Account Center: Protect account logon

Last Updated: Dec 23, 2025

This topic describes how to set logon masks and session duration.

Account security recommendations

Alibaba Cloud provides multilayered security measures to protect your Alibaba Cloud account and cloud assets. You can combine the following features based on your security requirements to build a defense in depth system.

| Security measure | Core function | Scenarios |
| --- | --- | --- |
| Configure multi-factor authentication (MFA) for your account | Highly recommended. Multi-factor authentication (MFA) adds a layer of dynamic verification codes to your password. This is one of the most effective ways to prevent account theft. | All accounts, especially Alibaba Cloud accounts that manage important assets. |
| Create RAM users as administrators | Follow the principle of least privilege. Create separate Resource Access Management (RAM) users for different members and grant them limited permissions. Avoid sharing your Alibaba Cloud account to effectively isolate risks. | All scenarios that involve team collaboration and permission delegation. |
| Set an IP whitelist for account logon (logon mask) | Restricts logons to specific static public IP addresses for high-level access control. Improper configuration may lock you out of your account. | For businesses or individuals who have long-term static public IP addresses and high security requirements. |
| Set session duration | Balances operational convenience with security risks. Shorten the session duration on public devices to reduce the risk of session hijacking. | All users. Adjust dynamically based on the network environment, such as a public network or a corporate private network. |

Set an IP whitelist for account logon (logon mask)

To achieve the highest level of logon security, you can set a logon mask. A logon mask is an IP whitelist that restricts logon access to specified public IP addresses or IP address ranges. After you set the mask, you can log on to the Alibaba Cloud Management Console only from a source IP address in the whitelist.

Best practices: To prevent accidental lockouts, add a backup, trusted, static IP address (such as a static IP address from a different network) as an emergency channel. To do this, click Add when you set your primary IP address.

Important

After you set a logon mask, you can log on to the Alibaba Cloud website only from the specified IP addresses or IP address ranges. Logons from any other IP address will be blocked. Proceed with caution.
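The lockout risk described above can be checked before you save the mask. The following Python sketch is an added example, not Alibaba Cloud code: it assumes entries are IPv4 addresses or CIDR ranges (the page does not specify the input format), and `check_logon_mask` and the sample values are hypothetical names and constructed data.

```python
import ipaddress

# Ranges that never appear as a public source address (RFC 1918, loopback,
# link-local, carrier-grade NAT). An entry inside them cannot match a logon.
NON_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def check_logon_mask(entries, current_ip, backup_ip):
    """Return a list of problems; an empty list means no lockout risk was found."""
    problems, nets = [], []
    for raw in entries:
        try:
            net = ipaddress.IPv4Network(raw.strip(), strict=False)
        except ValueError:
            problems.append(f"{raw!r} is not an IPv4 address or CIDR range")
            continue
        if any(net.overlaps(n) for n in NON_PUBLIC):
            problems.append(f"{net} overlaps non-public address space")
            continue
        nets.append(net)

    current = ipaddress.IPv4Address(current_ip)
    backup = ipaddress.IPv4Address(backup_ip)
    if not any(current in n for n in nets):
        problems.append(f"current egress IP {current} is not covered: saving locks you out")
    # The emergency channel must come from a different network, so it has to be
    # matched by an entry that does not also contain the primary address.
    if not any(backup in n and current not in n for n in nets):
        problems.append(f"backup IP {backup} has no separate entry")
    return problems


# Constructed sample values (documentation address blocks, not real hosts).
SAFE_MASK = ["203.0.113.10", "198.51.100.0/28"]
RISKY_MASK = ["192.168.1.20", "203.0.113.10/33", "203.0.113.0/24"]

if __name__ == "__main__":
    for mask in (SAFE_MASK, RISKY_MASK):
        issues = check_logon_mask(mask, "203.0.113.10", "198.51.100.5")
        print(mask, "->", issues or "OK")
```

Pass the public IP address your network currently presents as `current_ip`; if that address is not static, the check passes today and fails after the address changes.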

Procedure

  1. Log on to the Alibaba Cloud Account Center. On the Security Settings page, click Modify next to Logon Mask.

  2. On the Set Logon Mask page, enter a valid Logon Mask and click Save.

Recovery method for being unable to log on due to the IP whitelist

If you cannot log on to the console due to an IP configuration error (for example, the public IP address of your network has changed), you can submit a ticket to request that all IP whitelist settings be cleared.

How to submit a ticket: See "What do I do if my virtual MFA device is unavailable or my logon is restricted by an IP mask?" and submit an account appeal.

Note

The manual ticket review process usually takes three business days. Plan accordingly.

Set session duration

Session duration is the maximum length of time a browser session remains active after you log on to the Alibaba Cloud Management Console. After this time elapses, the system automatically logs you out.

  • Default duration: The default session duration for an Alibaba Cloud account is 3 hours.

  • Scope:

    • Applicable: This setting is valid only for browser-based console sessions of an Alibaba Cloud account.

    • Not applicable: This setting does not affect RAM user logon sessions, which must be configured separately. For more information, see View the AccessKey information of a RAM user. It also does not affect API or software development kit (SDK) calls made using an AccessKey.

Configuration recommendations

Extending the session duration increases convenience but also increases the security risk if your device is accessed without authorization. Choose a duration carefully based on your operating environment.

| Recommended duration | Security level | Scenarios |
| --- | --- | --- |
| 1 to 8 hours | High | When using public networks, shared devices, or performing highly sensitive operations such as finance or permission management. |
| 8 to 24 hours | Medium | For daily operations on a trusted personal device in a secure network environment. This is the recommended configuration for most scenarios. |

Procedure

  1. Log on to the Alibaba Cloud Account Center. On the Security Settings page, click Modify next to Logon Status.

  2. Set the Session Duration.

  3. After you successfully set the Session Duration, you must log on again for the setting to take effect.