
Elastic Compute Service:Avoid using your Alibaba Cloud account and grant different permissions to RAM users based on their roles

Last Updated:Oct 31, 2025

Your Alibaba Cloud account is the account you create when you sign up for Alibaba Cloud. It has full administrative permissions for all of your resources. To ensure account security, avoid using your Alibaba Cloud account for daily operations. We recommend that you do not create an AccessKey for your Alibaba Cloud account, keep its password secure, and enable multi-factor authentication (MFA).

Security risks

Your Alibaba Cloud account has the highest level of permissions for all your resources. Using your Alibaba Cloud account for daily operations can pose the following security risks:

  • Malicious damage: If the credentials (password or AccessKey) of your Alibaba Cloud account are leaked, an attacker can gain full administrative control over your cloud environment. The attacker can delete all your servers, steal or hold your core data for ransom, install backdoors, or use your resources for malicious activities such as mining. This can cause irreversible business loss and data breaches.

  • Violation of core security principles: Using your Alibaba Cloud account for daily operations directly violates the principle of least privilege. This principle requires that any user or system is granted only the minimum permissions required to complete its tasks. The permissions of an Alibaba Cloud account are unlimited and far exceed what is required for any daily operations and maintenance (O&M) or developer tasks.

  • Difficult audits: When all operations are performed by the Alibaba Cloud account, it is difficult to trace which employee or application performed a sensitive operation. This presents a major challenge for security audits and event response.

  • Classified protection compliance: Separating permissions for users and roles, following the principle of least privilege, and avoiding the use of a single, all-powerful Alibaba Cloud account are basic requirements of major security compliance standards, such as ISO/IEC 27001 and China's Classified Protection of Cybersecurity.

Best practices

Strengthen the protection of your Alibaba Cloud account

  1. Enable MFA: Attach or detach a virtual MFA device for your Alibaba Cloud account. This adds a dynamic verification code, such as a mobile token or hardware-protected key, in addition to password authentication to prevent unauthorized access if your password is leaked.

  2. Strictly manage the logon behavior of your Alibaba Cloud account:

  3. Disable the AccessKey of your Alibaba Cloud account: Do not use the AccessKey of your Alibaba Cloud account. Instead, create a RAM user and grant permissions based on the principle of least privilege.

  4. Enable operation protection: Configure operation protection for your account. Enforce secondary authentication (MFA, text message, or mailbox) for important operations, such as releasing an ECS instance or modifying account information.

  5. Perform regular audits and monitoring: Use ActionTrail to monitor logon events of your Alibaba Cloud account and check for abnormal behavior on a regular basis.

  6. Use Resource Access Management (RAM) users for daily operations: Create a RAM user as an account administrator. Create separate RAM users for different roles and grant permissions as needed.

Plan RAM users and configure access control policies

To implement fine-grained permission management and the principle of least privilege, you can create accounts, roles, and permissions based on job responsibilities. The following section provides an example of how to create accounts and attach roles based on job functions in a typical enterprise scenario:

  1. Account administrator

    This account is used only to create RAM users and roles, and to define and assign access permissions. You can grant the AliyunRAMFullAccess permission to this account. Although this account cannot directly manage resources of other Alibaba Cloud services, it can create privileged accounts. Therefore, it is a highly sensitive account that you must protect by following these practices:

    • Do not create an AccessKey for the account.

    • Do not create RAM roles with the same permissions.

    • Enable MFA and restrict the source IP addresses for logon.

  2. Resource Administrator

    You can use this account to create and manage resources such as ECS instances, VPCs, vSwitches, network interface cards, disks, security groups, snapshots, and images. You can grant the AliyunECSFullAccess, AliyunVPCFullAccess, and AliyunEIPFullAccess policies. To attach a RAM role to an ECS instance, you must also grant the sts:AssumeRole permission.

    Suggestion: If you have many cloud resources, use resource groups to isolate resources. Create a separate ECS resource administrator account for each resource group to separate permissions horizontally.

  3. O&M engineer

    This account is assigned to users who log on to and operate ECS instances, for example, to start and stop them. It is not granted permissions to modify resources, network interface cards, or disks. You can customize RAM permissions for these users:

    {
      "Version": "1",
      "Statement": [
        // 1. Read-only permissions to view resource status
        {
          "Effect": "Allow",
          "Action": [
            // View ECS resources
            "ecs:DescribeInstances",        // View instance status
            "ecs:DescribeInstanceStatus",   // Query instance status information
            "ecs:DescribeNetworkInterfaces", // View network interface card status
            "ecs:DescribeDisks",            // View disk status
            "ecs:DescribeSecurityGroups",   // View security group status
            "ecs:DescribeSecurityGroupReferences", // Query authorized security groups
            // View VPCs and vSwitches
            "vpc:DescribeVpcs",             // Query VPC status
            "vpc:DescribeVSwitches",        // Query vSwitch status
            "vpc:DescribeVSwitchAttributes" // Query detailed vSwitch configurations
          ],
          "Resource": "*"  // Allows access to all resources
        },
        // 2. Workbench permissions (logon and read)
        {
          "Effect": "Allow",
          "Action": [
            "ecs-workbench:LoginInstance",  // Permission to log on to an instance using Workbench
            "ecs:DescribeTerminalSessions"  // View Workbench session records
          ],
          "Resource": "*"
        },
        // 3. Cloud Assistant permissions (read, log on, and execute commands)
        {
          "Effect": "Allow",
          "Action": [
            // Read permissions for Cloud Assistant
            "ecs:DescribeCommands",         // View the list of commands
            "ecs:DescribeInvocations",       // View command execution records
            "ecs:DescribeInvocationResults", // View command execution results
            "ecs:DescribeCloudAssistantStatus", // Query the status of Cloud Assistant
            // Permissions to execute commands using Cloud Assistant
            "ecs:InvokeCommand",             // Execute a command
            "ecs:RunCommand"                 // Immediately execute a command
          ],
          "Resource": "*",
          // Restricts command execution to regular users (security best practice)
          "Condition": {
            "StringNotEqualsIgnoreCase": {
              "ecs:CommandRunAs": ["system", "root"]  // Prohibits the use of the root or system account
            }
          }
        }
      ]
    }

    Note: In the preceding policy, "Resource": "*" indicates that all instances can be managed. To reduce risks, we recommend that you:

    • Use resource groups or tags to limit the scope of operations.

    • Use more fine-grained resource ARNs instead of wildcard characters to grant permissions as needed.
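As an added example (not from the Alibaba Cloud documentation), the following Python script shows how a reviewer can lint the O&M engineer policy above before attaching it: it strips the // annotations, which are not valid JSON and would be rejected when the policy is created, flags Allow statements that grant non-Describe actions on "Resource": "*", and produces a copy scoped to one resource group. The abbreviated policy text, the resource group ID and the condition key acs:ResourceGroupId are assumptions made for this example.

```python
import json
import re
from copy import deepcopy

# Constructed input: an abbreviated copy of the O&M engineer policy above, kept
# with its "//" annotations. Those are not valid JSON, so they are stripped first.
ANNOTATED_POLICY = """
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ecs:DescribeInstances", "ecs:DescribeDisks"],  // view status
      "Resource": "*"  // all resources
    },
    {
      "Effect": "Allow",
      "Action": ["ecs:InvokeCommand", "ecs:RunCommand"],  // execute commands
      "Resource": "*",
      "Condition": {"StringNotEqualsIgnoreCase": {"ecs:CommandRunAs": ["system", "root"]}}
    }
  ]
}
"""

def load_policy(text: str) -> dict:
    """Strip '//' annotations (no RAM policy string contains '//') and parse."""
    return json.loads(re.sub(r"//[^\n]*", "", text))

as_list = lambda v: v if isinstance(v, list) else [v]  # Action/Resource may be str or list

def audit_wildcards(policy: dict) -> list:
    """Flag Allow statements granting non-Describe actions on Resource '*'.
    Each finding is (statement index, write actions, has_condition)."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        writes = [a for a in as_list(st["Action"])
                  if not a.split(":", 1)[1].startswith("Describe")]
        if st["Effect"] == "Allow" and "*" in as_list(st["Resource"]) and writes:
            findings.append((i, writes, "Condition" in st))
    return findings

def scope_to_resource_group(policy: dict, rg_id: str) -> dict:
    """Copy of policy in which each Allow on Resource '*' also requires
    acs:ResourceGroupId == rg_id (key assumed; verify per action in the RAM docs)."""
    scoped = deepcopy(policy)
    for st in scoped["Statement"]:
        if st["Effect"] == "Allow" and "*" in as_list(st["Resource"]):
            cond = st.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["acs:ResourceGroupId"] = rg_id  # merged with any existing Condition
    return scoped
```

The Cloud Assistant statement is reported even though it already carries the ecs:CommandRunAs condition, because that condition limits the run-as user, not which instances can be targeted.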

  4. Application role

    An application may also need to access Alibaba Cloud services, such as OSS and Simple Log Service (SLS). You must create a dedicated account or role for the application. Do not share accounts between users and applications, or between different applications:

    • Prohibit the application's account from logging on to the console.

    • If your application is deployed on ECS (including container service), do not use an AccessKey. We recommend that you attach a RAM role to the instance to improve security.

Use CloudSSO to authenticate accounts

If you encounter the following scenarios, we recommend that you use CloudSSO to implement secure and centralized identity management and access control.

  • You need to create RAM accounts with the same permissions for multiple employees.

  • Multiple people share one RAM account.

  • You are concerned that employees may leak cloud platform credentials, such as AccessKeys or logon passwords.

CloudSSO (Cloud Single Sign-On) is a multi-account unified identity management and access control service that Alibaba Cloud provides based on a resource directory (RD). It allows users to log on once with a single set of credentials and then access multiple cloud applications and services without re-entering their username and password. You can use CloudSSO to centrally manage users who use Alibaba Cloud in your enterprise. After you configure single sign-on (SSO) between your enterprise identity management system and Alibaba Cloud, you can centrally configure access permissions for all users to accounts in the RD.

  • No cloud credentials required: Employees no longer need to know their Alibaba Cloud logon passwords or AccessKeys. This reduces the risk of credential leakage.

  • Unified identity authentication: Users log on with their internal enterprise accounts (such as company mailboxes or Active Directory (AD) accounts) and passwords for a seamless integrated experience.

  • Centralized permission management: Use access configurations (Permission Sets) to centrally assign role permissions to users or user groups. Fine-grained control is supported.

  • Support for standard protocols: Integrates with enterprise IdPs based on the SAML 2.0 protocol to ensure authentication security.

For more information, see Get started with CloudSSO.

Compliance capabilities

Check for operations performed by your Alibaba Cloud account

ECS Usage Maturity Assessment and Insights

  1. Go to ECS Usage Maturity Assessment and Insights.

  2. Click the Security tab. Click the Avoid Using The Alibaba Cloud Account For Daily Operations (Account Security) check item. You can view instances where the Alibaba Cloud account was used to log on and manage cloud resources, and view the high-frequency operations of the Alibaba Cloud account.

ActionTrail

Prerequisites: You must create a trail and deliver events to SLS. For more information, see Create a single-account trail and Create a multi-account trail.

Procedure:

  1. Go to the ActionTrail console. In the navigation pane on the left, choose Events > Advanced Search.

  2. In the Query Scope section, set Trail to the trail that you created.

  3. In the Query Scope section, on the Template Library tab, choose System Template > Account/AK-related Events. Select Query Logon Events Of Alibaba Cloud Account or Query Access Events Of Alibaba Cloud Account AK.

  4. Set a time range for the query and click Run.

    • By default, ActionTrail queries events from the last 7 days.

    • You can click Event Alerting on the right to set an alert for the current event. For more information, see Create a custom alert rule.

    • You can modify the default SQL statement of the system template and click Save to save it as a custom template for future use.

  5. View the query results.

    • Raw Logs: On the Raw Logs tab, click View Event Details in the Actions column of the target event to view the basic information and JSON format of the event.

    • Histogram: On the Query Result Histogram tab, view the histogram of event occurrences.
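As an added example (not code from the Alibaba Cloud documentation), the following Python script applies the same check as the two ActionTrail system templates to exported event records: it separates console logons of the Alibaba Cloud account from API calls made with the account's AccessKey, and lists the account's most frequent operations as the maturity assessment does. The sample events are constructed for this example and follow the ActionTrail event field names (userIdentity.type, eventType, eventName, sourceIpAddress); the account ID, AccessKey IDs and IP addresses are placeholders.

```python
import json
from collections import Counter

# Constructed sample ActionTrail events, one JSON object per line, using the
# ActionTrail event schema. Account ID, AccessKey IDs and IP addresses are
# made-up placeholders for this example.
SAMPLE_EVENTS = """
{"eventTime": "2025-10-01T02:11:09Z", "eventType": "ConsoleSignin", "eventName": "ConsoleSignin", "serviceName": "Signin", "sourceIpAddress": "203.0.113.10", "userIdentity": {"type": "root-account", "accountId": "1234567890123456", "userName": "root"}}
{"eventTime": "2025-10-01T02:15:40Z", "eventType": "ApiCall", "eventName": "DeleteInstance", "serviceName": "Ecs", "sourceIpAddress": "203.0.113.10", "userIdentity": {"type": "root-account", "accountId": "1234567890123456", "userName": "root", "accessKeyId": "LTAI-EXAMPLE-ROOT"}}
{"eventTime": "2025-10-01T03:00:02Z", "eventType": "ApiCall", "eventName": "DescribeInstances", "serviceName": "Ecs", "sourceIpAddress": "198.51.100.7", "userIdentity": {"type": "ram-user", "accountId": "1234567890123456", "userName": "ops-alice", "accessKeyId": "LTAI-EXAMPLE-RAM"}}
{"eventTime": "2025-10-01T03:30:00Z", "eventType": "ConsoleSignin", "eventName": "ConsoleSignin", "serviceName": "Signin", "sourceIpAddress": "198.51.100.7", "userIdentity": {"type": "ram-user", "accountId": "1234567890123456", "userName": "ops-alice"}}
"""

def parse_events(text: str) -> list:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify_root_event(event: dict):
    """'root-logon' for console logons, 'root-ak-access' for API calls made with
    the account's AccessKey, 'root-other' for other root activity, None otherwise."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "root-account":
        return None  # RAM users and assumed roles are what daily operations should use
    if event.get("eventType") == "ConsoleSignin":
        return "root-logon"
    if "accessKeyId" in identity:
        return "root-ak-access"
    return "root-other"

def find_root_activity(text: str) -> list:
    """(category, eventTime, eventName, sourceIpAddress) for every event made by
    the Alibaba Cloud account; expected to be empty once RAM users are in use."""
    hits = []
    for ev in parse_events(text):
        cat = classify_root_event(ev)
        if cat:
            hits.append((cat, ev["eventTime"], ev["eventName"], ev.get("sourceIpAddress")))
    return hits

def high_frequency_actions(text: str, top: int = 3) -> list:
    """Most frequent API calls made with the Alibaba Cloud account's AccessKey,
    mirroring the high-frequency operations view of the maturity assessment."""
    counts = Counter(ev["eventName"] for ev in parse_events(text)
                     if classify_root_event(ev) == "root-ak-access")
    return counts.most_common(top)
```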