🎁 Get the FREE AI Skills Starter GuideSubscribe →
BytesAgainBytesAgain
🦀 ClawHub

Alibabacloud Sas Multiaccount Manage

by @sdk-team

Manage multiple Alibaba Cloud accounts and batch-export Security Center (SAS) baseline and vulnerability reports via the aliyun CLI and Python scripts. Suppo...

Versionv0.0.1
Downloads354
TERMINAL
clawhub install alibabacloud-sas-multiaccount-manage

📖 About This Skill


name: alibabacloud-sas-multiaccount-manage description: Manage multiple Alibaba Cloud accounts and batch-export Security Center (SAS) baseline and vulnerability reports via the aliyun CLI and Python scripts. Supports account list refresh, enable/disable, concurrent batch export of cloud platform configuration check (baselineCspm), system baseline risk (exportHcWarning), Linux/Windows/application/emergency vulnerability results across all managed accounts. Use this skill when users need to manage SAS multi-account settings, export baseline or vulnerability compliance data, or merge multi-account security reports into a single file.

Alibaba Cloud Security Center Multi-Account Management and Baseline Report Export

Use aliyun CLI and Python scripts to manage multiple Alibaba Cloud accounts in a resource directory and batch-export Security Center baseline reports for each account.

Prerequisites and Environment Setup

1. Install Alibaba Cloud CLI

# macOS
brew install aliyun-cli

Or download from GitHub: https://github.com/aliyun/aliyun-cli/releases

Check credentials:

aliyun sts get-caller-identity

If the call fails, instruct the user to run aliyun configure and set up credentials (interactive step, must be completed by the user).

1.1 Configure AI mode and plugin mode (required)

This skill requires aliyun CLI plugin mode commands (kebab-case) and a fixed User-Agent declaration.

# Keep plugins up to date
aliyun plugin update

Install required product plugins if missing

aliyun plugin install --names aliyun-cli-sts,aliyun-cli-sas

Enable AI mode and set required UA segment

aliyun configure ai-mode enable aliyun configure ai-mode set-user-agent --user-agent AlibabaCloud-Agent-Skills

Optional checks / rollback

aliyun configure ai-mode show aliyun configure ai-mode disable

2. Install Python ≥ 3.6

# Check version
python3 --version  # Requires 3.6+, 3.9+ recommended

3. Create Virtual Environment and Install Dependencies

Create a virtual environment in /scripts/ and install dependencies declared in pyproject.toml:

cd scripts/

Option A: use venv

python3 -m venv .venv .venv/bin/pip install -e .

Option B: use uv (optional)

uv sync

Option C: if current Python version is unsupported, install as system dependencies

pip install -r requirements.txt

4. Run Commands

All scripts must be executed with Python from the virtual environment (whether created via venv, uv, conda, etc.). This document uses .venv/bin/python in examples; replace it with your actual virtual environment path.


Working Directory

accounts.json and exported Excel files are saved in the agent's current working directory (the directory where the command is executed). Script files themselves are located in /scripts/. Do not switch into the scripts directory when running commands, or accounts.json location may shift unexpectedly.

# Example: run from any directory
.venv/bin/python /path/to/scripts/accounts.py refresh

Feature 1: Account Management (accounts.py)

Workflow

1. First use: run refresh to fetch account list from the resource directory. 2. Filter as needed: use search to find target accounts and get AccountId. 3. Enable/disable control: use enable / disable to decide which accounts participate in batch export.

Quick Start

#### Refresh account list

Fetch the latest account list from Alibaba Cloud resource directory and write to accounts.json. Existing enable states are preserved; new accounts are enabled by default.

.venv/bin/python accounts.py refresh

#### List all accounts

.venv/bin/python accounts.py list

Sample output:

1225574417218097    cwx                     [enabled]
1234567890123456    prod-account            [disabled]

#### Search accounts

Fuzzy-search by DisplayName, returning AccountId and enable status.

.venv/bin/python accounts.py search cwx
.venv/bin/python accounts.py search prod

#### Enable / disable accounts

Control whether an account participates in subsequent batch exports.

.venv/bin/python accounts.py enable 1225574417218097
.venv/bin/python accounts.py disable 1234567890123456

accounts.json Structure

[
  {
    "AccountId": "1225574417218097",
    "DisplayName": "cwx",
    "FolderId": "r-1Q4pqB",
    "IsMaAccount": "NO",
    "SasVersion": "0",
    "enable": true
  }
]


Feature 2: Batch Baseline Export (baseline.py)

Launch export tasks concurrently for all accounts with enable=true. After polling completion, files are downloaded, extracted, and merged into a single Excel file.

