An API credential (an AccessKey pair, an authentication key pair based on asymmetric key algorithms) is the unique and important identity credential that Alibaba Cloud users use to call cloud service APIs and access cloud resources. It is used for communication encryption and identity authentication when users call APIs.

API credentials and passwords serve different scenarios: API credentials are used to call Alibaba Cloud APIs by using command lines or programs, while passwords are used to log on to the console.

On Alibaba Cloud, users can use an AccessKey pair to construct an API request or to use the Alibaba Cloud SDK to manage resources. An AccessKey pair consists of an AccessKey ID and an AccessKey Secret: the AccessKey ID identifies a user, and the AccessKey Secret is the key used to verify the validity of the user's identity. You must keep your AccessKey Secret strictly confidential.

Note: If API credentials are leaked, users are exposed to risks such as data breaches.

Automatic closed-loop AccessKey pair security detection provided by Security Center

Security Center provides comprehensive detection to cope with accidental AccessKey pair disclosure and safeguard the security of services on Alibaba Cloud. The detection covers a pre-leak configuration check, leak behavior detection, and detection of abnormal calls.

Alibaba Cloud has cooperated with GitHub, the largest open-source code management provider, to implement the token scan mechanism.

The automatic closed-loop AccessKey security detection of Security Center detects AccessKey pairs leaked on GitHub. In real scenarios, Alibaba Cloud notifies users and responds within a few seconds after code that includes an AccessKey pair is submitted to GitHub, which minimizes users' losses once the AccessKey pair is leaked.

  • Pre-leak configuration check: Cloud Platform Configuration Assessment
    To prevent exceptions when you use Alibaba Cloud, you can log on to the Security Center console and choose Precaution > Config Assessment in the left-side navigation pane. On the Cloud Platform Configuration Assessment page that appears, check whether the configuration items of your Alibaba Cloud services have security risks.
    • The operation audit logs of Alibaba Cloud services must be in the Enabled state. This helps you analyze whether abnormal calls exist.
    • You must use the AccessKey pair of a RAM user instead of that of the Alibaba Cloud account and abide by the principle of least privilege. This way, if the AccessKey pair is leaked, the control permission of the Alibaba Cloud account is not completely lost.
    • Multi-factor authentication (MFA) must be enabled for the Alibaba Cloud account to reduce unauthorized access due to password leak.
  • Leak behavior detection: AccessKey Leak
    You can log on to the Security Center console and choose Detection > AccessKey Leak in the left-side navigation pane to check the details of AccessKey pair leaks on the Leak Detection by AccessKey page that appears.
  • Abnormal calls: Alerts > Cloud threat detection

    In addition to pre-leak prevention, you can log on to the Security Center console, click Alerts, and filter for alerts of the Cloud threat detection type. Security Center generates an alert when it detects an abnormal request that contains an AccessKey pair. This way, a leak can be detected in a timely manner.
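The "abnormal calls" check above relies on operation audit logs being enabled and on knowing what normal use of each AccessKey ID looks like. The following added example (it is not Security Center's code and not part of the original page) shows one way to do that analysis yourself: it builds a per-AccessKey-ID baseline of source IPs, regions and actions from earlier audit events, then flags new events that come from an unseen IP or region, use a sensitive action, or belong to a key with no history at all. The log records are constructed, and their field names (`accessKeyId`, `sourceIp`, `eventName`, `region`) are an assumption made for this example rather than the exact ActionTrail layout.

```python
"""Added example, not part of the Alibaba Cloud documentation: flag abnormal
API calls by comparing each AccessKey ID's new activity in operation audit
logs against a baseline built from its earlier, known-good activity.

All records below are constructed. Their field names are an assumption made
for this example (real ActionTrail events carry more fields).
"""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed historical events used to learn what "normal" looks like per key.
BASELINE_EVENTS: List[dict] = [
    {"accessKeyId": "EXAMPLE-KEY-A", "sourceIp": "203.0.113.10", "eventName": "DescribeInstances", "region": "cn-hangzhou"},
    {"accessKeyId": "EXAMPLE-KEY-A", "sourceIp": "203.0.113.10", "eventName": "GetObject", "region": "cn-hangzhou"},
    {"accessKeyId": "EXAMPLE-KEY-A", "sourceIp": "203.0.113.11", "eventName": "DescribeInstances", "region": "cn-hangzhou"},
    {"accessKeyId": "EXAMPLE-KEY-B", "sourceIp": "198.51.100.5", "eventName": "PutObject", "region": "cn-shanghai"},
]

# Constructed new events to be checked against that baseline.
NEW_EVENTS: List[dict] = [
    # Same key, same IP, same region, routine action: expected to be normal.
    {"accessKeyId": "EXAMPLE-KEY-A", "sourceIp": "203.0.113.10", "eventName": "DescribeInstances", "region": "cn-hangzhou"},
    # Same key from a never-seen IP and region, creating another credential.
    {"accessKeyId": "EXAMPLE-KEY-A", "sourceIp": "192.0.2.77", "eventName": "CreateAccessKey", "region": "ap-southeast-1"},
    # A key that never appeared in the baseline window at all.
    {"accessKeyId": "EXAMPLE-KEY-C", "sourceIp": "192.0.2.78", "eventName": "ListBuckets", "region": "cn-hangzhou"},
]

# Actions worth an alert regardless of baseline: credential and policy changes
# (illustrative action names chosen for this example).
SENSITIVE_ACTIONS: Set[str] = {"CreateAccessKey", "CreateUser", "AttachPolicyToUser", "DeleteTrail"}


def build_baseline(events: List[dict]) -> Dict[str, Dict[str, Set[str]]]:
    """Collect the source IPs, regions and actions each AccessKey ID normally uses."""
    baseline: Dict[str, Dict[str, Set[str]]] = defaultdict(
        lambda: {"ips": set(), "regions": set(), "actions": set()}
    )
    for event in events:
        profile = baseline[event["accessKeyId"]]
        profile["ips"].add(event["sourceIp"])
        profile["regions"].add(event["region"])
        profile["actions"].add(event["eventName"])
    return baseline


def detect_abnormal(events: List[dict], baseline: Dict[str, Dict[str, Set[str]]],
                    sensitive: Set[str] = SENSITIVE_ACTIONS) -> List[dict]:
    """Return one finding per event that deviates from the key's baseline."""
    findings = []
    for event in events:
        key = event["accessKeyId"]
        reasons = []
        profile = baseline.get(key)  # .get() does not create a default entry
        if profile is None:
            reasons.append("AccessKey ID has no history in the baseline window")
        else:
            if event["sourceIp"] not in profile["ips"]:
                reasons.append(f"new source IP {event['sourceIp']}")
            if event["region"] not in profile["regions"]:
                reasons.append(f"new region {event['region']}")
        if event["eventName"] in sensitive:
            reasons.append(f"sensitive action {event['eventName']}")
        if reasons:
            findings.append({"accessKeyId": key, "eventName": event["eventName"],
                             "sourceIp": event["sourceIp"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_abnormal(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(finding["accessKeyId"], finding["eventName"], "->", "; ".join(finding["reasons"]))
```

A baseline built from a short window will produce noise at first (a new office IP, a new region after a deployment); in practice the baseline window should be long enough to cover legitimate variation, and the "sensitive action" rule should stay independent of the baseline so that a credential created from a familiar IP is still reviewed.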

Security suggestions

In addition to the AccessKey pair leak detection and response measures provided by Security Center, we recommend that you follow the security practices below when you use Alibaba Cloud to reduce the impact of an AccessKey pair leak:

  • Do not embed AccessKey pairs in code.

    AccessKey pairs embedded in code are easily overlooked. We recommend that you store AccessKey pairs in a database or in separate configuration files to facilitate management.

  • Change AccessKey pairs regularly.

    We recommend that you regularly replace the AccessKey pairs used in your code, so that a leak of the original code does not affect online services.

  • Revoke the unnecessary AccessKey pairs regularly.

    You can view the last access time of each AccessKey pair in the Alibaba Cloud console. We recommend that you manually disable AccessKey pairs that are no longer needed.

  • Abide by the principle of least privilege and use RAM users.

    Grant read and write permissions to different RAM users based on business needs, and assign the AccessKey pairs of different RAM users to different businesses.

  • Enable operation log audit and ship it to OSS and SLS for long-term storage and audit.

    Operation logs stored in OSS provide a fixed record of evidence in case of exceptions. If you have a large number of logs, you can also ship them to SLS to search for specific logs.
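The first suggestion above ("Do not embed AccessKey pairs in code") is the one that the GitHub token scan catches after the fact; a local check before code is committed catches it earlier. The following added example (not code from the original page or from Alibaba Cloud) is a small scanner that looks for hard-coded AccessKey assignments in source text and shows the vulnerable pattern next to the corrected one, which reads the credentials from environment variables instead. The `make_client` function, the sample snippets, and the key values in them are constructed for this example; the heuristic that an AccessKey ID literal starts with `LTAI` is an assumption of the example, not something the page states.

```python
"""Added example, not from the Alibaba Cloud documentation: a pre-commit style
scanner for AccessKey pairs hard-coded in source files.

Detection rules (both are heuristics chosen for this example):
  1. an access_key_id / access_key_secret style name assigned a quoted literal;
  2. a bare literal that looks like an AccessKey ID (assumed "LTAI" prefix).
"""
import re
from pathlib import Path
from typing import List

# Rule 1: name like accessKeyId / ACCESS_KEY_SECRET followed by '=' or ':' and a
# quoted literal of at least 8 characters. Case-insensitive.
KEY_ASSIGNMENT = re.compile(
    r"(?i)access[_-]?key[_-]?(id|secret)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
# Rule 2: assumed AccessKey ID shape for this example (prefix + alphanumerics).
KEY_ID_LITERAL = re.compile(r"\bLTAI[A-Za-z0-9]{12,}\b")

# Constructed snippet of what must NOT be committed: credentials in the source.
SAMPLE_BAD = '''# constructed example of what must NOT be committed
client = make_client(
    access_key_id="LTAIEXAMPLE0123456789",
    access_key_secret="ExampleSecretValue0123456789abcdef",
    region_id="cn-hangzhou",
)
'''

# Constructed corrected snippet: the pair is read from the environment at
# runtime, so nothing secret is in the repository.
SAMPLE_GOOD = '''import os
client = make_client(
    access_key_id=os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
    access_key_secret=os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"],
    region_id="cn-hangzhou",
)
'''


def _redact(value: str) -> str:
    """Keep only a short prefix so a report never reproduces the secret."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(text: str) -> List[dict]:
    """Return one finding per line that appears to contain an AccessKey literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = KEY_ASSIGNMENT.search(line)
        if match:
            kind = "hardcoded AccessKey ID" if match.group(1).lower() == "id" else "hardcoded AccessKey Secret"
            findings.append({"line": line_no, "kind": kind, "preview": _redact(match.group(2))})
            continue
        match = KEY_ID_LITERAL.search(line)
        if match:
            findings.append({"line": line_no, "kind": "AccessKey ID literal", "preview": _redact(match.group(0))})
    return findings


def scan_path(path: str) -> List[dict]:
    """Scan one file; binary or unreadable files are skipped rather than fatal."""
    try:
        text = Path(path).read_text(encoding="utf-8")
    except (OSError, UnicodeDecodeError):
        return []
    return [dict(f, file=path) for f in scan_text(text)]


if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, scan_text(sample))
```

The scanner reports a redacted preview only, so its own output can be logged without re-leaking the value it found. Wired into a pre-commit hook it complements, rather than replaces, the GitHub-side scan: it stops the commit on the developer's machine, where the pair has not yet left the organization.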
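The second and third suggestions ("Change AccessKey pairs regularly" and "Revoke the unnecessary AccessKey pairs regularly") both turn on two dates the console shows: when a pair was created and when it was last used. The following added example (not code from the original page or from Alibaba Cloud) evaluates a list of key records against a simple lifecycle policy: disable pairs that have been idle or never used past a threshold, rotate pairs older than a maximum age, and flag already-disabled pairs for deletion. The records, the thresholds (30 idle days, 90 days maximum age) and the `AccessKeyRecord` shape are constructed for this example; a real run would fill the records from the console or the RAM API.

```python
"""Added example, not from the Alibaba Cloud documentation: decide which
AccessKey pairs to rotate, disable or delete from their creation and
last-used timestamps. Records and thresholds are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class AccessKeyRecord:
    access_key_id: str
    status: str                     # "Active" or "Inactive"
    create_date: datetime           # timezone-aware
    last_used: Optional[datetime]   # None means the pair was never used


# Reference "now" for the constructed records below.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed records; the IDs are placeholders, not real AccessKey IDs.
SAMPLE_KEYS: List[AccessKeyRecord] = [
    AccessKeyRecord("EXAMPLE-KEY-A", "Active", datetime(2024, 5, 20, tzinfo=timezone.utc), datetime(2024, 5, 31, tzinfo=timezone.utc)),
    AccessKeyRecord("EXAMPLE-KEY-B", "Active", datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2024, 5, 30, tzinfo=timezone.utc)),
    AccessKeyRecord("EXAMPLE-KEY-C", "Active", datetime(2024, 2, 1, tzinfo=timezone.utc), datetime(2024, 3, 1, tzinfo=timezone.utc)),
    AccessKeyRecord("EXAMPLE-KEY-D", "Active", datetime(2024, 4, 1, tzinfo=timezone.utc), None),
    AccessKeyRecord("EXAMPLE-KEY-E", "Inactive", datetime(2023, 1, 1, tzinfo=timezone.utc), datetime(2023, 6, 1, tzinfo=timezone.utc)),
]


def review_keys(keys: List[AccessKeyRecord], now: datetime,
                max_age_days: int = 90, max_idle_days: int = 30) -> Dict[str, Tuple[str, str]]:
    """Map each AccessKey ID to (action, reason). Actions: keep/rotate/disable/delete."""
    actions: Dict[str, Tuple[str, str]] = {}
    for key in keys:
        age_days = (now - key.create_date).days
        if key.status != "Active":
            # Already disabled: the remaining risk is re-enabling it later.
            actions[key.access_key_id] = ("delete", "already disabled; delete if no longer needed")
        elif key.last_used is None:
            if age_days > max_idle_days:
                actions[key.access_key_id] = ("disable", f"never used in {age_days} days since creation")
            else:
                actions[key.access_key_id] = ("keep", "recently created, not yet used")
        else:
            idle_days = (now - key.last_used).days
            if idle_days > max_idle_days:
                actions[key.access_key_id] = ("disable", f"unused for {idle_days} days")
            elif age_days > max_age_days:
                actions[key.access_key_id] = ("rotate", f"{age_days} days old, exceeds {max_age_days}")
            else:
                actions[key.access_key_id] = ("keep", f"in use, {age_days} days old")
    return actions


if __name__ == "__main__":
    for key_id, (action, reason) in review_keys(SAMPLE_KEYS, NOW).items():
        print(f"{key_id}: {action} ({reason})")
```

The idle check runs before the age check on purpose: an old pair that is still in use needs a coordinated rotation (issue the new pair, switch the workload, then disable the old one), whereas a pair nobody has used for a month can be disabled first and investigated afterwards, since disabling is reversible and deleting is not.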