API credentials, also called AccessKey pairs, are unique and important identity credentials. API credentials are authentication key pairs that are generated by using asymmetric key algorithms. API credentials are used to encrypt communication and authenticate the identities of users when the users call the API operations of a specific Alibaba Cloud service. Users can use API credentials to access the required cloud resources.

API credentials are equivalent to passwords in other scenarios. API credentials are used to call Alibaba Cloud APIs by using command lines, while passwords are used to log on to the consoles of cloud services.

On Alibaba Cloud, users can use an AccessKey pair to construct an API request or use Alibaba Cloud SDKs to manage resources. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID is used to verify the identity of a user, while the AccessKey secret is the key used to verify the validity of the user. You must keep your AccessKey secret strictly confidential.
Note: If AccessKey pairs are leaked, users are exposed to risks such as data breaches.

Automatic closed-loop security check of AccessKey pairs

Security Center provides comprehensive detection to prevent accidental AccessKey pair leaks and ensure the security of services on Alibaba Cloud. The detection includes configuration checks, leak behavior detection, and detection of abnormal calls.

Alibaba Cloud has cooperated with GitHub to implement the token scan mechanism. GitHub is the largest open source code management provider.

Security Center provides the automatic closed-loop security check of AccessKey pairs to detect AccessKey pair leaks on GitHub. Alibaba Cloud notifies users and responds within a few seconds after code that includes AccessKey pairs is submitted to GitHub. This minimizes impacts on users after AccessKey pairs are leaked.
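
A local counterpart to the GitHub scan described above, added here as an example and not Alibaba Cloud or Security Center code: a scanner that can run as a pre-commit hook and flag AccessKey-like strings before a commit is created. The `LTAI` prefix and the 12-20 and 30 character lengths are assumptions about the key format, and the sample values are constructed.

```python
import math
import re
import sys
from collections import Counter

# Assumption: AccessKey IDs begin with "LTAI" followed by 12-20 alphanumerics.
AK_ID = re.compile(r"\bLTAI[A-Za-z0-9]{12,20}\b")
# Assumption: the secret is a standalone 30-character alphanumeric token.
AK_SECRET = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{30}(?![A-Za-z0-9])")

def entropy(s):
    """Shannon entropy in bits per character; random secrets score high."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def redact(value):
    """Keep a short prefix for triage; never echo the full credential."""
    return value[:6] + "*" * (len(value) - 6)

def scan(text, window=3, min_entropy=3.5):
    """Return sorted (line_no, kind, redacted) findings for one file's text."""
    lines = text.splitlines()
    found = set()
    for i, line in enumerate(lines):
        for m in AK_ID.finditer(line):
            found.add((i + 1, "access_key_id", redact(m.group())))
            # A secret only counts when it sits within `window` lines of an ID.
            for j in range(max(0, i - window), min(len(lines), i + window + 1)):
                for s in AK_SECRET.finditer(lines[j]):
                    if entropy(s.group()) >= min_entropy:
                        found.add((j + 1, "access_key_secret", redact(s.group())))
    return sorted(found)

# Constructed sample: neither value is a real credential.
SAMPLE = '''\
# deploy settings
access_key_id = "LTAIexample0000000000001"
access_key_secret = "Zk3vQ9xT7mB2nL5pR8wY1cD4fH6jKa"
region = "cn-hangzhou"
'''

if __name__ == "__main__":
    # Pre-commit use: pass the staged file paths; a non-zero exit blocks the commit.
    hits = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, kind, shown in scan(fh.read()):
                print(f"{path}:{line_no}: {kind} {shown}")
                hits += 1
    sys.exit(1 if hits else 0)
```

Findings are redacted so that the hook output itself does not copy the secret into terminal scrollback or CI logs.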

  • Configuration check: configuration assessment
    To prevent exceptions when you use Alibaba Cloud services, log on to the Security Center console and choose Precaution > Config Assessment in the left-side navigation pane. On the Cloud Platform Configuration Assessment page, you can check whether the configuration items of your Alibaba Cloud services are at risk.
    • Make sure that the audit logs of Alibaba Cloud services are in the Enabled state. In this situation, you can check whether abnormal calls exist.
    • Make sure that the AccessKey pair of a RAM user is used, instead of that of the Alibaba Cloud account. Also, abide by the principle of least privilege. This way, if the AccessKey pair is leaked, the control permissions of the Alibaba Cloud account are not completely lost.
    • Make sure that multi-factor authentication (TOTP) is enabled for the Alibaba Cloud account. This reduces the risks of unauthorized access due to password leaks.
      Note: Multi-factor authentication (MFA) is now renamed TOTP.
  • Leak behavior detection: detection of AccessKey pair leaks
    You can log on to the Security Center console and choose Detection > AccessKey Leak in the left-side navigation pane. On the AccessKey Leak Detection page, you can view the details of AccessKey pair leaks.
  • Abnormal calls: Alerts > Cloud threat detection

    You can log on to the Security Center console and view the alerts of the Cloud threat detection type on the Alerts page. If Security Center detects an abnormal call that includes an AccessKey pair, it generates alerts and notifies users. This way, the leak can be detected in a timely manner.

Security suggestions

In addition to the aforementioned detection and response measures for AccessKey pair leaks, we recommend that you conform to the following security specifications when you use Alibaba Cloud services. This reduces the impacts of AccessKey pair leaks.

  • Do not embed AccessKey pairs in code.

    AccessKey pairs embedded in code are easy to overlook. We recommend that you store AccessKey pairs in databases or separate files to facilitate management.

  • Change AccessKey pairs on a regular basis.

    We recommend that you regularly change the existing AccessKey pairs in code. This ensures that the leaks of original code do not affect online business.

  • Revoke unnecessary AccessKey pairs on a regular basis.

    You can view the last access time to AccessKey pairs in the console. We recommend that you disable unnecessary AccessKey pairs.

  • Abide by the principle of least privilege and use RAM users.

    You must grant the read and write permissions to RAM users based on business requirements and use the AccessKey pairs of different RAM users for business.

  • Enable log audit and deliver the logs to Object Storage Service (OSS) and Log Service for long-term storage and audit.

    Operation logs stored in OSS provide fixed evidence if exceptions occur. If you have a large number of logs, you can deliver the logs to Log Service, where you can search for specific logs in an efficient manner.
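
One way to follow the first suggestion above and keep the AccessKey pair in a separate file instead of in code, as an added example that is not Alibaba Cloud's own code. The file layout (a `[default]` section with `access_key_id` and `access_key_secret`) and the `CredentialError` name are hypothetical; the environment variable names follow the Alibaba Cloud SDK convention.

```python
import configparser
import os
import stat

class CredentialError(Exception):
    """Raised when the AccessKey pair cannot be loaded safely."""

def load_access_key(path, env=os.environ):
    """Return (access_key_id, access_key_secret) from env vars or a private file."""
    # Environment variables win, so a deployment can inject keys without a file.
    ak_id = env.get("ALIBABA_CLOUD_ACCESS_KEY_ID")
    ak_secret = env.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
    if ak_id and ak_secret:
        return ak_id, ak_secret

    # Refuse a credentials file that group or other users can read or write:
    # a separate file only helps if it is not itself exposed.
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError(f"{path} is accessible to other users; chmod 600 it")

    # interpolation=None keeps '%' characters in a secret from being expanded.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path, encoding="utf-8")
    try:
        section = parser["default"]  # hypothetical section name
        return section["access_key_id"], section["access_key_secret"]
    except KeyError as exc:
        raise CredentialError(f"{path} is missing {exc}") from None
```

Keep the credentials file outside the repository, or list it in `.gitignore`, so that it cannot be committed along with the code.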