All Products
Search
Document Center

Data Security Center:Risk details and disposition

Last Updated:Jun 20, 2026

The Detection and Response service in Data Security Center (DSC) detects data leaks. This document explains how to view and handle the resulting risk events.

Prerequisites

Risk events and disposition

View the number of risk events by risk level and event operation statistics.

  1. Log on to the Data Security Center console.

  2. In the left-side navigation pane, choose Data Detection and Response > Data Leak.

  3. On the Security Event tab, view the Event Impact Statistics, Event Operation Statistics, and Risk Details.

    • Event Impact Statistics: Displays the Total Events detected in the last year, categorized as High-risk Items, Medium-risk Items, and Low-risk Items events. Click the count for a risk level to filter the Risk Details list.

    • Event Operation Statistics: Shows the status of risk events from the last year, with counts for Added to Whitelist, Disposed, and Pending events.

    • Risk Details: Lists risk events by type, such as All Types, AccessKey Pair Leak, Database Account Leak, Shared Account, and Public Storage of Sensitive Information.

      Note

      You can click a statistic or a Risk Type to filter the Risk Details list.

Risk event details and disposition

DSC classifies detected risk events into four basic types. If you have enabled the detection feature for the corresponding risk types, you can view the details of the events and handle them accordingly in the Risk Details list after they occur.

AccessKey pair leak

DSC detects active AccessKey pair leaks from various intelligence sources, including GitHub, public plaintext storage, private plaintext storage, threat intelligence, and custom intelligence. You can view details of the buckets accessed by the leaked AccessKey pair. Recommended actions include rotating the AccessKey pair through Key Management Service (KMS) and whitelisting the event. For the file containing the leak, you can delete or whitelist it.

  1. In the Risk Type area, click AccessKey Pair Leak.

  2. In the Actions column for the target risk event, click Details.

    Important

    You must complete asset authorization to view risk event details.

  3. On the Details page, view the event details and handle the risk.

    AccessKey pair information

    View information such as AccessKey ID, Account of AccessKey Pair, AccessKey Pair Status, First Detection Time, Latest Detection Time, and Intelligence Source.

    1. Click Handle.

    2. In the Manage AccessKey Pair panel, select Disable or Rotate.

    AccessKey pair leak details

    View the leak details, which vary by intelligence source. You can then handle or whitelist the risk event accordingly.

    • GitHub Leak Amount: The AccessKey pair information is found in public source code on GitHub.

      This list includes a Time column (which shows the last detection time, first detection time, and file update time) and a Status column.

      • Click a File Name, Username, or Repository Name to navigate to the corresponding page on GitHub.

      • In the Actions column, click Add to Whitelist to add the target file to the whitelist. Whitelisted files no longer generate AccessKey pair leak risk events.

    • Public Plaintext Storage/Private Plaintext Storage: This event is triggered when an AccessKey pair is found in a plaintext file within an authorized OSS bucket.

      The table on the Public Plaintext Storage tab includes columns such as Bucket name, File Name, File path, Time (including last detection time, first detection time, and file update time), File ACL, File deletion status, Status, and Actions.

      • Modify ACL: Click the drop-down arrow in the File ACL column to modify the ACL of the corresponding file.

      • Delete: In the Actions column, click Delete File to remove the corresponding file from the bucket.

      • Whitelist: In the Actions column, click Add to Whitelist to add the target file to the whitelist. Whitelisted files no longer generate AccessKey pair leak risk events.

    • For leak events from threat intelligence or Self-managed Intelligence sources, you can whitelist the related threat source or the user who entered the intelligence.

    Note
    • The day after a file is deleted (T+1), the Status is automatically updated to Deleted, and the event Status is updated to Disposed.

    • The day after a file is whitelisted (T+1), the event Status is automatically updated to Added to Whitelist.

    Accessed bucket details

    If a leaked AccessKey pair accessed a bucket, you can view the list of accessed files, configure bucket access permissions, and set a POP gateway blocking policy to protect your data.

    This page displays alert records in a table with columns for AccessKey ID, Bucket name/Sensitivity level, Actions, Alert Time, Owning account, and File count/Sensitivity level.

    • Threat Tracing: Click the target AccessKey ID or Bucket Name/Sensitivity Level to view a visualization of the access path for the AccessKey pair and bucket.

    • ViewFiles: In the Actions column of a target record, click Files to view information about the accessed files. You can also directly modify the file ACL.

    • Handle: In the Actions column of a target record, click Handle to configure bucket access permissions and set a POP gateway blocking policy.

      The bucket ACL supports three permission options: Public Read, Public Read/Write, and Private.

      • Bucket Permission Configuration: Click Configure to set the bucket ACL and block public network requests, and then click OK.

      • POP Gateway Blocking Policy: Click Configure to go to the RAM console and create a custom policy to restrict access based on IP addresses and permissions for sensitive files. For more information, see Create a custom policy.

Database credential leak

DSC scans authorized OSS buckets for ApsaraDB RDS or PolarDB credentials, such as connection addresses, ports, accounts, and passwords. It identifies the associated database instances, including self-managed instances and those from threat intelligence sources, and tracks risky access behaviors with these credentials to generate risk events. Recommended actions include rotating the credentials through KMS and whitelisting the event. For the file containing the credentials, you can delete or whitelist it.

Note

A risk event is classified as a database credential leak only when a bucket file contains the database credentials, connection address, and port number.

  1. In the Risk Type area, click Database Account Leak.

  2. In the Actions column for the target risk event, click Details.

    Important

    You must complete asset authorization to view risk event details.

