# Alibaba Cloud Security Center Multi-Account Management and Baseline Report Export

Use aliyun CLI and Python scripts to manage multiple Alibaba Cloud accounts in a resource directory and batch-export Security Center baseline reports for each account.

## Prerequisites and Environment Setup

### 1. Install Alibaba Cloud CLI

```bash
# macOS
brew install aliyun-cli
# Or download from GitHub: https://github.com/aliyun/aliyun-cli/releases
```

Check credentials:

```bash
aliyun sts get-caller-identity
```

If the call fails, instruct the user to run and set up credentials (interactive step, must be completed by the user).
### 1.1 Configure AI mode and plugin mode (required)

This skill requires aliyun CLI plugin mode commands (kebab-case) and a fixed User-Agent declaration.

```bash
# Keep plugins up to date
aliyun plugin update
# Install required product plugins if missing
aliyun plugin install --names aliyun-cli-sts,aliyun-cli-sas
# Enable AI mode and set required UA segment
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent AlibabaCloud-Agent-Skills
# Optional checks / rollback
aliyun configure ai-mode show
aliyun configure ai-mode disable
```
### 2. Install Python ≥ 3.6

```bash
# Check version
python3 --version # Requires 3.6+, 3.9+ recommended
```

### 3. Create Virtual Environment and Install Dependencies

Create a virtual environment in and install dependencies declared in :

```bash
cd scripts/
# Option A: use venv
python3 -m venv .venv
.venv/bin/pip install -e .
# Option B: use uv (optional)
uv sync
# Option C: if current Python version is unsupported, install as system dependencies
pip install -r requirements.txt
```

### 4. Run Commands

All scripts must be executed with Python from the virtual environment (whether created via venv, uv, conda, etc.). This document uses in examples; replace it with your actual virtual environment path.

### Working Directory

and exported Excel files are saved in the agent's current working directory (the directory where the command is executed). Script files themselves are located in . Do not switch into the directory when running commands, or location may shift unexpectedly.

```bash
# Example: run from any directory
.venv/bin/python /path/to/scripts/accounts.py refresh
```
## Feature 1: Account Management ()

### Workflow

- First use: run to fetch the account list from the resource directory.
- Filter as needed: use to find target accounts and get the AccountId.
- Enable/disable control: use / to decide which accounts participate in batch export.

### Quick Start

#### Refresh account list

Fetch the latest account list from the Alibaba Cloud resource directory and write it to . Existing states are preserved; new accounts are enabled by default.
```bash
.venv/bin/python accounts.py refresh
```

#### List all accounts

```bash
.venv/bin/python accounts.py list
```

Sample output:

```text
1225574417218097 cwx [enabled]
1234567890123456 prod-account [disabled]
```

#### Search accounts

Fuzzy-search by DisplayName, returning AccountId and enable status.

```bash
.venv/bin/python accounts.py search cwx
.venv/bin/python accounts.py search prod
```

#### Enable / disable accounts

Control whether an account participates in subsequent batch exports.

```bash
.venv/bin/python accounts.py enable 1225574417218097
.venv/bin/python accounts.py disable 1234567890123456
```

### Structure

```json
[
  {
    "AccountId": "1225574417218097",
    "DisplayName": "cwx",
    "FolderId": "r-1Q4pqB",
    "IsMaAccount": "NO",
    "SasVersion": "0",
    "enable": true
  }
]
```
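As an added illustration of the account-list lifecycle described in this section (refresh preserving existing enable states, fuzzy search by DisplayName, enable/disable), the following Python is example code and not the skill's own accounts.py. The stored and freshly fetched lists are constructed samples; dropping accounts that no longer appear in the resource directory is an assumption, since the page does not say how they are treated.

```python
import json
import tempfile
from pathlib import Path

# Added example code modelling accounts.json handling; not the skill's accounts.py.


def refresh_accounts(existing, fetched):
    """Merge a freshly fetched account list into the stored one.

    - accounts already on file keep their current "enable" flag
    - accounts seen for the first time are enabled by default
    - accounts no longer returned by the resource directory are dropped
      (assumption: the page does not state how removed accounts are handled)
    """
    current = {acc["AccountId"]: acc for acc in existing}
    merged = []
    for acc in fetched:
        entry = dict(acc)
        prev = current.get(acc["AccountId"])
        entry["enable"] = prev["enable"] if prev is not None else True
        merged.append(entry)
    return merged


def search_accounts(accounts, term):
    """Case-insensitive substring match on DisplayName."""
    term = term.lower()
    return [(a["AccountId"], a["DisplayName"], a["enable"])
            for a in accounts if term in a["DisplayName"].lower()]


def set_enabled(accounts, account_id, enabled):
    """Flip the enable flag; an unknown id raises instead of silently passing."""
    for a in accounts:
        if a["AccountId"] == account_id:
            a["enable"] = enabled
            return a
    raise KeyError(f"unknown AccountId {account_id}")


def enabled_account_ids(accounts):
    """The accounts a batch export would include."""
    return [a["AccountId"] for a in accounts if a["enable"]]


def save(accounts, path):
    Path(path).write_text(json.dumps(accounts, indent=2), encoding="utf-8")


def load(path):
    p = Path(path)
    return json.loads(p.read_text(encoding="utf-8")) if p.exists() else []


# Constructed sample data: the stored file already holds one disabled account.
STORED = [
    {"AccountId": "1225574417218097", "DisplayName": "cwx", "FolderId": "r-1Q4pqB",
     "IsMaAccount": "NO", "SasVersion": "0", "enable": True},
    {"AccountId": "1234567890123456", "DisplayName": "prod-account", "FolderId": "r-1Q4pqB",
     "IsMaAccount": "NO", "SasVersion": "6", "enable": False},
]
# Constructed "fresh" list from the resource directory: one new account appeared.
FETCHED = [
    {"AccountId": "1225574417218097", "DisplayName": "cwx", "FolderId": "r-1Q4pqB",
     "IsMaAccount": "NO", "SasVersion": "0"},
    {"AccountId": "1234567890123456", "DisplayName": "prod-account", "FolderId": "r-1Q4pqB",
     "IsMaAccount": "NO", "SasVersion": "6"},
    {"AccountId": "1111222233334444", "DisplayName": "staging-account", "FolderId": "r-1Q4pqB",
     "IsMaAccount": "NO", "SasVersion": "6"},
]


def demo():
    """Round-trip: write the stored file, refresh it, reload it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "accounts.json"
        save(STORED, path)
        save(refresh_accounts(load(path), FETCHED), path)
        return load(path)


if __name__ == "__main__":
    for acc in demo():
        state = "enabled" if acc["enable"] else "disabled"
        print(f'{acc["AccountId"]} {acc["DisplayName"]} [{state}]')
```

Running the block prints the same `AccountId DisplayName [state]` lines as the `list` sample output above, with the disabled state of `prod-account` surviving the refresh and the new account enabled by default.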
## Feature 2: Batch Baseline Export ()

Launch export tasks concurrently for all accounts with . After polling completion, files are downloaded, extracted, and merged into a single Excel file.

### Workflow

- Concurrent submission: submit requests for all enabled accounts (QPS ≤ 5).
- Concurrent polling: poll for each account until export completes.
- Download and extract: download the zip and extract the xlsx.
- Merge output: merge all account xlsx files into one file via , appending a “Resource Directory Account” column.
- Cleanup temporary files: delete per-account temporary xlsx files after merge.
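The five workflow steps above, as an added offline model (this is example code, not the skill's baseline.py): a shared rate limiter keeps the combined submit and poll traffic of all threads at or below the stated QPS, each account is submitted, polled and downloaded on its own thread, free-edition accounts (`SasVersion` `"0"`) are skipped silently, and the per-account files are merged with a “Resource Directory Account” column and then deleted. The `FakeSasApi` class is a constructed stand-in for the aliyun CLI calls, and each report is a CSV inside the zip rather than an xlsx so the example needs no third-party package.

```python
import csv, io, tempfile, threading, time, zipfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

# Added example, not the skill's baseline.py: an offline model of the batch
# pipeline. FakeSasApi stands in for the aliyun CLI calls, and each report is a
# CSV inside the zip instead of an xlsx so no third-party package is needed.

class RateLimiter:
    """Spaces calls so all threads together stay within `qps` calls per second."""
    def __init__(self, qps):
        self.interval, self.lock, self.next_slot = 1.0 / qps, threading.Lock(), 0.0

    def wait(self):
        with self.lock:
            now = time.monotonic()
            slot = max(now, self.next_slot)
            self.next_slot = slot + self.interval
        time.sleep(max(0.0, slot - now))

class FakeSasApi:
    """Constructed stand-in: `accounts` maps AccountId -> {"SasVersion", "rows"}."""
    def __init__(self, accounts):
        self.accounts, self.polls, self.lock = accounts, {}, threading.Lock()

    def export(self, account):
        if self.accounts[account]["SasVersion"] == "0":
            return None  # free edition: no export task is created
        return f"task-{account}"

    def poll(self, task):
        with self.lock:  # every task reports success on its second poll
            self.polls[task] = self.polls.get(task, 0) + 1
            return "success" if self.polls[task] >= 2 else "running"

    def download(self, account):
        text = io.StringIO()
        csv.writer(text).writerows([["CheckItem", "Risk"]] + self.accounts[account]["rows"])
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(f"{account}.csv", text.getvalue())
        return buf.getvalue()

def export_one(api, limiter, account, workdir):
    """Submit, poll until done, download and extract; None means skipped."""
    limiter.wait()
    task = api.export(account)
    if task is None:
        return None
    while True:
        limiter.wait()
        if api.poll(task) == "success":
            break
    with zipfile.ZipFile(io.BytesIO(api.download(account))) as zf:
        name = next(n for n in zf.namelist() if n.endswith(".csv"))
        out = Path(workdir) / f"{account}.csv"
        out.write_bytes(zf.read(name))
    return out

def run_batch(api, accounts, workdir, qps=5):
    """Concurrent submit/poll for every account, then merge and clean up."""
    limiter = RateLimiter(qps)
    with ThreadPoolExecutor(max_workers=len(accounts)) as pool:
        parts = list(pool.map(lambda a: export_one(api, limiter, a, workdir), accounts))
    parts = [(a, p) for a, p in zip(accounts, parts) if p is not None]
    if not parts:
        return None  # all accounts skipped: no output file is written
    merged = Path(workdir) / "baseline-cspm-merged.csv"
    with merged.open("w", newline="") as f:
        writer = csv.writer(f)
        writer.writerow(["CheckItem", "Risk", "Resource Directory Account"])
        for account, path in parts:
            with path.open(newline="") as src:
                rows = list(csv.reader(src))[1:]  # drop the per-file header
            writer.writerows(row + [account] for row in rows)
            path.unlink()  # delete the per-account temporary file
    return merged

def limiter_elapsed(qps, calls):
    """Seconds taken by `calls` sequential waits; about (calls - 1) / qps."""
    limiter, start = RateLimiter(qps), time.monotonic()
    for _ in range(calls):
        limiter.wait()
    return time.monotonic() - start

ACCOUNTS = {  # constructed sample accounts and findings
    "1225574417218097": {"SasVersion": "0", "rows": []},
    "1234567890123456": {"SasVersion": "6", "rows": [["ECS-SG-22", "high"]]},
    "1111222233334444": {"SasVersion": "6", "rows": [["OSS-Public", "medium"], ["RAM-MFA", "low"]]},
}

def demo():
    """Run the model end to end; returns merged rows and leftover file names."""
    with tempfile.TemporaryDirectory() as tmp:
        merged = run_batch(FakeSasApi(ACCOUNTS), list(ACCOUNTS), tmp)
        with merged.open(newline="") as f:
            rows = list(csv.reader(f))
        leftovers = sorted(p.name for p in Path(tmp).iterdir())
    return rows, leftovers

if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

The limiter is shared by submission and polling because both count against the same API quota; a per-thread sleep would let five threads each issue five calls a second. The merged file is the only thing left in the work directory afterwards, matching the cleanup step.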
### Prerequisites

- has been executed and account enable/disable configuration is complete.
- aliyun CLI is configured with valid credentials and has SAS and permissions.
- Accounts must have Security Center purchased (free edition accounts are skipped automatically).

### Export cloud platform configuration check results (CSPM)

Export results for all enabled accounts and merge into `baseline-cspm-merged-{date}.xlsx`.

```bash
# Export for all enabled accounts
.venv/bin/python baseline.py export-cspm
# Export for one specific account
.venv/bin/python baseline.py export-cspm --account-id 1225574417218097
```

### Export system baseline risk list

Export risk list (high/medium/low, all statuses) for all enabled accounts and merge into `system-warning-merged-{date}.xlsx`.

```bash
# Export for all enabled accounts
.venv/bin/python baseline.py export-system-warning
# Export for one specific account
.venv/bin/python baseline.py export-system-warning --account-id 1225574417218097
```
### Output Files

| File | Description |
|---|---|
| `baseline-cspm-merged-{date}.xlsx` | Merged cloud platform configuration check results, including “Resource Directory Account” column |
| `system-warning-merged-{date}.xlsx` | Merged system baseline risk list, including “Resource Directory Account” column |

### Error Handling

| Scenario | Behavior |
|---|---|
| | Silently skip this account and continue others |
| / | Silently skip this account |
| Export failed (server-side error) | Print message and continue with other accounts |
| All accounts skipped | Print message and exit without output file |
## Feature 3: Batch Vulnerability Export ()

Launch vulnerability export tasks concurrently for all accounts with . Supports four vulnerability types. After polling completion, files are downloaded, extracted, and merged automatically.

### Workflow

- Concurrent submission: submit requests for all enabled accounts (QPS ≤ 5).
- Concurrent polling: poll `describe-vul-export-info --force` for each account until export completes.
- Download and extract: download the zip and extract the xlsx.
- Merge output: merge all account xlsx files into one file via , appending a “Resource Directory Account” column.
- Cleanup temporary files: delete per-account temporary xlsx files after merge.

When the current account is the same as the caller's primary account, `--ResourceDirectoryAccountId` is omitted automatically.

### Prerequisites

- has been executed and account enable/disable configuration is complete.
- aliyun CLI is configured with valid credentials and has SAS and permissions.
- Accounts must have Security Center purchased (free edition accounts are skipped automatically).
### Export Linux software vulnerabilities (CVE)

Export unresolved Linux software vulnerabilities (high/medium/low priority) for all enabled accounts and merge into `vul-cve-merged-{date}.xlsx`.

```bash
# Export for all enabled accounts
.venv/bin/python vuln.py export-cve
# Export for one specific account
.venv/bin/python vuln.py export-cve --account-id 1225574417218097
```

### Export Windows system vulnerabilities

Export unresolved Windows system vulnerabilities (high/medium/low priority) for all enabled accounts and merge into `vul-sys-merged-{date}.xlsx`.

```bash
.venv/bin/python vuln.py export-sys
.venv/bin/python vuln.py export-sys --account-id 1225574417218097
```

### Export application vulnerabilities (including SCA)

Export unresolved application vulnerabilities (ECS + container, including software composition analysis) for all enabled accounts and merge into `vul-app-merged-{date}.xlsx`.

```bash
.venv/bin/python vuln.py export-app
.venv/bin/python vuln.py export-app --account-id 1225574417218097
```

### Export emergency vulnerabilities

Export emergency vulnerabilities (at-risk status) for all enabled accounts and merge into `vul-emg-merged-{date}.xlsx`.

```bash
.venv/bin/python vuln.py export-emg
.venv/bin/python vuln.py export-emg --account-id 1225574417218097
```

### Output Files

| File | Description |
|---|---|
| `vul-cve-merged-{date}.xlsx` | Merged Linux software vulnerability list, including “Resource Directory Account” column |
| `vul-sys-merged-{date}.xlsx` | Merged Windows system vulnerability list, including “Resource Directory Account” column |
| `vul-app-merged-{date}.xlsx` | Merged application vulnerability list (including SCA), including “Resource Directory Account” column |
| `vul-emg-merged-{date}.xlsx` | Merged emergency vulnerability list, including “Resource Directory Account” column |
### Export Parameter Details

| Type | Parameters |
|---|---|
| | `--Type cve --Necessity asap,later,nntf --Dealed n` |
| | `--Type sys --Necessity asap,later,nntf --Dealed n` |
| | `--Type app --Necessity asap,later,nntf --AttachTypes sca --AssetType ECS,CONTAINER --Dealed n` |
| | `--Type emg --RiskStatus y --Dealed n` |
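To show how the parameter sets in the table above and the primary-account rule from the Workflow section combine into a concrete aliyun CLI invocation per account, here is an added Python example (not the skill's vuln.py). It reads the caller's AccountId from the JSON that `aliyun sts get-caller-identity` prints, builds one argument list per enabled, non-free-edition account, and leaves out `--ResourceDirectoryAccountId` when the target is the caller's own account. The plugin-mode command name `export-vul` is an assumption, and the identity document and account list are constructed samples.

```python
import json
import shlex

# Added example, not the skill's vuln.py. The command name "export-vul" is an
# assumption; the parameter sets are the ones from the table in this section.

EXPORT_PARAMS = {
    "cve": ["--Type", "cve", "--Necessity", "asap,later,nntf", "--Dealed", "n"],
    "sys": ["--Type", "sys", "--Necessity", "asap,later,nntf", "--Dealed", "n"],
    "app": ["--Type", "app", "--Necessity", "asap,later,nntf",
            "--AttachTypes", "sca", "--AssetType", "ECS,CONTAINER", "--Dealed", "n"],
    "emg": ["--Type", "emg", "--RiskStatus", "y", "--Dealed", "n"],
}


def caller_account_id(identity_json):
    """AccountId from the JSON printed by `aliyun sts get-caller-identity`."""
    return json.loads(identity_json)["AccountId"]


def build_export_argv(vul_type, account_id, caller_id, command="export-vul"):
    """Argument list for one export call; raises on an unknown type."""
    if vul_type not in EXPORT_PARAMS:
        raise ValueError(f"unknown vulnerability type {vul_type!r}")
    argv = ["aliyun", "sas", command, *EXPORT_PARAMS[vul_type]]
    if account_id != caller_id:  # omitted for the caller's own primary account
        argv += ["--ResourceDirectoryAccountId", account_id]
    return argv


def plan_batch(vul_type, accounts, caller_id):
    """One (AccountId, argv) per account that is enabled and not free edition."""
    return [(a["AccountId"], build_export_argv(vul_type, a["AccountId"], caller_id))
            for a in accounts if a["enable"] and a["SasVersion"] != "0"]


# Constructed sample input: caller identity JSON and an accounts.json snapshot.
IDENTITY = json.dumps({"AccountId": "1234567890123456"})
ACCOUNTS = [
    {"AccountId": "1225574417218097", "DisplayName": "cwx", "SasVersion": "0", "enable": True},
    {"AccountId": "1234567890123456", "DisplayName": "prod-account", "SasVersion": "6", "enable": True},
    {"AccountId": "1111222233334444", "DisplayName": "staging", "SasVersion": "6", "enable": False},
    {"AccountId": "5555666677778888", "DisplayName": "dev", "SasVersion": "6", "enable": True},
]

if __name__ == "__main__":
    caller = caller_account_id(IDENTITY)
    for account, argv in plan_batch("app", ACCOUNTS, caller):
        print(account, shlex.join(argv))
```

Keeping the parameters as argument lists rather than a formatted string means the values go to the CLI as separate argv entries, so no shell quoting is involved when the list is later passed to `subprocess.run`.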
### Error Handling

| Scenario | Behavior |
|---|---|
| | Silently skip this account and continue others |
| / | Silently skip this account |
| Export failed (server-side error) | Print message and continue with other accounts |
| All accounts skipped | Print message and exit without output file |

## Notes

- Scripts must run in a virtual environment. Examples use ; replace with your actual virtual environment path.
- Manage aliyun CLI credentials with ; do not hardcode AK/SK.
- SAS API supports only two endpoints: (China mainland) and (outside China mainland).