All Products
Search

This Product

    Elastic Compute Service:Avoid logging on to instances as the root user

    Document Center

    Elastic Compute Service:Avoid logging on to instances as the root user

    Last Updated:Mar 14, 2026

    When you create a Linux instance, do not log on as the root user. Instead, log on as the ecs-user user.

    Security risks

    The root account has the highest permissions in the system. This makes system administration convenient, but it also creates significant security risks. If the root account credentials, such as the password or Secure Shell Protocol (SSH) key, are compromised, an attacker gains full control of your server. This can lead to the following:

    • Data destruction: An attacker can delete all your business data, logs, and backups.

    • Malware installation: An attacker can install malware, such as ransomware, mining programs, or back doors.

    • Sensitive information theft: Core assets, such as business code, customer data, and payment information, can be stolen.

    • Lateral movement attacks: An attacker can use the server as a launchpad to attack other servers in your internal network, causing widespread damage.

    • Erasing operational traces: An attacker can easily modify or delete log files. This makes it much harder to trace and investigate security events after they occur.

    Best practices

    When you create an instance, use ecs-user for daily logon and management. This limits the potential attack surface. This also ensures that all privileged operations are performed using sudo. This leaves a clear, auditable record of operations and clarifies responsibility for each action.

    Console

    When you create an instance on the Instance Buy page, set Username to ecs-user.

    The ecs-user user is supported only on specific versions of Linux images. If your image does not support this user, you must create the ecs-user user and grant sudo permissions to it. For more information, see III. Multi-user remote logon.

    API

    When calling the RunInstances or CreateInstance operation to create an instance, you can set the ImageOptions.LoginAsNonRoot parameter to true. If you set this parameter, the instance uses the ecs-user username instead of root. You cannot reset the password for root .

    If you do not have a key pair, call the CreateKeyPair operation to create one.

    Compliance

    Check: Find Linux instances that use the root account for logon

    1. Go to ECS Insight.

    2. Select the Security tab. Click Use of Non-root Users for Logons to Linux ECS Instances to view the Linux instances that use the root account for logon.

    Block: Prevent the use of the root account for operations such as creating instances

    You can use a Resource Access Management (RAM) policy to block the use of the root account for operations such as creating new Linux instances. You can set the policy at the organization or account level.

    • For enterprise users:

      1. Log on to the Resource Directory console with your Alibaba Cloud account. In the navigation pane on the left, click Control Policies. Create a custom policy and paste the following JSON content.

        This policy denies the use of the root identity for operations such as creating instances, attaching system disks, and replacing system disks.

        {
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance",
                "ecs:ReplaceSystemDisk",
                "ecs:AttachDisk",
                "ecs:InvokeCommand"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ecs:LoginAsNonRoot": [
                        "false"
                    ]
                }
            },
            "Effect": "Deny"
        }
    ]
}

      2. In Resource Directory, select an appropriate node and attach the policy. The policy then blocks the specified operations for all accounts in the directory.

    • For non-enterprise users:

      1. Log on to the RAM console with your Alibaba Cloud account. In the navigation pane on the left, click Policies. Create a custom policy with the same content as shown above.

      2. Grant permissions by attaching the policy to RAM users, RAM user groups, or RAM roles. For more information, see Manage access policies.

    Fix: Disable root account logon

    1. Create a regular user: Create a regular user to use for SSH logon. For more information, see III. Multi-user remote logon.

    2. Log on to the instance: Use the root user or a regular user.

    3. Disable root account logon: Log on to the instance and run the following script to modify the SSH service configuration file.

      #!/bin/bash
# Back up the original configuration file
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak_$(date +%F)

# Disable SSH logon for the root user: Change the PermitRootLogin parameter to no
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config

# Restart the SSH service for the configuration to take effect
# Note: The SSH service name may vary by distribution (for example, sshd or ssh). Modify it as needed.
systemctl restart sshd || service sshd restart

    4. Verify the change: After the operation is complete, keep the current session open. Open a new terminal window and try to log on as the root user. Verify that the logon attempt fails. Then, try to log on as your regular user. Confirm that you can log on successfully and run privileged commands using sudo. After successful verification, you can safely disconnect all sessions.

      After you verify the change, the result of the check may not be immediately updated. You can ignore this delay.