Workflow

1. Concurrent submission: submit export-record requests for all enabled accounts (QPS ≤ 5). 2. Concurrent polling: poll describe-export-info for each account until export completes. 3. Download and extract: download zip and extract xlsx. 4. Merge output: merge all account xlsx files into one file via merge.py, appending a “Resource Directory Account” column. 5. Cleanup temporary files: delete per-account temporary xlsx files after merge.

Prerequisites

  • accounts.py refresh has been executed and account enable/disable configuration is complete.
  • aliyun CLI is configured with valid credentials and has SAS export-record and describe-export-info permissions.
  • Accounts must have Security Center purchased (free edition accounts are skipped automatically).
  • Export cloud platform configuration check results (CSPM)

    Export baselineCspm results for all enabled accounts and merge into baseline-cspm-merged-{date}.xlsx.

    # Export for all enabled accounts
    .venv/bin/python baseline.py export-cspm

    Export for one specific account

    .venv/bin/python baseline.py export-cspm --account-id 1225574417218097

    Export system baseline risk list

    Export exportHcWarning risk list (high/medium/low, all statuses) for all enabled accounts and merge into system-warning-merged-{date}.xlsx.

    # Export for all enabled accounts
    .venv/bin/python baseline.py export-system-warning

    Export for one specific account

    .venv/bin/python baseline.py export-system-warning --account-id 1225574417218097

    Output Files

    | File | Description | |------|------| | baseline-cspm-merged-{date}.xlsx | Merged cloud platform configuration check results, including “Resource Directory Account” column | | system-warning-merged-{date}.xlsx | Merged system baseline risk list, including “Resource Directory Account” column |

    Error Handling

    | Scenario | Behavior | |------|------| | FreeVersionNotPermit | Silently skip this account and continue others | | NoPermission / Forbidden | Silently skip this account | | Export failed (server-side error) | Print [failed] message and continue with other accounts | | All accounts skipped | Print message and exit without output file |


    Feature 3: Batch Vulnerability Export (vuln.py)

    Launch vulnerability export tasks concurrently for all accounts with enable=true. Supports four vulnerability types. After polling completion, files are downloaded, extracted, and merged automatically.

    Workflow

    1. Concurrent submission: submit export-vul --force requests for all enabled accounts (QPS ≤ 5). 2. Concurrent polling: poll describe-vul-export-info --force for each account until export completes. 3. Download and extract: download zip and extract xlsx. 4. Merge output: merge all account xlsx files into one file via merge.py, appending a “Resource Directory Account” column. 5. Cleanup temporary files: delete per-account temporary xlsx files after merge.

    > When the current account is the same as the caller's primary account, --ResourceDirectoryAccountId is omitted automatically.

    Prerequisites

  • accounts.py refresh has been executed and account enable/disable configuration is complete.
  • aliyun CLI is configured with valid credentials and has SAS export-vul and describe-vul-export-info permissions.
  • Accounts must have Security Center purchased (free edition accounts are skipped automatically).
  • Export Linux software vulnerabilities (CVE)

    Export unresolved Linux software vulnerabilities (high/medium/low priority) for all enabled accounts and merge into vul-cve-merged-{date}.xlsx.

    # Export for all enabled accounts
    .venv/bin/python vuln.py export-cve

    Export for one specific account

    .venv/bin/python vuln.py export-cve --account-id 1225574417218097

    Export Windows system vulnerabilities

    Export unresolved Windows system vulnerabilities (high/medium/low priority) for all enabled accounts and merge into vul-sys-merged-{date}.xlsx.

    .venv/bin/python vuln.py export-sys
    .venv/bin/python vuln.py export-sys --account-id 1225574417218097
    

    Export application vulnerabilities (including SCA)

    Export unresolved application vulnerabilities (ECS + container, including software composition analysis) for all enabled accounts and merge into vul-app-merged-{date}.xlsx.

    .venv/bin/python vuln.py export-app
    .venv/bin/python vuln.py export-app --account-id 1225574417218097
    

    Export emergency vulnerabilities

    Export emergency vulnerabilities (at-risk status) for all enabled accounts and merge into vul-emg-merged-{date}.xlsx.

