All Products
Search
Document Center

Elastic Compute Service:Enforce HTTPS-only access to ECS OpenAPI

Last Updated:May 15, 2026

Enforce HTTPS for ECS OpenAPI to protect AccessKey credentials and sensitive data from interception and man-in-the-middle attacks.

Security risks

HTTP transmits ECS OpenAPI requests as plaintext. Any intermediate node, such as routers, switches, or network carriers, can read the entire content. This exposes the following security risks:

  1. Credential and data breach: API requests contain identity credentials (AccessKey), instance IDs, and disk data. Over HTTP, this information is exposed in plaintext. An attacker can intercept it through network sniffing, leading to account compromise.

  2. Man-in-the-middle (MitM) attack: An attacker can eavesdrop and impersonate both you and the Alibaba Cloud server to tamper with communication. For example, an attacker can replace your instance creation request with a malicious instruction to delete a core business instance, or inject false data into the response.

  3. Identity spoofing and phishing: HTTP cannot verify server authenticity. An attacker can forge a DNS record or set up a fake server to redirect your API requests and steal your credentials.

Best practices

The SDK enables SSL/TLS certificate validation by default. If your environment lacks the required certificates, a validation error occurs.

To ensure communication security, set IgnoreSSL = false to enable certificate validation.

Language

V 2.0

V 1.0

Java

HTTPS request configuration

HTTPS request configuration

Python

Configure HTTPS and TLS settings in the SDK

HTTPS configuration

PHP

HTTPS request configuration

HTTPS request configuration

Node.js/TypeScript

HTTPS request configuration

.NET

HTTPS request configuration

HTTPS request configuration

Go

Configure HTTPS and TLS settings in the SDK

SSL validation

Compliance

Block non-HTTPS ECS OpenAPI requests

Use a RAM policy at the organization or account level to block non-HTTPS ECS OpenAPI requests.

  • For enterprise users:

    1. Log on to the Resource Directory console with your Alibaba Cloud account. In the left-side navigation pane, click Control Policies. Create a custom policy with the following JSON content:

      {
        "Statement": [
          {
            "Action": "ecs:*",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
              "Bool": {
                "acs:SecureTransport": "true"
              }
            }
          }
        ],
        "Version": "1"
      }
    2. In the Resource Directory console, select the target folder and attach the policy. This blocks non-HTTPS requests from accounts in the folder.

  • For non-enterprise users:

    1. Log on to the RAM console with your Alibaba Cloud account. In the left-side navigation pane, click Permission Policy and create a custom policy with the same content.

    2. Attach the policy to a RAM user, RAM user group, or RAM role. See Manage policy authorizations.