
Elastic Compute Service: Allow only HTTPS access to ECS OpenAPI

Last Updated: Nov 01, 2025

Use the encrypted HTTPS protocol to secure the transport of your AccessKey and sensitive data. This prevents data breaches and man-in-the-middle attacks.

Security risks

Using the HTTP protocol to access Elastic Compute Service (ECS) OpenAPI is equivalent to sending plaintext data over the network. Any intermediate node on the path from the client to the Alibaba Cloud server, such as a router, a switch, or a network carrier, can easily read the entire content. This leads to the following security risks:

  1. Credential and data breach: API requests contain your identity credentials, AccessKey (AK/SK), and sensitive information from operations, such as instance IDs and disk data. When transported over HTTP, this information is completely exposed in plaintext. An attacker can easily intercept it using methods such as network sniffing attacks, which can lead to the theft of your account permissions.

  2. Man-in-the-middle (MitM) attack: An attacker can not only eavesdrop but also impersonate both you and the Alibaba Cloud server to tamper with the communication content. For example, an attacker can replace your request to create an ECS instance with a malicious instruction to delete your core business instance, or inject an error message into the data returned to you.

  3. Identity spoofing and phishing: The HTTP protocol cannot verify that the server to which you are connected is an authentic Alibaba Cloud server. An attacker can forge a DNS record or set up a fake server to trick your API requests into being sent to a malicious address and steal your credentials.

Best practices

When you use the HTTPS protocol to access OpenAPI, the software development kit (SDK) enables SSL/TLS certificate validation by default. If your code environment is not configured with the required certificates, a certificate validation error occurs.

To ensure communication security, set the runtime parameter IgnoreSSL = false to enable certificate validation.

Language: V 2.0 / V 1.0

  • Java: HTTPS request configuration / HTTPS request configuration

  • Python: Configure an HTTPS request / HTTPS configuration

  • PHP: HTTPS request configuration / HTTPS request configuration

  • Node.js/TypeScript: HTTPS request configuration

  • .NET: HTTPS request configuration / HTTPS request configuration

  • Go: Configure an HTTPS request / SSL validation

Compliance

Block: Prohibit ECS OpenAPI requests that do not use HTTPS

Use a Resource Access Management (RAM) policy at the organization or account level to prohibit ECS OpenAPI requests that do not use HTTPS.

  • For enterprise users:

    1. Log on to the Resource Directory console with your Alibaba Cloud account. In the navigation pane on the left, click Control Policies. Create a custom policy. Then, paste the following JSON content.

      {
        "Statement": [
          {
            "Action": "ecs:*",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
              "Bool": {
                "acs:SecureTransport": "true"
              }
            }
          }
        ],
        "Version": "1"
      }

    2. In the Resource Directory console, select an appropriate folder and attach the policy. This policy blocks ECS OpenAPI requests that do not use HTTPS from the accounts in the folder.

  • For non-enterprise users:

    1. Log on to the RAM console with your Alibaba Cloud account. In the navigation pane on the left, click Policies and create a custom policy that uses the same content as the policy described above.

    2. Attach the policy to a RAM user, RAM user group, or RAM role. For more information, see Manage policy-based authorization.
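
The following Python check is an added example, not part of the Alibaba Cloud documentation or SDK. It audits the policies attached to one identity for Allow statements on ECS actions that are not limited to acs:SecureTransport, because RAM grants a request when any attached policy allows it and none explicitly denies it. The second and third policies, the policy names, and the function http_gaps are constructed for illustration, and the Deny form goes beyond the policy shown on this page.

```python
import json

# The policy from this page, parsed from its JSON text.
PAGE_POLICY = json.loads("""{"Version": "1", "Statement": [{"Action": "ecs:*",
  "Effect": "Allow", "Resource": "*",
  "Condition": {"Bool": {"acs:SecureTransport": "true"}}}]}""")
# Constructed sample: a second policy attached to the same identity.
OTHER_POLICY = {"Version": "1", "Statement": [
    {"Action": ["ecs:Describe*", "ecs:StopInstance"],
     "Effect": "Allow", "Resource": "*"}]}
# Constructed sample: an explicit Deny on requests that are not HTTPS.
DENY_GUARD = {"Version": "1", "Statement": [
    {"Action": "ecs:*", "Effect": "Deny", "Resource": "*",
     "Condition": {"Bool": {"acs:SecureTransport": "false"}}}]}


def _as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _transport(stmt):
    """Return 'true', 'false' or None for the acs:SecureTransport condition."""
    bool_block = stmt.get("Condition", {}).get("Bool", {})
    vals = _as_list(bool_block.get("acs:SecureTransport", []))
    return str(vals[0]).lower() if vals else None


def _statements(policies):
    """Yield (policy name, index, statement, lower-cased actions)."""
    for name, doc in policies.items():
        for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            yield name, idx, stmt, actions


def http_gaps(policies):
    """List (policy, statement index) for ECS Allows that still admit HTTP."""
    for _, _, stmt, actions in _statements(policies):
        # A Deny on every ECS action over insecure transport closes all gaps.
        if (stmt.get("Effect") == "Deny" and _transport(stmt) == "false"
                and "*" in _as_list(stmt.get("Resource", []))
                and ("*" in actions or "ecs:*" in actions)):
            return []
    return [(name, idx) for name, idx, stmt, actions in _statements(policies)
            if stmt.get("Effect") == "Allow" and _transport(stmt) != "true"
            and any(a == "*" or a.startswith("ecs:") for a in actions)]
```

Pass a dictionary that maps each attached policy's name to its parsed document; an empty result means no Allow statement on ECS actions admits a request sent over HTTP.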