Resource Access Management (RAM) is central to securing your Alibaba Cloud environment. By effectively managing identities, credentials, and permissions, you can control who can access your resources and what actions they can perform. Following these security best practices helps you build a robust security posture and adhere to the principle of least privilege.
Secure your Alibaba Cloud account
Your Alibaba Cloud account has unrestricted access to all resources and billing information in your account. Securing it is the most important step in protecting your cloud environment. The account's credentials should not be used for routine or programmatic tasks.
Best practices
Do not use the Alibaba Cloud account for daily tasks. Instead, create individual RAM users for administrative and operational tasks.
Enable multi-factor authentication (MFA) for the Alibaba Cloud account. This adds a critical layer of security that requires a second form of authentication in addition to your password. For more information, see Bind or unbind a U2F security key.
Do not create or use AccessKey pairs for the Alibaba Cloud account. An AccessKey pair for the Alibaba Cloud account provides unrestricted programmatic access to your account, creating a significant security risk if compromised.
Manage RAM identities and credentials
Instead of using the Alibaba Cloud account, you should use RAM identities to interact with Alibaba Cloud. This provides accountability and allows for fine-grained access control.
Use temporary credentials with RAM roles for programmatic access
For applications running on Alibaba Cloud or elsewhere, avoid using long-term AccessKey pairs. Instead, use RAM roles to obtain temporary security credentials through the Security Token Service (STS). These credentials expire after a short, configurable duration, which dramatically reduces the risk associated with compromised credentials. For more information, see Use RAM roles to access Alibaba Cloud resources.
Manage long-term AccessKey pairs securely
If you must use long-term AccessKey pairs for specific use cases (like development environments), follow these best practices:
Avoid hard-coding credentials. Never embed AccessKey pairs directly in your application code. This practice creates a high risk of exposure if the code is shared or committed to a public repository. Instead, use secure methods like environment variables or a secrets management service (such as Key Management Service) to store and retrieve credentials.
Rotate AccessKey pairs regularly. Create two AccessKey pairs for a RAM user: use one for your application and keep the second for rotation. Periodically update your application to use the second AccessKey pair, then disable and delete the first. For more information, see Create an AccessKey pair for a RAM user.
Restrict AccessKey pair usage by source IP address. As a powerful defense-in-depth measure, you can create a network ACL that restricts an AccessKey pair to be usable only from specific, trusted IP addresses or CIDR blocks. This ensures that even if an AccessKey pair is accidentally exposed, it cannot be used by an attacker from an unauthorized network.
Remove unused credentials. Regularly audit and delete RAM users and AccessKey pairs that are no longer needed, such as those belonging to former employees. Alibaba Cloud automatically disables RAM users and AccessKey pairs that have been inactive for an extended period as a safety measure.
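The following is an added example, not code from the page or from Alibaba Cloud, showing three of the habits above in Python: reading the AccessKey pair from environment variables rather than source (the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET names are assumed from the SDK credential chain), scanning source text for hard-coded AccessKey ID literals (the LTAI prefix is an assumed format), and flagging active keys that have passed a rotation window. The sample source line and key records are constructed.

```python
import os
import re
from datetime import datetime, timedelta

# AccessKey IDs begin with "LTAI" (assumed format); used to catch hard-coded
# credentials in source before they are committed.
ACCESS_KEY_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,30}\b")

def load_credentials(env=None):
    """Read the AccessKey pair from the environment instead of source code.
    Variable names are the ones the SDK credential chain reads (assumption)."""
    env = os.environ if env is None else env
    key_id = env.get("ALIBABA_CLOUD_ACCESS_KEY_ID")
    secret = env.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
    if not key_id or not secret:
        raise RuntimeError("AccessKey pair not found in environment")
    return key_id, secret

def find_hardcoded_keys(source):
    """Return 1-based line numbers containing an AccessKey ID literal."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if ACCESS_KEY_ID_RE.search(line)]

def _parse(ts):
    # ISO 8601 UTC timestamp such as 2024-01-10T08:00:00Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def keys_due_for_rotation(keys, max_age_days, now):
    """Return IDs of Active keys created more than max_age_days before now.
    Each record has AccessKeyId, Status and CreateDate (constructed shape)."""
    cutoff = _parse(now) - timedelta(days=max_age_days)
    return [rec["AccessKeyId"] for rec in keys
            if rec["Status"] == "Active" and _parse(rec["CreateDate"]) < cutoff]

# Constructed sample inputs; the key IDs are placeholders, not real keys.
SAMPLE_SOURCE = 'client = Client("LTAIexampleexample0000", "secret")\nprint("ok")\n'
SAMPLE_KEYS = [
    {"AccessKeyId": "LTAIexampleexample0001", "Status": "Active",
     "CreateDate": "2024-01-10T08:00:00Z"},
    {"AccessKeyId": "LTAIexampleexample0002", "Status": "Active",
     "CreateDate": "2024-06-01T08:00:00Z"},
    {"AccessKeyId": "LTAIexampleexample0003", "Status": "Inactive",
     "CreateDate": "2023-01-01T08:00:00Z"},
]
```

Run find_hardcoded_keys over files in a pre-commit hook and keys_due_for_rotation over a periodic AccessKey inventory export to turn these practices into routine checks.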
Enforce strong authentication for console users
For human users who need to access the Alibaba Cloud Management Console, enforce strong authentication mechanisms.
Prefer single sign-on (SSO). If your organization uses an identity provider (IdP) like Active Directory Domain Services (AD DS), integrate it with RAM for SSO. This allows users to log on with their corporate credentials, centralizes identity management, and eliminates the need to manage separate RAM passwords.
Enforce multi-factor authentication (MFA). If you are not using SSO, require all RAM users to enable MFA. This ensures that a compromised password alone is not enough to gain access to an account. For more information, see Bind an MFA device.
Use passkeys for passwordless authentication. Passkeys are a modern, highly secure replacement for passwords. They allow users to log on using their device's built-in authentication methods, such as fingerprint readers, facial recognition, or a PIN. Using a passkey for logon is phishing-resistant and also satisfies MFA requirements. For more information, see Register a passkey or security key.
Configure a strong password policy. Define requirements for password complexity, length, and expiration to ensure users create strong, secure passwords. For more information, see Configure a password policy for RAM users.
Apply the principle of least privilege
By default, RAM identities have no permissions. You grant them access by attaching policies. Always follow the principle of least privilege by granting only the permissions required to perform a specific task.
Grant only necessary permissions. Start with a minimum set of permissions and grant additional permissions as needed. Avoid using wildcards (*) for actions or resources unless absolutely necessary. Use system policies for common use cases and create fine-grained custom policies for specific requirements.
Use RAM groups for scalable permission management. Instead of attaching policies to individual RAM users, organize users into groups based on their job function (such as developers and database-admins). Attach policies to the groups, and the permissions will be inherited by all users in the group. This simplifies administration and ensures consistency.
Use conditions to further restrict access. Custom policies can include a Condition element to restrict access based on context, such as the source IP address, the time of day, or the method used to access resources. This adds a powerful layer of context-aware security to your permissions. For more information, see Elements of a RAM policy.
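As an added example (not from the page or from Alibaba Cloud's own tooling), the following Python holds a least-privilege RAM policy with a Condition on acs:SourceIp beside an over-broad one, and audits a policy document for the problems described above: wildcard actions or resources in Allow statements, and malformed source-IP conditions that would not enforce the intended network boundary. The bucket name and CIDR are constructed placeholders.

```python
from ipaddress import ip_network

# Constructed least-privilege policy: read-only access to one OSS bucket,
# usable only from a trusted CIDR. Bucket name and CIDR are placeholders.
LEAST_PRIVILEGE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:ListObjects"],
        "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
        "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}},
    }],
}

# Constructed over-broad policy that the audit should flag.
OVERBROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return findings for Allow statements that violate least privilege."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"statement {idx}: wildcard Action '*'")
        elif any(a.endswith(":*") for a in actions):
            findings.append(f"statement {idx}: service-wide wildcard Action")
        if "*" in resources:
            findings.append(f"statement {idx}: wildcard Resource '*'")
        # Validate any acs:SourceIp restriction so a typo does not silently
        # widen or break the network boundary.
        ip_cond = stmt.get("Condition", {}).get("IpAddress", {})
        for cidr in _as_list(ip_cond.get("acs:SourceIp", [])):
            try:
                ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"statement {idx}: invalid acs:SourceIp {cidr!r}")
    return findings
```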