By default, Alibaba Cloud Network Detection and Response (NDR) lets you view and download the details of sensitive data and related packet payloads. To prevent sensitive data leaks, you can restrict permissions to view and export this data. This topic describes how to use Resource Access Management (RAM) to create policies that prevent a RAM user from viewing and exporting sensitive data.
Supported sensitive data types
A hyphen (-) in the table indicates an empty cell.

| No. | Type | No. | Type | No. | Type | No. | Type | No. | Type | No. | Type |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Debit card | 9 | ID card (the Chinese mainland) | 17 | AccessKeyId | 25 | Mainland Travel Permit for Hong Kong and Macao Residents | 33 | Passport number (the Chinese mainland) | 41 | Officer ID card |
| 2 | Private key | 10 | ID card (Hong Kong, China) | 18 | Name (Simplified Chinese) | 26 | Address (the Chinese mainland) | 34 | Mobile phone number (the Chinese mainland) | 42 | |
| 3 | License plate number (the Chinese mainland) | 11 | Landline number (the Chinese mainland) | 19 | Gender | 27 | Ethnicity | 35 | Province (the Chinese mainland) | 43 | City (the Chinese mainland) |
| 4 | Name (Traditional Chinese) | 12 | Name (English) | 20 | ID card number (Malaysia) | 28 | ID card number (Singapore) | 36 | International Bank Account Number (SWIFT code) | 44 | U.S. Social Security Number (SSN) |
| 5 | Landline number (United States) | 13 | Religious belief | 21 | MAC address | 29 | JDBC connection string | 37 | PEM certificate | 45 | AccessKeySecret |
| 6 | IMEI | 14 | MEID | 22 | Linux passwd file | 30 | Linux shadow file | 38 | Business license number | 46 | Tax registration certificate number |
| 7 | Organization code | 15 | Unified Social Credit Identifier | 23 | Vehicle Identification Number (VIN) | 31 | Alibaba Cloud AccessKey pair | 39 | Password | 47 | LegacyOpenaiApiKey |
| 8 | ProjectOpenaiApiKey | 16 | BailianApiKey | 24 | HuggingFaceApiKey | 32 | GroqApiKey | 40 | PaiEasToken | 48 | - |
Prerequisites
- You have a RAM user. For more information, see Create a RAM user.
- The management account must have the required permissions to use Resource Access Management (RAM), create RAM users, and manage policies.
Sensitive data permissions

| Permission | Description |
|---|---|
| Decrypt sensitive data | |
| View packet payloads of sensitive data transmissions | |
| Export data | |
Procedure
Create custom policies
1. In the left-side navigation pane, choose Permissions > Policies. Click Create Policy and select the JSON tab.
2. On the JSON tab, paste the following policy, and then click OK.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "yundun-cloudfirewall:DescribeDecryptData",
      "Resource": "*",
      "Effect": "Deny"
    },
    {
      "Action": "yundun-cloudfirewall:DescribeAssetRiskDataPublicLogPayload",
      "Resource": "*",
      "Effect": "Deny"
    }
  ]
}
```

3. In the Create Policy dialog box, set the policy name to DenyViewingSensitiveData and click OK.
4. On the Policies page, click Create Policy. On the JSON tab, paste the following policy, and then click OK.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "yundun-cloudfirewall:CreateExportTask",
      "Resource": "*",
      "Effect": "Deny"
    }
  ]
}
```

5. In the Create Policy dialog box, set the Name to DenyExportingData, set the Note to "Denies permission to export data", and then click OK.
Configure policies
1. In the left-side navigation pane, choose Identities > Users. Find the target user and click Add Permissions in the Actions column.
2. Select the required policies to deny viewing sensitive data and exporting data, along with the necessary system policies for Network Detection and Response (NDR). In the Add Permissions panel, set Authorized Scope to account-level, and then search for and select the required policies in the Select Policy section.

| Policy name | Description |
|---|---|
| AliyunYundunCloudFirewallReadOnlyAccess | Grants read-only access to Cloud Firewall. |
| AliyunYundunCloudFirewallFullAccess | Grants full access to manage Cloud Firewall. |
| DenyViewingSensitiveData | Denies a RAM user permission to view sensitive data. |
| DenyExportingData | Denies a RAM user permission to export data. |

Note: You can add the policies that deny viewing sensitive data and exporting data on top of either the read-only or the administrative system policy for Cloud Firewall.
3. Click OK.
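The reason the two custom policies work on top of either system policy is that RAM evaluation is deny-overrides: an explicit Deny in any attached policy wins over any Allow. The following script is an added example, not code from the page or from Alibaba Cloud; it loads the two deny policies above, combines them with a constructed stand-in for AliyunYundunCloudFirewallFullAccess (the real system policy's statements are not on this page), and evaluates the three restricted actions plus one hypothetical control action.

```python
import fnmatch
import json

# The two deny policies exactly as they appear in the procedure above.
DENY_VIEWING_SENSITIVE_DATA = json.loads("""
{ "Version": "1", "Statement": [
  { "Action": "yundun-cloudfirewall:DescribeDecryptData", "Resource": "*", "Effect": "Deny" },
  { "Action": "yundun-cloudfirewall:DescribeAssetRiskDataPublicLogPayload", "Resource": "*", "Effect": "Deny" } ] }
""")
DENY_EXPORTING_DATA = json.loads("""
{ "Version": "1", "Statement": [
  { "Action": "yundun-cloudfirewall:CreateExportTask", "Resource": "*", "Effect": "Deny" } ] }
""")

# Constructed stand-in for AliyunYundunCloudFirewallFullAccess (assumption: the real
# system policy's statements are not shown on this page; a broad Allow is enough to
# demonstrate that an explicit Deny still takes precedence).
FULL_ACCESS_STAND_IN = {"Version": "1", "Statement": [
    {"Action": "yundun-cloudfirewall:*", "Resource": "*", "Effect": "Allow"}]}


def _as_list(value):
    """RAM accepts Action/Resource as a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource="*"):
    """Deny-overrides evaluation: any matching Deny wins, otherwise a matching
    Allow, otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def check_restrictions(policies):
    """Decisions for the three actions this topic restricts plus one control action
    (the control name is hypothetical and exists only to show Allow still works)."""
    actions = ["yundun-cloudfirewall:DescribeDecryptData",
               "yundun-cloudfirewall:DescribeAssetRiskDataPublicLogPayload",
               "yundun-cloudfirewall:CreateExportTask",
               "yundun-cloudfirewall:HypotheticalDescribeAction"]
    return {a: evaluate(policies, a) for a in actions}


if __name__ == "__main__":
    attached = [FULL_ACCESS_STAND_IN, DENY_VIEWING_SENSITIVE_DATA, DENY_EXPORTING_DATA]
    for action, decision in check_restrictions(attached).items():
        print(f"{decision:12} {action}")
```

Swapping the stand-in for a narrower read-only Allow gives the same three Deny results, which is what the note above relies on.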
Verify the policies
1. Sign in to the Agentic NDR Console.
2. In the left-side navigation pane, choose Risks.
3. Click the Logon Activity tab. On the Privileged Accounts, Weak Passwords, Plaintext Credential, and Leaked AK/SK tabs, verify the following restrictions:
   - Click Sensitive Information. The action should be denied and a notification should appear.
   - Click the export icon. The action should be denied and a notification should appear.
   - In the Actions column of an entry, click Details. In the Details panel, verify that both clicking View payload and clicking the export icon are denied.
4. Click the Sensitive Data tab and verify the following restrictions:
   - At the top right of the list, click the export icon. The action should be denied and a notification should appear.
   - In the Actions column of an entry, click Details. In the Details panel, verify the following:
     - Clicking a number in the Sensitive Information Items column or clicking View payload should be denied.
     - Clicking the export icon should be denied.