Alibabacloud Sas Multiaccount Manage
by @sdk-team
Manage multiple Alibaba Cloud accounts and batch-export Security Center (SAS) baseline and vulnerability reports via the aliyun CLI and Python scripts. Suppo...
clawhub install alibabacloud-sas-multiaccount-manage📖 About This Skill
name: alibabacloud-sas-multiaccount-manage description: Manage multiple Alibaba Cloud accounts and batch-export Security Center (SAS) baseline and vulnerability reports via the aliyun CLI and Python scripts. Supports account list refresh, enable/disable, concurrent batch export of cloud platform configuration check (baselineCspm), system baseline risk (exportHcWarning), Linux/Windows/application/emergency vulnerability results across all managed accounts. Use this skill when users need to manage SAS multi-account settings, export baseline or vulnerability compliance data, or merge multi-account security reports into a single file.
Alibaba Cloud Security Center Multi-Account Management and Baseline Report Export
Use aliyun CLI and Python scripts to manage multiple Alibaba Cloud accounts in a resource directory and batch-export Security Center baseline reports for each account.
Prerequisites and Environment Setup
1. Install Alibaba Cloud CLI
# macOS
brew install aliyun-cliOr download from GitHub: https://github.com/aliyun/aliyun-cli/releases
Check credentials:
aliyun sts get-caller-identity
If the call fails, instruct the user to run aliyun configure and set up credentials (interactive step, must be completed by the user).
1.1 Configure AI mode and plugin mode (required)
This skill requires aliyun CLI plugin mode commands (kebab-case) and a fixed User-Agent declaration.
# Keep plugins up to date
aliyun plugin updateInstall required product plugins if missing
aliyun plugin install --names aliyun-cli-sts,aliyun-cli-sasEnable AI mode and set required UA segment
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent AlibabaCloud-Agent-SkillsOptional checks / rollback
aliyun configure ai-mode show
aliyun configure ai-mode disable
2. Install Python ≥ 3.6
# Check version
python3 --version # Requires 3.6+, 3.9+ recommended
3. Create Virtual Environment and Install Dependencies
Create a virtual environment in and install dependencies declared in pyproject.toml:
cd scripts/Option A: use venv
python3 -m venv .venv
.venv/bin/pip install -e .Option B: use uv (optional)
uv syncOption C: if current Python version is unsupported, install as system dependencies
pip install -r requirements.txt
4. Run Commands
All scripts must be executed with Python from the virtual environment (whether created via venv, uv, conda, etc.). This document uses .venv/bin/python in examples; replace it with your actual virtual environment path.
Working Directory
accounts.json and exported Excel files are saved in the agent's current working directory (the directory where the command is executed). Script files themselves are located in . Do not switch into the scripts directory when running commands, or accounts.json location may shift unexpectedly.
# Example: run from any directory
.venv/bin/python /path/to/scripts/accounts.py refresh
Feature 1: Account Management (accounts.py)
Workflow
1. First use: run refresh to fetch account list from the resource directory.
2. Filter as needed: use search to find target accounts and get AccountId.
3. Enable/disable control: use enable / disable to decide which accounts participate in batch export.
Quick Start
#### Refresh account list
Fetch the latest account list from Alibaba Cloud resource directory and write to accounts.json. Existing enable states are preserved; new accounts are enabled by default.
.venv/bin/python accounts.py refresh
#### List all accounts
.venv/bin/python accounts.py list
Sample output:
1225574417218097 cwx [enabled]
1234567890123456 prod-account [disabled]
#### Search accounts
Fuzzy-search by DisplayName, returning AccountId and enable status.
.venv/bin/python accounts.py search cwx
.venv/bin/python accounts.py search prod
#### Enable / disable accounts
Control whether an account participates in subsequent batch exports.
.venv/bin/python accounts.py enable 1225574417218097
.venv/bin/python accounts.py disable 1234567890123456
accounts.json Structure
[
{
"AccountId": "1225574417218097",
"DisplayName": "cwx",
"FolderId": "r-1Q4pqB",
"IsMaAccount": "NO",
"SasVersion": "0",
"enable": true
}
]
Feature 2: Batch Baseline Export (baseline.py)
Launch export tasks concurrently for all accounts with enable=true. After polling completion, files are downloaded, extracted, and merged into a single Excel file.
