Deploying services across both Alibaba Cloud and AWS fragments security asset management, making it difficult to maintain a unified security view and hindering efficient risk discovery and response. By connecting your AWS account to Cloud Security Center, you can centrally manage security for core AWS assets, such as EC2, RDS, and S3. This lets you monitor the security posture of your multi-cloud assets, discover configuration risks, detect security events, and establish consistent cross-cloud security policies.
Choose an onboarding plan
Choose an onboarding method based on your security requirements, supported features, and environment type. Two options are available: the quick configuration plan and the manual configuration plan.
|
Item |
Quick plan |
Manual plan |
|
Authorization account type |
This plan uses the root user's AccessKey pair only for initial authorization. |
This plan uses an IAM user with least-privilege access. |
|
Supported features |
Supports only Host. |
|
|
Configuration complexity |
Simple |
Medium |
Method 1: Quick configuration (for host assets only)
Step 1: Create a root user access key
Use the root user's access key pair only for the initial authorization. This allows Security Center to automatically create a dedicated IAM user with limited permissions in your AWS account. The username of the IAM user is prefixed with AlibabaSasSubAccount_. After the authorization is successful, you must immediately delete the root user's access key pair.
-
Sign in to the AWS console
Sign in to the AWS IAM console. On the dashboard, click My Security Credentials.
ImportantOnly the root user can configure My Security Credentials.
-
Create an access key
On the My Security Credentials page, configure the following settings and then click Create access key.
-
Use case: Select a use case based on your business scenario. If none of the options are suitable, select Other.
-
Set description tag (optional): The tag can be up to 256 characters long and can contain letters, digits, spaces, and the following special characters: _ . : / = + - @.
-
-
Save the key pair
After you create the key pair, go to the Retrieve access key page to view and save the access key (Access Key ID) and secret access key (Secret Access Key).
NoteYou can click Download .csv file to save the key pair to your computer.
Step 2: Complete onboarding in Security Center
-
Go to the authorization page:
Start the AWS asset onboarding process from one of the following locations:
-
Recommended path:
-
Log on to the Security Center console.
-
In the left-side navigation pane, choose . In the upper-left corner of the console, select your asset region: Chinese Mainland or Outside Chinese Mainland.
-
On the tab, click Grant Permission, and then select AWS.
-
-
Other paths:
On the following pages, find the Multi-cloud Service Access or Add Multi-cloud Asset area, and click the Provision or Grant button below the
icon: -
-
-
Configure access credentials:
-
In the Add Assets Outside Cloud panel, select Quick Configuration, select the features to enable, and click Next.
-
On the Submit AccessKey Pair page, enter the credentials that you created in AWS.
-
Access Key ID and Secret Access Key: Enter the credentials from Step 1: Create a root user access key.
-
Provisioning Region: Select an available AWS region. Security Center uses this region to verify asset accessibility.
-
Domain: Set this based on your selected Provisioning Region. If your region is in AWS China, select China. Otherwise, select International.
-
-
After you enter the information, click Next. Security Center automatically verifies the credentials and permissions.
NoteIf the verification fails, see What do I do if the automatic credential and permission verification fails after I enter the access key pair?
-
-
Configure the synchronization policy:
-
Select region: Select the regions that contain the AWS assets you want to onboard.
NoteThe synchronized asset data is stored in the data center that corresponds to the region selected in the upper-left corner of the Security Center console.
-
Chinese Mainland: Data centers are in the Chinese Mainland.
-
Outside Chinese Mainland: The data center is in Singapore.
-
-
Region Management: We recommend that you select this option. This option automatically synchronizes assets from any new regions added to this AWS account.
-
Host Asset Synchronization Frequency: Sets the interval for automatically synchronizing AWS host (EC2) assets. To disable synchronization, set this parameter to Off.
-
AK Service Status Check: Sets the interval for Security Center to automatically check the validity of the AWS account's access key pair. Set to Off to disable this check.
-
-
After you complete the configuration, click Synchronize Assets. Security Center then synchronizes the host assets from your AWS account.
ImportantAfter you complete these steps, Security Center automatically creates an IAM user in AWS with a username prefixed with
AlibabaSasSubAccount_to authorize the connection. Do not delete or disable this IAM user or its access key pair. Otherwise, asset onboarding and security monitoring will be interrupted.
Step 3: Delete the AWS root access key
After successfully onboarding your assets, immediately delete the root user's access key pair used for the initial authorization to reduce security risks.
-
Sign in to the AWS IAM console as the root user. On the dashboard, click My Security Credentials.
-
In the AccessKey Pair section, locate the access key pair that you used for this authorization. In the Actions column, click Delete and follow the prompts to confirm.
Method 2: Manual configuration
This method onboards your assets by creating a least-privilege IAM user in AWS, offering high security and full feature support.