  3. On the Details page, view the event details and handle the risk.

    Database information

    View information such as Database Account, Database Instance, First Detection Time, Latest Detection Time, and Intelligence Source.

    1. Click Handle.

    2. In the Manage Account panel, select Delete or Rotate.

    Credential leak details

    View the leak details, which vary by intelligence source. You can then handle or whitelist the risk event accordingly.

    • Public Plaintext Storage/Private Plaintext Storage: Detects database-related information stored in plaintext in public or private files within an authorized OSS bucket.

      The table on the Private Plaintext Storage tab includes columns such as Bucket name, File Name, File path, Time, File ACL, File deletion status, Status, and Actions. The credential leak details page also has Threat intelligence and Custom intelligence tabs.

      • Modify ACL: Click the drop-down arrow in the File ACL column to modify the ACL of the corresponding file.

      • Delete: In the Actions column, click Delete File to remove the corresponding file from the bucket.

      • Whitelist: In the Actions column, click Add to Whitelist to add the target file to the whitelist. After a file is whitelisted, it no longer generates database credential leak risk events.

    • For leak events from threat intelligence or Self-managed Intelligence sources, you can whitelist the related threat source or the user who entered the intelligence.

    Note
    • The day after a file is deleted (T+1), the Status is automatically updated to Deleted, and the event Status is updated to Disposed.

    • The day after a file is whitelisted (T+1), the event Status is automatically updated to Added to Whitelist.

    Database access details

    You can view the name of the database that the account accessed, the number of access attempts, the access time, and data classification and sensitivity level results. You can also view detailed information about the database, including its tables and sensitive information, and revoke the account's access and modification permissions for the database.

    The data table for database access details includes columns for Database name, Access attempts, Access time, Sensitivity level, and Actions.

    • Details: In the Actions column for the target database, click Details to view detailed information about the database tables.

      If the sensitive data identification result for a column is incorrect, click Column details to correct it.

    • Remove Permission: In the Actions column for the target database, click Remove Permission and then click OK.

      This action revokes all access and modification permissions of the current account for the database.

Shared account

DSC analyzes historical logs to identify machine accounts being used by humans, generating a shared account risk event.

Note

Machine accounts are for programmatic use by software, scripts, or services, not for direct interaction by human users. Examples of suspicious activities include:

  • The account accessed or used objects or tools that it has not previously used, such as databases, SQL statements, client IP addresses, or client tools.

  • The database account's operation frequency is low, which suggests manual human activity. While this behavior might not have caused a data leak, it exposes a vulnerability in account management. To mitigate this risk, you must enforce the principle of human-machine separation by managing human and machine accounts separately.

  1. In the Risk Type area, click Shared Account.

  2. In the Actions column for the target risk event, click Details.

    Important

    You must complete asset authorization to view risk event details.

  3. On the Details page, view the event details and handle the risk.

    Account information

    View information such as Access Account, Instance, First Detection Time, Latest Detection Time, and Intelligence Source.

    1. Click Handle.

    2. In the Manage Account panel, select Delete or Rotate.

    Abnormal statements

    View detailed information about the executed statements, including the database name, table name, access time, access IP address, client, operation type, operation statement, and the number of returned rows.

Public sensitive storage

DSC generates an alert if it detects more than 1,000 files with a sensitivity level of S3 or higher in an authorized and publicly accessible OSS bucket. We recommend setting the bucket to private, deleting the sensitive files, or modifying their access control lists (ACLs).

  1. In the Risk Type area, click Public Storage of Sensitive Information.

  2. In the Actions column for the target risk event, click Details.

    Important

    You must complete asset authorization to view risk event details.

  3. On the Details page, view the event details and handle the risk.

    Bucket information

    View information such as Bucket name, Owner Account, First Detection Time, and Latest Detection Time.

    1. Click Handle.

    2. Configure the bucket's access permissions and set a POP gateway blocking policy.

      • Bucket Permission Configuration: Click Configure to set the bucket ACL and block public network requests, and then click OK.

      • POP Gateway Blocking Policy: Click Configure to go to the RAM console and create a custom policy to restrict access based on IP addresses and permissions for sensitive files. For more information, see Create a custom policy.

    Sensitive file list

    View the details of detected sensitive files, including sensitive data information and threat tracing for file access paths. You can also modify the file ACLs.

    The sensitive file list displays information for each file, including its File Name, File size (Bytes), File type, Classification and grading results, File status, and File ACL.

    • Details: Click Details to view the sensitive information contained in the file.

    • Threat Source Tracing: Click Threat Source Tracing to view a visualization of the file access behavior.

Additional operations

Risk event policy configuration

DSC categorizes detected risk events into four basic types. To monitor a specific type, you must enable it and configure its risk level.

  1. In the left-side navigation pane, choose Data Detection and Response > Data Leak.

  2. On the Policy Management tab, enable the risk event status for the desired risk event types, and then configure the risk level for each type as needed.

    Important
    • By default, the risk event status is enabled. The default risk level for Shared Account events is Medium-risk Items, and for all other types, it is High-risk Items.

    • If you disable a risk event type, no new alerts for it will be generated. This does not affect existing events.

    • If you change the risk level of an event type, the risk level of all existing events of that type is also updated.

  3. After you complete the configuration, click Save.

Managing event status

You can modify the status of a risk event to Whitelisted, Disposed, or Pending.

  • On the Security Event tab, modify the event status in the Risk Details list.

    In the Risk event status column for the target risk event, click the current status value and select the desired status from the drop-down list.

  • Alternatively, on the Details page for the target risk event, modify the event status.

    Select the desired status from the status drop-down list (which might currently show Pending) to the right of the alert name.