You can use the multicloud configuration management feature of Security Center to onboard Baidu Cloud products to Alibaba Cloud. This enables unified Cloud Security Posture Management (CSPM) and provides a single security view for threat detection across your cloud environments.
Step 1: Create authorization credentials for an IAM user in Baidu Cloud
Create an IAM user with the minimum permissions required for integration with Alibaba Cloud Security Center, and then obtain its AccessKey.
For more information, see the official Baidu Cloud documents User Management and User management.
Log on to the IAM user console
Log on to the Baidu Cloud - IAM user console and click Create IAM User.
Configure user information
Username: Enter a custom, easily identifiable name, such as aliyun-security-center-user.
Access Mode: Select Programmatic access.
Quick Authorization: Do not select this option to avoid granting excessive permissions.
Set user permissions
In the user list, find the target user and click Add Permission in the Operation column.
Select the permission policies that correspond to the features you want to use in Security Center.
Feature | Policy Option | Notes |
CSPM | Option 1: IAMReadAccessPolicy + GlobalReadPolicy. Option 2: IAMReadAccessPolicy + BCCReadAccessPolicy + permission policies for each Baidu Cloud product. | GlobalReadPolicy includes read-only permissions for all products. This allows for quick provisioning. For fine-grained authorization, use Option 2 and add policies for cloud products as needed. |
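The following added example (not part of the original documentation or of any Alibaba Cloud or Baidu Cloud tooling) audits a list of policy names attached to the IAM user against the CSPM policy options listed above. It reports which option the set satisfies, what is missing if the credential check is likely to fail, and which policies exceed read-only access. The function names, the name-based read-only heuristic, and the sample policy names prefixed with Example are assumptions.

```python
# Added example: audits the policy set attached to the Security Center IAM user.
# Policy names are from the CSPM options above; sample inputs are constructed.
BASE = "IAMReadAccessPolicy"      # required by both options
GLOBAL = "GlobalReadPolicy"       # Option 1: read-only on all products
BCC = "BCCReadAccessPolicy"       # Option 2: plus per-product read policies


def looks_read_only(policy: str) -> bool:
    # Assumption: read-only system policies carry "Read" in their name.
    return "Read" in policy


def audit_cspm_user(attached):
    """Return which option the policy set satisfies and what is wrong with it."""
    policies = set(attached)
    findings = []
    if BASE not in policies:
        findings.append(f"missing {BASE}")
    if GLOBAL in policies:
        option = "Option 1"
        # Product read policies add nothing once GlobalReadPolicy is attached.
        extra = sorted(p for p in policies - {BASE, GLOBAL} if looks_read_only(p))
        findings += [f"redundant with {GLOBAL}: {p}" for p in extra]
    elif BCC in policies:
        option = "Option 2"
    else:
        option = None
        findings.append(f"missing {GLOBAL} (Option 1) or {BCC} (Option 2)")
    # Anything that is not read-only exceeds what CSPM needs.
    excess = sorted(p for p in policies if not looks_read_only(p))
    findings += [f"not read-only, remove: {p}" for p in excess]
    ok = BASE in policies and option is not None and not excess
    return {"option": option, "ok": ok, "findings": findings}


if __name__ == "__main__":
    samples = {  # constructed policy sets, not real account data
        "quick": [BASE, GLOBAL],
        "fine-grained": [BASE, BCC, "ExampleProductReadAccessPolicy"],
        "over-privileged": [BASE, BCC, "ExampleFullAccessPolicy"],
        "incomplete": [GLOBAL],
    }
    for name, attached in samples.items():
        print(name, audit_cspm_user(attached))
```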
Create and save the AccessKey
In the user list, click the name of the target user to go to the user details page.
On the user details page, in the AccessKey section, click Create AccessKey.
After you complete the security authentication, click Download AccessKey in the pop-up window. Save the AccessKeyID and AccessKeySecret.
Warning: You cannot download the AccessKey again after you close the pop-up window. Make sure to download and store the AccessKey information immediately.
Step 2: Complete the provisioning configuration in Security Center
After you create the API key for the IAM user in Baidu Cloud, return to the Security Center console to complete the provisioning configuration.
Go to the authorization page
You can access the Baidu Cloud asset onboarding flow from any of the following paths:
Recommended path:
Go to the Security Center console > System Settings > Feature Settings page. In the upper-left corner of the page, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the tab, click Grant Permission, and then select Baidu Cloud.
Other entry points:
In the Multi-cloud Service Integration area on the page, click the Add button below the icon.
Configure provisioning credentials
In the Add Assets Outside Cloud panel, in the Select the modules to authorize section, select the features to provision and click Next.
Note: Currently, only CSPM is supported.
On the Submit AccessKey Pair page, enter the AccessKey information that you created in Step 1.
After you enter the information, click Next. The system automatically verifies the credentials and permissions.
Note: If authentication fails, see Why can't I see some added Baidu Cloud resources in Security Center?
Configure the synchronization policy:
Select region: Select the region where the Baidu Cloud assets that you want to provision are located.
Note: The synchronized asset data is stored in the data center that corresponds to the region you selected in the upper-left corner of the Security Center console.
Chinese Mainland: data center in the Chinese mainland.
Outside Chinese Mainland: data center in Singapore.
Region Management: Select this option to automatically synchronize cloud products in new regions under this Baidu Cloud account. You do not need to add them manually.
Cloud Service Synchronization Frequency: Set the interval for automatically synchronizing Baidu Cloud products. To disable synchronization, set this to Off.
AK Service Status Check: Set the interval for Security Center to automatically check the validity of the Baidu Cloud account's API key. You can select Off to disable this check.
After you complete the configuration, click Synchronize Assets. The system then automatically synchronizes the cloud products from the Baidu Cloud account to Security Center.
Step 3: View onboarded products
In the Security Center console, go to the page. In the All Alibaba Cloud Services navigation pane on the left, click Baidu Cloud to view the provisioned Baidu Cloud assets. For more information, see View cloud product information.
After the initial provisioning or a configuration change, there may be a synchronization latency.
Appendix: Baidu Cloud product permission policies
The list of Baidu Cloud products supported by Security Center is continuously updated. For the latest list of supported products, refer to the console.
Policy Name | Permission Description |
| Read-only access permissions for Redis instances. |
| Read-only access permissions for Kafka instances. |
| Read-only access permissions for MongoDB instances. |
| Read-only access permissions for RDS instances. |
| Read-only access permissions for VPC resources. |
| Read permissions for BOS buckets. |
| Read-only access permissions for BLB instances. |
FAQ
Why can't I see some of my provisioned Baidu Cloud resources in Security Center?
Region not selected: In the provisioning configuration in Security Center, check if the Baidu Cloud region where the resource is located is selected.
Synchronization latency: A synchronization latency may occur after the initial provisioning or a configuration change. Wait for the synchronization to complete.
What should I do if the automatic credential and permission check fails after I enter the AccessKey?
This issue usually occurs because the IAM user has insufficient permissions. For more information, see Set user permissions. You can then go to the Baidu Cloud console to modify or add the required user permission policies.