Account Risk Control Workbench
Scenarios
The account risk control workbench displays the overall identity security risk status through three modules: Access Key Leak, Unsafe Settings, and Alerts.
- Access Key Leak: SecMaster collects statistics on AK and SK leakage risks by analyzing attack data. The data is sourced from recorded AK and SK leakage incidents on the Attacks tab within the Alerts module.
- Unsafe Settings: SecMaster collects statistics on unsafe baseline settings of Account, IAM, and Agency resources.
- Alerts: SecMaster collects statistics on the alert or attack type distribution from the identity defense line on the Alerts module, unhandled incidents converted from identity defense line alerts, and the number of visitor IP addresses in CTS logs.
Prerequisites
- Access Key Leak: SecMaster collects statistics on AK and SK leakage risks by analyzing attack data. The data is sourced from recorded AK and SK leakage alerts on the Attacks tab within the Alerts module. The data source also includes the alerts generated due to AK and SK leakage in GitHub, OBS, and RDS.
- Alerts generated due to AK and SK leakage in OBS and RDS: To use this function, you need to enable the DSC service and the auto alert conversion of DSC logs on the SecMaster console. For details about how to connect DSC alarm logs to SecMaster, see Enabling Log Access.
- Alerts generated due to AK/SK leakage in GitHub:
- SecMaster requires the iam:credentials:listCredentials (for querying all permanent access keys) and iam:users:listUsers (for querying the user list) permissions to query keys. For details about how to view the SecMaster agency, see Checking the Agency Authorization. If SecMaster does not have the iam:credentials:listCredentials or iam:users:listUsers permission, create an agency by referring to (Optional) Creating an Agency.
- You also need to enable the Access Key Leak playbook. This playbook scans GitHub at 00:00 every day for leaked AK/SK pairs. If there are leaked AK/SK pairs, SecMaster automatically adds an attack alert of the AK/SK risk type. For more details about the playbook, see Abnormal AccessKey Leakage Risk Scanning.
- Only SecMaster professional edition supports this function.
- The Access Key Leak module depends on Data Security Center (DSC). To use this function, ensure that the Large Model Data Security Protection you purchased in DSC is still valid. For details about how to buy DSC, see Buying DSC.
- To use the Alerts module, you need to enable SecMaster professional edition.
- To use the Alerts and Top 10 Visitor IP Addresses modules, you need to enable Account risk control logs and Auto Alert Conversion for SecMaster on the Cloud Service Access page.
Checking the Agency Authorization
- Log in to the SecMaster console.
- Click the icon in the upper left corner of the page and choose Management & Governance > Identity and Access Management.
- In the navigation pane on the left, choose Agencies. On the page displayed, click SecMaster_Agency. The Basic Information page of SecMaster_Agency is displayed by default.
- Click the Permissions tab and view the permissions granted to SecMaster. If the iam:credentials:listCredentials (for querying all permanent access keys) and iam:users:listUsers (for querying the user list) permissions are included, you do not need to add agency authorization. Otherwise, grant the permissions by referring to (Optional) Creating an Agency.
(Optional) Creating an Agency
SecMaster needs to obtain the iam:credentials:listCredentials (for querying all permanent access keys) and iam:users:listUsers (for querying the user list) permissions to query keys. You need to create an agency for SecMaster.
- Log in to the SecMaster console.
- Click the icon in the upper left corner of the page and choose Management & Governance > Identity and Access Management.
- Add a custom policy.
- In the navigation pane on the left, choose Permissions > Policies/Roles. In the upper right corner of the displayed page, click Create Custom Policy.
- Configure the policy.
- Policy Name: Enter a policy name.
- Policy View: Select JSON.
- Policy Content: Copy the following content and paste it in the text box.
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:credentials:listCredentials",
                "iam:users:listUsers"
            ]
        }
    ]
}
- Click OK.
- Authorize the agency.
- In the navigation pane on the left, choose Agencies. On the page displayed, click SecMaster_Agency. The Basic Information page of SecMaster_Agency is displayed by default.
- On the Permissions tab, click Authorize.
- On the Select Policy/Role page, search for and select the custom policy you created in the Add a custom policy step, and click Next.
- Set the authorization scope. Select All resources for Scope. After the setting is complete, click OK.
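As an added check that is not part of the SecMaster documentation or product, the following Python verifies that a policy document in the shape shown above grants exactly the two read-only IAM actions SecMaster needs and nothing wider. It parses the Version 1.1 policy JSON, collects the actions from Allow statements, reports any required action that is not covered (wildcards such as iam:* count as covering it), and reports any grant that exceeds the two actions, which is the least-privilege question a reviewer asks before attaching the policy to SecMaster_Agency. The policy text is the one from the steps above; the helper names and the constructed over-broad and incomplete policies are this example's own.

```python
import json
import fnmatch

# The two actions the page says SecMaster needs for key scanning.
REQUIRED_ACTIONS = {
    "iam:credentials:listCredentials",  # query all permanent access keys
    "iam:users:listUsers",              # query the user list
}

# Policy document from the procedure above (Version 1.1 format).
SECMASTER_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:credentials:listCredentials", "iam:users:listUsers"],
        }
    ],
})

# Constructed counter-examples for the checker (not from the page).
OVERBROAD_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["iam:*"]}],
})
INCOMPLETE_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": "iam:users:listUsers"}],
})


def allowed_actions(policy_json: str) -> set:
    """Collect every action pattern granted by an Allow statement."""
    policy = json.loads(policy_json)
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):       # a single action may be a bare string
            actions = [actions]
        granted.update(actions)
    return granted


def covered(action: str, patterns: set) -> bool:
    """True if some granted pattern (possibly containing '*') matches the action."""
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in patterns)


def check_policy(policy_json: str) -> dict:
    """Report required actions that are missing and grants wider than required.

    'excess' lists every granted pattern that is not literally one of the two
    required actions: an unrelated action or a wildcard that also matches them.
    """
    granted = allowed_actions(policy_json)
    missing = sorted(a for a in REQUIRED_ACTIONS if not covered(a, granted))
    excess = sorted(p for p in granted if p not in REQUIRED_ACTIONS)
    return {"missing": missing, "excess": excess, "ok": not missing and not excess}


if __name__ == "__main__":
    for name, doc in [("page policy", SECMASTER_POLICY),
                      ("over-broad", OVERBROAD_POLICY),
                      ("incomplete", INCOMPLETE_POLICY)]:
        print(name, check_policy(doc))
```

Run it against the JSON you are about to paste into the Policy Content box: the page's policy reports ok, a wildcard grant reports no missing actions but an excess entry, and a policy that only lists users reports the credentials action as missing.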
Viewing the Identity Security Panel on the Account Risk Control Workbench
- Log in to the SecMaster console.
- Click the icon in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Workspace management page
- In the navigation pane on the left, choose . The Identity Security Panel page is displayed.
- Check identity risks on the Identity Security Panel page. The following table shows the details.
Table 1 Parameters on the Identity Security Panel page
Module: Access Key Leak
This module shows the AK and SK leakage alerts recorded on the Attacks tab within the Alerts module.
SecMaster collects statistics on AK and SK leakage risks by analyzing attack data recorded on the Attacks tab within the Alerts module. The data source includes the alerts generated due to AK and SK leakage in GitHub, OBS, and RDS. For details about the prerequisites, see Prerequisites.
You can check the following details on the Access Key Leak module:
- Alert Name
- Status
- AccessKey
- Username
- User ID
- Account Name
- Account ID and other information
You can click View Details in the upper right corner of the module to go to the Alerts tab and view more details.
If the conditions are met and no data is displayed in the Access Key Leak area, there are no leaked AKs or SKs under your accounts.
Module: Unsafe Settings
The Unsafe Settings area displays baseline risks for Account, IAM User, and Agency resources in all compliance packs on the Baseline Inspection page under the Risk Prevention module.
- High-Priority Risks: collects statistics on the following risks based on check items.
- Unhandled Risks: shows the number of failed, to-be-checked, and check-failed check items whose resource type is Account, IAM User, or Agency. Only five unhandled risks are displayed in the check item list, sorted by risk level and latest scan time.
- Critical: shows the number of failed, to-be-checked, and check-failed check items whose Severity is Critical and resource type is Account, IAM User, or Agency.
- High: shows the number of failed, to-be-checked, and check-failed check items whose Severity is High and resource type is Account, IAM User, or Agency.
- Affected Resources: shows statistics on the distribution of resources affected by failed, to-be-checked, and check-failed check items whose resource type is Account, IAM User, or Agency.
- Risks By Severity: shows the number of failed, to-be-checked, and check-failed check items by risk severity (critical, high, medium, low, and informational) for the Account, IAM User, and Agency resource types.
- Baseline Compliance Trend: shows the compliance trends over time for Account, IAM User, and Agency resources. You will see the total number of check items and the number that passed.
To view more details, you can click View Details in the upper right corner of the baseline risk module to go to the Check Result tab under the Baseline Inspection page.
Module: Alerts
SecMaster collects statistics on the alert or attack type distribution from the identity defense line on the Alerts module, unhandled critical or high-risk incidents converted from identity defense line alerts, and the number of visitor IP addresses in CTS logs.
- Alert Handling
- Log: shows the number of access times in CTS logs.
- Alerts: shows the number of unhandled alerts and attacks from the identity defense layer on the Alerts page.
- Incidents: shows the total number of unhandled incidents converted from alerts on the Alerts page for the identity defense layer.
- Top 10 Visitor IP Addresses
- IP: shows the top 10 IP addresses that have the most access times recorded in CTS logs.
- Geolocation: shows the geographical locations of the top 10 IP addresses that have the most access times recorded in CTS logs.
- Alert Distribution: shows the distribution of unhandled alerts and attacks on the Alerts page for the identity defense layer.
- Incident Risks
- Unhandled Risks: shows the total number of unhandled incidents converted from alerts on the Alerts page for the identity defense layer. The incident list displays only five risk items. Incidents are sorted by severity and creation time. Incidents with higher severity and those created recently are displayed first.
- Critical: shows the number of unhandled incidents that are converted from alerts for the identity defense layer and whose Severity is Critical.
- High: shows the number of unhandled incidents that are converted from alerts for the identity defense layer and whose Severity is High.
- MITRE Statistics Distribution: shows the number of unhandled alerts and attacks reported from the identity defense layer to the Alerts page under the Threats module, sorted by MITRE ATT&CK tactic.
To view more details, you can click View Details in the upper right corner of the module to go to the Alerts tab under the Alerts page.
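The Log count and Top 10 Visitor IP Addresses figures above are derived from CTS logs. As an added example that is not SecMaster's own code, the following Python reproduces those two numbers offline from a handful of constructed CTS-style trace records: it parses JSON lines (skipping malformed ones), counts total access times, and ranks source IPs by access count, also noting how many distinct users each IP was seen for. The record field names source_ip and user are assumptions made for this example, not a CTS schema.

```python
import json
from collections import Counter, defaultdict

# Constructed CTS-style trace records as JSON lines (not real CTS output).
# Field names "source_ip" and "user" are assumed for this example.
SAMPLE_CTS_LOG = """\
{"source_ip": "203.0.113.10", "user": "alice", "trace_name": "login"}
{"source_ip": "203.0.113.10", "user": "alice", "trace_name": "listUsers"}
{"source_ip": "198.51.100.7", "user": "bob", "trace_name": "login"}
{"source_ip": "203.0.113.10", "user": "carol", "trace_name": "login"}
{"source_ip": "192.0.2.25", "user": "bob", "trace_name": "createAccessKey"}
{"source_ip": "198.51.100.7", "user": "bob", "trace_name": "listCredentials"}
{"source_ip": "198.51.100.7", "user": "bob", "trace_name": "logout"}
this line is not JSON and is skipped
"""


def parse_traces(raw: str) -> list:
    """Parse JSON-lines trace records, dropping blank and malformed lines."""
    traces = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            traces.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed record must not abort the statistics
    return traces


def access_count(traces: list) -> int:
    """Number of access times: one per trace record (the Log figure)."""
    return len(traces)


def top_visitor_ips(traces: list, n: int = 10) -> list:
    """Rank source IPs by access times, highest first; ties break on the IP string.

    Returns (ip, access_times, distinct_users) tuples for the top n IPs.
    """
    hits = Counter()
    users = defaultdict(set)
    for trace in traces:
        ip = trace.get("source_ip")
        if not ip:
            continue  # records without a source IP cannot be attributed
        hits[ip] += 1
        if trace.get("user"):
            users[ip].add(trace["user"])
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, count, len(users[ip])) for ip, count in ranked[:n]]


if __name__ == "__main__":
    traces = parse_traces(SAMPLE_CTS_LOG)
    print("access times:", access_count(traces))
    for ip, count, distinct in top_visitor_ips(traces):
        print(f"{ip:16} {count:3} accesses  {distinct} user(s)")
```

With the constructed records, seven traces are counted, and two IPs tie at three accesses; the distinct-user column shows which of them was used by more than one identity, which is the detail you would look for next on the Alerts tab.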