Step 1: Create IAM credentials in AWS
Create an IAM user with the minimum permissions for Security Center integration and get its access key.
For more information, see the official AWS documentation: Creating IAM users and Adding IAM permissions.
-
Sign in to the AWS Management Console
Sign in to the AWS IAM console. In the left-side navigation pane, choose Users. On the Users page, click Create user.
-
Specify user details
-
User name: Enter a descriptive name, such as
aliyun-security-center-user. -
Provide user access to the AWS Management Console: Do not select this option. This user is for API access only.
-
-
Set permissions
-
Select Attach policies directly.
-
Select the permission policies that correspond to the features you plan to use in Security Center.
Feature
AWS policy
Notes
Host
AmazonEC2ReadOnlyAccessIAMReadOnlyAccessNone
CSPM (CSPM)
ReadOnlyAccessIAMReadOnlyAccessTo perform comprehensive risk detection based on audit logs, see Configure AWS service audit logs for CSPM to configure audit logs for the relevant services in AWS.
Agentless Detection
You must manually create a custom policy.
You need to create a log delivery pipeline in AWS that consists of CloudTrail, S3, and SQS. For detailed steps, see Create a custom policy for Agentless Detection.

-
-
Review and create
Review the user details and permission policies and click Create user.
-
Create and save the access key
-
After the user is created, return to the Users list and click the new user's name to open the details page.
-
In the Summary section, click Create access key and configure the key as follows:
-
Use case: Select the use case that matches your business scenario. If none of the options apply, select Others.
-
Description tag: You can leave this blank or enter a custom tag, such as
for-aliyun-sasc.
-
-
Click Create access key. On the Retrieve access keys page, view and save the Access key (Access Key ID) and Secret access key.

-
Step 2: Complete onboarding in Security Center
After creating an access key for the IAM user in AWS, return to the Security Center console to complete the onboarding configuration.
-
Go to the authorization page
NoteFor information about other entry points, see Other entry points.
-
Log on to the Security Center console.
-
In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
-
On the tab, click Grant Permission, and then select AWS.
-
-
Configure access credentials
-
In the Add Assets Outside Cloud panel, select Manual Configuration, select the features to enable, and then click Next.
-
Host: Automatically discovers and synchronizes your AWS EC2 host assets.
-
CSPM: Scans the configurations of your AWS cloud products to discover and manage configuration risks.
-
Agentless Detection: Scans your AWS assets for vulnerabilities and risks.
-
-
On the Submit AccessKey Pair page, enter the credentials you created in AWS.
-
Access key ID and Secret access key: Enter the credentials you created in Step 1: Create IAM credentials in AWS.
-
Provisioning Region: Select an available AWS region. Security Center uses this region to verify asset accessibility.
-
Domain: Set this based on your selected Provisioning Region. If your region is in AWS China, select China. Otherwise, select International.
-
-
After entering the information, click Next. The system then automatically verifies the credentials and permissions.
NoteIf the verification fails, see What do I do if the automatic credential and permission verification fails after I provide the access key?
-
-
Configure audit logs (Optional)
If you want to use the Cloud Security Posture Management (CSPM) audit log feature, complete the configuration in this step. Otherwise, click Skip.
ImportantBefore you proceed, you must complete the required configurations in the AWS Management Console. For more information, see Configure AWS service audit logs for CSPM.
-
AWS Region: Enter the ID of the region where the SQS queue is located. For a list of region IDs, see AWS Region IDs.
-
SQS Queue Name: Enter the name of the SQS queue that you created.
-
-
Configure Synchronization Policy
On the Policy Configuration page, configure the following settings as needed:
-
Select region: Select the AWS regions that contain the assets you want to onboard.
NoteThe asset data is stored in the data center for the region selected in the upper-left corner of the Security Center console.
-
Chinese Mainland: Chinese mainland data center.
-
Outside Chinese Mainland: Singapore data center.
-
-
Region Management: Recommended. If selected, assets in new regions for this AWS account are automatically synchronized.
-
Host Asset Synchronization Frequency: Set the automatic synchronization interval for AWS host (EC2) assets. To disable synchronization, set this to "Off".
NoteThis parameter is available only if you enabled the Host feature.
-
Cloud Service Synchronization Frequency: Set the automatic synchronization interval for AWS cloud product configurations. To disable synchronization, set this to "Off".
NoteThis parameter is available only if you enabled the Cloud Security Posture Management feature.
-
AK Service Status Check: Set the interval for Security Center to automatically check the validity of the access key for the AWS account. Select "Off" to disable this check.
-
-
After completing the configuration, click Synchronize Assets to start synchronizing data from your AWS account to Security Center.
Manage provisioned assets
Host assets
Go to the page. In the Add Multi-cloud Asset area, click the
icon to view your provisioned AWS hosts. Follow the steps below to manage your AWS EC2 hosts and enhance their protection.
