Back to Details

alibabacloud-dsc-audit

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Alibaba Cloud Data Security Center Risk Event Query and Handling

阿里云数据安全中心风险事件查询与处理

This skill uses Alibaba Cloud Python Common SDK (generic invocation) to query security risk events from the Data Security Center and handle them.
本skill使用阿里云Python通用SDK(通用调用)从数据安全中心查询安全风险事件并进行处理。

Architecture

架构

User → Python Common SDK → Data Security Center (Sddp) API
                              ├── DescribeRiskRules (Query risk events)
                              └── PreHandleAuditRisk (Handle risk events)
User → Python Common SDK → Data Security Center (Sddp) API
                              ├── DescribeRiskRules (查询风险事件)
                              └── PreHandleAuditRisk (处理风险事件)

Installation

安装

bash
pip3 install -r scripts/requirements.txt
Or install packages individually:
bash
pip3 install alibabacloud_tea_openapi==0.4.3 alibabacloud_credentials==1.0.8 alibabacloud_tea_util==0.3.14 alibabacloud_openapi_util==0.2.4
Pre-check: Aliyun CLI >= 3.3.1 required Run 
aliyun version
to verify >= 3.3.1. If not installed or version too low, see 
references/cli-installation-guide.md
for installation instructions. Then [MUST] run 
aliyun configure set --auto-plugin-install true
to enable automatic plugin installation.
bash
pip3 install -r scripts/requirements.txt
或者单独安装依赖包:
bash
pip3 install alibabacloud_tea_openapi==0.4.3 alibabacloud_credentials==1.0.8 alibabacloud_tea_util==0.3.14 alibabacloud_openapi_util==0.2.4
预检查:要求Aliyun CLI版本 >= 3.3.1 运行 
aliyun version
确认版本不低于3.3.1。如果未安装或版本过低,请查看 
references/cli-installation-guide.md
获取安装指引。 之后[必须]运行 
aliyun configure set --auto-plugin-install true
开启自动插件安装功能。

Authentication

身份认证

Pre-check: Alibaba Cloud Credentials Required
Security Rules:
  • NEVER read, echo, or print AK/SK values (e.g., 
    echo $ALIBABA_CLOUD_ACCESS_KEY_ID
    is FORBIDDEN)
  • NEVER ask the user to input AK/SK directly in the conversation or command line
  • NEVER use 
    aliyun configure set
    with literal credential values
  • ONLY use 
    aliyun configure list
    to check credential status
bash
aliyun configure list
Check the output for a valid profile (AK, STS, or OAuth identity).
If no valid profile exists, STOP here.
  1. Obtain credentials from Alibaba Cloud Console
  2. Configure credentials outside of this session (via 
    aliyun configure
    in terminal or environment variables in shell profile)
  3. Return and re-run after 
    aliyun configure list
    shows a valid profile
预检查:需要阿里云凭证
安全规则:
  • 严禁读取、回显或打印AK/SK的值(例如禁止执行 
    echo $ALIBABA_CLOUD_ACCESS_KEY_ID
  • 严禁要求用户在对话或命令行中直接输入AK/SK
  • 严禁
    aliyun configure set
    命令中使用明文凭证值
  • 仅允许使用 
    aliyun configure list
    检查凭证状态
bash
aliyun configure list
检查输出中是否存在有效的配置文件(AK、STS或OAuth身份)。
如果不存在有效配置文件,请停止后续操作。
  1. 阿里云控制台获取凭证
  2. 在本次会话之外配置凭证(通过终端的
    aliyun configure
    命令或shell配置文件中的环境变量配置)
  3. aliyun configure list
    显示有效配置文件后,返回重新执行操作

RAM Permissions

RAM权限

Before using this skill, ensure the current user has the required RAM permissions. For detailed permission lists and policy configurations, refer to references/ram-policies.md
使用本skill前,请确保当前用户具备所需的RAM权限。详细的权限列表和策略配置请参考 references/ram-policies.md

