Alibaba Cloud AccessKeys that are not used for a long period of time are automatically disabled
Sep 29, 2024
Resource Access Management
Release date
October 30, 2024 (UTC+8)
Content
Alibaba Cloud is committed to improving the security of cloud services and provides support in safeguarding the security of your accounts and assets. An AccessKey pair is a credential used by an application to access Alibaba Cloud resources over APIs. If you do not rotate your AccessKey for a long period of time, your AccessKey may be leaked. Starting October 30, 2024, Alibaba Cloud automatically disables AccessKeys that are not used for more than two years. If an AccessKey is improperly stored and leaked, the related assets are exposed to risk, unexpected fees may be incurred, and ransomware attacks may even be launched.
Disabled objects
AccessKeys that were last used more than 2 years ago, or that were created two years ago but never used, and that have not been updated in the last 7 days and are in the enabled state. This includes the AccessKeys of Alibaba Cloud accounts and Resource Access Management (RAM) users.
Disabling method
If an AccessKey meets the preceding conditions, the system automatically changes the status of the AccessKey pair to disabled.
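The conditions listed under "Disabled objects" can be checked against an AccessKey inventory before the rollout reaches an account. The following is an added example, not Alibaba Cloud code; the record field names, the status values, the 730-day reading of "two years", and the sample data are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumptions, not from the announcement: "two years" is taken as 730 days,
# and the field names and Active/Inactive status values are hypothetical.
UNUSED_LIMIT = timedelta(days=730)
UPDATE_GRACE = timedelta(days=7)

def _ts(value):
    """Parse a 'YYYY-MM-DD' UTC date; None means the event never happened."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def disable_reason(key, now):
    """Return why a key meets the auto-disable conditions, or None."""
    if key["status"] != "Active":
        return None  # only keys in the enabled state are in scope
    updated = _ts(key["updated"])
    if updated is not None and now - updated <= UPDATE_GRACE:
        return None  # updated within the last 7 days (e.g. just re-enabled)
    last_used = _ts(key["last_used"])
    if last_used is None:
        if now - _ts(key["created"]) >= UNUSED_LIMIT:
            return "created two years ago and never used"
        return None
    if now - last_used > UNUSED_LIMIT:
        return "last used more than two years ago"
    return None

def audit(keys, now):
    """Map AccessKey ID to the matching condition for every flagged key."""
    reasons = ((k["id"], disable_reason(k, now)) for k in keys)
    return {key_id: why for key_id, why in reasons if why}

# Constructed inventory: (id, status, created, last_used, updated).
FIELDS = ("id", "status", "created", "last_used", "updated")
SAMPLE_KEYS = [dict(zip(FIELDS, row)) for row in [
    ("AK-EXAMPLE-1", "Active", "2020-01-10", "2022-05-01", "2020-01-10"),
    ("AK-EXAMPLE-2", "Active", "2021-03-01", None, "2021-03-01"),
    ("AK-EXAMPLE-3", "Active", "2019-06-01", "2021-01-01", "2024-10-27"),
    ("AK-EXAMPLE-4", "Inactive", "2018-01-01", "2019-01-01", "2019-02-01"),
    ("AK-EXAMPLE-5", "Active", "2023-08-01", "2024-09-15", "2023-08-01"),
    ("AK-EXAMPLE-6", "Active", "2024-01-01", None, "2024-01-01"),
]]
NOW = datetime(2024, 10, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key_id, why in audit(SAMPLE_KEYS, NOW).items():
        print(f"{key_id}: {why}")
```

AK-EXAMPLE-3 shows the 7-day window: a stale key that was updated three days earlier is skipped, and is flagged again once that window passes without use.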
Release plan
On October 30, 2024, Alibaba Cloud initiates a canary release for specific Alibaba Cloud accounts based on the IDs of the Alibaba Cloud accounts. Two weeks before the official release, Alibaba Cloud notifies the contacts of the required Alibaba Cloud accounts by text message, email, or internal message.
After this feature is officially enabled for an account, the existing AccessKeys that meet the conditions are disabled first. If a large number of AccessKeys meet the conditions, the disabling is carried out over several days. After the existing AccessKeys are processed, AccessKeys that meet the conditions are also disabled, starting in the early morning of the next day. The records of the disabling operations can be queried in ActionTrail events.
If you want to use a disabled AccessKey, we recommend that you create a new AccessKey to replace the disabled AccessKey. If you strictly require the disabled AccessKey, you can contact an administrator to re-enable it. Then, use the AccessKey at least once within seven days to prevent the AccessKey from being disabled again.
If you have any questions or need further assistance, feel free to submit a ticket or call our hotline to obtain technical support. Thank you for your understanding and trust.