For more information, see host assets.
-
Install the client: Install the Security Center client on your AWS hosts. When you run the installation command, select AWS as the Service Provider. For more information, see Install the client.
-
Upgrade to a paid edition for protection: The default Free Edition provides only basic security detection. To obtain comprehensive security capabilities, such as anti-virus, vulnerability remediation, and intrusion prevention, apply a paid edition (Anti-virus Edition or later) to your AWS hosts. For more information, see Manage security authorizations for hosts and containers.
Cloud security posture management (CSPM)
On the Security Center console, go to the page. In the All Alibaba Cloud Services navigation pane on the left, click AWS to view your provisioned AWS assets. You can use the following CSPM features on these assets:
For more information, see View cloud product information.
-
Run a configuration risk check: Check your AWS products for configuration risks. For more information, see Set up and run a cloud platform configuration risk check policy.
-
Handle risk items: Based on the check results, view and remediate failed risk check items to improve the compliance and security of your cloud assets. For more information, see View and handle failed cloud platform configuration risk check items.
Agentless detection
On the Security Center console, go to the page. In the Add Multi-cloud Asset area, click the
icon to view the number of provisioned AWS assets. After the assets are provisioned, you can use the Agentless Detection feature to scan your AWS hosts for vulnerabilities, baseline issues, and more.
AWS advanced configuration (for Agentless Detection and CSPM)
Create a custom policy for Agentless Detection
For more information, see the AWS documentation about creating a user and adding permissions.
-
Log in to the AWS IAM console. On the Policies page, click Create policy.
-
In the Policy editor section, select JSON and paste the following JSON.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DeleteSubnet", "ec2:DeleteVpcEndpoints", "ec2:DeleteInternetGateway", "ec2:TerminateInstances", "ec2:StopInstances", "ec2:DeleteSecurityGroup", "ec2:DeleteVpc" ], "Resource": "*", "Condition": { "StringLike": { "ec2:ResourceTag/Name": "alibaba-cloud-security-scan*" } } }, { "Effect": "Allow", "Action": [ "ec2:DeleteSnapshot" ], "Resource": "*", "Condition": { "StringLike": { "ec2:ResourceTag/Name": "SAS_Agentless*" } } }, { "Effect": "Allow", "Action": [ "ec2:CopySnapshot", "ec2:AuthorizeSecurityGroupIngress", "ec2:DescribeInstances", "ec2:CreateImage", "ec2:CreateVpc", "ec2:AttachInternetGateway", "ec2:CopyImage", "ec2:ModifyImageAttribute", "ec2:DescribeSnapshots", "ec2:ModifySubnetAttribute", "ec2:DescribeInternetGateways", "ec2:ModifySnapshotAttribute", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeAvailabilityZones", "ec2:CreateInternetGateway", "ec2:CreateSecurityGroup", "ec2:DescribeVolumes", "ec2:CreateSnapshot", "ec2:AuthorizeSecurityGroupEgress", "ec2:RunInstances", "ec2:DetachInternetGateway", "ec2:DescribeSecurityGroups", "ec2:DescribeImages", "ec2:CreateVpcEndpoint", "ec2:CreateSnapshots", "ec2:DescribeVpcs", "ec2:DescribeImageAttribute", "ec2:DescribeVpcEndpoints", "ec2:CreateSubnet", "ec2:DescribeSubnets", "ec2:ModifyVpcEndpoint", "ec2:CreateTags", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:DescribeRegions", "kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant", "kms:GenerateDataKey", "kms:ReEncrypt*", "iam:GetUser" ], "Resource": "*" } ] }
-
Click Next. Enter a name for the policy, such as
AliyunSASC-AgentlessScan-Policy, and then click Create policy. -
Attach this policy to the IAM user. For instructions, see Set user permissions.
CSPM
Step 1: Create a CloudTrail trail
In this step, you create a trail in AWS CloudTrail to record and store all management operations on your cloud resources within a specific region. These logs provide the data required for CSPM. For more information, see the AWS documentation about creating a trail.
-
Log in to the AWS CloudTrail console
-
Log in to the AWS CloudTrail console. In the region selector in the upper-right corner of the console, select the AWS region that you want to monitor.
-
On the dashboard or in the left navigation pane, choose Trails and then click Create Trail.
-
-
Configure trail attributes
On the Choose trail attributes page, configure the following parameters and then click Next.
-
Trail name: Enter a descriptive name, such as
aliyun-sasc-audit-trail. -
Storage location:
ImportantRecord the bucket name for use in a later step.
-
Create new S3 bucket: Enter a globally unique bucket name in all lowercase letters.
-
Use existing S3 bucket: In the Trail log bucket name section, click Browse and select the target S3 bucket from the dialog box.
