When you create Elastic Compute Service (ECS) instances, use new, separate authentication credentials, such as Secure Shell (SSH) key pairs. Avoid using any preset logon credentials that might exist in a custom image.
Security risks
When you create a new ECS instance from a custom image, the new instance inherits any preset logon passwords or SSH keys from that image. Public images do not contain default passwords. These credentials are often set for the convenience of the image creator or for early user testing, but they introduce security risks:
Uncontrolled credential exposure: Custom images come from various sources. Their built-in default passwords or keys may have been distributed to multiple users. They might even be accidentally published in public code repositories or technical forums. Attackers constantly scan cloud platforms and try to log on using these known public credentials. If successful, they can gain full control of your server.
Bypassed security measures: Once attackers have the default credentials, they can bypass all other security measures and log on directly to the server.
Best practices
When you create a custom image, remove any preset passwords or SSH keys to prevent them from being exposed.
Delete the passwords for all users (passwd -d <username>).
Ensure that the /root/.ssh/authorized_keys file and the authorized_keys files for other users are empty.
Clear the bash history (history -c && history -w).
When you create an instance from a custom image, avoid using the preset password from the image.
This operation reconfigures the logon credentials (password or key pair) only for the root user or ecs-user. It does not clear the logon credentials of other users. To clear the logon credentials of other users, follow the steps in the Fix issues section.
Linux instances
When you create an instance from a custom image, avoid using the preset password from the image. Use a key pair instead.
Console
When you create an instance from a custom image, do not select Image Password Preset. Instead, use a Key Pair.
API
When you create an instance by calling the RunInstances or CreateInstance operation, set the PasswordInherit parameter to false.
Windows instances
When you create an instance from a custom image, do not select Image Password Preset. Instead, set a strong custom password. Key pairs are not supported.
Compliance
Check: Check for non-compliant instances
Log on to a Linux instance using Workbench to perform the checks.
Check for suspicious user accounts: View the /etc/passwd file to check for unknown users that you did not create or that are not default system users.
cat /etc/passwd
Check SSH authorized public keys: Check the authorized_keys file in important system locations for public keys that are configured for password-free logon.
# Check the authorized public keys for the root user
cat /root/.ssh/authorized_keys
# Check the authorized public keys for other users, such as 'admin'
cat /home/admin/.ssh/authorized_keys
Carefully review the public keys in the file. Make sure they all correspond to the private keys you currently use. Immediately remove any suspicious or unrecognized public keys.
Block: Prevent instance creation that uses preset image passwords
Use a Resource Access Management (RAM) policy at the organization or account level to proactively block the creation of instances that use preset image passwords.
For enterprise users:
Log on to the Resource Directory console with your Alibaba Cloud account. In the navigation pane on the left, click Control Policies. Then, create a custom policy and paste the following JSON content.
This policy denies the permission to inherit the default password from an image when you create an instance or replace a system disk.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance",
        "ecs:ReplaceSystemDisk"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ecs:PasswordInherit": [
            "true"
          ]
        }
      },
      "Effect": "Deny"
    }
  ]
}
In Resource Directory, select an appropriate node and attach the policy. The policy blocks the action for all accounts under that node.
For individual users:
Log on to the RAM console with your Alibaba Cloud account. In the navigation pane on the left, click Policies and create a custom policy that contains the same content as shown above.
Attach the policy to RAM users, RAM user groups, or RAM roles. For more information, see Grant permissions using a policy.
Fix issues: Fix risks from instances with preset image passwords
Set new logon credentials
Linux instances: Bind a new key pair
Go to ECS console - Instance. Select a region and resource group. Then, click the ID of the target instance to go to the instance details page.
Click . Select an existing key pair and click OK. Restart the instance for the change to take effect.
Windows instances: Reset the password
Go to ECS console - Instance. Select a region and resource group. Then, click the ID of the target instance to go to the instance details page.
Click . Set a strong password as prompted and click OK.
Clear the original preset credentials from the image (Linux)
Log on to the ECS instance using the new key pair that you bound or the new password.
Delete old public keys: Carefully check and clear all old public keys from all authorized_keys files.
# Edit the authorized_keys file for the root user and delete all unwanted public keys
vi /root/.ssh/authorized_keys
# Perform the same operation for all other users
vi /home/<username>/.ssh/authorized_keys
Disable password-based logon: After you confirm that you can successfully log on with the key pair, modify the SSH service configuration to completely disable password-based logon. Allow only key pair-based logon.
# 1. Edit the SSH configuration file
sudo vi /etc/ssh/sshd_config
# 2. Find and modify the following lines
PasswordAuthentication no
PubkeyAuthentication yes
# 3. Restart the SSH service for the configuration to take effect
sudo systemctl restart sshd
Clean up unnecessary system users and files
Check the /etc/passwd and /etc/shadow files. Delete any unnecessary user accounts left over from the image creation process. Also check for and delete any temporary files or scripts that might contain sensitive information, such as old passwords or keys.
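As an added defender-side helper that is not part of the Alibaba Cloud page, the script below turns the compliance checks (unknown accounts in /etc/passwd, unrecognized public keys in authorized_keys) and this final cleanup check into a repeatable audit; the sample passwd rows, key entries and allowlist are constructed placeholders, and the awk-based parsing is this example's own approach, not a tool provided by ECS.

```shell
# Added audit helper (not from the Alibaba Cloud page): reads a passwd-format file
# and an authorized_keys file and prints entries that need review. All sample
# inputs below are constructed placeholders, not real accounts or keys.

suspicious_users() {
    # $1: passwd-format file. Flags UID-0 accounts other than root (hidden root
    # aliases) and human-range accounts (UID >= 1000, excluding nobody) that
    # still have an interactive shell, so each can be confirmed as yours.
    awk -F: '
        $3 == 0 && $1 != "root" { print $1 " (uid 0 alias)"; next }
        $3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ {
            print $1 " (interactive account)"
        }' "$1"
}

unknown_keys() {
    # $1: authorized_keys file; $2: allowlist with one approved key body (the
    # base64 field) per line. Prints entries whose body is not allowlisted.
    # Option prefixes such as command="...",no-pty are skipped by locating the
    # key-type token; options that contain spaces are not handled.
    awk '
        FILENAME == ARGV[1] { if (NF) ok[$1] = 1; next }
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+)$/) break
            body = (i < NF) ? $(i + 1) : ""
            if (!(body in ok)) print $0
        }' "$2" "$1"
}

# Constructed stand-ins for /etc/passwd, ~/.ssh/authorized_keys and the allowlist.
SAMPLE_PASSWD=$(mktemp); SAMPLE_KEYS=$(mktemp); ALLOWLIST=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
imgbuilder:x:0:0::/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
cat >"$SAMPLE_KEYS" <<'EOF'
ssh-ed25519 AAAAC3Nz_CONSTRUCTED_A ops@laptop
command="/usr/bin/backup",no-pty ssh-rsa AAAAB3Nz_CONSTRUCTED_B backup@image-builder
ssh-ed25519 AAAAC3Nz_CONSTRUCTED_C unknown@example
EOF
echo "AAAAC3Nz_CONSTRUCTED_A" >"$ALLOWLIST"

echo "== accounts to review ==";   suspicious_users "$SAMPLE_PASSWD"
echo "== keys not in allowlist =="; unknown_keys "$SAMPLE_KEYS" "$ALLOWLIST"
```

On a real instance, call suspicious_users with /etc/passwd and unknown_keys with /root/.ssh/authorized_keys and each user's authorized_keys file against an allowlist of key bodies you maintain, instead of the sample files.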