Cloud security posture management (CSPM) helps you discover and manage security risks across your cloud assets through automated risk checks, baseline scanning, and attack path analysis. This feature detects security issues such as cloud product misconfigurations and server configuration flaws, and provides recommendations to remediate these risks.
Use cases
Run security checks on cloud assets
Scenario: To perform security checks on all your cloud resources, you can use a combination of cloud product configuration risk check and baseline risk check.
Instructions:
Initial assessment: Use the 100+ free check items to run an initial risk scan on your cloud products and servers.
In-depth scan and remediation: After you activate a paid edition (pay-as-you-go or subscription), you can use all check items for in-depth scans and remediate the detected risks.
Meet compliance or internal standards
Scenario: To meet specific security standards, such as MLPS 2.0, or your organization's internal security baseline requirements, you can use the baseline risk check feature for automated compliance auditing and continuous monitoring.
Instructions: This feature includes built-in compliance check packages for mainstream standards like MLPS 2.0 and CIS, and supports custom policies, making it the preferred option for automated compliance auditing.
Analyze and block internal attack paths
Scenario: Use the attack path analysis feature to analyze and block paths that attackers can use to pivot from compromised resources to other critical assets.
Instructions: This feature intelligently connects scattered configuration risks and visualizes the complete attack path. For example:
Publicly accessible ECS → Bound to a high-privilege RAM role → Can control all core OSS buckets.
Core features
Cloud configuration risk check
The CSPM feature scans the configurations of cloud assets to promptly discover and fix security vulnerabilities and compliance deficiencies caused by misconfigurations, such as overly permissive ECS security group rules or publicly accessible OSS buckets.
The following figure shows the workflow. For more information, see Cloud product configuration risk check.
System baseline risk check
The System Baseline Risks feature performs in-depth checks on host (server) operating systems based on industry standards and security specifications. It identifies and fixes issues such as weak passwords, insecure configurations, or missing important patches to help you meet compliance requirements.
The following figure shows the workflow. For more information, see Baseline risk check.
Attack path analysis
The attack path analysis feature comprehensively scans and analyzes access paths between cloud products, such as an ECS instance controlling an OSS bucket through a granted RAM role, and provides visualized results. These results help you clearly understand the connections and potential risks between different cloud services, identify unnecessary access permissions, and discover weak links that can be exploited.
The following figure shows the workflow. For more information, see Attack path analysis.
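The following is an added, self-contained example (not Security Center code and not its data model or API) that illustrates the two features described above on a constructed inventory: it first runs configuration checks of the kind the cloud configuration risk check performs (a security group opening an administrative port to the internet, an OSS bucket with a non-private ACL), then chains exposure and role permissions into attack paths of the form "publicly accessible ECS → bound RAM role → OSS buckets the role can control", and finally shows that scoping the role down removes the paths. All resource names, field names and the set of "control" actions are assumptions made for this example.

```python
"""Toy CSPM pass: configuration checks plus attack path chaining.

Added example over a constructed inventory; identifiers, field names and
policy semantics are assumptions, not the Security Center data model or API.
"""
import copy

# Constructed inventory: two ECS instances, two RAM roles, three OSS buckets.
INVENTORY = {
    "security_groups": {
        "sg-web": [{"cidr": "0.0.0.0/0", "port": 22}, {"cidr": "0.0.0.0/0", "port": 443}],
        "sg-internal": [{"cidr": "10.0.0.0/8", "port": 22}],
    },
    "ecs": {
        "i-web": {"security_group": "sg-web", "ram_role": "role-admin"},
        "i-batch": {"security_group": "sg-internal", "ram_role": "role-logs"},
    },
    "ram_roles": {
        # "*" in buckets means the policy is not scoped to named buckets.
        "role-admin": {"oss_actions": ["oss:*"], "buckets": ["*"]},
        "role-logs": {"oss_actions": ["oss:PutObject"], "buckets": ["logs-bucket"]},
    },
    "oss_buckets": {
        "core-data": {"acl": "private"},
        "logs-bucket": {"acl": "private"},
        "public-site": {"acl": "public-read"},
    },
}

ADMIN_PORTS = {22, 3389}
# Assumed set of actions that let a role take over a bucket, not just touch objects.
CONTROL_ACTIONS = {"oss:*", "oss:PutBucketAcl", "oss:DeleteBucket"}


def check_security_groups(inv):
    """Flag rules that expose an administrative port to 0.0.0.0/0."""
    return [
        ("SG_ADMIN_PORT_OPEN_TO_INTERNET", sg, rule["port"])
        for sg, rules in inv["security_groups"].items()
        for rule in rules
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS
    ]


def check_buckets(inv):
    """Flag buckets whose ACL is anything other than private."""
    return [
        ("OSS_BUCKET_PUBLIC", name, bucket["acl"])
        for name, bucket in inv["oss_buckets"].items()
        if bucket["acl"] != "private"
    ]


def public_ecs(inv):
    """ECS instances whose security group admits traffic from anywhere."""
    open_sgs = {
        sg for sg, rules in inv["security_groups"].items()
        if any(rule["cidr"] == "0.0.0.0/0" for rule in rules)
    }
    return sorted(i for i, ecs in inv["ecs"].items() if ecs["security_group"] in open_sgs)


def build_graph(inv):
    """Directed edges: ecs -> role it is bound to, role -> bucket it can control."""
    edges = {}
    for ecs_id, ecs in inv["ecs"].items():
        if ecs.get("ram_role"):
            edges.setdefault(f"ecs:{ecs_id}", []).append(f"role:{ecs['ram_role']}")
    for role_id, role in inv["ram_roles"].items():
        if not CONTROL_ACTIONS & set(role["oss_actions"]):
            continue  # object-level access only; the role cannot control a bucket
        targets = inv["oss_buckets"] if "*" in role["buckets"] else role["buckets"]
        for bucket in targets:
            edges.setdefault(f"role:{role_id}", []).append(f"oss:{bucket}")
    return edges


def attack_paths(inv):
    """Every path from an internet-exposed ECS to a bucket via the role chain."""
    edges = build_graph(inv)
    paths = []

    def walk(node, path):
        if node.startswith("oss:"):
            paths.append(path)
            return
        for nxt in edges.get(node, []):
            if nxt not in path:  # cycle guard for richer graphs
                walk(nxt, path + [nxt])

    for ecs_id in public_ecs(inv):
        walk(f"ecs:{ecs_id}", [f"ecs:{ecs_id}"])
    return paths


def remediate_role(inv, role_id, actions):
    """Return a copy of the inventory with the role's OSS actions replaced."""
    fixed = copy.deepcopy(inv)
    fixed["ram_roles"][role_id]["oss_actions"] = list(actions)
    return fixed


if __name__ == "__main__":
    for finding in check_security_groups(INVENTORY) + check_buckets(INVENTORY):
        print("finding:", finding)
    for path in attack_paths(INVENTORY):
        print("attack path:", " -> ".join(path))
    fixed = remediate_role(INVENTORY, "role-admin", ["oss:GetObject"])
    print("paths after scoping role-admin down:", len(attack_paths(fixed)))
```

On the constructed inventory the checks report the open SSH rule on sg-web and the public-read bucket, and the graph walk yields three paths from i-web through role-admin to every bucket; replacing the role's wildcard with object-level read access leaves no path, which is the remediation the attack path view is meant to drive.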
Limitations
Region restrictions
Chinese Mainland
Supported regions
Region name | Region ID |
China (Fuzhou) | cn-fuzhou |
China (Qingdao) | cn-qingdao |
China (Beijing) | cn-beijing |
China (Zhangjiakou) | cn-zhangjiakou |
China (Hohhot) | cn-huhehaote |
China (Ulanqab) | cn-wulanchabu |
China (Hangzhou) | cn-hangzhou |
China (Shanghai) | cn-shanghai |
China (Shenzhen) | cn-shenzhen |
China (Heyuan) | cn-heyuan |
China (Guangzhou) | cn-guangzhou |
China (Chengdu) | cn-chengdu |
China (Nanjing) | cn-nanjing |
China (Hong Kong) | cn-hongkong |
China (Hangzhou) Finance | cn-hangzhou-finance |
China (Beijing) Finance | cn-beijing-finance-1 |
China (Shanghai) Finance | cn-shanghai-finance-1 |
China (Shenzhen) Finance | cn-shenzhen-finance-1 |
China (Beijing) GovCloud | cn-north-2-gov-1 |
China (Heyuan) Cloud Box | cn-heyuan-acdr-1 |
Region-specific product limitations
Product name | Unsupported regions |
ECS | cn-wulanchabu-acdr-ut-1 |
RAM | cn-hangzhou-acdr-ut-1 |
AnalyticDB for PostgreSQL | cn-qingdao |
NAS | cn-shanghai-finance-1 |
Lingjun Intelligent Computing Service | cn-huhehaote, cn-chengdu-ant, cn-wulanchabu-acdr-1, cn-shanghai-finance-1, cn-hangzhou-acdr-ut-1 |
Message Queue for Apache RocketMQ 4.0 | cn-guangzhou, cn-heyuan-acdr-1 |
Outside Chinese Mainland
Supported regions
Region name | Region ID |
Global | global-virtual |
Korea (Seoul) | ap-northeast-2 |
Singapore | ap-southeast-1 |
Malaysia (Kuala Lumpur) | ap-southeast-3 |
Indonesia (Jakarta) | ap-southeast-5 |
Philippines (Manila) | ap-southeast-6 |
Thailand (Bangkok) | ap-southeast-7 |
Saudi Arabia (Riyadh) | me-central-1 |
US (Virginia) | us-east-1 |
US (Silicon Valley) | us-west-1 |
UAE (Dubai) | me-east-1 |
Germany (Frankfurt) | eu-central-1 |
UK (London) | eu-west-1 |
Japan (Tokyo) | ap-northeast-1 |
India (Mumbai) | na-south-1 |
Region-specific product limitations
Product name | Unsupported regions |
ActionTrail | ap-southeast-2 |
RDS | ap-southeast-2 |
RAM | ap-southeast-2 |
AnalyticDB for PostgreSQL | cn-qingdao |
Microservices Engine | me-east-1 |
PolarDB-X | ap-northeast-1 |
Log Service (SLS) | ap-southeast-2 |
API Gateway | ap-southeast-2 |
Data Transmission Service | ap-southeast-2 |
Message Queue for Apache RocketMQ | ap-southeast-2 |
Product version restrictions
Product name | Unsupported versions |
RDS | MySQL 5.1 and 5.5 do not support the high-availability configuration check (ACS_RDS_DBInstanceHAConfig). |
Billing
Billing concepts
Authorization: The billing unit for paid cloud security posture management (CSPM) features. One authorization is consumed for each successful billable operation (scan, verification, or remediation) on an asset instance.
For example, if you have 10 products, each with 15 instances, and you use 5 check items to scan all instances, the task consumes 10 * 15 * 5 = 750 authorizations.
Asset instance: A specific cloud resource, such as an OSS bucket or an ECS security group.
Check item: Check items are categorized as free or paid.
Free check items: The Cloud Service Configuration Risk feature provides some free check items for basic risk awareness. You can perform an unlimited number of scans and verifications, and authorizations are consumed only for repairs.
Important: Users who authorized CSPM (formerly cloud product configuration check) before July 7, 2023, can continue to receive the number of free check items corresponding to their Security Center edition (Anti-virus: 80+, Advanced: 90+, and Enterprise/Ultimate: 250+) until their current edition expires.
Paid check items: You must purchase the corresponding edition or separately enable the CSPM service. The fees are included in the edition's service or consume authorizations.
For more billing information, see Billing.
Billing details
Security Center offers two billing models: subscription and pay-as-you-go. These models cover the cloud product configuration risk check, system baseline risk check, and attack path analysis features. The following tables describe the feature support and billing details for each model.
Before choosing a paid model, you can use the Free edition for basic checks or apply for a 7-day free trial to evaluate the full capabilities of the Enterprise edition.
Free Edition features: The Free Edition of Security Center supports the detection and verification of free check items for the Cloud Service Configuration Risk feature, but does not support Risk Remediation or the Attack Path feature.
7-day free trial (subscription Enterprise edition): You can access all features of the Enterprise edition. For details, see the service description for the Enterprise edition below.
Subscription
This prepaid option is suitable for users with long-term, stable security needs and helps control costs. You can purchase a service edition (such as Advanced, Enterprise, or Ultimate) or the CSPM value-added service to obtain the corresponding detection and protection capabilities.
Purchase an Advanced, Enterprise, or Ultimate edition
Important: If you use the Anti-Virus or Value-added Service editions and have not purchased the CSPM value-added service, you can use the free check items to detect and verify Cloud Service Configuration Risk. However, the risk remediation and Attack Path features are not supported.
Feature | Feature details | Authorization consumption |
Cloud Service Configuration Risk | Check items: Free check items. Note: The Ultimate edition additionally supports KSPM check items. Operations: Detection and verification are supported. Remediation is not supported. | Does not consume authorizations. |
System Baseline Risks | Check items: Advanced edition: Supports only weak password check items. Enterprise edition: Supports all check items except for container security check items. Ultimate edition: Supports all check items. Operations: Scanning, verification, and remediation are supported. | Included in the edition fee; does not consume authorizations. |
Attack Path | Not supported | N/A |
Purchase the CSPM value-added service
Important: If you purchase both a service edition and the CSPM value-added service, feature support is as follows:
Advanced, Enterprise, or Ultimate Edition: The check items and operations supported for System Baseline Risks depend on your current edition. The Cloud Service Configuration Risk and Attack Path features are not affected by the edition, and their details are provided in the following table.
Anti-virus and Value-added Service editions: The System Baseline Risks, Cloud Service Configuration Risk, and Attack Path features are not affected by the product edition. The following table applies.
Feature | Feature details | Authorization consumption |
Cloud Service Configuration Risk | Check items: All check items (free + paid). Operations: Detection, verification, and remediation are supported. | Free check items: One authorization is consumed for each successful remediation. Paid check items: One authorization is consumed for each successful scan, verification, or remediation. |
System Baseline Risks | Check items: All check items. Operations: Detection, verification, and remediation are supported. | One authorization is consumed for each successful scan, verification, or remediation. |
Attack Path | Supported | This feature is a built-in benefit of the paid CSPM service and does not consume extra authorizations. |
Pay-as-you-go
This pay-as-you-go plan is ideal for flexible use in short-term or dynamic scaling scenarios. By purchasing the pay-as-you-go feature for CSPM, you gain the corresponding detection and protection capabilities.
If you purchase only the pay-as-you-go feature of Host and Container Security, you can use the free check items to detect and verify Cloud Service Configuration Risk, but the Risk Remediation and Attack Path features are not supported.
Feature | Feature details | Authorization consumption |
Cloud Service Configuration Risk | Check items: All check items (free + paid). Operations: Detection, verification, and remediation are supported. | |
System Baseline Risks | Check items: All check items. Operations: Detection, verification, and remediation are supported. | One authorization is consumed for each successful scan, verification, or remediation. |
Attack Path | Supported | This feature is a built-in benefit of the paid CSPM service and does not consume extra authorizations. |
Get started
Purchase and activate the service: Purchase Security Center.
Use the product features:
Cloud Service Configuration Risk
Add cloud products: Add cloud products.
Configure and run policies: Policy management.
Handle risk items: Handling risks.
System Baseline Risks
Add server assets: Install the agent and add servers.
Configure and run policies: Policy management.
Handle risk items: Handling risks.
Attack Path: Attack path analysis
FAQ
Billing and authorizations
Can I switch from the subscription model to the pay-as-you-go model?
You cannot switch directly. You must wait for your subscription instance to expire or unsubscribe from it before you can activate the pay-as-you-go service.
Important: After you unsubscribe or the subscription expires, any unused authorizations are reset to zero and cannot be transferred.
What happens if I run out of authorizations?
Subscription model: If the remaining authorizations are insufficient to complete an entire scan task, the task stops prematurely. The system displays only the results for checks completed before authorizations ran out. Refer to Upgrade to upgrade your edition or purchase more authorizations.
Pay-as-you-go model: There is no authorization limit. The system continuously bills based on actual usage, ensuring all tasks run to completion.
Feature usage
How do I get started with CSPM for security hardening?
Activation and authorization: Activate the CSPM service and follow the prompts to grant management permissions for your cloud products.
Add assets to check: Add the cloud product instances you want to check, such as ECS and RDS, to Security Center.
Scan and remediate: Configure a check policy and run a scan. After the scan is complete, perform security hardening based on the risk report and remediation suggestions.
How do I use Security Center to improve the configuration security of my databases?
Security Center enhances database security in two ways:
Cloud security posture management (CSPM):
Detection scope: Checks for external configuration risks.
Check examples: Checks if access control whitelists are too permissive or if automatic backup and log audit are enabled.
Baseline risk check:
Detection scope: Checks for internal security flaws on the database's host server.
Check examples: Checks if database login accounts use weak passwords or if server configurations follow security best practices.
Unsubscribe and disable
How do I disable the cloud security posture management (CSPM) feature?
Free edition: No action is required. The Free edition provides only limited detection features and does not involve fees or authorization consumption.
Subscription edition: In the order management center, follow the instructions in Upgrade or downgrade editions to downgrade your Security Center edition to one that does not include CSPM features.
Pay-as-you-go edition: On the Overview page, in the Pay-as-you-go area, turn off the CSPM switch.