Well-Architected Framework: Secret Key Management

Last Updated: Jul 16, 2025

Leaked credentials, such as database account passwords, server account passwords, SSH keys, and access keys, are one of the major threats to data security, and protecting secret keys is the most basic data security measure. Protecting both cloud account keys and general keys prevents data from being leaked and keeps enterprise data secure. In the cloud environment, keys fall into two types: general keys (database account passwords, server account passwords, SSH keys) and cloud account keys (RAM AccessKey/SecretKey). Effective protection measures include key encryption, key hosting (retrieving keys dynamically at runtime, in which case they are referred to as credentials), credential rotation, access control, and auditing. Unsafe ways of using keys include:

  • Storing keys in plaintext in code;

  • Using the AccessKey/SecretKey directly in applications;

  • Not rotating the AccessKey/SecretKey regularly.

Best Practices

Enable KMS and Configure Managed Keys and Credentials

Alibaba Cloud provides Key Management Service (KMS) to protect users' keys. Through its Credential Management feature, KMS offers encrypted storage, regular rotation, secure distribution, and centralized management of credentials, so that applications avoid the risk of credentials configured in plaintext and can rotate them, which effectively reduces the harm of a credential leak.

The following image shows the standard scenario and process of using credential management:

[Image: standard scenario and process of using credential management]

  • An administrator configures the username and password necessary for MyApp to access the target database.

  • The administrator creates a credential object named MyDbCreds in KMS to encrypt and store the above-mentioned username and password.

  • When MyApp needs to access the database, it requests the credential MyDbCreds from KMS.

  • KMS reads the stored encrypted credential and decrypts it, then returns the plaintext to MyApp via HTTPS.

  • MyApp reads and parses the decrypted credential returned by KMS, obtains the username and password, and uses this account to access the target database.

Best practices for enabling KMS and configuring managed keys and credentials:

  • Activate and manage KMS instances.

  • After KMS is activated, the standard steps for protecting a key are: first create a generic credential, enter the credential value (that is, the plaintext of the key), and select the master key that encrypts the credential (the master key is generated by KMS or imported by the customer and performs the data encryption operations inside KMS); then use the KMS SDK or API to have the application retrieve the credential.

  • Enable security protection for RAM keys (AccessKey/SecretKey). With Credential Management, RAM secrets can be managed and used without configuring an AccessKey in the application; the application calls the managed key securely by installing the RAM credential plugin.

Use Credential Rotation to Improve Key Security Level

It is generally recommended to rotate the keys stored in KMS regularly to meet higher security requirements and enhance the security of sensitive information. In KMS, enterprises can choose a rotation scheme based on the type of key stored (generic credentials or RAM credentials).
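The credential retrieval flow described above and the rotation recommendation in this section, as an added Python example that is not Alibaba Cloud's code: an application fetches `MyDbCreds` at runtime through an injected `fetch` callable (a stand-in for the KMS GetSecretValue call, assumed here rather than taken from the page), caches the plaintext briefly in memory, and re-fetches once when the database rejects a credential that was rotated after it was cached. The KMS store and the database are constructed stand-ins.

```python
import json
import time
from typing import Callable, Dict

class AuthError(Exception):
    """Raised by the protected resource when the presented password is rejected."""
class CredentialProvider:
    """Fetches a managed credential at runtime, caches it for a short TTL, and
    refreshes it when the resource rejects the cached copy (i.e. after rotation).
    `fetch` stands in for the KMS GetSecretValue call (the real SDK call is an
    assumption here): it takes a secret name and returns the credential's JSON."""
    def __init__(self, fetch: Callable[[str], str], secret_name: str, ttl_seconds: float = 300.0):
        self._fetch, self._name, self._ttl = fetch, secret_name, ttl_seconds
        self._cached: Dict[str, str] = {}
        self._fetched_at = 0.0

    def credentials(self, force: bool = False) -> Dict[str, str]:
        """Return {'username', 'password'}; plaintext exists only in process memory."""
        if force or not self._cached or time.monotonic() - self._fetched_at > self._ttl:
            data = json.loads(self._fetch(self._name))
            if not {"username", "password"} <= set(data):
                raise ValueError("credential lacks username/password fields")
            self._cached, self._fetched_at = data, time.monotonic()
        return self._cached

    def call(self, use: Callable[[str, str], object]) -> object:
        """Run use(username, password); on AuthError refresh once and retry."""
        c = self.credentials()
        try:
            return use(c["username"], c["password"])
        except AuthError:  # cached credential was rotated out from under us
            c = self.credentials(force=True)
            return use(c["username"], c["password"])

# Constructed stand-ins for KMS and for the target database (not real services).
class FakeSecretStore:
    def __init__(self):
        self.secrets = {"MyDbCreds": {"username": "myapp", "password": "pw-v1"}}
        self.fetch_count = 0
    def get_secret_value(self, name: str) -> str:
        self.fetch_count += 1
        return json.dumps(self.secrets[name])
    def rotate(self, name: str, new_password: str) -> None:
        self.secrets[name]["password"] = new_password

def make_db(store: FakeSecretStore) -> Callable[[str, str], str]:
    def connect(username: str, password: str) -> str:  # accepts only the current password
        if password != store.secrets["MyDbCreds"]["password"]:
            raise AuthError("access denied")
        return f"connected as {username}"
    return connect
```

Because the refresh happens on the first authentication failure, the application keeps working across a rotation without a restart and without the new password ever being written to a file.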

Set Access Control Policies for Key Access

In general, to prevent unauthorized access, the methods, identities, and policies used to access keys must be restricted. In the cloud, it is important to limit both the scope of authorization and the subjects authorized to access keys.

  • Use RAM to implement access control for KMS resources.

  • Use KMS application access points to implement access control for application access to KMS.

  • By creating application access points, you can specify precisely which credentials may be granted to which applications, from which networks, and with which identity authentication, giving finer-grained authorization policies.

Enable Security Auditing for Key Usage

Enabling security auditing for KMS usage supports post-event security tracing and compliance auditing. By querying Key Management Service operation events in ActionTrail, you can view the audit events that KMS supports.