Help Center/ SecMaster/ User Guide/ Risk Prevention/ Policy Management/ Adding or Editing an Emergency Policy
Updated on 2024-06-07 GMT+08:00
View PDF

Adding or Editing an Emergency Policy

Scenario

SecMaster can create blacklist policies for CFW/WAF/VPC security groups/IAM.

An emergency policy is used to quickly block attacks. You can select a block type based on the alert source to block attackers. Table 1 lists recommended settings. You can also block a single attack source based on the comprehensive investigation of multiple alerts.

Table 1 Recommended blocking policies

Alert Type

Defense Layer

Recommended Policy

HSS alerts

Server protection

VPC policies are recommended to block traffic.

WAF alerts

Application protection

WAF policies are recommended to block traffic.

CFW alerts

Network protection

CFW policies are recommended to block traffic.

IAM alerts

Identity authentication

IAM policies are recommended to block traffic.

OBS and DBSS alerts

Data protection

You can use VPC or CFW policies based on actual attack scenarios and investigation results to disconnect attack sources from protected resources.

This topic describes how to add or edit an emergency policy.

Limitations and Constraints

  • A maximum of 300 emergency policies that support block aging can be added for a single workspace you have. A maximum of 1,300 emergency policies can be added for a single workspace you have. Limits on blocked objects at a time are as follows:
    • When a policy needs to be delivered to CFW or WAF, each time a maximum of 50 IP addresses can be added for each account.
    • When a policy needs to be delivered to CFW, each time a maximum of 20 IP addresses can be added as blocked objects within 1 minute for each account.
    • When a policy needs to be delivered to IAM, each time a maximum of 50 IAM users can be added as blocked objects for each account.
  • If an IP address or IP address range or an IAM user is added to the blacklist, CFW/WAF/VPC/IAM will block requests from that IP address without checking whether the requests are malicious.
  • Once an emergency policy is added, its blocked object type and blocked objects, such as IP addresses, IP address ranges, or IAM user names, cannot be modified.

Prerequisites

If the blocked object is an IAM user, you need to create a SecMaster agency before adding an emergency policy. For details, see Creating a SecMaster Agency.

Adding an Emergency Policy

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  3. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 1 Workspace management page

  4. In the navigation pane on the left, choose Risk Prevention > Policy management. Then, click the Emergency strategy tab to go to the emergency policy page.

    Figure 2 Emergency Policies

  5. On the Emergency strategy page, click Add. The page for adding policies slides out from the right of the page.
  6. On the Add page, configure policy information.

    Table 2 Emergency policy parameters

    Parameter

    Description

    Blocked Object Type

    Type of the object you want to block. You can select IP or IAM.

    Block Object
    • If you select IP for Blocked Object Type, enter one or more IP addresses or IP address ranges you want to block. If there are multiple IP addresses or IP address ranges, separate them with commas (,).
    • If you select IAM for Blocked Object Type, enter IAM user names.
    • There are some restrictions on delivery of blocked objects:
      • When a policy needs to be delivered to CFW or WAF, each time a maximum of 50 IP addresses can be added for each account.
      • When a policy needs to be delivered to CFW, each time a maximum of 20 IP addresses can be added as blocked objects within 1 minute for each account.
      • When a policy needs to be delivered to IAM, each time a maximum of 50 IAM users can be added as blocked objects for each account.

    Label

    Label of a custom emergency policy.

    Operation Connection

    Select the operation connection for the policy.

    Block Aging

    Check whether the policy needs to be stopped.

    • If you select Yes, set the aging time of the policy. For example, if you set the aging time to 180 days, the policy is valid within 180 days after the setting. After 180 days, the IP address or IP address range will not be blocked.
    • If you select No, the policy is always valid and blocks the specified IP address or IP address range.

    Reason Description

    Description of the custom policy.

  7. Click OK.

Editing an Emergency Policy

Once an emergency policy is added, its blocked object type and blocked objects, such as IP addresses, IP address ranges, or IAM user names, cannot be modified.

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  3. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 3 Workspace management page

  4. In the navigation pane on the left, choose Risk Prevention > Policy management. Then, click the Emergency strategy tab to go to the emergency policy page.

    Figure 4 Emergency Policies

  5. On the emergency policy management page, locate the row that contains the policy you want to edit and click Edit in the Operation column.
  6. On the edit policy page, modify the policy information.

    Table 3 Editing an emergency policy

    Parameter

    Description

    Blocked Object Type

    After an emergency policy is added, its blocked object cannot be modified.

    Blocked Object

    After an emergency policy is added, its blocked object cannot be modified.

    Label

    Label of a custom emergency policy.

    Operation Connection

    Select the operation connection for the policy.

    Block Aging

    Check whether the policy needs to be stopped.

    • If you select Yes, set the aging time of the policy. For example, if you set the aging time to 180 days, the policy is valid within 180 days after the setting. After 180 days, the IP address or IP address range will not be blocked.
    • If you select No, the policy is always valid and blocks the specified IP address or IP address range.

    Reason Description

    Description of the custom policy.

  7. Click OK.

Creating a SecMaster Agency

If the blocked object is an IAM user, you need to create a SecMaster agency before adding an emergency policy. Perform the following steps:

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Management & Governance > Identity and Access Management.
  3. Add a custom policy.

    1. In the navigation pane on the left, choose Permissions > Policies/Roles. In the upper right corner of the displayed page, click Create Custom Policy.
    2. Configure a policy.
      • Policy Name: Enter a policy name.
      • Policy View: Select JSON.
      • Policy Content: Copy the following content and paste it in the text box.
        {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:users:updateUser"
            ]
        }
    ]
}
      1. Click OK.

  4. Create an agency.

    1. In the navigation pane on the left, choose Agencies. On the page displayed, click SecMaster_Agency. The Basic Information page of SecMaster_Agency is displayed by default.
    2. On the Permissions tab page, click Authorize.
    3. On the Select Policy/Role page, search for and select the policy added in 3 and click Next.
    4. Set the authorization scope. Select All resources for Scope. After the setting is complete, click OK.

Parent topic: Policy Management