This document introduces the best security practices for Alibaba Cloud account by using AccessKey management and RAM.
AccessKey(AK) is a type of credentials issued by Alibaba Cloud for users to authenticate with API calls. AccessKey is equivalent to the key to your cloud resources. Once the AccessKey is leaked, your cloud resources are at risks of being leaked and maliciously exploited. We recommend that you regularly check whether your internal AK is subject to any leakage risks.
If you find sensitive information containing the AK has been disclosed to the Internet, immediately remove the leaked code or information, and log on to the Alibaba Cloud console to disable or reset the AccessKey. The procedure is as follows.
Log on to the Alibaba Cloud console, and click accesskeys in the User Menu.
On the AccessKey Management page, select Disable or Delete under the leaked AK.
Avoid using code hosting services such as Github. We recommend that you build a private warehouse or build a code hosting system within your enterprise to prevent sensitive information leakage and guarantee code security.
Enable Alibaba Cloud Resource Access Management (RAM) and Security Token Service (STS) for authentication and authorization. You can grant different permissions to sub-accounts to access the OSS, or provide temporary authorization to users for access.
Follow the RAM best practices to configure RAM on logon verification, account authorization, and permission assignment. The main principles include the following:
- Enable account protection for the root account and RAM users
- Configure strong password policies for user logon
- Rotate logon passwords and AccessKeys of users
- Adhere to the minimum authorization rule
- Enhance security with policy conditions
- Revoke permissions that are no longer needed
- Avoid creating an AccessKey for the root account
- Grant permissions to RAM users through groups
- Separate user management, permission management, and resource management
- Separate console users from API users
Follow these OSS security practices:
- Do not use the master account to access OSS
- Use STS temporary tokens to access OSS
- Enable read/write splitting
- Isolate bucket permission
For more information, see Alibaba Cloud OSS Android SDK.
Establish a security system within your enterprise and carry out necessary security awareness instructions to enhance the security awareness of all employees.
For more information, see the following: