Onboard AWS assets via access key

更新时间:
复制 MD 格式

Deploying services across both Alibaba Cloud and AWS fragments security asset management, making it difficult to maintain a unified security view and hindering efficient risk discovery and response. By connecting your AWS account to Cloud Security Center, you can centrally manage security for core AWS assets, such as EC2, RDS, and S3. This lets you monitor the security posture of your multi-cloud assets, discover configuration risks, detect security events, and establish consistent cross-cloud security policies.

Choose an onboarding plan

Choose an onboarding method based on your security requirements, supported features, and environment type. Two options are available: the quick configuration plan and the manual configuration plan.

Item

Quick plan

Manual plan

Authorization account type

This plan uses the root user's AccessKey pair only for initial authorization.

This plan uses an IAM user with least-privilege access.

Supported features

Supports only Host.

  • Host

  • CSPM

  • Agentless Detection

Configuration complexity

Simple

Medium

Method 1: Quick configuration (for host assets only)

Step 1: Create a root user access key

Warning

Use the root user's access key pair only for the initial authorization. This allows Security Center to automatically create a dedicated IAM user with limited permissions in your AWS account. The username of the IAM user is prefixed with AlibabaSasSubAccount_. After the authorization is successful, you must immediately delete the root user's access key pair.

  1. Sign in to the AWS console

    Sign in to the AWS IAM console. On the dashboard, click My Security Credentials.

    Important

    Only the root user can configure My Security Credentials.

  2. Create an access key

    On the My Security Credentials page, configure the following settings and then click Create access key.

    • Use case: Select a use case based on your business scenario. If none of the options are suitable, select Other.

    • Set description tag (optional): The tag can be up to 256 characters long and can contain letters, digits, spaces, and the following special characters: _ . : / = + - @.

  3. Save the key pair

    After you create the key pair, go to the Retrieve access key page to view and save the access key (Access Key ID) and secret access key (Secret Access Key).

    Note

    You can click Download .csv file to save the key pair to your computer.

Step 2: Complete onboarding in Security Center

  1. Go to the authorization page:

    Start the AWS asset onboarding process from one of the following locations:

    • Recommended path:

      1. Log on to the Security Center console.

      2. In the left-side navigation pane, choose System Settings > Feature Settings. In the upper-left corner of the console, select your asset region: Chinese Mainland or Outside Chinese Mainland.

      3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission, and then select AWS.

    • Other paths:

      On the following pages, find the Multi-cloud Service Access or Add Multi-cloud Asset area, and click the Provision or Grant button below the image icon:

      • Assets > Host

      • Risk Governance > CSPM > Cloud Service Configuration Risk

      • Agentic SOC > Service Integration

      • Protection Configuration > Host Protection > Agentless Detection

  2. Configure access credentials:

    1. In the Add Assets Outside Cloud panel, select Quick Configuration, select the features to enable, and click Next.

    2. On the Submit AccessKey Pair page, enter the credentials that you created in AWS.

      • Access Key ID and Secret Access Key: Enter the credentials from Step 1: Create a root user access key.

      • Provisioning Region: Select an available AWS region. Security Center uses this region to verify asset accessibility.

      • Domain: Set this based on your selected Provisioning Region. If your region is in AWS China, select China. Otherwise, select International.

    3. After you enter the information, click Next. Security Center automatically verifies the credentials and permissions.

  3. Configure the synchronization policy:

    • Select region: Select the regions that contain the AWS assets you want to onboard.

      Note

      The synchronized asset data is stored in the data center that corresponds to the region selected in the upper-left corner of the Security Center console.

      • Chinese Mainland: Data centers are in the Chinese Mainland.

      • Outside Chinese Mainland: The data center is in Singapore.

    • Region Management: We recommend that you select this option. This option automatically synchronizes assets from any new regions added to this AWS account.

    • Host Asset Synchronization Frequency: Sets the interval for automatically synchronizing AWS host (EC2) assets. To disable synchronization, set this parameter to Off.

