Onboard Kingsoft Cloud assets

更新时间:
复制 MD 格式

In a multi-cloud environment, fragmented security management and delayed threat response are common operational challenges. By connecting Kingsoft Cloud assets to Security Center, you can centralize asset visibility, threat detection, and policy enforcement across cloud platforms. This topic describes how to connect your Kingsoft Cloud assets using an AccessKey (AK).

Step 1: Create a Kingsoft Cloud credential

Create a dedicated IAM user in the Kingsoft Cloud console, and attach read-only policies so that Security Center can securely access your Kingsoft Cloud assets.

  1. Go to the Kingsoft Cloud - Access Control page. In the left-side navigation pane, choose Identities > IAM Users.

  2. On the Sub-user page, click Create IAM User.

  3. On the Create User page, configure the following parameters and click Next step(Confirm Information).

    • User: Enter a username of 1 to 64 characters. Letters, digits, periods (.), underscores (_), and hyphens (-) are allowed.

    • Display Name: Enter a display name. Chinese characters, letters, digits, at signs (@), double quotes (""), and underscores (_) are allowed.

    • Logon Settings: Select Programmatic Access.

    • IAM user can view projects: We recommend that you select Specific Project to avoid granting excessive permissions.

  4. On the Confirm Information page, click Replication Information in the Actions column or click Download CSV in the upper-right corner to save the AccessKeyId and SecretAccessKey locally.

    Warning

    Store the access key securely. It cannot be retrieved after you close the page.

  5. After saving the access key, click Continue authorization at the bottom of the page.

  6. On the authorization page, select the required policies based on the Security Center features you plan to use, and then click Next step (Confirm Information).

    Feature

    Kingsoft Cloud Policy

    Host

    KECReadOnlyAccess
    IAMReadOnlyAccess

    CSPM

    IAMReadOnlyAccess

  7. On the Authorization Result page, confirm that the authorization succeeds and click Finished.

Step 2: Complete the connection in Security Center

  1. Go to the authorization page:

    1. Log on to the Security Center console.

    2. In the navigation pane on the left, select System Settings > Feature Settings. In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

    3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission and select Kingsoft Cloud.

  2. Configure connection credentials:

    1. In the Add Assets Outside Cloud panel, select the Security Center service modules you need in the Select the modules to authorize section, and then click Next.

      • Host: Allows Security Center to automatically discover and synchronize your Kingsoft Cloud compute instances.

      • CSPM: Uses Cloud Security Posture Management (CSPM) to scan the configurations of your Kingsoft Cloud services and manage configuration risks.

    2. On the Submit AccessKey Pair page, enter the credential information you created in Kingsoft Cloud.

      • Enter Sub-account Secret ID: Enter the AccessKeyId obtained in Step 1.

      • Enter Sub-account Secret Key: Enter the SecretAccessKey obtained in Step 1.

    3. After filling in the credentials, click Next. The system automatically validates the credentials and permissions.

  3. Configure synchronization policies:

    • Select region: Select the region where the Kingsoft Cloud assets are located.

      Note

      Synchronized asset data is attributed to the data center corresponding to the region selected in the upper-left corner of the Security Center console.

      • Chinese Mainland: Mainland China data center.

      • Outside Chinese Mainland: Singapore data center.

    • Region Management: Recommended. Assets in future Kingsoft Cloud regions are synchronized automatically.

    • Host Asset Synchronization Frequency: Set the interval at which Kingsoft Cloud compute instance assets are automatically synchronized. Set to Disabled if you do not need to synchronize host assets.

      Note

      This parameter is required only when Host is selected.

    • Cloud Service Synchronization Frequency: Set the interval at which Kingsoft Cloud service configurations are automatically synchronized. Set to Disabled if you do not need to synchronize cloud service configurations.

      Note

      This parameter is required only when Cloud Security Posture Management is selected.

    • AK Service Status Check: Set the interval at which Security Center automatically checks the validity of the Kingsoft Cloud account API key. Set to Disabled to skip the check.

