
Security Center: Detection of AccessKey pair leaks

Last Updated: Jan 24, 2024

Security Center checks, in real time, source code that is stored on GitHub for the AccessKey pairs of Alibaba Cloud accounts and Resource Access Management (RAM) users. If Security Center detects an AccessKey pair leak, it generates an alert. We recommend that you view and handle AccessKey pair leak events at the earliest opportunity. This topic describes the principles for the detection of AccessKey pair leaks and how to handle AccessKey pair leak events.

Principles

The AccessKey leak detection feature uses the threat intelligence collection system and network crawlers to monitor source code on platforms such as GitHub in real time. In most cases, source code is uploaded and disclosed by enterprise employees. Security Center checks whether the source code contains AccessKey pairs. If the source code contains AccessKey pairs, Security Center sends notifications to help you identify data leaks at the earliest opportunity.

Important

If an employee of an enterprise uploads source code that cannot be disclosed to platforms such as GitHub, the AccessKey pairs of the Alibaba Cloud accounts that are owned by the enterprise may be leaked on the Internet. If the AccessKey pair of an Alibaba Cloud account is leaked, you may lose control of the resources within the account.

An AccessKey pair can be used by third parties only if both the AccessKey ID and AccessKey secret of the AccessKey pair are leaked. When Security Center detects an AccessKey pair leak of an Alibaba Cloud account or a RAM user, Security Center notifies the Alibaba Cloud account or the Alibaba Cloud account to which the RAM user belongs by using different methods based on whether the AccessKey secret is valid. The following methods are supported:

  • Alerts on the AK leak detection page: Security Center generates an alert if an AccessKey pair leak is detected, regardless of whether the AccessKey secret is valid.

  • Prompts in the console: Security Center displays a prompt in the Security Center console if an AccessKey pair leak is detected and the AccessKey secret is valid.

  • Notifications: Security Center sends notifications based on the specified notification settings if an AccessKey pair leak is detected and the AccessKey secret is valid. The notifications can be sent by internal message and email.


Configure alert notifications for AccessKey pair leaks

If an alert is generated for AccessKey pair leaks, Security Center notifies you by email or internal message.

By default, Security Center sends notifications when an alert is generated. You can also perform the following operations to specify a custom notification time range and method: Log on to the Security Center console. Go to the Notification Settings page. Click the Text Message/Email/Internal Message tab. Then, configure Notify At and Notify By for AccessKey leakage info. After you configure the parameters, Security Center sends notifications for AccessKey pair leaks only in the time range that you specify. For more information, see Configure notification settings.

Important
  • If an AccessKey pair leak is detected outside the specified time range, Security Center does not immediately send a notification. Security Center sends the notification within the next time range. AccessKey pair leak events can cause serious risks. We recommend that you set Notify At to 24 Hours and select all notification methods. This way, you can receive notifications for AccessKey pair leaks at the earliest opportunity.

  • If you receive a notification for an AccessKey pair leak, the AccessKey pair of your Alibaba Cloud account or a RAM user is leaked. We recommend that you handle the leaked AccessKey pair at the earliest opportunity. After you handle the leaked AccessKey pair, handle the AccessKey pair leak event in the Security Center console.

View and handle AccessKey pair leak events

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Risk Governance > AccessKey Leak Detection.

  3. On the AK leak detection page, view and handle AccessKey pair leak events.

    • View information about AccessKey pair leak events

      You can view information about AccessKey pair leak events that Security Center detects. The information includes Accesskey Leaked, AccessKey Exception Call, and Testing Platform.

      Click the number below AccessKey Exception Call to go to the Alerts page and view the generated alerts for suspicious calls of AccessKey pairs. You can view AccessKey Exception Call to check the impact scope of AccessKey pair leaks.

    • View the details of an AccessKey pair leak event

      To view the details of an AccessKey pair leak event, find the leak event and click Details in the Actions column. You can click the value of Username, File Name, or Repository Name in the File Details section to go to GitHub and view the source of the AccessKey pair leak.

    • Handle an AccessKey pair leak event

      Security Center cannot automatically handle a leaked AccessKey pair and does not provide a quick-handling option for it. You must manually handle the AccessKey pair in the RAM console and then log on to the Security Center console to handle the AccessKey pair leak event. You can manually handle a leaked AccessKey pair by using the following methods:

      After you manually handle a leaked AccessKey pair, you must find the AccessKey pair leak event on the AK leak detection page and click Handle in the Actions column. In the dialog box that appears, select a handling method and click Process Now.

      Valid values for Process Method are Deleted manually, Manually Disable AK, and Whitelist.

      Note

      After you delete the information that involves the AccessKey pair and select a handling method for Process Method, the status of the AccessKey pair leak event changes to Handled.

      If you add the AccessKey pair leak event to the whitelist, the status of the event changes to Whitelisted. Then, the event is added to the Handled list.

      If you want to remove the AccessKey pair leak event from the whitelist, find the event in the Handled list, go to the details page, and then click Cancel the whitelist.

    • Export the report of detected leak events on AccessKey pairs

      Click the download icon. After the report is exported, the Done message appears. To download and save the report as an Excel file to your computer, click Download.

View AccessKey pair call events

You can view the call events on AccessKey pairs to check whether leaked AccessKey pairs are used by attackers and understand the impact scope of AccessKey pair leak events. You can view AccessKey pair call events in the ActionTrail console.

  1. Log on to the Security Center console, go to the AK leak detection page, and then copy the required AccessKey ID.


  2. Log on to the ActionTrail console.

  3. In the left-side navigation pane, choose Events > Event Query.

  4. Select AccessKey ID from the Read/Write Type drop-down list, paste AccessKey ID in the search box, and then select a time range for the query.


  5. In the list of events, find the required event and click View Event Details to view the details of the event.
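A triage pass over the events returned by the query above, as an added example (not Alibaba Cloud code). It assumes the events are available as JSON objects with `userIdentity.accessKeyId`, `sourceIpAddress`, `eventName` and `eventTime` fields; the sample events, key value and trusted CIDR are constructed.

```python
import ipaddress
from collections import defaultdict


def _is_trusted(ip_text, networks):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # a missing value or non-IP string is never trusted
        return False
    return any(ip in net for net in networks)


def summarize_key_usage(events, access_key_id, trusted_cidrs):
    """Group calls made with one AccessKey ID by source IP, untrusted first."""
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    by_ip = defaultdict(lambda: {"calls": 0, "apis": set(), "times": []})
    for ev in events:
        if ev.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue  # guard in case the export holds other keys too
        row = by_ip[ev.get("sourceIpAddress", "unknown")]
        row["calls"] += 1
        row["apis"].add(ev.get("eventName", "unknown"))
        row["times"].append(ev.get("eventTime", ""))
    report = [{
        "source_ip": ip,
        "trusted": _is_trusted(ip, networks),
        "calls": row["calls"],
        "apis": sorted(row["apis"]),
        "first_seen": min(row["times"]),  # same-format UTC strings sort by time
        "last_seen": max(row["times"]),
    } for ip, row in by_ip.items()]
    return sorted(report, key=lambda r: (r["trusted"], r["source_ip"]))


# Constructed events; field names are assumed to match an ActionTrail export.
KEY = "LTAIexampleKEY0000000001"
EVENTS = [
    {"eventTime": "2024-01-20T08:00:00Z", "eventName": "DescribeInstances",
     "sourceIpAddress": "198.51.100.10", "userIdentity": {"accessKeyId": KEY}},
    {"eventTime": "2024-01-20T09:30:00Z", "eventName": "ListUsers",
     "sourceIpAddress": "203.0.113.77", "userIdentity": {"accessKeyId": KEY}},
    {"eventTime": "2024-01-20T09:31:00Z", "eventName": "CreateAccessKey",
     "sourceIpAddress": "203.0.113.77", "userIdentity": {"accessKeyId": KEY}},
    {"eventTime": "2024-01-20T09:40:00Z", "eventName": "DescribeInstances",
     "sourceIpAddress": "198.51.100.10",
     "userIdentity": {"accessKeyId": "LTAIotherKEY00000000002"}},
]
TRUSTED = ["198.51.100.0/24"]  # constructed: your own egress ranges go here
print(summarize_key_usage(EVENTS, KEY, TRUSTED))
```

Rows with `trusted` set to False sort first, so calls from addresses outside your own ranges are the ones to review in View Event Details.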

Suggestions for using AccessKey pairs

  • Do not use the AccessKey pair of an Alibaba Cloud account.

  • Do not hard code an AccessKey pair into your code. You can manage your AccessKey pair by configuring environment variables. For more information, see Credential security solutions.
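A pre-commit style check for the hard-coding advice above, added here as an example and not Security Center's detection logic. It assumes AccessKey IDs begin with `LTAI` and secrets are 30 alphanumeric characters (formats not stated on this page), and it rates a hit as a usable pair only when an ID and a secret candidate sit close together, because a pair can be used only if both halves leak. The key values, the `Client` call and the blocking policy are constructed for the example.

```python
import re

# Assumed formats (not stated on this page): IDs start with "LTAI" plus 12-20
# alphanumerics; secrets are 30 alphanumerics. Tune for your own keys.
AK_ID = re.compile(r"(?<![A-Za-z0-9])LTAI[A-Za-z0-9]{12,20}(?![A-Za-z0-9])")
AK_SECRET = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{30}(?![A-Za-z0-9])")
WINDOW = 3  # lines around an ID in which a secret counts as the same pair


def scan_text(text):
    """Return one finding per AccessKey ID: line number, masked ID, severity."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        for match in AK_ID.finditer(line):
            nearby = lines[max(0, idx - WINDOW): idx + WINDOW + 1]
            has_secret = any(AK_SECRET.search(ln) for ln in nearby)
            findings.append({
                "line": idx + 1,
                "id": match.group()[:8] + "...",  # never echo the full ID
                "severity": "pair" if has_secret else "id_only",
            })
    return findings


def should_block_commit(findings):
    """Block on any usable pair; ID-only hits are reported but not blocking."""
    return any(f["severity"] == "pair" for f in findings)


# Constructed samples; the key values are made up for this example.
HARDCODED = '''
client = Client(
    access_key_id="LTAIexampleKEY0000000001",
    access_key_secret="EXAMPLEsecretEXAMPLEsecret0000",
)
'''
FROM_ENV = '''
import os
client = Client(
    access_key_id=os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
    access_key_secret=os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"],
)
'''
ID_ONLY = "# rotated key LTAIexampleKEY0000000001 is referenced in the ticket\n"

if __name__ == "__main__":
    for name, src in (("hardcoded", HARDCODED), ("env", FROM_ENV), ("id", ID_ONLY)):
        print(name, scan_text(src), should_block_commit(scan_text(src)))
```

The 30-character secret pattern is a heuristic and will match unrelated tokens of that length, so treat `pair` findings as candidates to review and rotate, not as proof.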
