Well-Architected Framework: Identity management

Last Updated: Nov 12, 2025

An identity is the entity that performs actions in a cloud environment. There are two primary types of identities in the cloud: human identities and programmatic identities.

A human identity typically represents an individual within an organization, such as a security administrator, an operations engineer, or an application developer. Human identities usually manage cloud resources through tools like the Alibaba Cloud Management Console, the Command-Line Interface (CLI), or other clients designed for specific use cases.

A programmatic identity represents an application or service that accesses cloud resources and data through Alibaba Cloud APIs.

On Alibaba Cloud, identity management for both identity types follows two core security principles derived from least privilege: minimize exposure duration and minimize exposure surface.

Minimizing exposure duration means using temporary identities or temporary credentials instead of static identities or static credentials. Even when using static credentials, rotate them regularly.

Minimizing exposure surface means storing keys and credentials securely and avoiding the sharing or reuse of credentials across different applications or identity types.

The following sections describe best practices for managing each type of identity on Alibaba Cloud.

Human identities

Avoid using the root identity

When you register for an Alibaba Cloud account, you can sign in to the Alibaba Cloud Management Console with your username and password. After you sign in, you assume the root identity. This identity has full permissions for all resources under the account, so a leaked or compromised account password poses an extremely high risk. If multiple people share this identity, each person possesses the account's username and password, which increases the likelihood of a compromise. When the root identity is shared, operational logs cannot distinguish which individual performed an action, so actions cannot be attributed to a person. Therefore, except in a few specific scenarios, use an Alibaba Cloud Resource Access Management (RAM) identity to access cloud resources and avoid using your Alibaba Cloud Account's root identity. To enhance the security of the root identity, refer to the best practices in the "Establish a more secure sign-in mechanism" section below.

Implement unified authentication for human identities

Using a centralized Identity Provider (IdP) to manage unified authentication for human identities simplifies identity management and ensures consistency between your on-premises and cloud identities. When personnel changes occur, such as new hires or departures, you configure their identity settings in one central location. For cloud environment users, this approach eliminates the need to issue additional usernames and passwords, such as RAM user credentials; they only need to secure their identity and credentials within the organization's IdP. Some organizations add another layer of security through network access controls that restrict IdP access to the corporate intranet only, further securing the authentication process for human identities.

Alibaba Cloud supports Single Sign-On (SSO) based on the SAML 2.0 protocol. On Alibaba Cloud, we recommend that you integrate with your organization's IdP through RAM SSO to achieve unified authentication for human identities. For complex organizations with multiple Alibaba Cloud Accounts, you can also use CloudSSO for centralized SSO configuration. This further unifies identity management across multiple accounts and improves administrative efficiency.

Establish a more secure sign-in mechanism

Human identities often sign in using a username and password. If these credentials are leaked, an attacker could sign in to Alibaba Cloud with that identity and cause irreparable damage. Therefore, it is critical to protect usernames and passwords for all human identities. Enhance sign-in security in the following ways:

  1. Increase password strength. For example, increase the password length and require a mix of numbers, uppercase and lowercase letters, and special characters. For RAM users on Alibaba Cloud, administrators can set password strength rules to enforce complex passwords, reducing the risk of password leaks or cracking.

  2. Avoid password reuse. Using the same password across different services, sites, or for different users increases the password's exposure surface and the likelihood of a leak. If a password for one service or user is compromised, an attacker can attempt to sign in to other services that share the same password. Therefore, ensuring that different services and users have unique passwords reduces the risk of a widespread compromise.

  3. Rotate passwords regularly. The longer a password exists, the higher the risk of it being leaked. By resetting passwords periodically, you reduce the lifespan of a single password, which further lowers the risk of a leak. For RAM users on Alibaba Cloud, administrators can set a password expiration policy in the password strength rules to enforce regular password rotation.

  4. Use multi-factor authentication (MFA). MFA is a simple and effective security practice that adds an extra layer of protection on top of a username and password. It is used for secondary identity verification when signing in to Alibaba Cloud or performing sensitive operations, to better protect your account. Alibaba Cloud supports multiple second-factor verification methods, including virtual MFA devices and U2F security keys. We recommend enabling MFA for all human identities in the cloud. For organizations that use an on-premises IdP for unified authentication, we also recommend providing an MFA option on the IdP side.
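The first three practices above (password strength, no reuse, regular rotation) are the kind of rules an administrator expresses as a password policy. The following is an added example, not Alibaba Cloud code: a small policy engine that keeps a salted hash history per user and enforces length and character-class rules, a reuse window, and a maximum password age. The policy values (12 characters, 5 remembered passwords, 90 days) and the salt are constructed assumptions, not RAM defaults.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import string


@dataclass
class PasswordPolicy:
    """Policy knobs for the practices above; the values are constructed, not RAM defaults."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    reuse_prevention: int = 5      # remember this many previous password hashes
    max_age_days: int = 90         # require a new password after this many days


@dataclass
class PasswordRecord:
    """What a directory keeps per user: a salted hash history (most recent last), never plaintext."""
    salt: str
    last_changed: datetime
    history: list = field(default_factory=list)


def _hash(password: str, salt: str) -> str:
    # Illustrative key derivation; a production directory would use a tuned, memory-hard KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def strength_violations(password: str, policy: PasswordPolicy) -> list:
    """Practice 1: return every complexity rule the password fails (empty list means it passes)."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if policy.require_symbol and not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def is_reused(password: str, record: PasswordRecord, policy: PasswordPolicy) -> bool:
    """Practice 2: reject a candidate that matches any of the last `reuse_prevention` passwords."""
    return _hash(password, record.salt) in record.history[-policy.reuse_prevention:]


def is_expired(record: PasswordRecord, policy: PasswordPolicy, now: datetime) -> bool:
    """Practice 3: a password older than `max_age_days` must be rotated before the next sign-in."""
    return now - record.last_changed > timedelta(days=policy.max_age_days)


def change_password(record: PasswordRecord, new_password: str, policy: PasswordPolicy, now: datetime):
    """Apply the checks, then rotate: store the new hash and trim the history to the policy window.
    Returns (accepted, reasons)."""
    reasons = strength_violations(new_password, policy)
    if reasons:
        return False, reasons
    if is_reused(new_password, record, policy):
        return False, [f"matches one of the last {policy.reuse_prevention} passwords"]
    record.history.append(_hash(new_password, record.salt))
    record.history = record.history[-policy.reuse_prevention:]
    record.last_changed = now
    return True, []
```

The reuse check compares hashes, so the directory never needs to keep old passwords in clear, and the history is trimmed on every change so the stored window never grows beyond the policy.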

Use role assumption instead of static identities

Using a temporary identity instead of a static identity minimizes the exposure surface and significantly reduces the risk of a credential leak. For human identities, this approach also lets you abstract permission models, such as creating roles based on job functions. This helps standardize permission settings and improves management efficiency.

In the cloud, we recommend managing human identities by using Single Sign-On (SSO) based on role assumption.

Programmatic identities

Do not use Alibaba Cloud account AccessKeys

An Alibaba Cloud account AccessKey is equivalent to the root identity's permissions, granting full administrative control over the account. It cannot be restricted by conditions (such as source IP address or access time) and its permissions cannot be narrowed. If leaked, this poses an extremely high risk. For programmatic access scenarios, always use the AccessKey of a RAM user to make Alibaba Cloud API calls.

Avoid sharing AccessKeys

If multiple programmatic identities, or a mix of programmatic and human identities, share an AccessKey, the permissions associated with that key must accommodate all use cases, which leads to overly broad permissions. In a shared scenario, a single leak affects all applications, expanding the risk and making remediation more difficult. For different environments of the same application, such as production and testing, you often need to access different resources. At the same time, test environment code often lacks stability and robustness, making leaks more likely. If the same AccessKey is shared, a leak in the test environment could easily impact the production environment, creating a significant business security risk.

Therefore, for different applications, different modules of a large application, or different environments of the same application (such as production and test), create a unique AccessKey for each programmatic use case. Each AccessKey should only have the permissions required for its specific scenario. Avoid sharing AccessKeys.

Rotate AccessKeys regularly

Like usernames and passwords for human identities, the longer an AccessKey exists, the higher the risk of it being leaked. Periodically create a new AccessKey, replace the one currently in use by your application, and then disable and delete the old AccessKey to achieve regular rotation. Use the Secrets Manager feature of Alibaba Cloud Key Management Service (KMS) to automate this rotation process.

In addition to AccessKeys, rotate all other types of programmatic access credentials regularly to reduce the risk of a credential leak.
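The rotation sequence described above (create a new key, move the application to it, disable and then delete the old key) is easy to get wrong in the details: deleting before the application has switched causes an outage, and deleting without a disable step removes the cheap way to recover from a forgotten consumer. The following added example, which is not Alibaba Cloud code, walks the sequence against an in-memory stand-in for a RAM client. The client's method names mirror the RAM operations, the per-user key limit, the 90-day rotation window, the 7-day grace period, the key IDs, and the RAM user names are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional
import secrets


@dataclass
class AccessKey:
    key_id: str
    user: str
    created: datetime
    status: str = "Active"            # "Active" or "Inactive"
    disabled_at: Optional[datetime] = None


class FakeRamClient:
    """In-memory stand-in for a RAM client. Method names follow the RAM operations
    (CreateAccessKey, UpdateAccessKey, DeleteAccessKey, ListAccessKeys) but nothing here
    talks to Alibaba Cloud. The per-user key limit is a constructed assumption that models
    why rotation must retire old keys instead of accumulating them."""
    MAX_KEYS_PER_USER = 2

    def __init__(self):
        self.keys: dict = {}          # key_id -> AccessKey

    def list_access_keys(self, user: str) -> list:
        return [k for k in self.keys.values() if k.user == user]

    def create_access_key(self, user: str, now: datetime) -> AccessKey:
        if len(self.list_access_keys(user)) >= self.MAX_KEYS_PER_USER:
            raise RuntimeError(f"{user}: key quota exhausted, retire a key first")
        key = AccessKey("LTAI" + secrets.token_hex(8), user, now)   # constructed id shape
        self.keys[key.key_id] = key
        return key

    def update_access_key(self, key_id: str, status: str, now: datetime) -> None:
        key = self.keys[key_id]
        key.status = status
        key.disabled_at = now if status == "Inactive" else None

    def delete_access_key(self, key_id: str) -> None:
        del self.keys[key_id]


def keys_due_for_rotation(client, user: str, now: datetime, max_age_days: int = 90) -> list:
    """Detection: active keys older than the rotation window."""
    cutoff = now - timedelta(days=max_age_days)
    return [k for k in client.list_access_keys(user) if k.status == "Active" and k.created < cutoff]


def rotate_access_key(client, old_key_id: str, now: datetime, deploy: Callable[[AccessKey], None]) -> AccessKey:
    """Create the new key, push it to the application, then disable (not delete) the old one.
    `deploy` is the caller's hook for delivering the credential (for example by updating a
    secret in Secrets Manager); if it fails the new key is removed and the old key stays active."""
    old = client.keys[old_key_id]
    new = client.create_access_key(old.user, now)
    try:
        deploy(new)
    except Exception:
        client.delete_access_key(new.key_id)     # roll back: never leave an undeployed key behind
        raise
    client.update_access_key(old.key_id, "Inactive", now)
    return new


def purge_inactive_keys(client, user: str, now: datetime, grace_days: int = 7) -> list:
    """Final step, run later: delete keys that have been disabled for the whole grace period.
    The grace period is the window in which a forgotten consumer of the old key fails loudly
    and the key can simply be re-enabled instead of re-issued."""
    purged = []
    for key in client.list_access_keys(user):
        if key.status == "Inactive" and now - key.disabled_at >= timedelta(days=grace_days):
            client.delete_access_key(key.key_id)
            purged.append(key.key_id)
    return purged


def rotation_demo():
    """Constructed walkthrough: one stale production key, one fresh test key."""
    now = datetime(2025, 11, 12)
    client = FakeRamClient()
    stale = client.create_access_key("app-prod", now - timedelta(days=120))
    client.create_access_key("app-test", now - timedelta(days=10))
    deployed = []
    for key in keys_due_for_rotation(client, "app-prod", now):
        rotate_access_key(client, key.key_id, now, deployed.append)
    purged = purge_inactive_keys(client, "app-prod", now + timedelta(days=8))
    return client, stale.key_id, deployed, purged
```

Splitting disable from delete is the design point: a disabled key can be re-enabled in seconds if an overlooked workload starts failing, whereas a deleted key cannot be recovered. The rollback path in `rotate_access_key` exists for the same reason in the other direction: a new key that was never delivered to the application is just one more credential to lose.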

Use temporary credentials instead of static credentials

Creating an AccessKey for a RAM user or the account's root identity for programmatic calls results in a static credential. Once created, this credential consists of a fixed AccessKey ID and AccessKey Secret until it is deleted. Using static credentials introduces significant risks. For example, an application developer might hardcode a static AccessKey into their code and push it to a public repository like GitHub, causing a leak that leads to business losses.
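The hardcoded-key-in-a-public-repository scenario is cheap to catch before the push if source is scanned for AccessKey literals. The following is an added example, not Alibaba Cloud tooling: a scanner that flags AccessKey ID literals and AccessKey Secret literals assigned under a secret-looking name, with an opt-out marker for documented fake fixtures. The "LTAI" prefix is the AccessKey ID prefix; the length ranges in the regular expressions, the marker text, and the sample files are constructed assumptions.

```python
import re
from dataclasses import dataclass

# AccessKey IDs carry the "LTAI" prefix; the length range of the alphanumeric tail and the
# 30-character secret length are heuristic assumptions that should be tuned to observed keys.
AK_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,24}\b")
# A bare 30-character alphanumeric string is too generic to flag on its own, so the secret
# is only reported when it is assigned as a literal to a name that says "secret".
AK_SECRET_RE = re.compile(
    r"(?i)(access[_-]?key[_-]?secret|secret[_-]?key|ak[_-]?secret)\s*[:=]\s*['\"]([A-Za-z0-9]{30})['\"]"
)
IGNORE_MARK = "ak-scan: ignore"   # opt-out for documented fixtures such as obviously fake test keys


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str   # enough to locate the value, never enough to reuse it


def redact(value: str) -> str:
    return value[:6] + "..." + "*" * (len(value) - 6)


def scan_text(path: str, text: str) -> list:
    """Return one Finding per hardcoded AccessKey ID or secret literal in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if IGNORE_MARK in line:
            continue
        for m in AK_ID_RE.finditer(line):
            findings.append(Finding(path, lineno, "AccessKeyId", redact(m.group(0))))
        for m in AK_SECRET_RE.finditer(line):
            findings.append(Finding(path, lineno, "AccessKeySecret", redact(m.group(2))))
    return findings


def scan_files(files: dict) -> list:
    """`files` maps a path to its contents; in a pre-commit hook these come from the staged diff."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


# Constructed sample repository: one file with literal credentials, one that reads them from
# the environment, and a test fixture that is explicitly marked as fake.
SAMPLE_FILES = {
    "config.py": (
        "import os\n"
        "ACCESS_KEY_ID = 'LTAI4Gx0000000000000EXAMPLE'\n"
        "ACCESS_KEY_SECRET = 'abcdefghijklmnopqrstuvwxyz0123'\n"
        "REGION = os.environ.get('ALIBABA_CLOUD_REGION_ID')\n"
    ),
    "safe.py": (
        "import os\n"
        "ak_id = os.environ['ALIBABA_CLOUD_ACCESS_KEY_ID']\n"
        "ak_secret = os.environ['ALIBABA_CLOUD_ACCESS_KEY_SECRET']\n"
    ),
    "tests/fixtures.py": "FAKE_ID = 'LTAIfixture0000000000'  # ak-scan: ignore\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: hardcoded {f.kind} {f.redacted}")
```

Run as a pre-commit or CI check, a non-empty result should fail the commit. Findings carry a redacted value only, so the scanner's own output can be logged without becoming a second copy of the leaked credential.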

On Alibaba Cloud, use role assumption to obtain a temporary Security Token Service (STS) token instead of using a static AccessKey. Each STS token automatically expires after the role's maximum session duration (on the order of hours), which reduces the risks associated with leaked static credentials.

Alibaba Cloud provides features that integrate STS tokens for different deployment methods:

  1. For applications deployed on Elastic Compute Service (ECS) instances, use an instance RAM role. By binding a RAM role to the instance, your application can obtain a temporary authorization token through the instance metadata service.

  2. For applications deployed on Container Service for Kubernetes (ACK), use the RRSA feature to bind a RAM role to a specific ServiceAccount. This lets you assume the corresponding role at the pod level to obtain an STS token.

  3. For serverless applications deployed in Function Compute, grant the service to which the function belongs the permissions it needs to access other Alibaba Cloud services; the function then obtains an STS token for those permissions at run time.

Regardless of the deployment method, you can use the official Alibaba Cloud Software Development Kits (SDKs) in your application code. By setting the appropriate credentials configuration based on your deployment type, you can obtain an STS token without managing the underlying caching and credential refresh logic.
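The "caching and credential refresh logic" that the SDKs hide is worth seeing once, because it is what makes temporary credentials practical: every call must receive a token that is still valid for the whole request, and a refresh must not stampede STS from every thread at once. The following is an added example, not Alibaba Cloud SDK code: a provider that caches an STS token and refreshes it a fixed margin before expiry, driven by a stand-in STS client and a manual clock so the behaviour is observable offline. The role ARN, session name, token values, one-hour session length, and five-minute margin are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import threading


@dataclass(frozen=True)
class StsToken:
    """The three values an STS AssumeRole response hands back, plus its expiry."""
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime


class FakeStsClient:
    """Stand-in for an STS AssumeRole call; it counts calls so the cache behaviour is observable."""

    def __init__(self, clock, session_seconds=3600):
        self.clock = clock
        self.session_seconds = session_seconds
        self.calls = 0

    def assume_role(self, role_arn: str, session_name: str) -> StsToken:
        self.calls += 1
        return StsToken(
            access_key_id=f"STS.constructed{self.calls:03d}",      # constructed values
            access_key_secret="constructed-secret",
            security_token=f"token-{session_name}-{self.calls}",
            expiration=self.clock() + timedelta(seconds=self.session_seconds),
        )


class RoleCredentialProvider:
    """Caches one STS token and refreshes it `refresh_margin` before it expires, so a caller
    never receives a credential that will expire in the middle of its request."""

    def __init__(self, sts, role_arn, session_name, clock, refresh_margin=timedelta(minutes=5)):
        self._sts = sts
        self._role_arn = role_arn
        self._session_name = session_name
        self._clock = clock
        self._margin = refresh_margin
        self._lock = threading.Lock()
        self._token = None

    def _needs_refresh(self) -> bool:
        return self._token is None or self._clock() >= self._token.expiration - self._margin

    def get_credentials(self) -> StsToken:
        if not self._needs_refresh():
            return self._token
        with self._lock:                     # double-checked: only one thread performs the refresh
            if self._needs_refresh():
                self._token = self._sts.assume_role(self._role_arn, self._session_name)
            return self._token


class ManualClock:
    """Lets the demo move time forward deterministically instead of sleeping."""

    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, **kwargs) -> None:
        self.now += timedelta(**kwargs)


def cache_demo():
    """Three calls across 56 minutes of a 60-minute session: the second is served from cache,
    the third falls inside the 5-minute margin and triggers exactly one refresh."""
    clock = ManualClock(datetime(2025, 11, 12, 9, 0))
    sts = FakeStsClient(clock, session_seconds=3600)
    provider = RoleCredentialProvider(
        sts, "acs:ram::ACCOUNT_ID_PLACEHOLDER:role/app-role", "app-session", clock
    )
    first = provider.get_credentials()
    clock.advance(minutes=30)
    second = provider.get_credentials()
    clock.advance(minutes=26)
    third = provider.get_credentials()
    return sts.calls, first, second, third
```

The margin is the important parameter: refreshing at the exact expiry time guarantees that some in-flight request signs with a token STS no longer accepts, while refreshing a few minutes early costs one extra AssumeRole call per session. In a real deployment the stand-in STS client is replaced by the SDK's credential provider for the instance RAM role, RRSA, or Function Compute role described above.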