    • AK Service Status Check: Sets the interval for Security Center to automatically check the validity of the AWS account's access key pair. Set to Off to disable this check.

  4. After you complete the configuration, click Synchronize Assets. Security Center then synchronizes the host assets from your AWS account.

    Important

    After you complete these steps, Security Center automatically creates an IAM user in AWS with a username prefixed with AlibabaSasSubAccount_ to authorize the connection. Do not delete or disable this IAM user or its access key pair. Otherwise, asset onboarding and security monitoring will be interrupted.

Step 3: Delete the AWS root access key

After successfully onboarding your assets, immediately delete the root user's access key pair used for the initial authorization to reduce security risks.

  1. Sign in to the AWS IAM console as the root user. On the dashboard, click My Security Credentials.

  2. In the AccessKey Pair section, locate the access key pair that you used for this authorization. In the Actions column, click Delete and follow the prompts to confirm.

Method 2: Manual configuration

This method onboards your assets by creating a least-privilege IAM user in AWS, offering high security and full feature support.

Step 1: Create IAM credentials in AWS

Create an IAM user with the minimum permissions for Security Center integration and get its access key.

Note

For more information, see the official AWS documentation: Creating IAM users and Adding IAM permissions.

  1. Sign in to the AWS Management Console

    Sign in to the AWS IAM console. In the left-side navigation pane, choose Users. On the Users page, click Create user.

  2. Specify user details

    • User name: Enter a descriptive name, such as aliyun-security-center-user.

    • Provide user access to the AWS Management Console: Do not select this option. This user is for API access only.

  3. Set permissions

    • Select Attach policies directly.

    • Select the permission policies that correspond to the features you plan to use in Security Center.

      Feature

      AWS policy

      Notes

      Host

      AmazonEC2ReadOnlyAccess
      IAMReadOnlyAccess

      None

      CSPM (CSPM)

      ReadOnlyAccess

      IAMReadOnlyAccess

      To perform comprehensive risk detection based on audit logs, see Configure AWS service audit logs for CSPM to configure audit logs for the relevant services in AWS.

      Agentless Detection

      You must manually create a custom policy.

      You need to create a log delivery pipeline in AWS that consists of CloudTrail, S3, and SQS. For detailed steps, see Create a custom policy for Agentless Detection.

      image

  4. Review and create

    Review the user details and permission policies and click Create user.

  5. Create and save the access key

    1. After the user is created, return to the Users list and click the new user's name to open the details page.

    2. In the Summary section, click Create access key and configure the key as follows:

      1. Use case: Select the use case that matches your business scenario. If none of the options apply, select Others.

      2. Description tag: You can leave this blank or enter a custom tag, such as for-aliyun-sasc.

    3. Click Create access key. On the Retrieve access keys page, view and save the Access key (Access Key ID) and Secret access key.

    image

Step 2: Complete onboarding in Security Center

After creating an access key for the IAM user in AWS, return to the Security Center console to complete the onboarding configuration.

  1. Go to the authorization page

    Note

    For information about other entry points, see Other entry points.

    1. Log on to the Security Center console.

    2. In the left-side navigation pane, choose System Settings > Feature Settings. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

    3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission, and then select AWS.

  2. Configure access credentials

    1. In the Add Assets Outside Cloud panel, select Manual Configuration, select the features to enable, and then click Next.

      • Host: Automatically discovers and synchronizes your AWS EC2 host assets.

      • CSPM: Scans the configurations of your AWS cloud products to discover and manage configuration risks.

      • Agentless Detection: Scans your AWS assets for vulnerabilities and risks.

    2. On the Submit AccessKey Pair page, enter the credentials you created in AWS.

      • Access key ID and Secret access key: Enter the credentials you created in Step 1: Create IAM credentials in AWS.

      • Provisioning Region: Select an available AWS region. Security Center uses this region to verify asset accessibility.

      • Domain: Set this based on your selected Provisioning Region. If your region is in AWS China, select China. Otherwise, select International.

