Detection of AccessKey pair leaks - Threat Detection| Alibaba Cloud Documentation Center

Security Center detects the source code stored on platforms, such as GitHub, in real time to check whether the usernames and passwords of your assets are leaked. When leaks are detected, Security Center generates alerts. This helps you detect and handle potential AccessKey pair leaks.

Background information

Employees of an enterprise can upload source code to platforms such as GitHub. This may cause the leaks of sensitive data, such as the endpoints and passwords of enterprise databases and the passwords of enterprise servers.

To detect the source code stored on the platforms, the AccessKey leak detection feature uses the threat intelligence collection system. In most cases, source code is uploaded and shared by employees of an enterprise. Security Center determines whether the source code contains the usernames and passwords of your assets. The assets include Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, ApsaraDB for Redis instances, and ApsaraDB RDS for MySQL instances. Security Center generates alerts for potential leaks in real time to help you minimize security risks.

Note By default, the AccessKey pair leak detection feature is enabled for all users of Security Center.

Limits

All editions of Security Center support this feature. For more information about the features that each edition supports, see Feature.

Configure alert notifications for AccessKey pair leaks

If an alert is generated, Security Center sends alert notifications to users by using text messages, emails, or internal messages.

By default, Security Center sends alert notifications to users when an alert is generated. You can also perform the following operations to customize the notification time range and method: Log on to the Security Center console. Open the Settings page and click the Notifications tab. In the Notification Settings section, configure Notify At and Notify By for AccessKey leakage info. After you configure the parameters, Security Center sends alert notifications only during the time range that you specified. For more information, see Use the notification feature.

Notice

If an AccessKey pair leak is detected beyond the time range that you specified, you cannot receive notifications at the earliest opportunity.
After you receive notifications for AccessKey pair leaks, you must delete all information that involves your AccessKey pairs and handle the alert by selecting a method at the earliest opportunity. To handle the alert, select Deleted manually, Manually disable AK, or Whitelist. Otherwise, Security Center continues to send you the alert notifications.

View and handle AccessKey pair leaks

Log on to the Security Center console.
In the left-side navigation pane, choose Detection > AccessKey Leak.
On the Leak Detection by AccessKey page, view and handle AccessKey pair leaks.
You can perform the following operations:
- View information about AccessKey pair leaks
  You can view the information about AccessKey pair leaks that Security Center detects. The information includes the number of AccessKey pair leaks, the number of alerts on suspicious calls of an AccessKey pair, and the platform on which the detection is performed.
  
  Click the number under AccessKey Exception Call to open the Alerts page and view the detected alerts on suspicious calls of an AccessKey pair.
- Search for a specific AccessKey pair leak
  To search for the leak, enter the AccessKey ID in the search box.
- View details of an AccessKey pair leak
  To view the details of an AccessKey pair leak, select the leak and click Details in the Operation column.
- Handle an AccessKey pair leak
  To handle an AccessKey pair leak, find the leak on the Leak Detection by AccessKey page, click Processing in the Operation column, and then select a method. You can perform the following operations:
  - Log on to the Log Service console. Search for the access logs of the required server and determine whether AccessKey pairs are leaked. For example, you set the URI field to the file path that contains the AccessKey application file to search for the web access logs.
  - In the Related recommendation section of the Leaked details of AccessKey page, view the suggestions on how to handle the leak. You must select a method in the Processing Method section. In the Processing Method section, you can select Deleted manually, Manually disable AK, or Whitelist.
    
    Note After you delete the information that involves your AccessKey pair and select a method in the Processing Method section, the status of this AccessKey pair leak changes to Handled. Then, Security Center does not send alert notifications for the leak.
    
    If you add the AccessKey pair leak to the whitelist, the status of the AccessKey pair leak changes to Whitelisted. Then, the Accesskey pair leak is added to the Handled list.
    
    If you want to remove the AccessKey pair leak from the whitelist, find the record in the Handled list, go to the details page, and then click Cancel the whitelist.
- Export the detection report of the AccessKey pair leak
  On the Leak Detection by AccessKey page, click the icon in the upper-right corner of the AccessKey pair leak detection list. After the report is exported, the Done message appears in the upper-right corner. To download and save the report as an Excel file to your computer, click Download.

References

Best practices to prevent AccessKey pair leaks

Configure alert notifications