Restrict image export and sharing permissions to prevent accidental exposure of credentials, user data, and system traces.
Security risks
Image sharing and export improve deployment efficiency but introduce data security risks. Improper permissions or uncleaned images can leak core code, environment configuration, and sensitive data. For example, an employee might export a production image to obtain credentials, or residual test data and temporary credentials in an image can be exposed when the image is shared. Specific risks include:
-
Static data snapshots: Images and snapshots capture the complete state of an ECS instance at a specific point in time, including the operating system, application files, and sensitive data such as:
-
Identity credentials: SSH private keys, API AccessKeys, database connection strings, and hard-coded application passwords.
-
User data: Company core code, database information, and private user data.
-
System traces: Shell command history (.bash_history), temporary files, and application logs and caches.
-
-
Risk of permission divergence: Sharing and exporting extend data access from a controlled environment to a broader, sometimes uncontrollable scope. If an image with sensitive information is shared with the wrong account or exported to an offline environment, the data can be misused by malicious actors.
Best practices
Image creation
Before you create an image, log on to the instance and remove sensitive information. If an image contains logon credentials such as SSH keys, these credentials persist in new instances created from the image — even if you attach a new key pair or set a new password during instance creation.
-
Clean up user password information:
-
Linux: Remove unnecessary user entries from /etc/shadow and /etc/passwd.
-
Windows: Run System Preparation (Sysprep) to generalize the image. This resets the SID, clears user information, and requires a new account or administrator password on next startup. Also delete unnecessary local accounts in Local Users and Groups (lusrmgr.msc).
-
-
Delete all SSH keys:
-
Linux: Delete key files (especially id_rsa and authorized_keys) from /root/.ssh and all user home directories (/home/*/.ssh).
-
Windows: Delete key files from C:\Users\Administrator\.ssh and all user home directories (C:\Users\*\\.ssh). Also clear cached credentials in Credential Manager.
-
-
Clear Shell history:
-
Linux: Run history -c and delete .bash_history from /root/ and all user home directories (/home/*/).
-
Windows: Run Clear-History to clear the current PowerShell session history. Then delete the PowerShell history file for all users, typically located at AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt.
-
-
Clean up temporary files and logs:
-
Linux: Clear /tmp and /var/tmp. Review and clean up logs in /var/log.
-
Windows: Run Disk Cleanup (cleanmgr.exe) to clear system temporary files, the recycle bin, and other items. Use the wevtutil cl <LogName> command (for example, wevtutil cl System) or Event Viewer to clear all major Windows Event logs, such as application, security, and system logs.
-
-
Remove hard-coded credentials: Check application code and configuration files for hard-coded sensitive information such as database passwords or API keys.
-
Clean up business data and application caches: Clear business data and cache directories from web servers, databases, and other applications.
Compliance capabilities
Block image export and image/snapshot sharing
For RAM users or user groups with low trust levels, use a Deny policy to prohibit high-risk operations on core image assets — specifically image export, image sharing, and snapshot sharing. At the organization or account level, use a RAM policy to enforce these restrictions.
-
For enterprise users:
-
Log on to the Resource Directory console with your Alibaba Cloud account. In the left menu bar, click Control Policy, create a custom policy, and paste the following JSON content.
This policy denies image export, image sharing, and snapshot sharing.
{ "Version": "1", "Statement": [ { "Action": [ "ecs:ExportImage", "ecs:ModifyImageSharePermission" ], "Resource": "*", "Effect": "Deny" }, { "Action": [ "resourcesharing:CreateResourceShare", "resourcesharing:AssociateResourceShare" ], "Resource": "*", "Condition": { "StringEquals": { "resourcesharing:RequestedResourceType": [ "Snapshot", "Image" ] } }, "Effect": "Deny" } ] } -
In Resource Directory, select a node and attach the policy. The policy blocks the specified operations for all accounts under that node.
-
-
For non-enterprise users:
-
Log on to the RAM console with your Alibaba Cloud account. In the left navigation pane, click Permission Policy. Create a custom policy with the same content.
-
Attach the policy to a RAM user, RAM user group, or RAM role. See Manage access policy authorization.
-