
Primary account security best practices

Last Updated: Sep 15, 2017

A primary account is equivalent to a root account that controls all of your cloud resources. As such, if the primary account password or API AccessKey is lost or disclosed, this may cause immeasurable loss to your enterprise.

So how do you protect your primary account? This document provides a reference.

Security best practices

Follow the listed best practices to secure your primary account.

  • Enable account protection for the root account

    • Enable account protection for your root account (for example, TOTP verification, a time-based one-time password) and do not share the MFA device with others.

    • Enable MFA for RAM users with special operation permissions. Special operation permissions include user management, authorization, instance stopping/release, instance configuration modification, and data deletion.

  • Create different RAM accounts for routine O&M management operations

    • Create RAM user accounts for employees and use them to perform routine O&M management operations.
    • Create independent RAM user accounts for financial employees.
    • Create independent RAM user accounts for RAM administrators.
  • Prohibit creation of an AccessKey for the root account

    AccessKeys have the same permissions as logon passwords. However, AccessKeys are used for program access while logon passwords are used to log on to the console. Because AccessKeys are generally stored in configuration files in cleartext format, there is a high leakage risk.

    Configure RAM user identities for all application systems and follow the principle of least privilege when granting permissions.

  • Use authorization policies with IP restrictions

    All users that are granted special operation permissions must be configured with IP restrictions (acs:SourceIp).

    Then, even if a RAM user’s logon password or AccessKey is disclosed, an attacker cannot use it to access your account as long as they have not penetrated your trusted network.

  • Use authorization policies with MFA restrictions

    All users that are granted special operation permissions must be configured with MFA restrictions (acs:MFAPresent).

    Then, even if a RAM user’s logon password or AccessKey is disclosed, an attacker cannot use it to access your account as long as the MFA device is not lost.
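
The following is an added example, not from the original document, showing what the IP restriction (acs:SourceIp) and MFA restriction (acs:MFAPresent) described in the two items above look like in a RAM policy document, together with a small evaluator that shows how such conditions fail closed. The policy follows the RAM policy-document layout (Version, Statement, Effect, Action, Resource, Condition); the action names, the TEST-NET address ranges and the evaluator itself are constructed for illustration and are not Alibaba Cloud's own evaluation logic.

```python
import ipaddress

# Constructed example policy in RAM policy-document style. The Condition block is what
# the best practices refer to: acs:SourceIp limits requests to a trusted network and
# acs:MFAPresent requires an MFA-authenticated session. Action names and CIDR ranges
# are placeholders chosen for this example.
TRUSTED_NETWORK_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:StopInstance", "ecs:DeleteInstance"],  # placeholder special operations
            "Resource": "*",
            "Condition": {
                "IpAddress": {"acs:SourceIp": ["203.0.113.0/24", "198.51.100.10"]},  # constructed trusted network
                "Bool": {"acs:MFAPresent": "true"},
            },
        }
    ],
}


def _ip_matches(source_ip, allowed):
    """True if source_ip falls inside any allowed single address or CIDR block."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowed)


def _condition_holds(condition, ctx):
    """Evaluate the IpAddress and Bool operators against the request context.

    A missing context key or an unsupported operator makes the condition fail,
    so the statement never grants access by accident (fail closed).
    """
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if key not in ctx:
                return False
            if operator == "IpAddress":
                if not _ip_matches(ctx[key], expected):
                    return False
            elif operator == "Bool":
                if str(ctx[key]).lower() != str(expected).lower():
                    return False
            else:
                return False
    return True


def evaluate(policy, action, ctx):
    """Return 'Allow' if a statement permits the action and its conditions hold, else 'Deny'.

    Default decision is Deny; an explicit Deny statement whose conditions hold wins.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed request contexts. An AccessKey used from outside the office has no
    # MFA session and an untrusted source address, so the disclosed key is useless.
    cases = {
        "console, inside network, MFA":   {"acs:SourceIp": "203.0.113.7", "acs:MFAPresent": True},
        "console, outside network, MFA":  {"acs:SourceIp": "192.0.2.1", "acs:MFAPresent": True},
        "AccessKey, inside network, no MFA": {"acs:SourceIp": "203.0.113.7", "acs:MFAPresent": False},
    }
    for label, ctx in cases.items():
        print(f"{label}: {evaluate(TRUSTED_NETWORK_POLICY, 'ecs:StopInstance', ctx)}")
```

Both conditions must hold for the Allow statement to apply: a request from a trusted address without an MFA session is still denied, as is an MFA-authenticated console session from an untrusted address. In a real deployment, replace the placeholder CIDR list with your office or VPN egress ranges and attach the policy only to the RAM users that hold special operation permissions.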

There is no such thing as absolute security, only best practices. Combining these protection mechanisms with adherence to these security principles will significantly improve the security of your account assets.
