Security Center checks source code stored on platforms such as GitHub in real time for AccessKey pairs. If Security Center detects that your AccessKey pairs are leaked, it generates alerts. We recommend that you view and handle leak events on AccessKey pairs at the earliest opportunity.

Background information

If an employee of an enterprise uploads source code that cannot be disclosed to platforms such as GitHub, the AccessKey pairs of the enterprise may be leaked.

To check the source code stored on the platforms in real time, the AccessKey leak detection feature uses the threat intelligence collection system and network crawlers. In most cases, source code is uploaded and disclosed by employees of an enterprise. Security Center determines whether the source code contains AccessKey pairs. If leaked AccessKey pairs are detected, Security Center generates alerts in real time. This helps minimize the risk of data leaks.
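
A local counterpart to the check described above, as an added example that is not Security Center's own detection logic: it scans source text for AccessKey pairs before the code is published and masks what it reports. The key formats (an ID of LTAI plus 12 to 20 alphanumeric characters, a 30-character alphanumeric secret), the function names, and the sample files are assumptions made for illustration.

```python
import re

# Assumed formats: ID = "LTAI" + 12-20 alphanumerics, secret = 30 alphanumerics.
AK_ID = re.compile(r"\bLTAI[A-Za-z0-9]{12,20}\b")
AK_SECRET = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{30}(?![A-Za-z0-9])")

def mask(value, keep=6):
    """Keep only a short prefix so the report itself does not leak the key."""
    return value[:keep] + "*" * (len(value) - keep)

def find_accesskey_pairs(files, window=2):
    """Scan {path: text} and return one finding per AccessKey ID.

    A finding is marked full_pair when a secret-shaped token appears
    within `window` lines of the ID.
    """
    findings = []
    for path, text in sorted(files.items()):
        lines = text.splitlines()
        for idx, line in enumerate(lines):
            for match in AK_ID.finditer(line):
                nearby = lines[max(0, idx - window): idx + window + 1]
                has_secret = any(AK_SECRET.search(n) for n in nearby)
                findings.append({
                    "path": path,
                    "line": idx + 1,
                    "access_key_id": mask(match.group(0)),
                    "full_pair": has_secret,
                })
    return findings

# Constructed sample tree; none of these values are real credentials.
SAMPLE_FILES = {
    "app/settings.py": (
        'ACCESS_KEY_ID = "LTAI' + "A1b2" * 4 + '"\n'
        'ACCESS_KEY_SECRET = "' + "Zx9" * 10 + '"\n'
    ),
    "docs/setup.md": "Example ID: LTAI" + "0" * 16 + "\n",
    "README.md": "Read the AccessKey pair from the environment, not from code.\n",
}

if __name__ == "__main__":
    for finding in find_accesskey_pairs(SAMPLE_FILES):
        print(finding)
```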

Limits

All editions of Security Center support this feature. For more information about the features that each edition supports, see Functions and features.

Configure alert notifications for AccessKey pair leaks

If an alert is generated for AccessKey pair leaks, Security Center notifies users by text message, email, or internal message.

By default, Security Center sends alert notifications when an alert is generated. You can also perform the following operations to customize the notification time range and method:

  1. Log on to the Security Center console.
  2. Open the Settings page and click the Notifications tab.
  3. In the Notification Settings section, configure Notify At and Notify By for AccessKey leakage info.

After you configure the parameters, Security Center sends alert notifications only in the time range that you specified. For more information, see Notifications.
Notice
  • If an AccessKey pair leak is detected outside the specified time range, Security Center does not immediately send an alert notification.
  • After you receive an alert notification for AccessKey pair leaks, you must delete all information that involves the AccessKey pairs and select a method to handle the alert at the earliest opportunity. To handle the alert, select Deleted manually, Manually disable AK, or Whitelist. Otherwise, Security Center continues to send you alert notifications.

View and handle leak events on AccessKey pairs

  1. Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > AccessKey Leak.
  2. On the AK leak detection page, view and handle leak events on AccessKey pairs.
    • View information about leak events on AccessKey pairs

      You can view information about leak events on AccessKey pairs that Security Center detects. The information includes Acceskey Leaked, AccessKey Exception Call, and Testing Platform.

      Click the number below AccessKey Exception Call to go to the Alerts page and view the generated alerts on suspicious calls of AccessKey pairs.

    • Search for the leak events on an AccessKey pair

      To search for the leak events on an AccessKey pair, enter the AccessKey ID in the search box.

    • View the details of a leak event on an AccessKey pair

      To view the details of a leak event on an AccessKey pair, find the leak event and click Details in the Operation column.

    • Handle a leak event on an AccessKey pair
      To handle a leak event on an AccessKey pair, find the leak event on the AK leak detection page, click Process in the Operation column, and then select a method to handle the leak event. We recommend that you handle the leak event by using the following procedure:
      • Log on to the Log Service console. Search for the access logs of the required server and view the details of the leak event. For example, you can set the URI field to the file path that contains the AccessKey application file to search for web access logs.
      • In the Related recommendation section of the Leaked details of AccessKey page, view the suggestions on how to handle the leak event. You must select a method in the Processing Method section. In the Processing Method section, you can select Deleted manually, Manually disable AK, or Whitelist.
        Note: After you delete the information that involves the AccessKey pair and select a method in the Processing Method section, the status of the leak event changes to Handled. Then, Security Center does not send alert notifications for the leak event.

        If you add the leak event to the whitelist, the status of the leak event changes to Whitelisted. Then, the leak event is added to the Handled list.

        If you want to remove the leak event from the whitelist, find the leak event in the Handled list, go to the details page, and then click Cancel the whitelist.

    • Export the detection report of leak events on AccessKey pairs

      On the AK leak detection page, click the Download icon in the upper-right corner above the list of leak events on AccessKey pairs. After the report is exported, the Done message appears in the upper-right corner. To download and save the report as an Excel file to your computer, click Download.
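
One way to apply the URI filter from the handling procedure above to exported web access logs, as an added example that is not part of the original documentation: it keeps only requests for the file that contains the AccessKey pair and summarizes them per client IP. The combined log format, the path /config/ak.properties, the function name, and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in combined log format; IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:08:01:11 +0000] "GET /static/app.js HTTP/1.1" 200 5120
203.0.113.25 - - [12/Mar/2024:08:03:40 +0000] "GET /config/ak.properties HTTP/1.1" 200 312
203.0.113.25 - - [12/Mar/2024:08:09:02 +0000] "GET /config/ak.properties?v=2 HTTP/1.1" 200 312
192.0.2.14 - - [12/Mar/2024:09:15:02 +0000] "GET /config/ak.properties HTTP/1.1" 403 0
"""

LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def requests_for_file(log_text, leaked_path):
    """Summarize, per client IP, requests whose URI path is leaked_path."""
    summary = defaultdict(
        lambda: {"count": 0, "served": 0, "first": None, "last": None}
    )
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # Compare the path only, so a query string does not hide a request.
        if m["uri"].split("?", 1)[0] != leaked_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = summary[m["ip"]]
        entry["count"] += 1
        if m["status"].startswith("2"):
            entry["served"] += 1  # the file content was actually returned
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(summary)

if __name__ == "__main__":
    hits = requests_for_file(SAMPLE_LOG, "/config/ak.properties")
    for ip, entry in hits.items():
        print(ip, entry["count"], entry["served"], entry["first"], entry["last"])
```

Clients with a non-zero served count received the file content; the first and last timestamps bound the period in which the AccessKey pair was reachable through that URI.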

References

Best practices to prevent AccessKey pair leaks

Configure alert notifications