An API credential (AccessKey pair, an authentication key pair based on asymmetric key algorithms) is a unique and important identity credential that Alibaba Cloud users use to call cloud service APIs and access cloud resources. It is used for communication encryption and identity authentication when users call APIs.
API credentials and passwords are used in different scenarios: API credentials are used to call Alibaba Cloud APIs from the command line, while passwords are used to log on to the console.
On Alibaba Cloud, users can use an AccessKey pair to construct an API request or use the Alibaba Cloud SDK to manage resources. An AccessKey pair consists of an AccessKey ID and an AccessKey Secret: the AccessKey ID identifies a user, and the AccessKey Secret is the key used to verify the validity of the user's identity. You must keep your AccessKey Secret strictly confidential.
Automatic closed-loop AccessKey pair security detection provided by Security Center
Security Center provides comprehensive detection to cope with accidental AccessKey pair disclosure and safeguard the security of services in Alibaba Cloud. The detection includes pre-leak configuration check, leak behavior detection, and detection of abnormal calls.
Alibaba Cloud has cooperated with GitHub, the largest open-source code management provider, to implement the token scan mechanism.
The automatic closed-loop AccessKey pair security detection of Security Center detects AccessKey pairs that are leaked on GitHub. In real scenarios, Alibaba Cloud notifies users and responds within a few seconds after code that includes an AccessKey pair is submitted to GitHub, which minimizes users' losses once the AccessKey pair is leaked.
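The token scan described above runs on GitHub's side after a push. The same kind of check can be run locally before code is committed, so a pair never reaches a public repository in the first place. The following is an added example written for this page, not Alibaba Cloud's or GitHub's scanner. It assumes two heuristic patterns: an AccessKey ID that begins with "LTAI" followed by 12 to 20 alphanumeric characters, and a 30-character alphanumeric AccessKey Secret assigned next to a variable whose name contains "secret". The sample source text is constructed and contains no real credentials.

```python
import re
from typing import Dict, List

# Assumed heuristics (not taken from the page): AccessKey IDs start with "LTAI"
# and are followed by 12-20 alphanumeric characters; an AccessKey Secret is a
# 30-character alphanumeric string. Tune both before relying on them.
ACCESS_KEY_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,20}\b")
SECRET_CONTEXT_RE = re.compile(
    r"(?i)(access[_-]?key[_-]?secret|secret)\s*[:=]\s*['\"]([A-Za-z0-9]{30})['\"]"
)


def mask(value: str) -> str:
    """Keep only the first and last four characters so reports never re-leak the value."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str, path: str = "<memory>") -> List[Dict[str, object]]:
    """Return one finding per suspected AccessKey ID or Secret, with its line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "AccessKeyId", "value": mask(m.group(0))})
        for m in SECRET_CONTEXT_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "AccessKeySecret", "value": mask(m.group(2))})
    return findings


def has_leak(text: str) -> bool:
    """Convenience wrapper for a pre-commit hook: True if anything was found."""
    return bool(scan_text(text))


# Constructed sample file: the hard-coded pair on lines 3-4 is fake and should be
# reported; the environment-variable lookup on line 6 should not.
SAMPLE_SOURCE = """\
import os
client = Client(
    access_key_id="LTAI5tExampleKeyId001",
    access_key_secret="abcdefghijklmnopqrstuvwxyz0123",
)
safe = os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"]
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE, "app.py"):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['value']}")
```

Wired into a pre-commit hook, a non-empty result from scan_text blocks the commit; the masked values let the report be shared with the owner without copying the secret into yet another place.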
- Pre-leak configuration check: Cloud Platform Configuration Assessment. To prevent exceptions when you use Alibaba Cloud, you can log on to the Security Center console, choose Cloud Platform Configuration Assessment in the left-side navigation pane, and check on the page that appears whether the configuration items of your Alibaba Cloud services have security risks.
- The operation audit logs of Alibaba Cloud services must be in the Enabled state. This helps you analyze whether abnormal calls exist.
- You must use the AccessKey pair of a RAM user instead of that of the Alibaba Cloud account and abide by the principle of least privilege. This way, if the AccessKey pair is leaked, the control permission of the Alibaba Cloud account is not completely lost.
- Multi-factor authentication (MFA) must be enabled for the Alibaba Cloud account to reduce unauthorized access due to password leak.
- Leak behavior detection: AccessKey Leak. You can log on to the Security Center console, choose Leak Detection by AccessKey in the left-side navigation pane, and check the details of AccessKey pair leaks on the page that appears.
- Abnormal calls:
In addition to pre-leak prevention, you can log on to the Security Center console, click Alerts, and filter the alerts of the Cloud threat detection type. Security Center generates an alert when it detects an abnormal request that contains an AccessKey pair, so a leak can be detected in a timely manner.
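The abnormal-call alerts above, and the audit-log analysis the earlier list item calls for, both come down to comparing each API call made with an AccessKey pair against what that pair normally does. The following is an added example illustrating that logic, not Security Center's detection engine. The events are constructed, their field names (accessKeyId, sourceIp, region, action) are assumed rather than any real audit-log schema, and the set of privileged actions is an illustrative choice.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Assumed: a small set of actions that change identity or delete data, which
# deserve an alert the first time a key uses them. Names are illustrative.
HIGH_RISK_ACTIONS = {"CreateAccessKey", "CreateUser", "AttachPolicyToUser", "DeleteBucket"}

# Constructed historical events used to learn what is "normal" for each key.
BASELINE_EVENTS = [
    {"accessKeyId": "LTAIconstructedKeyA01", "sourceIp": "10.0.1.5",
     "region": "cn-hangzhou", "action": "DescribeInstances"},
    {"accessKeyId": "LTAIconstructedKeyA01", "sourceIp": "10.0.1.5",
     "region": "cn-hangzhou", "action": "ListBuckets"},
    {"accessKeyId": "LTAIconstructedKeyA01", "sourceIp": "10.0.1.6",
     "region": "cn-hangzhou", "action": "DescribeInstances"},
]

# Constructed new events: one routine call, one that looks like a leaked key
# being used from an unfamiliar network to mint a new credential.
NEW_EVENTS = [
    {"accessKeyId": "LTAIconstructedKeyA01", "sourceIp": "10.0.1.5",
     "region": "cn-hangzhou", "action": "DescribeInstances"},
    {"accessKeyId": "LTAIconstructedKeyA01", "sourceIp": "203.0.113.77",
     "region": "ap-southeast-1", "action": "CreateAccessKey"},
]


def build_baseline(events: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Collect the source IPs, regions and actions each AccessKey ID has used before."""
    baseline: Dict[str, Dict[str, Set[str]]] = defaultdict(
        lambda: {"ips": set(), "regions": set(), "actions": set()})
    for e in events:
        b = baseline[e["accessKeyId"]]
        b["ips"].add(e["sourceIp"])
        b["regions"].add(e["region"])
        b["actions"].add(e["action"])
    return dict(baseline)


def detect_anomalies(baseline: Dict[str, Dict[str, Set[str]]],
                     events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one alert per event that deviates from the key's baseline."""
    alerts: List[Dict[str, object]] = []
    for e in events:
        key = e["accessKeyId"]
        b = baseline.get(key)
        reasons: List[str] = []
        if b is None:
            reasons.append("unknown AccessKey ID")
        else:
            if e["sourceIp"] not in b["ips"]:
                reasons.append("new source IP")
            if e["region"] not in b["regions"]:
                reasons.append("new region")
        if e["action"] in HIGH_RISK_ACTIONS and (b is None or e["action"] not in b["actions"]):
            reasons.append("first-seen privileged action")
        if reasons:
            alerts.append({"accessKeyId": key, "action": e["action"],
                           "sourceIp": e["sourceIp"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(a)
```

The baseline is deliberately per key rather than per account: a key issued to one RAM user for one business (as recommended below) has a narrow, stable footprint, which is what makes a deviation stand out.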
Security suggestions
In addition to the AccessKey pair leak detection and response measures provided by Security Center, we recommend that you conform to the following security specifications when you use Alibaba Cloud to reduce the impact of AccessKey pair leak:
- Do not embed AccessKey pairs in code.
AccessKey pairs embedded in code are easily overlooked. We recommend that you store AccessKey pairs in databases or separate files to facilitate management.
- Change AccessKey pairs regularly.
We recommend that you regularly change the existing AccessKey pairs that your code uses, so that a leak of the original code does not affect online businesses.
- Revoke the unnecessary AccessKey pairs regularly.
You can view the time of last access for each AccessKey pair in the Alibaba Cloud console. We recommend that you manually disable AccessKey pairs that are no longer needed.
- Abide by the principle of least privilege and use RAM accounts.
Grant read and write permissions to different RAM users based on business needs, and assign the AccessKey pairs of different RAM users to different businesses.
- Enable operation log audit and ship it to OSS and SLS for long-term storage and audit.
Operation logs stored in OSS provide fixed evidence when exceptions occur. If you have a large number of logs, you can ship the logs to SLS to search for specific logs.
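The rotation, revocation and least-privilege items above can be turned into a single periodic audit over the account's AccessKey inventory: rotate pairs older than a policy age, disable pairs that have not been used for a while, and flag any pair that belongs to the Alibaba Cloud account itself rather than a RAM user. The following is an added example of that audit logic, not an Alibaba Cloud tool. The inventory records are constructed, their field names are assumed rather than the RAM API's real response shape, and the 90-day and 30-day thresholds are illustrative policy values.

```python
from datetime import date
from typing import Dict, List, Optional

ROTATE_AFTER_DAYS = 90        # assumed policy: rotate pairs older than this
DISABLE_IF_IDLE_DAYS = 30     # assumed policy: disable pairs idle longer than this

# Constructed inventory. In practice this would be filled from the console or
# the RAM API; field names here are assumed, and "lastUsed" may be None when
# the pair has never been used.
INVENTORY: List[Dict[str, Optional[str]]] = [
    {"user": "deploy-bot",    "accessKeyId": "LTAIconstructed000A", "isRootAccount": False,
     "status": "Active",   "created": "2023-01-10", "lastUsed": "2024-05-30"},
    {"user": "ci-runner",     "accessKeyId": "LTAIconstructed000B", "isRootAccount": False,
     "status": "Active",   "created": "2024-04-15", "lastUsed": "2024-05-28"},
    {"user": "legacy-script", "accessKeyId": "LTAIconstructed000C", "isRootAccount": False,
     "status": "Active",   "created": "2022-06-01", "lastUsed": "2024-01-15"},
    {"user": "temp-user",     "accessKeyId": "LTAIconstructed000D", "isRootAccount": False,
     "status": "Active",   "created": "2024-05-01", "lastUsed": None},
    {"user": "<account>",     "accessKeyId": "LTAIconstructed000E", "isRootAccount": True,
     "status": "Active",   "created": "2024-05-20", "lastUsed": "2024-05-31"},
    {"user": "retired-job",   "accessKeyId": "LTAIconstructed000F", "isRootAccount": False,
     "status": "Inactive", "created": "2021-03-03", "lastUsed": "2022-02-02"},
]


def audit_access_keys(inventory: List[Dict[str, Optional[str]]],
                      today: date) -> Dict[str, List[str]]:
    """Sort every active pair into exactly one bucket of recommended action.

    Checks run in priority order: a pair on the Alibaba Cloud account itself is
    flagged for replacement with a RAM user before anything else; then idle
    pairs are disabled (not deleted, so a mistake is reversible); then old
    pairs are rotated; the rest are fine. Inactive pairs are left alone.
    """
    plan: Dict[str, List[str]] = {"replace_with_ram_user": [], "disable": [],
                                  "rotate": [], "ok": []}
    for k in inventory:
        if k["status"] != "Active":
            continue
        key_id = str(k["accessKeyId"])
        created = date.fromisoformat(str(k["created"]))
        last_used = date.fromisoformat(k["lastUsed"]) if k["lastUsed"] else None
        # A never-used pair is measured from its creation date.
        idle_days = (today - (last_used or created)).days
        age_days = (today - created).days
        if k["isRootAccount"]:
            plan["replace_with_ram_user"].append(key_id)
        elif idle_days > DISABLE_IF_IDLE_DAYS:
            plan["disable"].append(key_id)
        elif age_days > ROTATE_AFTER_DAYS:
            plan["rotate"].append(key_id)
        else:
            plan["ok"].append(key_id)
    return plan


if __name__ == "__main__":
    for action, keys in audit_access_keys(INVENTORY, date(2024, 6, 1)).items():
        print(f"{action}: {keys}")
```

Disabling rather than deleting an idle pair matches the page's advice to disable unnecessary pairs manually: if a forgotten job breaks, the pair can be re-enabled while a proper replacement is arranged. The same operation-audit logs that the last item recommends shipping to OSS and SLS are where "lastUsed" ultimately comes from.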