    3. After entering the information, click Next. The system then automatically verifies the credentials and permissions.

  3. Configure audit logs (Optional)

    If you want to use the Cloud Security Posture Management (CSPM) audit log feature, complete the configuration in this step. Otherwise, click Skip.

    Important

    Before you proceed, you must complete the required configurations in the AWS Management Console. For more information, see Configure AWS service audit logs for CSPM.

    • AWS Region: Enter the ID of the region where the SQS queue is located. For a list of region IDs, see AWS Region IDs.

    • SQS Queue Name: Enter the name of the SQS queue that you created.

  4. Configure Synchronization Policy

    On the Policy Configuration page, configure the following settings as needed:

    • Select region: Select the AWS regions that contain the assets you want to onboard.

      Note

      The asset data is stored in the data center for the region selected in the upper-left corner of the Security Center console.

      • Chinese Mainland: Chinese mainland data center.

      • Outside Chinese Mainland: Singapore data center.

    • Region Management: Recommended. If selected, assets in new regions for this AWS account are automatically synchronized.

    • Host Asset Synchronization Frequency: Set the automatic synchronization interval for AWS host (EC2) assets. To disable synchronization, set this to "Off".

      Note

      This parameter is available only if you enabled the Host feature.

    • Cloud Service Synchronization Frequency: Set the automatic synchronization interval for AWS cloud product configurations. To disable synchronization, set this to "Off".

      Note

      This parameter is available only if you enabled the Cloud Security Posture Management feature.

    • AK Service Status Check: Set the interval for Security Center to automatically check the validity of the access key for the AWS account. Select "Off" to disable this check.

  5. After completing the configuration, click Synchronize Assets to start synchronizing data from your AWS account to Security Center.

Manage provisioned assets

Host assets

Go to the Assets > Host page. In the Add Multi-cloud Asset area, click the image icon to view your provisioned AWS hosts. Follow the steps below to manage your AWS EC2 hosts and enhance their protection.

Note

For more information, see host assets.

  1. Install the client: Install the Security Center client on your AWS hosts. When you run the installation command, select AWS as the Service Provider. For more information, see Install the client.

  2. Upgrade to a paid edition for protection: The default Free Edition provides only basic security detection. To obtain comprehensive security capabilities, such as anti-virus, vulnerability remediation, and intrusion prevention, apply a paid edition (Anti-virus Edition or later) to your AWS hosts. For more information, see Manage security authorizations for hosts and containers.

Cloud security posture management (CSPM)

On the Security Center console, go to the Assets > Cloud Product page. In the All Alibaba Cloud Services navigation pane on the left, click AWS to view your provisioned AWS assets. You can use the following CSPM features on these assets:

Note

For more information, see View cloud product information.

  1. Run a configuration risk check: Check your AWS products for configuration risks. For more information, see Set up and run a cloud platform configuration risk check policy.

  2. Handle risk items: Based on the check results, view and remediate failed risk check items to improve the compliance and security of your cloud assets. For more information, see View and handle failed cloud platform configuration risk check items.

Agentless detection

On the Security Center console, go to the Protection Configuration > Host Protection > Agentless Detection page. In the Add Multi-cloud Asset area, click the image icon to view the number of provisioned AWS assets. After the assets are provisioned, you can use the Agentless Detection feature to scan your AWS hosts for vulnerabilities, baseline issues, and more.

AWS advanced configuration (for Agentless Detection and CSPM)

Create a custom policy for Agentless Detection

Note

For more information, see the AWS documentation about creating a user and adding permissions.

