Security Center monitors source code stored on GitHub in real time to check whether the usernames and passwords of your assets have been leaked. If a leak is detected, Security Center generates an alert so that you can identify and handle potential AccessKey pair leaks.

Background information

Employees of an enterprise can upload source code to GitHub. This may cause the leak of sensitive data, such as the endpoints and passwords of enterprise databases and the passwords of enterprise servers.

The AccessKey leak detection feature uses the threat intelligence collection system to inspect source code on GitHub. In most cases, the source code was uploaded and made public by employees of an enterprise. Security Center determines whether the source code contains the usernames and passwords of your assets. The assets include Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, and ApsaraDB RDS for MySQL instances. Security Center generates alerts on potential leaks in real time to help you minimize risks.

Note: By default, the AccessKey pair leak detection feature is enabled for all users of Security Center.
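The kind of content described above can also be caught locally before code is pushed. The following is an added example, not Security Center's detection logic and not code from this page: a small scanner for AccessKey IDs, credentials embedded in ApsaraDB RDS connection URLs, and hardcoded passwords. The rule patterns are heuristics chosen for this example, and the file contents are constructed.

```python
import re

# Heuristic rules chosen for this example (not Security Center's rule set).
RULES = {
    # AccessKey IDs commonly begin with "LTAI"; the length range is a heuristic.
    "accesskey_id": re.compile(r"\bLTAI[A-Za-z0-9]{12,20}\b"),
    # user:password embedded in a URL that points at an ApsaraDB RDS endpoint.
    "rds_credentials": re.compile(
        r"\b[a-z][a-z0-9+]*://[^\s:/@]+:[^\s@]+@[\w.-]+\.rds\.aliyuncs\.com\b"),
    # Quoted literal assigned to a name containing password/passwd/secret.
    "hardcoded_password": re.compile(
        r"(?i)\b\w*(?:password|passwd|secret)\w*\s*[:=]\s*[\"'][^\"']{6,}[\"']"),
}
# Values that are clearly templates rather than real secrets.
PLACEHOLDER = re.compile(r"(?i)\$\{|<[^>]+>|changeme|example|x{4,}")

# Constructed repository content; none of these values is a real credential.
SAMPLE_FILES = {
    "settings.py": (
        'ACCESS_KEY_ID = "LTAIconstructed0001"\n'
        'db_password = "${DB_PASSWORD}"\n'
        'smtp_password = "Winter-constructed-24"\n'),
    "README.md": ("Connect with mysql://app:S3cr3t-made-up"
                  "@rm-constructed.mysql.rds.aliyuncs.com:3306/shop\n"),
}

def redact(text, keep=6):
    """Keep a short prefix so the finding is recognisable but not reusable."""
    return text[:keep] + "*" * max(len(text) - keep, 0)

def scan_text(path, text):
    """Return (path, line number, rule name, redacted excerpt) per finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                if PLACEHOLDER.search(m.group(0)):
                    continue  # template value, not a secret
                findings.append((path, lineno, rule, redact(m.group(0))))
    return findings

def scan_files(files):
    """Scan a {path: text} mapping and return all findings in order."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    for path, lineno, rule, excerpt in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}: {excerpt}")
```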

Configure alert notifications for AccessKey pair leaks

If an alert is generated, Security Center sends alert notifications to users by using text messages, emails, or internal messages.

By default, the AccessKey pair leak detection feature is enabled for all users of Security Center. You can also perform the following operations to customize the notification time period and method:

  1. Log on to the Security Center console.
  2. Open the Settings page and click the Notifications tab.
  3. In the Notification Settings section, configure the Notify At and Notify By parameters for AccessKey leakage info.

After you configure the parameters, you receive notifications only during the time period that you specify. For more information, see Notifications.
Notice
  • If an AccessKey pair leak is detected outside the time period that you specify for alert notifications, you do not receive the notification at the earliest opportunity.
  • After you receive notifications for AccessKey pair leaks, you must promptly delete all information involving your AccessKey pairs on GitHub and handle the alert by selecting a method in the console. To handle the alert, select Deleted manually, Manually disable AK, or Whitelist. Otherwise, Security Center continues to send you the alert notifications.

View and handle AccessKey pair leaks

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > AccessKey Leak.
  3. On the Leak Detection by AccessKey page, perform the following operations:
    • View information about AccessKey pair leaks
      You can view the information about AccessKey pair leaks that Security Center detects. The information includes the number of AccessKey pair leaks, the number of alerts on suspicious calls of an AccessKey pair, the alert list, and the platform where the detection is performed.
    • Search for a specific AccessKey pair leak
      Enter the AccessKey ID in the search box to search for the leak.
    • View details of an AccessKey pair leak
      Select a leak and click Details in the Operation column to view details.
    • Handle an AccessKey pair leak
      On the Leak Detection by AccessKey page, find the leak, click Processing in the Operation column, and then select a method to handle the leak. You can perform the following operations:
      • Log on to the Log Service console. Search for the access logs of the required server and determine whether AccessKey pairs are leaked. For example, you can search for web access logs by setting the URL field to the file path that contains the AccessKey application file.
      • In the Related recommendation section on the details page of an AccessKey pair leak, view the suggestions on how to handle the leak. You must select a method in the Processing Method section. In the Processing Method section, you can select Deleted manually, Manually disable AK, or Whitelist.
        Note: After you delete all information involving your AccessKey pair and select a method in the Processing Method section, the status of this AccessKey pair leak changes to Handled, and Security Center no longer sends alert notifications for the leak.

        If you add the AccessKey pair leak to the whitelist, the status of the leak changes to Whitelisted and the leak is added to the Handled list.

        If you want to remove the AccessKey pair leak from the whitelist, find the record in the Handled list, go to the details page, and then click Cancel the whitelist.

    • Export the detection report of the AccessKey pair leak

      On the Leak Detection by AccessKey page, click the Download icon in the upper-right corner of the AccessKey pair leak detection list. After the report is exported, the Done message appears in the upper-right corner. Click Download to download and save the report as an Excel file to your computer.

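The access-log check described under "Handle an AccessKey pair leak" can also be run offline on exported logs. The following is an added example, not code from this page or from Security Center: it assumes web access logs in combined log format and a hypothetical file path `/config/app.properties`, and it lists which clients were actually served the file. The log lines are constructed.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Hypothetical path of the file that held the AccessKey pair (placeholder).
SENSITIVE_PATH = "/config/app.properties"

# Constructed sample lines in combined log format (documentation-range IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:09:14:02 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2024:09:15:40 +0800] "GET /config/app.properties HTTP/1.1" 200 842 "-" "curl/8.4.0"
203.0.113.45 - - [12/Mar/2024:09:15:44 +0800] "GET /config/../config/app.properties?x=1 HTTP/1.1" 200 842 "-" "curl/8.4.0"
192.0.2.19 - - [12/Mar/2024:10:02:11 +0800] "GET /config/app.properties HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:10:30:00 +0800] "GET /config/app%2Eproperties HTTP/1.1" 200 842 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Drop the query string, percent-decode, and collapse ./ and ../ segments."""
    return posixpath.normpath(unquote(urlsplit(target).path))

def find_exposures(log_text, sensitive_path=SENSITIVE_PATH):
    """Split requests for the sensitive file into served (2xx) and refused."""
    served, refused = defaultdict(list), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or normalize(m["target"]) != sensitive_path:
            continue
        status = int(m["status"])
        if 200 <= status < 300:
            served[m["ip"]].append(m["ts"])  # file content left the server
        else:
            refused.append((m["ip"], m["ts"], status))
    return dict(served), refused

if __name__ == "__main__":
    served, refused = find_exposures(SAMPLE_LOG)
    for ip, times in served.items():
        print(f"{ip} was served {SENSITIVE_PATH} {len(times)}x, first at {times[0]}")
    for ip, ts, status in refused:
        print(f"{ip} requested it at {ts} but got HTTP {status}")
```

Any client in the served result has had the chance to read the AccessKey pair, so the pair should be treated as leaked and disabled even if the repository copy has already been deleted.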

References

Best practices to prevent AccessKey pair and password leak

Configure alert notifications