-
-
Log file SSE-KMS encryption: Clear this check box. Use the default server-side encryption with Amazon S3-Managed Keys (SSE-S3) to encrypt log files.
-
-
Choose log events
On the Choose log events page, configure the following settings and then click Next.
-
Event type: Management events.
-
API activity: Read, Write.
-
-
Review and create
On the Review and create page, review your configuration and click Create Trail.
Step 2: Create an SQS message queue
This queue receives S3 event notifications from the S3 bucket and acts as the target message channel for log delivery. For more information, see the AWS documentation about creating a message queue.
-
Log in to the AWS SQS console.
Log in to the AWS SQS console, select a region, and then click Create queue.
WarningEnsure the selected region is the same one where you created the CloudTrail trail.
-
Configure queue details
-
Type: Standard.
-
Name: Enter an easily identifiable queue name, such as
aliyun-sasc-log-queue.ImportantThis queue name is used to generate its unique ARN and for subsequent access policy configuration. Make sure that you enter it correctly.
-
-
Configure the access policy
This policy defines who can send and read messages to and from the queue.
-
In the Access policy panel, select Advanced.
ImportantRecord the Account ID and queue ARN from the default policy for use in a later step.

-
Copy the entire JSON template below and paste it into the policy editor, replacing all existing content.
{ "Version": "2012-10-17", "Id": "__default_policy_ID", "Statement": [ { "Sid": "__owner_statement", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::${Account ID}:root" }, "Action": "SQS:*", "Resource": "${SQS ARN}" }, { "Sid": "example-statement-ID", "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": [ "SQS:SendMessage" ], "Resource": "${SQS ARN}", "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:s3:*:*:${S3 bucket name}" } } } ] } -
Important: Replace the placeholders in the template as described in the following table.
Placeholder
Description
Example
${Account ID}The Account ID that you saved in the previous step.
99********1${SQS ARN}The queue ARN that you saved in the previous step.
arn:aws:sqs:ap-northeast-1:123******012:aliyun-sasc-log-queue${S3 bucket name}The name of the S3 bucket specified when you created the CloudTrail trail.
NoteYou can log in to the AWS S3 console, find the bucket in the corresponding region, and view its information on the details page.
aws-cloudtrail-logs-123******12-abcdef -
After you replace the placeholders, scroll to the bottom of the page and click Create queue.
-
Step 3: Create an S3 event notification
In this step, you configure an S3 event notification for the S3 bucket. This rule automatically sends a notification to the specified SQS queue when a new log file is generated. For more information, see the AWS documentation about Amazon S3 Event Notifications.
-
Log in to the AWS S3 console
-
Log in to the AWS S3 console, select a region, and then click General purpose buckets.
WarningEnsure the selected region is the same one where you created the CloudTrail trail.
-
On the General purpose buckets tab, locate the S3 bucket that you specified when you created the CloudTrail trail and open its details page.
-
-
Configure the event notification
On the Properties tab, in the Event notifications section, click Create event notification. Configure the following settings.
-
Event types: Select Put.
-
Destination: Select SQS queue, and specify the SQS queue that you created in Step 2: Create an SQS message queue.
-
After you complete the configuration, click Save changes.
-
Step 4: Configure queue read and write permissions
In this step, you grant the dedicated IAM user for Security Center permission to read notification messages from the SQS queue.
-
Create an SQS policy
-
Log in to the AWS IAM console. On the Policies page, click Create Policy.
-
Configure the following settings.
-
Service: SQS.
-
Effect: Allow.
-
Read: Select GetQueueUrl and ReceiveMessage.
-
Write
-
Resources: Click Add ARNS. In the Resource ARN field, enter the queue ARN.
NoteYou can log in to the AWS SQS console, find the queue in the corresponding region, and view its ARN information on the details page.
-
-
-
Attach the policy to the IAM user
Attach the SQS policy that you created in the previous step to the target IAM user. For instructions, see Set user permissions.
FAQ
-
Why can't I see some of my onboarded AWS resources in Security Center?
-
Region not selected: In the Security Center onboarding configuration, verify that the resource's AWS region is selected.
-
Synchronization delay: Asset synchronization may be delayed after the initial onboarding or a configuration change. Wait for the process to complete.
-
-
What should I do if the automatic credential and permission verification fails after entering the access key?
-
Permission issue: The IAM user has insufficient permissions. For more information, see Set user permissions. Go to the AWS console to modify or add the required permission policy.
-
Account issue: If you are using the quick configuration plan, the root user must generate the access key. For more information, see Step 1: Create an access key for the root user in AWS. Sign in to the AWS console as the root user and create an access key.
-
Region issue: The selected region is unavailable. Switch to another available region or the corresponding domain, and then resubmit.
-

