Config Assessment Authorization


Risk Level: Medium (should be achieved)

Ensure that the Config Assessment feature has the permissions to access other Alibaba Cloud product settings in order to help mitigate risks originating from potential service misconfigurations.

Security

Once the Config Assessment feature has the required privileges, Alibaba Cloud Security Center can offer security configuration guidelines across five key areas: identity authentication, network access control, data security, log auditing, and basic security protection. This proactive approach helps mitigate risks associated with errors in cloud product configurations.


Audit

To determine whether the Config Assessment feature is authorized to access other cloud product settings, perform the following operations:

Getting the Config Assessment authorization status via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Security Center console available at https://yundun.console.aliyun.com/?p=sas#/overview/home.

03 In the top navigation bar, select the region where your servers reside (China or Outside China).

04 In the left navigation panel, under Risk Governance, choose Configuration Assessment.

05 In the Configuration Assessment section, check for the prompt message that is asking for authorization. If the following prompt message is displayed, the Config Assessment feature lacks the permissions to access other Alibaba Cloud product settings:

Prompt
Role Name: AliyunServiceRoleForSasCspm
Role Policy: AliyunServiceRolePolicyForSasCspm
Permission description: The cloud security center is allowed to access the cloud product configuration of the account. Using this permission, the cloud security center can provide security configuration practices for you from five dimensions: identity authentication, network access control, data security, log audit, and basic security protection, reducing risks caused by cloud product configuration errors.
Document Link: Service Associated Role Document

Remediation / Resolution

To ensure that the Config Assessment security feature is authorized to access other cloud product settings, perform the following operations:

Authorizing Config Assessment to access other cloud product settings via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Security Center console available at https://yundun.console.aliyun.com/?p=sas#/overview/home.

03 In the top navigation bar, select the region where your servers reside (China or Outside China).

04 In the left navigation panel, under Risk Governance, choose Configuration Assessment.

05 In the Configuration Assessment section, find the prompt message that is asking for authorization, and choose Authorize Immediately to grant the Config Assessment feature the required permissions to access other Alibaba Cloud product settings. Once the feature has the required privileges, it will start scanning for cloud service misconfigurations.

Publication date Apr 30, 2024