Workflow
1. Concurrent submission: submit export-record requests for all enabled accounts (QPS ≤ 5).
2. Concurrent polling: poll describe-export-info for each account until export completes.
3. Download and extract: download zip and extract xlsx.
4. Merge output: merge all account xlsx files into one file via merge.py, appending a “Resource Directory Account” column.
5. Cleanup temporary files: delete per-account temporary xlsx files after merge.
Prerequisites
accounts.py refresh has been executed and account enable/disable configuration is complete.export-record and describe-export-info permissions.Export cloud platform configuration check results (CSPM)
Export baselineCspm results for all enabled accounts and merge into baseline-cspm-merged-{date}.xlsx.
# Export for all enabled accounts
.venv/bin/python baseline.py export-cspmExport for one specific account
.venv/bin/python baseline.py export-cspm --account-id 1225574417218097
Export system baseline risk list
Export exportHcWarning risk list (high/medium/low, all statuses) for all enabled accounts and merge into system-warning-merged-{date}.xlsx.
# Export for all enabled accounts
.venv/bin/python baseline.py export-system-warningExport for one specific account
.venv/bin/python baseline.py export-system-warning --account-id 1225574417218097
Output Files
| File | Description |
|------|------|
| baseline-cspm-merged-{date}.xlsx | Merged cloud platform configuration check results, including “Resource Directory Account” column |
| system-warning-merged-{date}.xlsx | Merged system baseline risk list, including “Resource Directory Account” column |
Error Handling
| Scenario | Behavior |
|------|------|
| FreeVersionNotPermit | Silently skip this account and continue others |
| NoPermission / Forbidden | Silently skip this account |
| Export failed (server-side error) | Print [failed] message and continue with other accounts |
| All accounts skipped | Print message and exit without output file |
Feature 3: Batch Vulnerability Export (vuln.py)
Launch vulnerability export tasks concurrently for all accounts with enable=true. Supports four vulnerability types. After polling completion, files are downloaded, extracted, and merged automatically.
Workflow
1. Concurrent submission: submit export-vul --force requests for all enabled accounts (QPS ≤ 5).
2. Concurrent polling: poll describe-vul-export-info --force for each account until export completes.
3. Download and extract: download zip and extract xlsx.
4. Merge output: merge all account xlsx files into one file via merge.py, appending a “Resource Directory Account” column.
5. Cleanup temporary files: delete per-account temporary xlsx files after merge.
> When the current account is the same as the caller's primary account, --ResourceDirectoryAccountId is omitted automatically.
Prerequisites
accounts.py refresh has been executed and account enable/disable configuration is complete.export-vul and describe-vul-export-info permissions.Export Linux software vulnerabilities (CVE)
Export unresolved Linux software vulnerabilities (high/medium/low priority) for all enabled accounts and merge into vul-cve-merged-{date}.xlsx.
# Export for all enabled accounts
.venv/bin/python vuln.py export-cveExport for one specific account
.venv/bin/python vuln.py export-cve --account-id 1225574417218097
Export Windows system vulnerabilities
Export unresolved Windows system vulnerabilities (high/medium/low priority) for all enabled accounts and merge into vul-sys-merged-{date}.xlsx.
.venv/bin/python vuln.py export-sys
.venv/bin/python vuln.py export-sys --account-id 1225574417218097
Export application vulnerabilities (including SCA)
Export unresolved application vulnerabilities (ECS + container, including software composition analysis) for all enabled accounts and merge into vul-app-merged-{date}.xlsx.
.venv/bin/python vuln.py export-app
.venv/bin/python vuln.py export-app --account-id 1225574417218097
Export emergency vulnerabilities
Export emergency vulnerabilities (at-risk status) for all enabled accounts and merge into vul-emg-merged-{date}.xlsx.