Parameter Confirmation

参数确认

IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters (e.g., RegionId, instance names, CIDR blocks, passwords, domain names, resource specifications, etc.) MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.
ParameterRequired/OptionalDescriptionDefault
CurrentPage
OptionalCurrent page number1
PageSize
OptionalRecords per page10
HandleStatus
OptionalProcessing status, PROCESSED means handled, UNPROCESSED means not handledUNPROCESSED
RiskId
Required for handlingRisk event ID-
HandleDetail
Required for handlingHandling details description-
重要提示:参数确认 — 在执行任何命令或API调用前,所有用户可自定义参数(例如RegionId、实例名称、CIDR块、密码、域名、资源规格等)必须与用户确认。未经用户明确同意,不得假设或使用默认值。
参数必填/可选描述默认值
CurrentPage
可选当前页码1
PageSize
可选每页记录数10
HandleStatus
可选处理状态,PROCESSED表示已处理,UNPROCESSED表示未处理UNPROCESSED
RiskId
处理操作必填风险事件ID-
HandleDetail
处理操作必填处理详情描述-

Core Workflow

核心工作流

Step 1: Query Unprocessed Security Risk Events

步骤1:查询未处理安全风险事件

Use the 
scripts/query_risk.py
script to query unprocessed security risk events. This is a paginated API that returns the first 20 records by default.
bash
python3 scripts/query_risk.py
Example output:
Found 31 unprocessed security risk events
================================================================================
Risk ID: 75110196
Rule Name: jiangyu_test_mysqldump
Risk Level: High Risk
Product Type: RDS
Alert Count: 20
Asset Count: 2
Rule Category: Database Dump Attack
--------------------------------------------------------------------------------
使用 
scripts/query_risk.py
脚本查询未处理的安全风险事件。这是一个分页API,默认返回前20条记录。
bash
python3 scripts/query_risk.py
输出示例:
Found 31 unprocessed security risk events
================================================================================
Risk ID: 75110196
Rule Name: jiangyu_test_mysqldump
Risk Level: High Risk
Product Type: RDS
Alert Count: 20
Asset Count: 2
Rule Category: Database Dump Attack
--------------------------------------------------------------------------------

Query Result Field Descriptions

查询结果字段说明

The query results return the following key fields. Risk Event ID (RiskId) is a required parameter for handling:
FieldDescription
RiskIdRisk event ID, required for handling
RuleNameRule name
WarnLevelNameRisk level (High Risk/Medium Risk/Low Risk)
ProductCodeProduct type (RDS/OSS, etc.)
AlarmCountAlert count
InstanceCountNumber of affected assets
FirstAlarmTimeFirst discovery time
LastAlarmTimeLast discovery time
查询结果返回以下核心字段。风险事件ID(RiskId)是处理操作的必填参数
字段描述
RiskId风险事件ID,处理操作必填
RuleName规则名称
WarnLevelName风险等级(高风险/中风险/低风险)
ProductCode产品类型(RDS/OSS等)
AlarmCount告警次数
InstanceCount受影响资产数量
FirstAlarmTime首次发现时间
LastAlarmTime最近发现时间

Step 2: Handle Security Risk Events

步骤2:处理安全风险事件

Use the 
scripts/handle_risk.py
script to handle specified risk events.
bash
python3 scripts/handle_risk.py <RiskID> <HandleDetail>
Example:
bash
python3 scripts/handle_risk.py 75110196 "Confirmed as false positive, closing this alert"
Example output:
Handling risk event...
Risk ID: 75110196
Handle Detail: Confirmed as false positive, closing this alert
--------------------------------------------------
✅ Handling successful!
RequestId: C34D813F-A234-5D66-842D-504D84D5C680
使用 
scripts/handle_risk.py
脚本处理指定的风险事件。
bash
python3 scripts/handle_risk.py <RiskID> <HandleDetail>
示例:
bash
python3 scripts/handle_risk.py 75110196 "确认是误报,关闭本次告警"
输出示例:
Handling risk event...
Risk ID: 75110196
Handle Detail: Confirmed as false positive, closing this alert
--------------------------------------------------
✅ 处理成功!
RequestId: C34D813F-A234-5D66-842D-504D84D5C680

Handling Parameter Descriptions

处理参数说明

ParameterDescription
RiskId
Risk event ID, obtained from 
DescribeRiskRules
API
HandleType
Handling type, fixed as 
Manual
(manual handling)
HandleMethod
Handling method, fixed as 
0
HandleDetail
Handling details, requires user to input specific handling description
参数描述
RiskId
风险事件ID,从
DescribeRiskRules
API获取
HandleType
处理类型,固定为
Manual
(手动处理)
HandleMethod
处理方式,固定为
0
HandleDetail
处理详情,需要用户输入具体的处理说明

