time protection, and proactive detection and response. For more information about Security Center features, see Functions and features.
Additional operations
Instructions for using allocated quotas
After a Security Center delegated administrator allocates quotas to member accounts, those accounts can utilize the allocated quotas. If quotas are insufficient, member accounts can contact the management account to request additional allocations. Member accounts cannot purchase, renew, or upgrade Security Center instances. Delegated administrators or member accounts can refer to the instructions below to effectively use quotas for various features and avoid wastage.
Manage host and container quotas: View and manage server protection quotas on the Overview or Host page in the console. These include Ultimate Edition, Enterprise Edition, Advanced Edition, and Anti-virus Edition server quotas.
Anti-ransomware: Create protection policies to back up core data files for servers or databases. Guides:
Log analysis: All log types are delivered by default. No manual operation is required.
Important: Delegated administrator accounts cannot use the log analysis feature of member accounts by switching accounts in the upper-left corner of the console. Member accounts must log on to the console themselves to use the log analysis feature.
Container image scan: After performing an image scan, the corresponding quota is used to detect security risks in the image.
Application protection: Applications need to be added to the application protection feature.
Cloud honeypot: Implement attack capture by deploying cloud honeypots on servers.
Web tamper proofing: Add protection to servers to prevent websites from being injected with illegal information and ensure normal website operation.
CSPM: Configure cloud service configuration risk check policies, system baseline risk check policies, and attack path scan rules to implement cloud security posture detection.
SDK for malicious file detection: Detect malicious files by calling the SDK on servers to check offline files or by checking files stored in OSS in the Security Center console.
CTDR - Log storage capacity: Enable delivery of Security Center logs and standardized logs.
CTDR - Traffic of adding logs: Add cloud service logs to CTDR.
Delete member accounts
Log on with the delegated administrator account and go to the Configure tab of the page. Click Delete in the Actions column for a member account to remove it.
After quotas are allocated to a member account, removing the member account and its quotas will also remove the quotas. All assets under the member account will lose protection, the system will automatically release all quotas, and logs will be cleared. Please proceed with caution.
Delete quotas for member accounts
Log on with the delegated administrator account and go to the Overview page. In the Subscription section, click Multi-account Management. In the Quota Management section, move your pointer over the account name, click the icon, and click OK in the confirmation dialog box.

References
If you use CTDR 1.0 and manage multiple accounts through the Security Center - Threat Analysis delegated administrator, see Centrally manage multiple accounts for the related operation instructions.
If an authorized member account needs to purchase Security Center independently, see How can an authorized member account independently purchase Security Center?