.venv/bin/python vuln.py export-emg
.venv/bin/python vuln.py export-emg --account-id 1225574417218097
Output Files
| File | Description |
|------|------|
| vul-cve-merged-{date}.xlsx | Merged Linux software vulnerability list, including “Resource Directory Account” column |
| vul-sys-merged-{date}.xlsx | Merged Windows system vulnerability list, including “Resource Directory Account” column |
| vul-app-merged-{date}.xlsx | Merged application vulnerability list (including SCA), including “Resource Directory Account” column |
| vul-emg-merged-{date}.xlsx | Merged emergency vulnerability list, including “Resource Directory Account” column |
Export Parameter Details
| Type | export-vul parameters |
|------|----------------|
| export-cve | --Type cve --Necessity asap,later,nntf --Dealed n |
| export-sys | --Type sys --Necessity asap,later,nntf --Dealed n |
| export-app | --Type app --Necessity asap,later,nntf --AttachTypes sca --AssetType ECS,CONTAINER --Dealed n |
| export-emg | --Type emg --RiskStatus y --Dealed n |
Error Handling
| Scenario | Behavior |
|------|------|
| FreeVersionNotPermit | Silently skip this account and continue others |
| NoPermission / Forbidden | Silently skip this account |
| Export failed (server-side error) | Print [failed] message and continue with other accounts |
| All accounts skipped | Print message and exit without output file |
Notes
.venv/bin/python; replace with your actual virtual environment path.aliyun configure; do not hardcode AK/SK.cn-shanghai (China mainland) and ap-southeast-1 (outside China mainland).💡 Examples
#### Refresh account list
Fetch the latest account list from Alibaba Cloud resource directory and write to accounts.json. Existing enable states are preserved; new accounts are enabled by default.
.venv/bin/python accounts.py refresh
#### List all accounts
.venv/bin/python accounts.py list
Sample output:
1225574417218097 cwx [enabled]
1234567890123456 prod-account [disabled]
#### Search accounts
Fuzzy-search by DisplayName, returning AccountId and enable status.
.venv/bin/python accounts.py search cwx
.venv/bin/python accounts.py search prod
#### Enable / disable accounts
Control whether an account participates in subsequent batch exports.
.venv/bin/python accounts.py enable 1225574417218097
.venv/bin/python accounts.py disable 1234567890123456
accounts.json Structure
[
{
"AccountId": "1225574417218097",
"DisplayName": "cwx",
"FolderId": "r-1Q4pqB",
"IsMaAccount": "NO",
"SasVersion": "0",
"enable": true
}
]
⚙️ Configuration
accounts.py refresh has been executed and account enable/disable configuration is complete.export-record and describe-export-info permissions.Export cloud platform configuration check results (CSPM)
Export baselineCspm results for all enabled accounts and merge into baseline-cspm-merged-{date}.xlsx.
# Export for all enabled accounts
.venv/bin/python baseline.py export-cspmExport for one specific account
.venv/bin/python baseline.py export-cspm --account-id 1225574417218097
Export system baseline risk list
Export exportHcWarning risk list (high/medium/low, all statuses) for all enabled accounts and merge into system-warning-merged-{date}.xlsx.
# Export for all enabled accounts
.venv/bin/python baseline.py export-system-warningExport for one specific account
.venv/bin/python baseline.py export-system-warning --account-id 1225574417218097
Output Files
| File | Description |
|------|------|
| baseline-cspm-merged-{date}.xlsx | Merged cloud platform configuration check results, including “Resource Directory Account” column |
| system-warning-merged-{date}.xlsx | Merged system baseline risk list, including “Resource Directory Account” column |
Error Handling
| Scenario | Behavior |
|------|------|
| FreeVersionNotPermit | Silently skip this account and continue others |
| NoPermission / Forbidden | Silently skip this account |
| Export failed (server-side error) | Print [failed] message and continue with other accounts |
| All accounts skipped | Print message and exit without output file |
📋 Tips & Best Practices
.venv/bin/python; replace with your actual virtual environment path.aliyun configure; do not hardcode AK/SK.cn-shanghai (China mainland) and ap-southeast-1 (outside China mainland).