Enforce HTTPS for ECS OpenAPI to protect AccessKey credentials and sensitive data from interception and man-in-the-middle attacks.
Security risks
HTTP transmits ECS OpenAPI requests as plaintext. Any intermediate node, such as routers, switches, or network carriers, can read the entire content. This exposes the following security risks:
Credential and data breach: API requests contain identity credentials (AccessKey), instance IDs, and disk data. Over HTTP, this information is exposed in plaintext. An attacker can intercept it through network sniffing, leading to account compromise.
Man-in-the-middle (MitM) attack: An attacker can eavesdrop and impersonate both you and the Alibaba Cloud server to tamper with communication. For example, an attacker can replace your instance creation request with a malicious instruction to delete a core business instance, or inject false data into the response.
Identity spoofing and phishing: HTTP cannot verify server authenticity. An attacker can forge a DNS record or set up a fake server to redirect your API requests and steal your credentials.
Best practices
The SDK enables SSL/TLS certificate validation by default. If your environment lacks the required certificates, a validation error occurs.
To ensure communication security, set IgnoreSSL = false to enable certificate validation.Language | V 2.0 | V 1.0 |
Java | ||
Python | ||
PHP | ||
Node.js/TypeScript | ||
.NET | ||
Go |
Compliance
Block non-HTTPS ECS OpenAPI requests
Use a RAM policy at the organization or account level to block non-HTTPS ECS OpenAPI requests.
For enterprise users:
Log on to the Resource Directory console with your Alibaba Cloud account. In the left-side navigation pane, click Control Policies. Create a custom policy with the following JSON content:
{ "Statement": [ { "Action": "ecs:*", "Effect": "Allow", "Resource": "*", "Condition": { "Bool": { "acs:SecureTransport": "true" } } } ], "Version": "1" }In the Resource Directory console, select the target folder and attach the policy. This blocks non-HTTPS requests from accounts in the folder.
For non-enterprise users:
Log on to the RAM console with your Alibaba Cloud account. In the left-side navigation pane, click Permission Policy and create a custom policy with the same content.
Attach the policy to a RAM user, RAM user group, or RAM role. See Manage policy authorizations.