  1. Log in to the AWS IAM console. On the Policies page, click Create policy.

  2. In the Policy editor section, select JSON and paste the following JSON.

    {
        "Version": "2012-10-17",
        "Statement":
        [
            {
                "Effect": "Allow",
                "Action":
                [
                    "ec2:DeleteSubnet",
                    "ec2:DeleteVpcEndpoints",
                    "ec2:DeleteInternetGateway",
                    "ec2:TerminateInstances",
                    "ec2:StopInstances",
                    "ec2:DeleteSecurityGroup",
                    "ec2:DeleteVpc"
                ],
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "ec2:ResourceTag/Name": "alibaba-cloud-security-scan*"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action":
                [
                    "ec2:DeleteSnapshot"
                ],
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "ec2:ResourceTag/Name": "SAS_Agentless*"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action":
                [
                    "ec2:CopySnapshot",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:DescribeInstances",
                    "ec2:CreateImage",
                    "ec2:CreateVpc",
                    "ec2:AttachInternetGateway",
                    "ec2:CopyImage",
                    "ec2:ModifyImageAttribute",
                    "ec2:DescribeSnapshots",
                    "ec2:ModifySubnetAttribute",
                    "ec2:DescribeInternetGateways",
                    "ec2:ModifySnapshotAttribute",
                    "ec2:DescribeInstanceTypeOfferings",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:CreateInternetGateway",
                    "ec2:CreateSecurityGroup",
                    "ec2:DescribeVolumes",
                    "ec2:CreateSnapshot",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:RunInstances",
                    "ec2:DetachInternetGateway",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeImages",
                    "ec2:CreateVpcEndpoint",
                    "ec2:CreateSnapshots",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeImageAttribute",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:CreateSubnet",
                    "ec2:DescribeSubnets",
                    "ec2:ModifyVpcEndpoint",
                    "ec2:CreateTags",
                    "ec2:DescribeRouteTables",
                    "ec2:CreateRoute",
                    "ec2:DescribeRegions",
                    "kms:Decrypt",
                    "kms:DescribeKey",
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant",
                    "kms:GenerateDataKey",
                    "kms:ReEncrypt*",
                    "iam:GetUser"
                ],
                "Resource": "*"
            }
        ]
    }

    image

  3. Click Next. Enter a name for the policy, such as AliyunSASC-AgentlessScan-Policy, and then click Create policy.

  4. Attach this policy to the IAM user. For instructions, see Set user permissions.

CSPM

Step 1: Create a CloudTrail trail

In this step, you create a trail in AWS CloudTrail to record and store all management operations on your cloud resources within a specific region. These logs provide the data required for CSPM. For more information, see the AWS documentation about creating a trail.

  1. Log in to the AWS CloudTrail console

    1. Log in to the AWS CloudTrail console. In the region selector in the upper-right corner of the console, select the AWS region that you want to monitor.

    2. On the dashboard or in the left navigation pane, choose Trails and then click Create Trail.

  2. Configure trail attributes

    On the Choose trail attributes page, configure the following parameters and then click Next.

    • Trail name: Enter a descriptive name, such as aliyun-sasc-audit-trail.

    • Storage location:

      Important

      Record the bucket name for use in a later step.

      • Create new S3 bucket: Enter a globally unique bucket name in all lowercase letters.

      • Use existing S3 bucket: In the Trail log bucket name section, click Browse and select the target S3 bucket from the dialog box.

    • Log file SSE-KMS encryption: Clear this check box. Use the default server-side encryption with Amazon S3-Managed Keys (SSE-S3) to encrypt log files.

  3. Choose log events

    On the Choose log events page, configure the following settings and then click Next.

    • Event type: Management events.

    • API activity: Read, Write.

  4. Review and create

    On the Review and create page, review your configuration and click Create Trail.

Step 2: Create an SQS message queue

This queue receives S3 event notifications from the S3 bucket and acts as the target message channel for log delivery. For more information, see the AWS documentation about creating a message queue.

  1. Log in to the AWS SQS console.

    Log in to the AWS SQS console, select a region, and then click Create queue.

    Warning

    Ensure the selected region is the same one where you created the CloudTrail trail.

  2. Configure queue details

    • Type: Standard.

    • Name: Enter an easily identifiable queue name, such as aliyun-sasc-log-queue.

      Important

      This queue name is used to generate its unique ARN and for subsequent access policy configuration. Make sure that you enter it correctly.

  3. Configure the access policy

    This policy defines who can send and read messages to and from the queue.

