Configure the logon mask and session duration for your account.
Account security best practices
Alibaba Cloud provides multiple layers of security. For a defense-in-depth security posture, use a combination of the following measures based on your requirements.
Security measure | Core function | Use cases |
| Highly recommended. Adds a second layer of authentication to your password, providing strong protection against unauthorized access. | All accounts must be secured, especially those that hold important assets. |
| Follows the principle of least privilege by creating separate Resource Access Management (RAM) users for different members and granting them limited permissions. This avoids sharing your Alibaba Cloud account credentials and effectively isolates risks. | All scenarios that involve team collaboration or permission delegation. |
| Restricts logons to specific static public IP addresses, providing a high level of access control. Incorrect configuration may lock you out of your account. Use with extreme caution. | Companies or individuals with long-term static public IP addresses who have high security requirements. |
| Balances operational convenience with security risks. Shortening the session duration on public devices reduces the risk of session hijacking. | All users. Adjust dynamically based on the network environment, such as a public network or a corporate internal network. |
Set an IP address whitelist for account logon (logon mask)
How it works
A logon mask restricts console logons (including password and SSO) to specified public IP addresses or CIDR blocks. After you configure a logon mask, only users with source IP addresses in the whitelist can log on to the Alibaba Cloud Management Console.
To prevent accidental lockouts, include a backup, trusted static IP address in your logon mask. Recovery through a support ticket typically takes three business days.
Procedure
Log on to the Alibaba Cloud Account Center. On the Security Settings page, in the Other Settings section, click Set on the Logon Mask card.

In the Logon Mask text box, enter the target IP address or CIDR block. Use a semicolon (;) to separate multiple addresses. For example, enter 42.120.66.0/24;42.120.74.98. This means that you can only log on to the Alibaba Cloud website from these IP addresses. Then click Confirm.
After saving, attempts to log on from an IP address not in the whitelist will be blocked.
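The check below is an added example, not part of the Alibaba Cloud documentation or tooling: before you paste a logon mask into the console, it parses the semicolon-separated string and confirms that both your current public IP and a backup IP are covered. The function names and the two IPs passed in are assumptions made for illustration; the mask string is the one from the procedure above.

```python
import ipaddress

def parse_logon_mask(mask):
    """Parse a semicolon-separated logon mask into a list of networks."""
    networks = []
    for raw in mask.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing semicolon
        # strict=True rejects CIDRs with host bits set (e.g. 42.120.66.5/24).
        # That strictness is this example's choice, not documented console behaviour.
        networks.append(ipaddress.ip_network(entry, strict=True))
    if not networks:
        raise ValueError("logon mask is empty")
    return networks

def check_logon_mask(mask, current_ip, backup_ip):
    """Return a list of problems; an empty list means both IPs are covered."""
    try:
        networks = parse_logon_mask(mask)
    except ValueError as exc:
        return [f"invalid entry: {exc}"]
    problems = []
    for net in networks:
        if net.is_private:
            problems.append(f"{net} is not a public range")
    for label, ip in (("current", current_ip), ("backup", backup_ip)):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in networks):
            problems.append(f"{label} IP {ip} is not covered: lockout risk")
    return problems

if __name__ == "__main__":
    # Mask taken from the page's example; the two IPs are constructed sample input.
    mask = "42.120.66.0/24;42.120.74.98"
    for issue in check_logon_mask(mask, "42.120.66.17", "42.120.74.98") or ["ok"]:
        print(issue)
```

An empty result means the mask parses cleanly and covers both addresses; any other result should be resolved before you click Confirm.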
Recover from an IP whitelist lockout
If you cannot log on to the console because of an IP configuration error—for example, if the public IP address of your network has changed—submit a ticket to request that all IP whitelist settings be cleared.
How to submit a ticket: See Virtual MFA unavailable or logon restricted by IP mask and submit an account recovery ticket.
The ticket review process usually takes three business days. Plan accordingly.
Set the account session duration
The session duration is the maximum time your browser session remains active after you log on to the Alibaba Cloud Management Console. The system automatically logs you out after this time expires.
Duration:
Valid values: 1 to 72 hours
Default value: 48 hours
Scope:
Applies to: Browser-based console sessions for Alibaba Cloud accounts only.
Does not apply to: RAM user logon sessions or API or SDK calls made with an AccessKey pair. To configure the session duration for RAM users, see Manage RAM user security settings.
Procedure
Log on to the Alibaba Cloud Account Center. On the Security Settings page, in the Other Settings section, click Modify on the Login Status card.

In the pop-up window, set the Logon Persistence Period and click Save.

Log on again for the setting to take effect.