All Products
Search
Document Center

Elastic Compute Service:Avoid using preset logon credentials in custom images

Last Updated:Jun 21, 2026

When you create an ECS instance, use new, unique logon credentials, such as an SSH key pair. Avoid using any preset logon credentials in a custom image.

Security risks

When you create a new ECS instance from a custom image, the new instance inherits any preset logon passwords or SSH keys from that image. Public images do not contain default passwords. These credentials, often set by image creators for convenience during development or testing, pose significant security risks:

  • Uncontrolled credential exposure: Custom images come from various sources, and their built-in default passwords or keys may have been distributed to multiple users or even accidentally published in public code repositories or technical forums. Attackers continuously scan cloud platforms for these known, public credentials. A successful login gives them full control of your server.

  • Bypassed security measures: If an attacker obtains the preset credentials, they can bypass all other security protections and log on directly to the system.

Best practices

  1. When you create a custom image, do not include preset passwords or SSH keys.

    • Delete the passwords for all users (passwd -d <username>).

    • Ensure that the /root/.ssh/authorized_keys file and the corresponding files for other users are empty.

    • Clear the bash history (history -c && history -w).

  2. When you create an instance from a custom image, avoid using the image's preset password.

    This action reconfigures the logon credentials (password or key pair) only for the root or ecs-user. It does not clear the logon credentials of other users. To clear them, follow the steps in Remediation.

    Linux instances

    When you create an instance from a custom image, use a key pair instead of the image's preset password.

    Console

    When you create an instance from a custom image or shared image, avoid selecting Use Predefined Password. Instead, use a Key Pair.

    In the Management Settings section, for Logon Credentials, select Key Pair. The Login Name defaults to root. Select an existing key pair from the Key Pair drop-down list, or click Create Key Pair to create a new one.

    API

    When you call the RunInstances or CreateInstance operation, set the PasswordInherit parameter to false.

    Windows instances

    When you create an instance from a custom image or shared image, avoid selecting Use Predefined Password. Set a strong custom password. Key pairs are not supported.

    In the Logon Credentials section, select the Custom Password tab. The logon name is administrator. The password must be 8 to 30 characters long and contain uppercase letters, lowercase letters, and numbers. It can also contain the following special characters: ()~!@#$%^&*-_+=|{}[];'<>,.?/. Do not use common, publicly known passwords such as P@ssw0rd.

Compliance

Check for non-compliant instances

Log on to a Linux instance using Workbench to perform the following checks.

  • Check for suspicious user accounts: View the /etc/passwd file to identify any unknown users that you did not create or that are not default system users.

    cat /etc/passwd
  • Check SSH authorized public keys: Check the authorized_keys files in critical system locations to see which public keys are configured for password-free logon.

    # Check the authorized public keys for the root user.
    cat /root/.ssh/authorized_keys
    
    # Check the authorized public keys for another user, such as 'admin'.
    cat /home/admin/.ssh/authorized_keys

    Carefully review the public keys in the files to ensure they correspond to the private keys that you use. Immediately remove any suspicious or unrecognized public keys.

Block: Prevent using preset passwords

At the organization or account level, use a RAM policy to proactively block the creation of instances that use an image's preset password.

  • For enterprise users:

    1. Log on to the Resource Directory console using your Alibaba Cloud account. In the left-side navigation pane, click Control Policies. Then, create a custom permission policy with the following JSON content.

      This policy denies the permission to inherit the default password from an image when you create an instance or replace a system disk.
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "ecs:RunInstances",
                      "ecs:CreateInstance",
                      "ecs:ReplaceSystemDisk"
                  ],
                  "Resource": "*",
                  "Condition": {
                      "Bool": {
                          "ecs:PasswordInherit": [
                              "true"
                          ]
                      }
                  },
                  "Effect": "Deny"
              }
          ]
      }
    2. In Resource Directory, attach the policy to the appropriate node. The policy is then enforced on all accounts under that node.

  • For non-enterprise users:

    1. Log on to the RAM console using your Alibaba Cloud account. In the left-side navigation pane, click Permission Policy, and create a custom policy with the same content as in the preceding section.

    2. Grant permissions by attaching policies to RAM users, RAM user groups, or RAM roles.

Remediation: Fix instances with preset passwords

  1. Set new logon credentials

    • Linux instances: Bind a new key pair

      1. Go to the ECS console - Instances page, select a region and resource group, and then click the target instance ID to open its details page.

      2. Click All Operations > Bind Key Pair, select an existing key pair, and then click OK. The new key pair takes effect after you restart the instance.

    • Windows instances: Reset the password

      1. Go to the ECS console - Instances page, select a region and resource group, and then click the target instance ID to go to its details page.

      2. Click All Operations > Reset Password, set a strong password as prompted, and then click OK.

  2. Remove original preset credentials (Linux)

    1. Log on to the ECS instance with your new credentials. Use the new key pair or password that you just configured.

    2. Delete old public keys: Carefully inspect all authorized_keys files and clear any old public keys.

      # Edit the authorized_keys file for the root user and delete all unwanted public keys.
      vi /root/.ssh/authorized_keys
      
      # Perform the same operation for all other users.
      vi /home/<username>/.ssh/authorized_keys
    3. Disable password authentication: After confirming that you can successfully log on using the key pair, modify the SSH configuration to disable password authentication. This ensures that only key pair authentication is allowed.

      # 1. Edit the SSH configuration file.
      sudo vi /etc/ssh/sshd_config
      
      # 2. Find and modify the following lines.
      PasswordAuthentication no
      PubkeyAuthentication yes
      
      # 3. Restart the SSH service for the changes to take effect.
      sudo systemctl restart sshd
  3. Clean up unnecessary system users and files

    Check the /etc/passwd and /etc/shadow files to remove any unnecessary user accounts left over from the image creation process. Also, delete any temporary files or scripts that might contain sensitive information, such as old passwords or keys.