Authorize and enable CSPM


Authorize Security Center to access your cloud resources and enable Cloud Security Posture Management (CSPM) for configuration risk checks, baseline checks, and attack path analysis.

Authorize access to cloud resources

Before using configuration risk checks, authorize Security Center to access your cloud resources.

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, choose Risk Governance > CSPM. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  3. Click Authorize Now.

    If you have already enabled the baseline risk check feature, go to the Cloud Service Configuration Risk tab and click Authorize Now.

    Note

    After authorization, Security Center automatically creates the service-linked role AliyunServiceRoleForSasCspm. This role allows Security Center to access and modify cloud product configurations and provides security best practices for identity authentication, network access control, data security, log auditing, and basic security protection. For more information, see Service-linked roles for Security Center.

  4. After authorization, free configuration risk check items become available. If you have not enabled pay-as-you-go or purchased CSPM scans, only free check items are available. On the Cloud Service Configuration Risk tab, items with a Scan button in the Actions column are free.

Enable the baseline risk check feature

Baseline risk checks support the following billing methods.

Important

If you purchased Security Center Advanced, Enterprise, or Ultimate Edition, you can only use the baseline check items supported by your edition, even if you also purchased paid CSPM features.

For example, if you purchased Security Center Advanced Edition and paid CSPM features, you can only use the weak password check item.

Billing method: The following editions include baseline risk check features at no additional cost.

  • Advanced: Only default policies and weak password check items.

  • Enterprise: All check items except container security.

  • Ultimate: All check items.

  Purchase option: Subscription

    Edition: Advanced Edition, Enterprise Edition, or Ultimate Edition

    Procedure:

      • If you have not activated Security Center, go to the Security Center purchase page. For Billing Method, select Subscription, and then purchase the Advanced Edition, Enterprise Edition, or Ultimate Edition. For more information, see Purchase Security Center.

      • If you are using the Security Center Basic or Anti-virus Edition:

        1. Log on to the Security Center console.

        2. On the Overview page, click Buy Now or Upgrade Now to purchase the Advanced Edition, Enterprise Edition, or Ultimate Edition of Security Center.

  Purchase option: Pay-as-you-go

    Edition: Enable Container Guard and authorize the Advanced Edition, Enterprise Edition, or Ultimate Edition

    Procedure:

      1. Go to the Security Center purchase page. For Billing Method, select Pay-as-you-go. For Host and Container Security, select Yes. The Enterprise Edition is enabled by default. For more information, see Purchase Security Center.

      2. Use the Quota Management feature to adjust the protection edition for your hosts and containers. Manage authorizations for Container Guard.

Billing method: After you purchase paid CSPM features, you can use the baseline risk check feature and all check items. Billing is based on the number of authorizations consumed — the total count of scans, verifications, and successful remediations for baseline risk check items.

  Purchase option: Subscription

    Edition: Anti-virus Edition or purchasing value-added services only

    Procedure: See Subscription in Enable paid CSPM features below.

  Purchase option: Pay-as-you-go

    Edition:

      • Enable Container Guard and authorize the Anti-virus Edition

      • Do not enable Container Guard

    Procedure: See Pay-as-you-go in Enable paid CSPM features below.

Enable paid CSPM features

Enable paid CSPM features to access all check items for configuration risk checks and baseline risk checks, plus attack path analysis.

Important

Each Alibaba Cloud account can use only one billing method for CSPM.

Subscription

  1. Go to the Security Center purchase page. For Billing Method, select Subscription. For CSPM, select Yes. Set the Quantity and Subscription Duration (in months or years). Purchase other features as needed. For more information, see Purchase Security Center.

    Note

    • If you already have a subscription instance, go to the Overview page of the Security Center console. In the Subscription section, click Change > Upgrade Now to purchase the CSPM feature.

    • Scans, verifications, and successful remediations all consume authorizations. To prevent scan failures, purchase at least 20 times as many authorizations as you have instances.

  2. After you enable the feature, go to the CSPM > Cloud Service Configuration Risk tab to view the Remaining Quota for Cloud Security Posture Management.

Pay-as-you-go

  1. Go to the Security Center purchase page. For Billing Method, select Pay-as-you-go. For CSPM, select Yes. Enable other features as needed. For more information, see Purchase Security Center.

    Note

    If you already have a pay-as-you-go instance, turn on the CSPM switch in the Pay-as-you-go section on the Overview page of the Security Center console.

  2. After you enable the feature, go to the CSPM > Cloud Service Configuration Risk tab to view the Used Quota for Cloud Security Posture Management.

Unsubscribe from CSPM

If you no longer need CSPM, you can disable it.

  • Subscription:

    • Procedure: Go to the order upgrade or downgrade page. On the Order Downgrade tab, in the CSPM section, set Purchase or Not to No. For more information, see Downgrade or upgrade configurations.

      Note

      The refund amount is shown on the downgrade page. For information about where the refund is credited, see Refund rules.

    • Data processing:

      • Cloud product configuration check:

        • Only results for free check items are retained. Results for paid check items are deleted immediately.

        • Periodic scan policies, whitelist policies, and custom check items are not deleted.

      • System baseline:

        • Baseline check results cannot be viewed in the console. Backend data is retained for 30 days and then automatically deleted.

          Note

          If your Subscription instance (Advanced, Enterprise, or Ultimate) has not expired and you have not unsubscribed from it, the check results for that edition continue to be retained. After the instance expires or you unsubscribe from it, backend data is retained for 30 days and then automatically deleted.

        • Scan policies are deleted immediately. Whitelist policies are not deleted.

  • Pay-as-you-go:

    • Procedure: On the Overview page of the Security Center console, in the Pay-as-you-go section, turn off the CSPM switch.

    • Data processing:

      • Cloud product configuration check:

        • Check results are not deleted after you disable the feature.

        • Periodic scan policies, whitelist policies, and custom check items are not deleted.

      • System baseline:

        • Baseline check results cannot be viewed in the console. Backend data is retained for 30 days and then automatically deleted.

          Note

          If your Subscription instance (Advanced, Enterprise, or Ultimate) has not expired and you have not unsubscribed from it, the check results for that edition continue to be retained. After the instance expires or you unsubscribe from it, backend data is retained for 30 days and then automatically deleted.

        • Scan policies are deleted immediately. Whitelist policies are not deleted.
