You can configure a Resource Access Management (RAM) policy to restrict the allowed source IP addresses for OpenAPI calls. This prevents an attacker from using leaked credentials to control or access your cloud resources from any location on the Internet.
Security risks
By default, any entity with a valid AccessKey (AK) can call OpenAPI from anywhere on the Internet to access your cloud resources. If an AK is leaked due to misconfiguration, hard coding, or an employee's departure, an attacker can gain direct control over your cloud resources. This is a global threat that can lead to data theft, malicious resource deletion, or high charges.
Best practices
Use a RAM policy to restrict source IP addresses. Even if an AK is leaked, an attacker can succeed only if the attack originates from a predefined, trusted IP address, such as your company's egress IP or a Bastionhost IP.
Console
Create a RAM user. You cannot use a RAM policy to restrict the source IP address for an Alibaba Cloud account.
Log on to the RAM console as an Alibaba Cloud account or a RAM administrator.
In the navigation pane on the left, choose .
On the Users page, click Create User. Follow the prompts to enter the user information, click OK, and then complete the security authentication.
Create a custom policy.
Log on to the RAM console as a RAM administrator. In the navigation pane on the left, choose .
On the Access Policies page, click Create Policy.
On the Create Policy page, click the JSON tab. Enter the following policy document and then click OK.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs:*",   // All OpenAPI operations for ECS. To apply to all OpenAPI operations for all cloud services, set this to *.
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "200.1.xxx.xxx/24",   // Replace with the allowed IP address range.
            "213.1.xxx.xxx"       // Replace with the allowed single IP address.
          ]
        }
      }
    }
  ]
}
Enter a Policy Name and a Description. Click OK and complete the security authentication.
Attach the access policy to the RAM user.
Log on to the RAM console as a RAM administrator.
In the navigation pane on the left, choose .
On the Users page, find the target RAM user and click Add Permissions in the Actions column.
In the Grant Permission panel, select the access policy and click Grant permissions.
API
Call the CreateUser operation to create a RAM user:
UserName: The logon name of the RAM user.
DisplayName: The display name of the RAM user.
Call the CreatePolicy operation to create a RAM policy:
PolicyName: The name of the policy. Use a readable name, such as RestrictIPAccess.
PolicyDocument: The policy document in JSON format. This document specifies the allowed IP address range.
Call the AttachPolicyToUser operation to attach the policy to the RAM user:
PolicyType: The type of the policy. Set the value to "Custom".
PolicyName: The name of the policy, such as RestrictIPAccess.
UserName: The name of the RAM user, such as TestUser.
You cannot use a RAM policy to directly restrict access to OpenAPI from a VPC based on the source IP address. This is because the acs:SourceIp condition key uses the public egress IP or NAT Gateway egress IP of the OpenAPI call, not the private IP address within the VPC.
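The following Python script is an added example, not part of this guide and not Alibaba Cloud's own policy engine. It evaluates the acs:SourceIp condition of a policy document shaped like the one in the Console section offline, so you can see why a leaked AccessKey used from an untrusted network is denied, and it lints the allowed ranges for two mistakes that silently defeat the restriction: 0.0.0.0/0 (no restriction at all) and RFC 1918 private ranges (which never match, because RAM compares against the public egress or NAT IP of the call, as noted above). The policy documents and IP addresses are constructed placeholders (documentation address blocks), not real allow-lists; the action-matching and default-deny logic are simplified assumptions for illustration.

```python
"""Offline evaluator and linter for the acs:SourceIp condition of a RAM policy.

Added example; constructed policies and addresses, not a real policy engine.
"""
import ipaddress
import json

# Constructed policy mirroring the guide's example; addresses are placeholders.
POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs:*",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": ["203.0.113.0/24", "198.51.100.7"]
        }
      }
    }
  ]
}
"""

# Constructed weak policy: an any-source range plus a VPC-private range.
WEAK_POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {
      "Action": "*",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {"IpAddress": {"acs:SourceIp": ["0.0.0.0/0", "10.1.2.0/24"]}}
    }
  ]
}
"""

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _action_matches(pattern, action):
    """Match an Action pattern such as "ecs:*" or "*" against an action name."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _source_ip_ranges(stmt):
    """Return the acs:SourceIp list of a statement ([] if it has no IP condition)."""
    ranges = stmt.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp", [])
    return [ranges] if isinstance(ranges, str) else ranges


def source_ip_allowed(ranges, source_ip):
    """True if source_ip falls inside any CIDR block or single IP in ranges."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def evaluate(policy_json, action, source_ip):
    """Return "Allow" or "Deny" for one API call under an allow-only policy.

    RAM denies by default: a statement whose condition is not met simply does
    not apply, so a call from an address outside the allow-list is denied.
    """
    for stmt in json.loads(policy_json)["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(p, action) for p in actions):
            continue
        ranges = _source_ip_ranges(stmt)
        if ranges and not source_ip_allowed(ranges, source_ip):
            continue  # condition not met: statement does not apply
        if stmt["Effect"] == "Allow":
            return "Allow"
    return "Deny"


def lint_source_ip_ranges(policy_json):
    """Flag allow-list entries that make the source-IP restriction ineffective."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        for r in _source_ip_ranges(stmt):
            net = ipaddress.ip_network(r, strict=False)
            if net.prefixlen == 0:
                findings.append(f"{r}: matches any source address, restriction is ineffective")
            elif net.version == 4 and any(net.subnet_of(p) for p in PRIVATE_NETS):
                findings.append(f"{r}: private address, never matches the public egress IP")
    return findings


if __name__ == "__main__":
    # Same leaked key, two networks: only the trusted egress range succeeds.
    print(evaluate(POLICY_JSON, "ecs:DescribeInstances", "203.0.113.45"))  # Allow
    print(evaluate(POLICY_JSON, "ecs:DescribeInstances", "192.0.2.10"))    # Deny
    for finding in lint_source_ip_ranges(WEAK_POLICY_JSON):
        print("weak policy:", finding)
```

The linter is the part worth keeping around: run it over every custom policy that carries an acs:SourceIp condition before attaching it, since a private range copied from a VPC subnet looks correct in the console but locks nobody out.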
Compliance
Check: Find RAM users that are not attached to a source IP restriction policy
Use Alibaba Cloud CLI to run the following script. The script traverses all RAM users and checks whether each user has a source IP restriction policy attached.
#!/bin/bash
set -euo pipefail
# Define the policy ARN (Alibaba Cloud Resource Name).
POLICY_ARN="acs:ram::123456789012:policy/RestrictIPAccess" # Replace with your policy ARN.
# Get a list of all RAM users.
USER_LIST=$(aliyun ram ListUsers | jq -r '.Users.User[].UserName')
# Traverse each user and check if the specified policy is attached.
# USER_NAME is used instead of USER so the shell's own USER variable is not overwritten.
for USER_NAME in $USER_LIST; do
  # Get the list of policies attached to the user.
  POLICIES=$(aliyun ram ListPoliciesForUser --UserName "$USER_NAME" | jq -r '.Policies.Policy[].PolicyArn')
  # Check if the list of policies contains the target policy ARN (exact, fixed-string line match).
  if ! printf '%s\n' "$POLICIES" | grep -qxF -- "$POLICY_ARN"; then
    echo "User $USER_NAME is not attached to policy $POLICY_ARN"
  fi
done
Fix: Attach a source IP restriction policy to RAM users in batches
Use Alibaba Cloud CLI to run the following script. The script traverses all RAM users and attaches the policy to users that do not have it.
#!/bin/bash
set -euo pipefail
# Define the policy ARN (Alibaba Cloud Resource Name).
POLICY_ARN="acs:ram::123456789012:policy/RestrictIPAccess" # Replace with your policy ARN.
# Define the policy name that AttachPolicyToUser expects (must match the ARN above).
POLICY_NAME="RestrictIPAccess"
# Get a list of all RAM users.
USER_LIST=$(aliyun ram ListUsers | jq -r '.Users.User[].UserName')
# Traverse each user and check if the specified policy is attached.
# USER_NAME is used instead of USER so the shell's own USER variable is not overwritten.
for USER_NAME in $USER_LIST; do
  # Get the list of policies attached to the user.
  POLICIES=$(aliyun ram ListPoliciesForUser --UserName "$USER_NAME" | jq -r '.Policies.Policy[].PolicyArn')
  # Check if the list of policies contains the target policy ARN (exact, fixed-string line match).
  if ! printf '%s\n' "$POLICIES" | grep -qxF -- "$POLICY_ARN"; then
    echo "User $USER_NAME is not attached to policy $POLICY_ARN"
    # Attach the policy to the user; a failed call is reported and the loop continues.
    echo "Attaching policy $POLICY_ARN to user $USER_NAME ..."
    if aliyun ram AttachPolicyToUser \
        --PolicyType Custom \
        --PolicyName "$POLICY_NAME" \
        --UserName "$USER_NAME"; then
      echo "Policy $POLICY_ARN was successfully attached to user $USER_NAME"
    else
      echo "Failed to attach policy $POLICY_ARN to user $USER_NAME. Check your permissions or if the policy exists."
    fi
  fi
done