    1. In the Access policy panel, select Advanced.

      Important

      Record the Account ID and queue ARN from the default policy for use in a later step.

      image

    2. Copy the entire JSON template below and paste it into the policy editor, replacing all existing content.

      {
        "Version": "2012-10-17",
        "Id": "__default_policy_ID",
        "Statement": [
          {
            "Sid": "__owner_statement",
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::${Account ID}:root"
            },
            "Action": "SQS:*",
            "Resource": "${SQS ARN}"
          },
          {
                  "Sid": "example-statement-ID",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": "s3.amazonaws.com"
                  },
                  "Action": [
                      "SQS:SendMessage"
                  ],
                  "Resource": "${SQS ARN}",
                  "Condition": {
                      "ArnLike": {
                          "aws:SourceArn": "arn:aws:s3:*:*:${S3 bucket name}"
                      }
                  }
              }
        ]
      }
    3. Important: Replace the placeholders in the template as described in the following table.

      Placeholder

      Description

      Example

      ${Account ID}

      The Account ID that you saved in the previous step.

      99********1

      ${SQS ARN}

      The queue ARN that you saved in the previous step.

      arn:aws:sqs:ap-northeast-1:123******012:aliyun-sasc-log-queue

      ${S3 bucket name}

      The name of the S3 bucket specified when you created the CloudTrail trail.

      Note

      You can log in to the AWS S3 console, find the bucket in the corresponding region, and view its information on the details page.

      aws-cloudtrail-logs-123******12-abcdef

    4. After you replace the placeholders, scroll to the bottom of the page and click Create queue.

Step 3: Create an S3 event notification

In this step, you configure an S3 event notification for the S3 bucket. This rule automatically sends a notification to the specified SQS queue when a new log file is generated. For more information, see the AWS documentation about Amazon S3 Event Notifications.

  1. Log in to the AWS S3 console

    1. Log in to the AWS S3 console, select a region, and then click General purpose buckets.

      Warning

      Ensure the selected region is the same one where you created the CloudTrail trail.

    2. On the General purpose buckets tab, locate the S3 bucket that you specified when you created the CloudTrail trail and open its details page.

  2. Configure the event notification

    On the Properties tab, in the Event notifications section, click Create event notification. Configure the following settings.

    1. Event types: Select Put.

    2. Destination: Select SQS queue, and specify the SQS queue that you created in Step 2: Create an SQS message queue.

    3. After you complete the configuration, click Save changes.

Step 4: Configure queue read and write permissions

In this step, you grant the dedicated IAM user for Security Center permission to read notification messages from the SQS queue.

  1. Create an SQS policy

    1. Log in to the AWS IAM console. On the Policies page, click Create Policy.

    2. Configure the following settings.

      1. Service: SQS.

      2. Effect: Allow.

      3. Read: Select GetQueueUrl and ReceiveMessage.

      4. Write

      5. Resources: Click Add ARNS. In the Resource ARN field, enter the queue ARN.

        Note

        You can log in to the AWS SQS console, find the queue in the corresponding region, and view its ARN information on the details page.

  2. Attach the policy to the IAM user

    Attach the SQS policy that you created in the previous step to the target IAM user. For instructions, see Set user permissions.

FAQ

  • Why can't I see some of my onboarded AWS resources in Security Center?

    • Region not selected: In the Security Center onboarding configuration, verify that the resource's AWS region is selected.

    • Synchronization delay: Asset synchronization may be delayed after the initial onboarding or a configuration change. Wait for the process to complete.

  • What should I do if the automatic credential and permission verification fails after entering the access key?

    • Permission issue: The IAM user has insufficient permissions. For more information, see Set user permissions. Go to the AWS console to modify or add the required permission policy.

    • Account issue: If you are using the quick configuration plan, the root user must generate the access key. For more information, see Step 1: Create an access key for the root user in AWS. Sign in to the AWS console as the root user and create an access key.

    • Region issue: The selected region is unavailable. Switch to another available region or the corresponding domain, and then resubmit.