alibabacloud-sas-multiaccount-manage


# Alibaba Cloud Security Center Multi-Account Management and Baseline Report Export

Use the aliyun CLI and Python scripts to manage multiple Alibaba Cloud accounts in a resource directory and batch-export Security Center baseline reports for each account.

## Prerequisites and Environment Setup

### 1. Install Alibaba Cloud CLI

```bash
# macOS
brew install aliyun-cli
```

Check credentials:

```bash
aliyun sts get-caller-identity
```

If the call fails, instruct the user to run `aliyun configure` and set up credentials (this is an interactive step that must be completed by the user).

#### 1.1 Configure AI mode and plugin mode (required)

This skill requires aliyun CLI plugin-mode commands (kebab-case) and a fixed User-Agent declaration.

```bash
# Keep plugins up to date
aliyun plugin update

# Install required product plugins if missing
aliyun plugin install --names aliyun-cli-sts,aliyun-cli-sas

# Enable AI mode and set the required UA segment
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent AlibabaCloud-Agent-Skills

# Optional checks / rollback
aliyun configure ai-mode show
aliyun configure ai-mode disable
```

### 2. Install Python ≥ 3.6

```bash
# Check version
python3 --version   # Requires 3.6+, 3.9+ recommended
```

### 3. Create Virtual Environment and Install Dependencies

Create a virtual environment in `<skill-path>/scripts/` and install the dependencies declared in `pyproject.toml`:

```bash
cd scripts/

# Option A: use venv
python3 -m venv .venv
.venv/bin/pip install -e .

# Option B: use uv (optional)
uv sync

# Option C: if the current Python version is unsupported, install as system dependencies
pip install -r requirements.txt
```

### 4. Run Commands

All scripts must be executed with the Python interpreter from the virtual environment (whether created via venv, uv, conda, etc.). This document uses `.venv/bin/python` in examples; replace it with your actual virtual environment path.

### Working Directory

`accounts.json` and the exported Excel files are saved in the agent's current working directory (the directory where the command is executed). The script files themselves are located in `<skill-path>/scripts/`. Do not switch into the `scripts` directory when running commands, or the `accounts.json` location may shift unexpectedly.

```bash
# Example: run from any directory
.venv/bin/python /path/to/scripts/accounts.py refresh
```

## Feature 1: Account Management (`accounts.py`)

### Workflow

1. First use: run `refresh` to fetch the account list from the resource directory.
2. Filter as needed: use `search` to find target accounts and get their AccountId.
3. Enable/disable control: use `enable` / `disable` to decide which accounts participate in batch export.

### Quick Start

#### Refresh account list

Fetch the latest account list from the Alibaba Cloud resource directory and write it to `accounts.json`. Existing `enable` states are preserved; new accounts are enabled by default.

```bash
.venv/bin/python accounts.py refresh
```

#### List all accounts

```bash
.venv/bin/python accounts.py list
```

Sample output:

```
1225574417218097    cwx                     [enabled]
1234567890123456    prod-account            [disabled]
```

#### Search accounts

Fuzzy-search by DisplayName, returning AccountId and enable status.

```bash
.venv/bin/python accounts.py search cwx
.venv/bin/python accounts.py search prod
```

#### Enable / disable accounts

Control whether an account participates in subsequent batch exports.

```bash
.venv/bin/python accounts.py enable 1225574417218097
.venv/bin/python accounts.py disable 1234567890123456
```

### `accounts.json` Structure

```json
[
  {
    "AccountId": "1225574417218097",
    "DisplayName": "cwx",
    "FolderId": "r-1Q4pqB",
    "IsMaAccount": "NO",
    "SasVersion": "0",
    "enable": true
  }
]
```
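The refresh / search / enable behaviour described above, as an added example that is not the project's own `accounts.py`; it operates on the `accounts.json` layout shown and assumes the fetched listing is already a list of dicts with the same keys minus `enable`.

```python
# Added example (not the project's own accounts.py): the refresh / search /
# enable logic the README describes, over the accounts.json layout shown above.
import json
from pathlib import Path

# accounts.json is resolved against the caller's current working directory,
# not the script's location, as the "Working Directory" section requires.
ACCOUNTS_FILE = Path.cwd() / "accounts.json"


def refresh(existing, fetched):
    """Merge a fresh listing: keep old `enable` flags, default new accounts to enabled."""
    old_state = {a["AccountId"]: a.get("enable", True) for a in existing}
    merged = []
    for acct in fetched:  # accounts that vanished from the directory are dropped
        row = dict(acct)
        row["enable"] = old_state.get(acct["AccountId"], True)
        merged.append(row)
    return merged


def search(accounts, needle):
    """Case-insensitive substring match on DisplayName -> [(AccountId, enable)]."""
    needle = needle.lower()
    return [(a["AccountId"], a["enable"]) for a in accounts
            if needle in a["DisplayName"].lower()]


def set_enabled(accounts, account_id, flag):
    """Toggle one account's participation in batch exports; False if not found."""
    for a in accounts:
        if a["AccountId"] == account_id:
            a["enable"] = flag
            return True
    return False


# Constructed sample data mirroring the structure above (not real accounts).
SAVED = [{"AccountId": "1234567890123456", "DisplayName": "prod-account",
          "FolderId": "r-1Q4pqB", "IsMaAccount": "NO", "SasVersion": "0",
          "enable": False}]
FETCHED = [{k: v for k, v in SAVED[0].items() if k != "enable"},
           {"AccountId": "1225574417218097", "DisplayName": "cwx",
            "FolderId": "r-1Q4pqB", "IsMaAccount": "NO", "SasVersion": "0"}]

if __name__ == "__main__":
    accounts = refresh(SAVED, FETCHED)
    ACCOUNTS_FILE.write_text(json.dumps(accounts, indent=2))
    for aid, on in search(accounts, "cwx"):
        print(aid, "[enabled]" if on else "[disabled]")
```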

## Feature 2: Batch Baseline Export (`baseline.py`)

Launch export tasks concurrently for all accounts with `enable=true`. After polling for completion, the files are downloaded, extracted, and merged into a single Excel file.

### Workflow

1. Concurrent submission: submit `export-record` requests for all enabled accounts (QPS ≤ 5).
2. Concurrent polling: poll `describe-export-info` for each account until the export completes.
3. Download and extract: download the zip and extract the xlsx.
4. Merge output: merge all account xlsx files into one file via `merge.py`, appending a “Resource Directory Account” column.
5. Cleanup temporary files: delete the per-account temporary xlsx files after the merge.

### Prerequisites

- `accounts.py refresh` has been executed and the account enable/disable configuration is complete.
- The aliyun CLI is configured with valid credentials and has the SAS `export-record` and `describe-export-info` permissions.
- Accounts must have Security Center purchased (free edition accounts are skipped automatically).

### Export cloud platform configuration check results (CSPM)

Export `baselineCspm` results for all enabled accounts and merge them into `baseline-cspm-merged-{date}.xlsx`.

```bash
# Export for all enabled accounts
.venv/bin/python baseline.py export-cspm

# Export for one specific account
.venv/bin/python baseline.py export-cspm --account-id 1225574417218097
```

### Export system baseline risk list

Export the `exportHcWarning` risk list (high/medium/low, all statuses) for all enabled accounts and merge it into `system-warning-merged-{date}.xlsx`.

```bash
# Export for all enabled accounts
.venv/bin/python baseline.py export-system-warning

# Export for one specific account
.venv/bin/python baseline.py export-system-warning --account-id 1225574417218097
```

### Output Files

| File | Description |
|---|---|
| `baseline-cspm-merged-{date}.xlsx` | Merged cloud platform configuration check results, including a “Resource Directory Account” column |
| `system-warning-merged-{date}.xlsx` | Merged system baseline risk list, including a “Resource Directory Account” column |

### Error Handling

| Scenario | Behavior |
|---|---|
| `FreeVersionNotPermit` | Silently skip this account and continue with the others |
| `NoPermission` / `Forbidden` | Silently skip this account |
| Export failed (server-side error) | Print a `[failed]` message and continue with the other accounts |
| All accounts skipped | Print a message and exit without producing an output file |

## Feature 3: Batch Vulnerability Export (`vuln.py`)

Launch vulnerability export tasks concurrently for all accounts with `enable=true`. Four vulnerability types are supported. After polling for completion, the files are downloaded, extracted, and merged automatically.

### Workflow

1. Concurrent submission: submit `export-vul --force` requests for all enabled accounts (QPS ≤ 5).
2. Concurrent polling: poll `describe-vul-export-info --force` for each account until the export completes.
3. Download and extract: download the zip and extract the xlsx.
4. Merge output: merge all account xlsx files into one file via `merge.py`, appending a “Resource Directory Account” column.
5. Cleanup temporary files: delete the per-account temporary xlsx files after the merge.

When the current account is the same as the caller's primary account, `--ResourceDirectoryAccountId` is omitted automatically.

### Prerequisites

- `accounts.py refresh` has been executed and the account enable/disable configuration is complete.
- The aliyun CLI is configured with valid credentials and has the SAS `export-vul` and `describe-vul-export-info` permissions.
- Accounts must have Security Center purchased (free edition accounts are skipped automatically).

### Export Linux software vulnerabilities (CVE)

Export unresolved Linux software vulnerabilities (high/medium/low priority) for all enabled accounts and merge them into `vul-cve-merged-{date}.xlsx`.

```bash
# Export for all enabled accounts
.venv/bin/python vuln.py export-cve

# Export for one specific account
.venv/bin/python vuln.py export-cve --account-id 1225574417218097
```

### Export Windows system vulnerabilities

Export unresolved Windows system vulnerabilities (high/medium/low priority) for all enabled accounts and merge them into `vul-sys-merged-{date}.xlsx`.

```bash
# Export for all enabled accounts
.venv/bin/python vuln.py export-sys

# Export for one specific account
.venv/bin/python vuln.py export-sys --account-id 1225574417218097
```

### Export application vulnerabilities (including SCA)

Export unresolved application vulnerabilities (ECS + container, including software composition analysis) for all enabled accounts and merge them into `vul-app-merged-{date}.xlsx`.

```bash
# Export for all enabled accounts
.venv/bin/python vuln.py export-app

# Export for one specific account
.venv/bin/python vuln.py export-app --account-id 1225574417218097
```

### Export emergency vulnerabilities

Export emergency vulnerabilities (at-risk status) for all enabled accounts and merge them into `vul-emg-merged-{date}.xlsx`.

```bash
# Export for all enabled accounts
.venv/bin/python vuln.py export-emg

# Export for one specific account
.venv/bin/python vuln.py export-emg --account-id 1225574417218097
```

### Output Files

| File | Description |
|---|---|
| `vul-cve-merged-{date}.xlsx` | Merged Linux software vulnerability list, including a “Resource Directory Account” column |
| `vul-sys-merged-{date}.xlsx` | Merged Windows system vulnerability list, including a “Resource Directory Account” column |
| `vul-app-merged-{date}.xlsx` | Merged application vulnerability list (including SCA), including a “Resource Directory Account” column |
| `vul-emg-merged-{date}.xlsx` | Merged emergency vulnerability list, including a “Resource Directory Account” column |

### Export Parameter Details

| Type | `export-vul` parameters |
|---|---|
| `export-cve` | `--Type cve --Necessity asap,later,nntf --Dealed n` |
| `export-sys` | `--Type sys --Necessity asap,later,nntf --Dealed n` |
| `export-app` | `--Type app --Necessity asap,later,nntf --AttachTypes sca --AssetType ECS,CONTAINER --Dealed n` |
| `export-emg` | `--Type emg --RiskStatus y --Dealed n` |

### Error Handling

| Scenario | Behavior |
|---|---|
| `FreeVersionNotPermit` | Silently skip this account and continue with the others |
| `NoPermission` / `Forbidden` | Silently skip this account |
| Export failed (server-side error) | Print a `[failed]` message and continue with the other accounts |
| All accounts skipped | Print a message and exit without producing an output file |
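The submit-then-poll workflow shared by Feature 2 (`export-record` / `describe-export-info`) and Feature 3 (`export-vul` / `describe-vul-export-info`), together with the skip/fail rules in both Error Handling tables, the QPS ≤ 5 limit and the `--ResourceDirectoryAccountId` omission rule, as an added example that is not the project's `baseline.py` or `vuln.py`. It assumes an injected `run_cli` callable in place of the real `aliyun sas ...` invocation, returning `(ok, payload)` with the assumed keys `Id`, `Status`, `Url` and `Msg`; the real CLI output must be mapped onto that shape.

```python
# Added example (not the project's baseline.py / vuln.py): the submit-then-poll
# workflow both exporters describe, with the README's skip / fail rules and a
# QPS <= 5 throttle. `run_cli` is an assumed injection point standing in for
# `aliyun sas ...`; it returns (ok, payload): an error code, or a dict with the
# assumed keys Id / Status / Url / Msg.
import threading, time
from concurrent.futures import ThreadPoolExecutor

SKIP_CODES = {"FreeVersionNotPermit", "NoPermission", "Forbidden"}


class Throttle:
    """Global limiter shared by all worker threads: at most `qps` calls per second."""
    def __init__(self, qps=5):
        self.interval, self.next_ok, self.lock = 1.0 / qps, 0.0, threading.Lock()

    def wait(self):
        with self.lock:
            delay = self.next_ok - time.monotonic()
            if delay > 0:
                time.sleep(delay)
            self.next_ok = time.monotonic() + self.interval


def build_args(action, account_id, caller, extra=()):
    """--ResourceDirectoryAccountId is omitted when exporting the caller's own account."""
    args = ["sas", action, *extra]
    if account_id != caller:
        args += ["--ResourceDirectoryAccountId", account_id]
    return args


def export_one(run_cli, throttle, account_id, caller, submit, poll, extra):
    """Returns ('done', url) | ('skipped', code) | ('failed', message)."""
    throttle.wait()
    ok, resp = run_cli(build_args(submit, account_id, caller, extra))
    if not ok:  # free edition / missing permission: skip silently; anything else fails
        return ("skipped", resp) if resp in SKIP_CODES else ("failed", resp)
    while True:  # poll until the export task reports success or failure
        throttle.wait()
        ok, info = run_cli(build_args(poll, account_id, caller, ["--Id", str(resp["Id"])]))
        if not ok or info["Status"] == "fail":
            return ("failed", info if not ok else info.get("Msg", "server-side error"))
        if info["Status"] == "success":
            return ("done", info["Url"])


def export_all(run_cli, accounts, caller, submit, poll, extra=(), qps=5):
    """Export every enabled account concurrently; returns {AccountId: result}."""
    throttle, ids = Throttle(qps), [a["AccountId"] for a in accounts if a.get("enable")]
    with ThreadPoolExecutor(max_workers=qps) as pool:
        results = pool.map(lambda i: export_one(run_cli, throttle, i, caller, submit, poll, extra), ids)
    return dict(zip(ids, results))
```

The caller is responsible for the "all accounts skipped" rule: if no entry in the returned dict is `done`, print a message and write no output file.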

## Notes

- Scripts must run in a virtual environment. Examples use `.venv/bin/python`; replace it with your actual virtual environment path.
- Manage aliyun CLI credentials with `aliyun configure`; do not hardcode the AK/SK.
- The SAS API supports only two endpoints: `cn-shanghai` (China mainland) and `ap-southeast-1` (outside China mainland).