    .venv/bin/python vuln.py export-emg
    .venv/bin/python vuln.py export-emg --account-id 1225574417218097
    

    Output Files

    | File | Description | |------|------| | vul-cve-merged-{date}.xlsx | Merged Linux software vulnerability list, including “Resource Directory Account” column | | vul-sys-merged-{date}.xlsx | Merged Windows system vulnerability list, including “Resource Directory Account” column | | vul-app-merged-{date}.xlsx | Merged application vulnerability list (including SCA), including “Resource Directory Account” column | | vul-emg-merged-{date}.xlsx | Merged emergency vulnerability list, including “Resource Directory Account” column |

    Export Parameter Details

    | Type | export-vul parameters | |------|----------------| | export-cve | --Type cve --Necessity asap,later,nntf --Dealed n | | export-sys | --Type sys --Necessity asap,later,nntf --Dealed n | | export-app | --Type app --Necessity asap,later,nntf --AttachTypes sca --AssetType ECS,CONTAINER --Dealed n | | export-emg | --Type emg --RiskStatus y --Dealed n |

    Error Handling

    | Scenario | Behavior | |------|------| | FreeVersionNotPermit | Silently skip this account and continue others | | NoPermission / Forbidden | Silently skip this account | | Export failed (server-side error) | Print [failed] message and continue with other accounts | | All accounts skipped | Print message and exit without output file |


    Notes

  • Scripts must run in a virtual environment. Examples use .venv/bin/python; replace with your actual virtual environment path.
  • Manage aliyun CLI credentials with aliyun configure; do not hardcode AK/SK.
  • SAS API supports only two endpoints: cn-shanghai (China mainland) and ap-southeast-1 (outside China mainland).
  • 💡 Examples

    #### Refresh account list

    Fetch the latest account list from Alibaba Cloud resource directory and write to accounts.json. Existing enable states are preserved; new accounts are enabled by default.

    .venv/bin/python accounts.py refresh
    

    #### List all accounts

    .venv/bin/python accounts.py list
    

    Sample output:

    1225574417218097    cwx                     [enabled]
    1234567890123456    prod-account            [disabled]
    

    #### Search accounts

    Fuzzy-search by DisplayName, returning AccountId and enable status.

    .venv/bin/python accounts.py search cwx
    .venv/bin/python accounts.py search prod
    

    #### Enable / disable accounts

    Control whether an account participates in subsequent batch exports.

    .venv/bin/python accounts.py enable 1225574417218097
    .venv/bin/python accounts.py disable 1234567890123456
    

    accounts.json Structure

    [
      {
        "AccountId": "1225574417218097",
        "DisplayName": "cwx",
        "FolderId": "r-1Q4pqB",
        "IsMaAccount": "NO",
        "SasVersion": "0",
        "enable": true
      }
    ]
    


    ⚙️ Configuration

  • accounts.py refresh has been executed and account enable/disable configuration is complete.
  • aliyun CLI is configured with valid credentials and has SAS export-record and describe-export-info permissions.
  • Accounts must have Security Center purchased (free edition accounts are skipped automatically).
  • Export cloud platform configuration check results (CSPM)

    Export baselineCspm results for all enabled accounts and merge into baseline-cspm-merged-{date}.xlsx.

    # Export for all enabled accounts
    .venv/bin/python baseline.py export-cspm

    Export for one specific account

    .venv/bin/python baseline.py export-cspm --account-id 1225574417218097

    Export system baseline risk list

    Export exportHcWarning risk list (high/medium/low, all statuses) for all enabled accounts and merge into system-warning-merged-{date}.xlsx.

    # Export for all enabled accounts
    .venv/bin/python baseline.py export-system-warning

    Export for one specific account

    .venv/bin/python baseline.py export-system-warning --account-id 1225574417218097

    Output Files

    | File | Description | |------|------| | baseline-cspm-merged-{date}.xlsx | Merged cloud platform configuration check results, including “Resource Directory Account” column | | system-warning-merged-{date}.xlsx | Merged system baseline risk list, including “Resource Directory Account” column |

    Error Handling

    | Scenario | Behavior | |------|------| | FreeVersionNotPermit | Silently skip this account and continue others | | NoPermission / Forbidden | Silently skip this account | | Export failed (server-side error) | Print [failed] message and continue with other accounts | | All accounts skipped | Print message and exit without output file |


    📋 Tips & Best Practices

  • Scripts must run in a virtual environment. Examples use .venv/bin/python; replace with your actual virtual environment path.
  • Manage aliyun CLI credentials with aliyun configure; do not hardcode AK/SK.
  • SAS API supports only two endpoints: cn-shanghai (China mainland) and ap-southeast-1 (outside China mainland).