Security management in a multi-cloud environment is often fragmented, making it hard to respond to threats quickly. By connecting Ucloud assets to Security Center through access keys (AK), you can centrally monitor cross-cloud assets, detect security events, and unify policy management. To set up the connection, create IAM credentials in Ucloud, configure the connection in Security Center, and sync your assets.
Step 1: Create connection credentials
Connect with a sub-account
-
Create a sub-account :
-
Log on to the Ucloud console and click the profile icon in the upper-right corner.
-
On the account information panel, click IAM.
-
In the left-side navigation pane, select User Management and click Invite Sub Account.
-
In the Invite Sub User dialog box, enter a User Name and Display Name , and click Confirm.
-
-
Configure permissions:
-
On the sub-user list page, click Add Policy in the Operation column next to the new sub-user.
-
On the Add Permissions page, configure the authorization as described in the following table.
-
Configure policy: Select the corresponding permission policy based on the features you plan to use in Security Center.
NoteIf fine-grained permission control is not required, you can attach only the global read-only policy
ReadOnlyAccess.Feature
Ucloud policy
Host
IAMReadOnlyAccessUHostReadOnlyAccessCSPM (CSPM)
-
UHostReadOnlyAccess -
UMongoDBReadOnlyAccess -
UDBReadOnlyAccess -
KafkaSinkerReadOnlyAccess -
UMemReadOnlyAccess -
URocketMQReadOnlyAccess -
UFileReadOnlyAccess -
ULogReadOnlyAccess -
IAMReadOnlyAccess -
VPCReadOnlyAccess -
UCDNReadOnlyAccess -
IPSecVPNReadOnlyAccess
-
-
Project-level policy application scope: Select the projects that the sub-account can access and click Confirm.
-
-
-
Create an API key
-
Return to the sub-user list page and click the name of the new sub-user to go to its details page.
-
In the API Keys section, click A New Key.
-
After the key pair is created, view and save the Public Key and Private Key from the list.
-
Connect with the primary account
-
Log on to the Ucloud console and click the profile icon in the upper-right corner.
-
On the account information panel, click UAccount.
-
In the left-side navigation pane, select API Keys and click A New Key.
-
After the key pair is created, view and save the Public Key and Private Key from the list.
Step 2: Connect in Security Center
-
Go to the authorization page:
-
Log on to the Security Center console.
-
In the navigation pane on the left, select . In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.
-
On the tab, click Grant Permission and select Ucloud.
-
-
Configure connection credentials:
-
In the Add Assets Outside Cloud panel, select Quick Configuration, select the features you want to connect, and click Next.
-
Host: Automatically discovers and syncs your Ucloud UHost assets.
-
CSPM: Scans Ucloud cloud product configurations with Cloud Security Posture Management (CSPM) to identify configuration risks.
-
-
On the Submit AccessKey Pair page, enter the credentials you created in Ucloud.
-
Enter Sub-account Secret ID: Enter the Public Key obtained in Step 1.
-
Enter Sub-account Secret Key: Enter the Private Key obtained in Step 1.
-
Domain: Select "China Edition" for the China proxy or "International Edition" for other regions.
-
-
After you enter the credentials, click Next. The system automatically validates the credentials and permissions.
NoteAfter successful validation, the page automatically redirects to the sync policy configuration step. If validation fails, see FAQ.
-
-
Configure sync policies:
-
Select region: Select the region where the Ucloud assets reside.
NoteSynced asset data is assigned to the data center corresponding to the region selected in the upper-left corner of the Security Center console.
-
Chinese Mainland: Mainland China data center.
-
Outside Chinese Mainland: Singapore data center.
-
-
Region Management: Recommended. After you select this option, assets in new regions under the Ucloud account are automatically synced without manual configuration.
-
Host Asset Synchronization Frequency: Set the frequency at which Security Center automatically syncs Ucloud host (UHost) assets. Select "Disabled" if syncing is not needed.
-
AK Service Status Check: Set the interval at which Security Center automatically checks the validity of the Ucloud account API keys. Select "Disabled" to skip this check.
-
-
After you complete the configuration, click Synchronize Assets. Security Center automatically syncs the host assets from the Ucloud account.
After the connection is set up, go to the page to verify that the Ucloud host assets appear in the asset list.
View and manage connected assets
Host
Go to the page. In the Add Multi-cloud Asset section, click the
icon to view connected Ucloud hosts. Complete the following steps to enable advanced protection for the connected Ucloud UHost hosts.
For more information, see Server assets.
-
Install the client: Install the Security Center agent on the Ucloud host. When running the installation command, select Service Provider as Ucloud. For detailed steps, see Install the agent.
-
Upgrade to a paid edition: The free edition provides only basic security detection. For full protection capabilities (such as antivirus, vulnerability fixing, and intrusion prevention), bind a paid edition (Anti-Virus edition or higher) to your Ucloud hosts. For detailed steps, see Manage host and container security quotas.
CSPM
In the Security Center console, go to the page. In the left-side navigation pane under All Alibaba Cloud Services, select Ucloud to view connected Ucloud assets. The following CSPM features are available:
For more information, see View cloud service information.
-
Run configuration risk checks: Check whether configuration risks exist in your Ucloud products. For detailed steps, see Configure and run cloud configuration risk check policies.
-
Handle risks: View and remediate failed check items to improve the compliance and security of your cloud assets. For detailed steps, see View and handle failed cloud configuration risk check items.
Operations management
Key rotation
To ensure account security, rotate access keys (AKs) regularly.
-
Create a new AccessKey for the dedicated IAM user in the Ucloud console.
-
In the Security Center console, go to the page, find the corresponding Ucloud account, and click Modify to update the AK/SK to the newly created credentials.
-
After verifying that the new key syncs assets correctly, return to the Ucloud IAM console and delete the old AccessKey.
Update authorization scope
To bring new Ucloud products under Security Center management, update the authorization scope.
-
In the Ucloud console, find the user and attach the permission policy corresponding to the new product.
-
Security Center automatically discovers and manages newly authorized assets during the next sync cycle.
NoteYou can also manually trigger Sync Latest Assets on the page.
Remove a connection
When you no longer need Security Center to manage a Ucloud account, remove the connection.
-
On the page in the Security Center console, find the Ucloud account you want to remove and click Delete.
-
After removal, Security Center stops monitoring and scanning all assets under the account, and the asset information is no longer displayed.
After removal, delete or disable the corresponding dedicated sub-user in the Ucloud console to prevent credential leakage.
FAQ
-
Why are some connected Ucloud resources not visible in Security Center?
-
Region not selected: Check whether the region where the resource resides is selected during connection configuration.
-
Sync delay: Asset syncing may be delayed after initial connection or configuration changes. Wait for the sync to complete.
-
Insufficient permissions: Make sure the access key has sufficient read-only permissions to query cloud resource information.
-
-
What should I do if credential and permission validation fails after entering the AK?
-
Permission issue: The access key has insufficient permissions. Refer to "Step 1: Create connection credentials" and attach the relevant user permission policies in Ucloud.
-
Account issue: Make sure the access key is valid and has not expired.
-
Region issue: The selected domain does not match the account region. Switch to another available domain and resubmit.
-