  4. Click OK. You are redirected to the Complete page. Click Synchronize Assets to start synchronizing assets from your Kingsoft Cloud account to Security Center.

Verify the connection

After synchronization completes, go to the Host Assets page and confirm that your Kingsoft Cloud hosts appear in the asset list. The asset count should match the total number of compute instances in your Kingsoft Cloud account. If no assets appear after 5 minutes, refer to the FAQ section for troubleshooting.

View and manage connected assets

Host assets

Go to the Assets > Host page. In the Add Multi-cloud Asset section, click the Expand icon icon to view the connected Kingsoft Cloud hosts. Perform the following operations on the connected hosts for in-depth protection and management.

Note

For information about host asset management, see the Server assets.

  1. Install the Security Center agent: Install the Security Center agent on your Kingsoft Cloud hosts. When you run the installation command, set Service Provider to Kingsoft Cloud. For information about agent installation, see the Security Center documentation.

  2. Upgrade to a paid edition for full protection: The free edition provides only basic security detection. For full protection capabilities such as antivirus, vulnerability fixing, and intrusion prevention, bind a paid edition (Anti-virus edition or above) to your Kingsoft Cloud hosts. For edition comparison, see the Security Center documentation.

Cloud Security Posture Management (CSPM)

On the Security Center console, go to the Assets > Overview > Cloud Product page. In the left-side All Alibaba Cloud Services navigation pane, click Kingsoft Cloud to view the connected Kingsoft Cloud assets. The following CSPM features are available for connected Kingsoft Cloud assets:

Note

For information about Cloud Security Posture Management, see the View cloud service information.

  1. Run configuration risk checks: Check for configuration risks in your Kingsoft Cloud services. For information about running configuration checks, see the Security Center documentation.

  2. Handle risks: View and fix failed risk check items to improve the compliance and security of your cloud assets. For information about handling risk items, see the Security Center documentation.

Operations management

Rotate access keys

To secure your account, rotate the AccessKey (AK) periodically.

  1. In the Kingsoft Cloud console, create a new AccessKey for the dedicated IAM user.

  2. On the Security Center System Settings > Feature Settings > Multi-cloud Configuration Management > Multi-cloud Assets page, find the corresponding Kingsoft Cloud account, click Edit, and update the AK/SK with the newly created credentials.

  3. After verifying that the new key synchronizes assets correctly, return to the Kingsoft Cloud IAM console and delete the old AccessKey.

Remove a connection

When you no longer need Security Center to manage a Kingsoft Cloud account, you can remove the connection.

  1. On the Security Center System Settings > Feature Settings > Multi-cloud Configuration Management > Multi-cloud Assets page, find the Kingsoft Cloud account you want to remove and click Delete.

  2. After you remove the connection, Security Center stops monitoring all assets under the account and performing risk scans. The related asset information is no longer displayed.

Note

We recommend that you also delete or disable the dedicated IAM user in the Kingsoft Cloud IAM console to prevent credential leakage.

FAQ

  • Why are some connected Kingsoft Cloud resources not visible in Security Center?

    • Region not selected: Check whether the region of the resource is selected in the connection configuration. If the region was not selected during setup, edit the connection and add the missing region.

    • Synchronization delay: Asset synchronization may be delayed after initial connection or configuration changes. Wait a few minutes for the synchronization to complete, or manually trigger a sync from the connection settings page.

    • Insufficient permissions: Make sure that the AccessKey you provided has read-only permissions to query cloud resources. If the key lacks required permissions, return to the Kingsoft Cloud IAM console and attach the missing policies to the sub-user.

  • What should I do if credential and permission validation fails after entering the AK?

    • Insufficient permissions: If you receive a permission error, the AccessKey does not have the required read-only permissions. Follow the steps in Step 1: Create a Kingsoft Cloud authorization credential to attach the required policies.

    • Account issue: If the AccessKey is invalid or has expired, create a new AccessKey in the Kingsoft Cloud IAM console and update it in the connection settings.

    • Region mismatch: If the selected domain does not match the region of the account, switch to another available domain in the connection settings and try again.