Success Verification

成功验证

Verify Query Operation

查询操作验证

  1. After executing the query code, check if the returned 
    statusCode
    is 
    200
  2. Check if the returned 
    body
    contains the 
    Items
    list
  3. Verify that 
    TotalCount
    matches the actual number of returned records
  1. 执行查询代码后,检查返回的
    statusCode
    是否为
    200
  2. 检查返回的
    body
    中是否包含
    Items
    列表
  3. 验证
    TotalCount
    与实际返回的记录数一致

Verify Handling Operation

处理操作验证

  1. After executing the handling code, check if the returned 
    statusCode
    is 
    200
  2. Call 
    DescribeRiskRules
    again to query the 
    RiskId
    and confirm the status has changed
  1. 执行处理代码后,检查返回的
    statusCode
    是否为
    200
  2. 再次调用
    DescribeRiskRules
    查询该
    RiskId
    ,确认状态已变更

Cleanup

清理

This skill is primarily used for query and handling operations, does not involve resource creation, and requires no cleanup.
本skill主要用于查询和处理操作,不涉及资源创建,无需清理。

API and Command Reference

API与命令参考

ProductAPI ActionScriptDescription
SddpDescribeRiskRules
scripts/query_risk.py
Query security risk events
SddpPreHandleAuditRisk
scripts/handle_risk.py
Handle security risk events
产品API动作脚本描述
SddpDescribeRiskRules
scripts/query_risk.py
查询安全风险事件
SddpPreHandleAuditRisk
scripts/handle_risk.py
处理安全风险事件

Script Usage

脚本使用说明

ScriptUsageDescription
query_risk.py
python3 scripts/query_risk.py
Execute directly, no parameters required
handle_risk.py
python3 scripts/handle_risk.py <RiskID> <HandleDetail>
Requires Risk ID and handling description
For detailed API information, refer to references/related-apis.md
脚本用法描述
query_risk.py
python3 scripts/query_risk.py
直接执行,无需参数
handle_risk.py
python3 scripts/handle_risk.py <RiskID> <HandleDetail>
需要传入风险ID和处理说明
详细的API信息请参考 references/related-apis.md

Best Practices

最佳实践

  1. Paginated Query: When using paginated APIs, increment the 
    CurrentPage
    parameter until all records are retrieved
  2. Record RiskId: The 
    RiskId
    in query results is a required parameter for handling operations, make sure to record it
  3. Handle Description: Provide a clear 
    HandleDetail
    description when handling for subsequent auditing
  4. Error Handling: Implement retry mechanisms for temporary errors like 
    Throttling
  5. Credential Security: Use 
    CredentialClient
    to manage credentials, do not hardcode AK/SK
  1. 分页查询:使用分页API时,递增
    CurrentPage
    参数直到获取全部记录
  2. 记录RiskId:查询结果中的
    RiskId
    是处理操作的必填参数,请务必记录
  3. 处理说明:处理时提供清晰的
    HandleDetail
    描述,方便后续审计
  4. 错误处理:针对
    Throttling
    等临时错误实现重试机制
  5. 凭证安全:使用
    CredentialClient
    管理凭证,不要硬编码AK/SK

Reference Links

参考链接

Reference DocumentDescription
references/related-apis.mdAPI detailed documentation
references/ram-policies.mdRAM permission configuration
references/cli-installation-guide.mdCLI installation guide
references/acceptance-criteria.mdAcceptance criteria
Generic Invocation DocumentationAlibaba Cloud Python SDK generic invocation documentation
参考文档描述
references/related-apis.mdAPI详细文档
references/ram-policies.mdRAM权限配置
references/cli-installation-guide.mdCLI安装指南
references/acceptance-criteria.md验收标准
通用调用文档阿里云Python SDK通用调用文档

Important Notes

重要注意事项

Warning: This skill only uses the Data Security Center's 
DescribeRiskRules
and 
PreHandleAuditRisk
APIs. If these two APIs cannot be found, report an error. Do NOT call other OpenAPIs without authorization. Do not use Alibaba Cloud CLI tools to call APIs.
警告:本skill使用数据安全中心的
DescribeRiskRules
PreHandleAuditRisk
API。如果找不到这两个API,请上报错误。未经授权请勿调用其他OpenAPI。请勿使用阿里云CLI工具调用API。