Onboard Tencent Cloud Assets


After you provide a Tencent Cloud sub-account API key to Alibaba Cloud Security Center, Security Center can access Tencent Cloud APIs to onboard Tencent Cloud hosts, cloud products, and other resources into its security protection system. This topic describes how to connect Tencent Cloud assets by providing a sub-account API key, enabling centralized security management across cloud providers and reducing the complexity of managing a multi-cloud environment.

Configuration methods

Features supported by each method

| Configuration method | Description | Supported features |
|---|---|---|
| Manual configuration | Create a sub-account in Tencent Cloud, grant the required permissions, and then submit the sub-account API key in Security Center to complete the onboarding. | Host assets; Cloud Security Posture Management (CSPM) - cloud product configuration; Agentic SOC |
| Quick configuration | After you submit your root account API key, Security Center automatically creates a sub-account and completes the onboarding authorization. | Host assets |

Configuration workflows

Manual configuration: [workflow diagram]

Quick configuration: [workflow diagram]

Important

The Tencent Cloud console steps described in this topic are for reference only. For specific instructions, refer to the Tencent Cloud documentation linked in each section.

Manual configuration

Step 1: Create a sub-account and grant permissions

For more information, see Create a sub-user and Configure permissions for a sub-user.

  1. Log on to the Tencent Cloud console and go to the User List page.

  2. On the User List page, click Create User and select Quick Create.

  3. On the Quick Create User page, configure the following parameters:

    • Username: Enter a name that helps you identify and manage the account.

    • Access Mode: Select Programmatic Access.

  4. Click the icon in the User Permissions column. Grant the required permissions based on the features you want to use, and then click OK.

    • Host assets: Grant QcloudCVMReadOnlyAccess - which provides read-only access to Cloud Virtual Machine (CVM) resources.

    • Cloud Security Posture Management - Cloud Product Configuration:

      When using Cloud Security Posture Management, you can choose either a preset policy or a custom policy for authorization.

      Preset policy

      To use a preset policy, grant the following permissions to the user you are creating.

      • CloudResourceReadOnlyAccess: This policy allows read-only access to all cloud services in the account, except for financial information and some CAM APIs (such as sub-user properties, keys, and user groups).

      • QcloudCamReadOnlyAccess: Read-only access to Cloud Access Management (CAM).

      Custom policy

      Important

      If new check items are added to Cloud Security Posture Management in Security Center, you must update the corresponding custom policy promptly. Otherwise, the new check items cannot be detected. Use custom policies with caution.

      If you need fine-grained control over the permissions that Security Center has to access your Tencent Cloud assets, you can create a custom policy. This allows you to flexibly limit access by operation type and resource scope, ensuring both asset security and reasonable permission allocation. Follow these steps:

      Click Create Custom Policy to create a custom policy named cspmPolicy. Then attach this policy to the user you are creating. For more information, see Create a custom policy by using policy syntax. For detailed descriptions of the elements in the policy content, see Element reference.

      cspmPolicy content

      {
      	"version": "2.0",
      	"statement": [{
      			"effect": "allow",
      			"action": [
      				"cam:DescribeRoleList",
      				"cam:DescribeSafeAuthFlagColl",
      				"cam:GetPolicy",
      				"cam:GetRole",
      				"cam:GetRolePermissionBoundary",
      				"cam:GetUser",
      				"cam:GetUserPermissionBoundary",
      				"cam:ListAccessKeys",
      				"cam:ListAttachedRolePolicies",
      				"cam:ListAttachedUserAllPolicies",
      				"cam:ListCollaborators",
      				"cam:ListUsers"
      			],
      			"resource": [
      				"*"
      			]
      		},
      		{
      			"effect": "allow",
      			"action": [
      				"cbs:DescribeDiskAssociatedAutoSnapshotPolicy",
      				"cbs:DescribeDisks",
      				"cdb:DescribeAccountPrivileges",
      				"cdb:DescribeAccounts",
      				"cdb:DescribeAuditConfig",
      				"cdb:DescribeBackupConfig",
      				"cdb:DescribeDBFeatures",
      				"cdb:DescribeDBInstances",
      				"cdb:DescribeDBSecurityGroups"
      			],
      			"resource": [
      				"*"
      			]
      		},
      		{
      			"effect": "allow",
      			"action": [
      				"clb:DescribeLoadBalancers",
      				"clb:DescribeTargetHealth",
      				"clb:DescribeTargets"
      			],
      			"resource": [
      				"*"
      			]
      		},
      		{
      			"effect": "allow",
      			"action": [
      				"cvm:DescribeInstances"
      			],
      			"resource": [
      				"*"
      			]
      		},
      		{
      			"effect": "allow",
      			"action": [
      				"cwp:DescribeAssetMachineDetail"
      			],
      			"resource": [
      				"*"
      			]
      		},
      		{
      			"effect": "allow",
      			"action": [
      				"dcdb:DescribeDCDBInstances"
      			],
      			"resource": [
      				"*"
      			]
      		},
      		{
      			"effect": "allow",
      			"action": [
      				"es:DescribeInstances"
      			],
      			"resource": [
      				"*"
      			]
      		},
      		{
      			"effect": "allow",
      			"action": [
      				"mariadb:DescribeAccountPrivileges",
      				"mariadb:DescribeAccounts",
      				"mariadb:DescribeBackupTime",
      				"mariadb:DescribeDBInstanceDetail",
      				"mariadb:DescribeDBInstances",
      				"mariadb:DescribeDBSecurityGroups"
      			],
      			"resource": [
      				"*"
      			]
      		},
      		{
      			"effect": "allow",
      			"action": [
      				"postgres:DescribeBackupPlans",
      				"postgres:DescribeDBInstanceSecurityGroups",
      				"postgres:DescribeDBInstances"
      			],
      			"resource": [
      				"*"
      			]
      		},
      		{
      			"effect": "allow",
      			"action": [
      				"redis:DescribeAutoBackupConfig",
      				"redis:DescribeDBSecurityGroups",
      				"redis:DescribeInstanceMonitorTopNCmd",
      				"redis:DescribeInstances"
      			],
      			"resource": [
      				"*"
      			]
      		},
      		{
      			"effect": "allow",
      			"action": [
      				"region:DescribeRegions"
      			],
      			"resource": [
      				"*"
      			]
      		},
      		{
      			"effect": "allow",
      			"action": [
      				"ssl:DescribeCertificate",
      				"ssl:DescribeCertificates"
      			],
      			"resource": [
      				"*"
      			]
      		},
      		{
      			"effect": "allow",
      			"action": [
      				"tcr:DescribeInstances",
      				"tcr:DescribeRepositories"
      			],
      			"resource": [
      				"*"
      			]
      		},
      		{
      			"effect": "allow",
      			"action": [
      				"vpc:DescribeNetworkAcls",
      				"vpc:DescribeSecurityGroupPolicies",
      				"vpc:DescribeSecurityGroups",
      				"vpc:DescribeSubnets"
      			],
      			"resource": [
      				"*"
      			]
      		},
      		{
      			"effect": "allow",
      			"action": [
      				"mysql:DescribeDBInstances"
      			],
      			"resource": [
      				"*"
      			]
      		}
      	]
      }

    • Agentic SOC: Click Create Custom Policy to create a custom policy named siemPolicy. Then attach this policy to the user you are creating. For more information, see Create a custom policy by using policy syntax.

      siemPolicy content

      {
          "statement": [
              {
                  "action": [
                      "cfw:DescribeAclApiDispatch",
                      "cfw:DescribeBorderACLList",
                      "cfw:CreateAcRules"
                  ],
                  "effect": "allow",
                  "resource": [
                      "*"
                  ]
              },
              {
                  "action": [
                      "waf:DescribeDomains",
                      "waf:DescribeIpAccessControl",
                      "waf:DeleteIpAccessControl",
                      "waf:UpsertIpAccessControl",
                      "waf:PostAttackDownloadTask"
                  ],
                  "effect": "allow",
                  "resource": [
                      "*"
                  ]
              },
              {
                  "action": [
                      "ckafka:DescribeDatahubGroupOffsets",
                      "ckafka:DescribeGroup",
                      "ckafka:DescribeGroupInfo",
                      "ckafka:DescribeGroupOffsets",
                      "ckafka:CreateDatahubGroup",
                      "ckafka:ModifyDatahubGroupOffsets",
                      "ckafka:ListConsumerGroup"
                  ],
                  "effect": "allow",
                  "resource": [
                      "*"
                  ]
              },
              {
                  "action": [
                      "cam:GetUser",
                      "cam:CheckSubAccountName",
                      "cam:CheckUserPolicyAttachment",
                      "cam:GetAccountSummary",
                      "cam:GetPolicy",
                      "cam:GetPolicyVersion",
                      "cam:ListAllGroupsPolicies",
                      "cam:ListAttachedGroupPolicies",
                      "cam:ListAttachedRolePolicies",
                      "cam:ListAttachedUserAllPolicies",
                      "cam:ListAttachedUserPolicies",
                      "cam:ListGroupsPolicies",
                      "cam:ListPolicies",
                      "cam:ListUsers"
                  ],
                  "effect": "allow",
                  "resource": [
                      "*"
                  ]
              }
          ],
          "version": "2.0"
      }

  5. On the Quick Create User page, click Create User.
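Before attaching either custom policy, it is worth checking what it actually grants. The cspmPolicy should contain only read actions, because Cloud Security Posture Management only inspects configuration, whereas the siemPolicy deliberately contains write actions such as cfw:CreateAcRules and waf:UpsertIpAccessControl because Agentic SOC uses them for response actions. The following added example (not code from Alibaba Cloud or Tencent Cloud) parses a policy in the 2.0 syntax shown above, flags wildcard actions, lists every action whose verb is not read-only, and compares that list against an explicit allow-list so each write action has to be justified. The READ_ONLY_VERBS prefixes, the SIEM_EXPECTED_WRITES allow-list and the shortened policy excerpts are constructed assumptions for this example.

```python
import json
import re

# Constructed excerpts of the cspmPolicy and siemPolicy documents shown on this
# page (the real documents are much longer); same CAM 2.0 structure.
CSPM_POLICY_EXCERPT = json.dumps({
    "version": "2.0",
    "statement": [
        {"effect": "allow",
         "action": ["cam:ListUsers", "cam:ListAccessKeys", "cvm:DescribeInstances",
                    "vpc:DescribeSecurityGroupPolicies"],
         "resource": ["*"]},
    ],
})

SIEM_POLICY_EXCERPT = json.dumps({
    "version": "2.0",
    "statement": [
        {"effect": "allow",
         "action": ["cfw:DescribeBorderACLList", "cfw:CreateAcRules"],
         "resource": ["*"]},
        {"effect": "allow",
         "action": ["waf:DescribeIpAccessControl", "waf:DeleteIpAccessControl",
                    "waf:UpsertIpAccessControl"],
         "resource": ["*"]},
    ],
})

# Verb prefixes treated as read-only. Assumption for this example: Tencent Cloud
# API names are CamelCase and start with their verb (cvm:DescribeInstances).
READ_ONLY_VERBS = ("Describe", "Get", "List", "Check")

# Write actions that Agentic SOC needs for response actions such as blocking
# IP addresses; constructed allow-list for this example.
SIEM_EXPECTED_WRITES = frozenset({
    "cfw:CreateAcRules",
    "waf:DeleteIpAccessControl",
    "waf:UpsertIpAccessControl",
})


def action_verb(action):
    """'cvm:DescribeInstances' -> 'Describe'; 'cfw:CreateAcRules' -> 'Create'."""
    _, _, name = action.partition(":")
    m = re.match(r"[A-Z][a-z]*", name)
    return m.group(0) if m else name


def audit_policy(policy_json, allowed_writes=frozenset()):
    """Return the allowed write actions of a CAM policy plus a list of findings."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("version") != "2.0":
        findings.append(f"unexpected policy version {policy.get('version')!r}")
    writes = set()
    for i, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue                       # deny statements cannot widen access
        actions = stmt.get("action", [])
        if isinstance(actions, str):       # tolerate a single string as well as a list
            actions = [actions]
        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action_verb(action) not in READ_ONLY_VERBS:
                writes.add(action)
    for action in sorted(writes - allowed_writes):
        findings.append(f"write action not on the allow-list: {action}")
    return {"write_actions": sorted(writes), "findings": findings}


if __name__ == "__main__":
    print("cspmPolicy:", audit_policy(CSPM_POLICY_EXCERPT))
    print("siemPolicy:", audit_policy(SIEM_POLICY_EXCERPT, SIEM_EXPECTED_WRITES))
```

Run it against the full cspmPolicy and siemPolicy from this page by replacing the excerpts; any write action reported for the cspmPolicy, or any siemPolicy write action not on your allow-list, is something to question before the key is handed over.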

Step 2: Create an API key for the sub-account

For more information, see Manage the access keys of a sub-account.

  1. In the Tencent Cloud console, go to the User List page and click the name of the sub-account you created. On the User Details page, go to the API Key tab and click Create Key.

  2. In the Create SecretKey dialog box, click Download CSV File or Copy to save the SecretId and SecretKey, and then click OK.

Step 3: Configure feature permissions and submit the API key

  1. Log on to the Security Center console.

  2. In the navigation pane on the left, select System Settings > Feature Settings. In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

  3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission and select Tencent Cloud from the drop-down list.

    You can also open the Add Assets Outside Cloud panel from one of the following entry points:

    • On the Assets > Host page, move the pointer over the Add Multi-cloud Asset area and click Tencent Cloud below Add.

    • On the Risk Governance > Cloud Security Posture Management page, go to the Cloud Service Configuration Risk tab, move the pointer over the Multi-cloud Service Integration area and click Tencent Cloud below Add.

    • On the Agentic SOC > Service Integration page, move the pointer over the Multi-cloud Service Access area and click Tencent Cloud below Grant Permission.

  4. In the Add Assets Outside Cloud panel, keep Manual Configuration selected by default. In the Permission Description section, select the features you want to use, and then click Next.

    • Host: Select this option if you want Security Center to automatically synchronize your Tencent Cloud host assets.

    • CSPM: Select this option if you want to use Cloud Security Posture Management to scan Tencent Cloud product configurations and manage configuration risks.

    • Agentic SOC: Select this option if you want to use Agentic SOC to perform response actions, such as blocking malicious IP addresses, on your Tencent Cloud assets.

  5. On the Submit AccessKey Pair wizard page, enter the API key created in Step 2 and click Next.

    The account name is used to distinguish assets from different accounts under the same cloud provider. We recommend that you set a meaningful name based on the account's purpose.

    Important

    Do not delete or disable the sub-user or the API key. Otherwise, the connection may be interrupted.

Step 4 (Optional): Configure audit logs

If you select Cloud Security Posture Management in the Permission Description section and you want Security Center to ingest system activity or operation logs from Tencent Cloud for more comprehensive detection, complete the configuration on the Log Audit Settings wizard page and then click Next. If you do not need to ingest audit logs, click Skip.

Important

The Kafka and log collection data configured for audit logs are used for Cloud Infrastructure Entitlement Management (CIEM) detection in Cloud Security Posture Management. If you do not configure audit logs, Security Center cannot detect CIEM-related check items.

  1. Go to the Tencent Cloud Log Service (CLS) console and create a log topic. For more information, see Log topic.

    We recommend that you select the same region for the log service as your cloud products.

  2. Go to the Tencent Cloud Cloud Audit console and configure a trail to deliver logs. For more information, see Use a trail to deliver logs.

    Key configurations when creating the trail:

    • Management Event Type: Select All.

    • Resource Type: Select All resource types.

    • Delivery Location: Select CLS, configure the log topic to the one you created in the previous step, and select Backfill events for the last 3 months (90 days).

  3. Create a custom policy named ciemPolicy and attach it to the sub-account that needs to connect to Security Center. For more information, see Create a custom policy by using policy syntax.

    The custom policy content is as follows:

    ciemPolicy content

    {
        "statement": [
            {
                "action": [
                    "cls:OpenKafkaConsumer"
                ],
                "effect": "allow",
                "resource": [
                    "qcs::cls:${CLS_Region_ID}:uin/${Root_Account_ID}:topic/${CLS_Topic_ID}",
                    "qcs::cls:${CLS_Region_ID}:uin/${Root_Account_ID}:logset/${CLS_Logset_ID}"
                ]
            }
        ],
        "version": "2.0"
    }

    Go to the Basic Information page of the log topic to obtain the details and replace the placeholders in the policy above.

    • ${CLS_Topic_ID}: Enter the Log Topic ID.

    • ${CLS_Logset_ID}: Enter the Logset ID.

    • ${CLS_Region_ID}: Enter the region ID corresponding to the Region.

    • ${Root_Account_ID}: Click your profile picture in the upper-right corner of the console to obtain the root account ID.

  4. Obtain the Kafka topic name, Kafka public endpoint, and Logset ID from the log topic to connect to Security Center.

    • Go to the Basic Information page of the log topic to obtain the Logset ID.

    • Go to the Kafka Protocol Consumption page to obtain the Kafka topic name and Kafka public endpoint. For more information, see Kafka protocol consumption.

  5. In the Add Assets Outside Cloud panel in the Security Center console, on the Log Audit Settings wizard, enter the Kafka Topic Name, Kafka Service Address, and Log Set ID obtained from the previous steps, and then click Next.
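The ciemPolicy above is a template with four ${...} placeholders, and a mistyped or forgotten value silently yields a resource qualifier that matches nothing, so the cls:OpenKafkaConsumer call fails only later at runtime. The following added example (not part of this page or of either vendor's tooling) fills the template with Python's string.Template, refuses to leave any placeholder unfilled, checks that both the topic and the logset are scoped, and validates each resource string against the qcs::cls:<region>:uin/<root account ID>:<topic|logset>/<ID> shape the template implies. The sample region, root account ID, topic ID and logset ID are constructed values, and the regular expression's assumptions about ID formats are noted in the code.

```python
import json
import re
from string import Template

# The ciemPolicy template as given on this page; its ${...} placeholders are
# exactly the syntax string.Template understands.
CIEM_POLICY_TEMPLATE = """{
    "statement": [
        {
            "action": ["cls:OpenKafkaConsumer"],
            "effect": "allow",
            "resource": [
                "qcs::cls:${CLS_Region_ID}:uin/${Root_Account_ID}:topic/${CLS_Topic_ID}",
                "qcs::cls:${CLS_Region_ID}:uin/${Root_Account_ID}:logset/${CLS_Logset_ID}"
            ]
        }
    ],
    "version": "2.0"
}"""

# Constructed sample values for this example (not real identifiers).
SAMPLE_VALUES = {
    "CLS_Region_ID": "ap-guangzhou",
    "Root_Account_ID": "100000000001",
    "CLS_Topic_ID": "11111111-2222-3333-4444-555555555555",
    "CLS_Logset_ID": "66666666-7777-8888-9999-000000000000",
}

# Expected shape of each resource qualifier. Assumptions: the region ID is
# lowercase letters/digits joined by hyphens, the root account ID (UIN) is all
# digits, and topic/logset IDs consist of hex digits and hyphens.
QCS_RESOURCE_RE = re.compile(
    r"^qcs::cls:(?P<region>[a-z]+(?:-[a-z0-9]+)+)"
    r":uin/(?P<uin>\d+)"
    r":(?P<kind>topic|logset)/(?P<id>[0-9a-fA-F-]+)$"
)


def required_placeholders():
    """Names of the ${...} placeholders in the template, deduplicated and sorted."""
    return sorted(set(re.findall(r"\$\{(\w+)\}", CIEM_POLICY_TEMPLATE)))


def missing_placeholders(values):
    """Placeholders for which `values` has no non-empty entry."""
    return [name for name in required_placeholders() if not values.get(name)]


def render_ciem_policy(values):
    """Fill the template and return the policy as a dict; raise ValueError on any defect."""
    missing = missing_placeholders(values)
    if missing:
        raise ValueError(f"no value for placeholder(s): {', '.join(missing)}")
    rendered = Template(CIEM_POLICY_TEMPLATE).substitute(values)
    policy = json.loads(rendered)          # also proves the result is valid JSON
    kinds = set()
    for stmt in policy["statement"]:
        for res in stmt["resource"]:
            m = QCS_RESOURCE_RE.match(res)
            if m is None:
                raise ValueError(f"malformed resource qualifier: {res}")
            kinds.add(m.group("kind"))
    if kinds != {"topic", "logset"}:       # the page scopes both the topic and its logset
        raise ValueError(f"policy must scope both topic and logset, got {sorted(kinds)}")
    return policy


if __name__ == "__main__":
    print(json.dumps(render_ciem_policy(SAMPLE_VALUES), indent=4))
```

Paste the printed document into the Tencent Cloud custom-policy editor; because the rendered text has already been parsed as JSON and every resource string matched the expected shape, the policy you attach is the one you intended.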

Step 5: Configure onboarding policies

  1. In the Add Assets Outside Cloud panel in the Security Center console, on the Policy Configuration wizard, configure the region and data synchronization frequency for the Tencent Cloud assets to be onboarded, and then click OK.

    | Parameter | Description |
    |---|---|
    | Select region | Select the region where the assets to be onboarded reside. Security Center connects the asset data to the data management center that you selected in the upper-left corner of the console (Chinese Mainland or Outside Chinese Mainland). |
    | Region Management | If you select this option, Security Center automatically connects asset data from any new regions under the current Tencent Cloud account to the current data management center. If you do not select this option, new regions are not connected to Security Center. |
    | Host Asset Synchronization Frequency | Select the interval at which Security Center automatically synchronizes Tencent Cloud host assets. If you select Close, synchronization is disabled. Note: This parameter is required when Permission Description is set to Host. |
    | Cloud Service Synchronization Frequency | Select the interval at which Security Center automatically synchronizes Tencent Cloud products. If you select Close, synchronization is disabled. Note: This parameter is required when Permission Description is set to Cloud Security Posture Management. |
    | AK Service Status Check | Select the interval at which Security Center automatically checks the validity of the Tencent Cloud account API key. If you select Close, the check is disabled. |

  2. Click Synchronize Assets to synchronize all assets from your Tencent Cloud account to Security Center.

Quick configuration (host assets only)

Step 1: Create an API key for the root account

For more information, see Manage the access keys of the root account.

  1. Log on to the Tencent Cloud console and go to the API Key Management page. On the API Key Management page, click Create Key Pair.

  2. In the Create SecretKey dialog box, click Download CSV File or Copy to save the SecretId and SecretKey, and then click OK.

Step 2: Submit the root account API key

  1. Log on to the Security Center console.

  2. In the navigation pane on the left, select System Settings > Feature Settings. In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

  3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission and select Tencent Cloud from the drop-down list.

    You can also open the Add Assets Outside Cloud panel from one of the following entry points:

    • On the Assets > Host page, move the pointer over the Add Multi-cloud Asset area and click Tencent Cloud below Add.

    • On the Risk Governance > Cloud Security Posture Management page, go to the Cloud Service Configuration Risk tab, move the pointer over the Multi-cloud Service Integration area and click Tencent Cloud below Add.

    • On the Agentic SOC > Service Integration page, move the pointer over the Multi-cloud Service Access area and click Tencent Cloud below Grant Permission.

  4. In the Add Assets Outside Cloud panel, select Quick Configuration and click Next.

  5. On the Submit AccessKey Pair wizard page, enter the account API key and account name, and then click Next.

    The account name is used to distinguish assets from different accounts under the same cloud provider. We recommend that you set a meaningful name based on the account's purpose.

Important

After you complete the preceding steps, Security Center automatically creates a sub-user with the prefix AlibabaSasSubAccount_ in the Tencent Cloud console. This sub-user is used to authorize the connection to Security Center. We recommend that you do not delete or disable this sub-user or its API key, as doing so may interrupt the connection of your Tencent Cloud assets.

Step 3: Configure onboarding policies

  1. In the Add Assets Outside Cloud panel in the Security Center console, on the Policy Configuration wizard, configure the region and data synchronization frequency for the Tencent Cloud assets to be onboarded, and then click OK.

    | Parameter | Description |
    |---|---|
    | Select region | Select the region where the assets to be onboarded reside. Security Center connects the asset data to the data management center that you selected in the upper-left corner of the console (Chinese Mainland or Outside Chinese Mainland). |
    | Region Management | If you select this option, Security Center automatically connects asset data from any new regions under the current Tencent Cloud account to the current data management center. If you do not select this option, new regions are not connected to Security Center. |
    | Host Asset Synchronization Frequency | Select the interval at which Security Center automatically synchronizes Tencent Cloud host assets. If you select Close, synchronization is disabled. |
    | AK Service Status Check | Select the interval at which Security Center automatically checks the validity of the Tencent Cloud sub-account API key. If you select Close, the check is disabled. |

  2. Click Synchronize Assets to synchronize all assets from your Tencent Cloud account to Security Center.

Step 4: Delete the root account API key

After the connection is complete, to ensure root account security, we recommend that you delete the root account API key that was used for authorization in the Tencent Cloud console. Security Center uses the automatically created sub-account for authorization, so deleting the root account API key does not affect your use of Security Center features. For more information, see Delete the API key of a root account.

  1. Go to the API Key Management page (console.cloud.tencent.com/cam/capi) and click Disable in the Actions column for the API key that you submitted in Security Center.

  2. In the confirmation dialog box, click Disable.

  3. On the API Key Management page, click Delete in the Actions column for the API key to complete the deletion.

Verify the connection

Host assets

In the Security Center console, go to the Assets > Host page. In the multi-cloud asset connection section, click the icon to view the connected Tencent Cloud hosts. For more information, see Server assets.

CSPM

In the Security Center console, go to the Assets > Overview > Cloud Product page to view the list of Tencent Cloud products connected via the API key. For more information, see View cloud service information.

Agentic SOC

In the Security Center console, go to the System Settings > Feature Settings page and go to the Multi-cloud Configuration Management tab. Check the service status of Agentic SOC. If the service status is Normal, the connection is successful.


What to do next

Host assets

  1. Install the Security Center agent on your Tencent Cloud hosts. For more information, see Install the agent.

    Important

    When generating the installation command, set Service Provider to Tencent Cloud.

  2. The Free Edition provides only basic detection capabilities and does not offer security protection. You can bind a paid edition (Anti-virus, Advanced, Enterprise, or Ultimate) to your connected Tencent Cloud servers to use the security protection features of Security Center. For more information, see Manage host and container security quotas.

CSPM

  1. Set and run a cloud platform configuration risk check policy to check whether configuration risks exist in your Tencent Cloud products.

  2. View and handle failed cloud platform configuration risk check items.

Agentic SOC

To use threat detection and security event response capabilities provided by Agentic SOC, you must connect logs from Tencent Cloud Web Application Firewall and Cloud Firewall. Follow these steps to connect the logs:

  1. Connect Tencent Cloud logs to Agentic SOC.

    1. Forward logs to the specified cloud product

    2. Bind a third-party cloud provider account and configure a data source

    3. Connect logs from third-party cloud products

  2. Use Agentic SOC features for threat detection and security event response.

Related documentation