
Data Security Center:Overview

Last Updated:Aug 29, 2024

Data Security Center (DSC) provides data detection and response as a value-added feature. The feature checks source code on GitHub and objects in authorized Object Storage Service (OSS) buckets for the AccessKey pairs of Alibaba Cloud accounts and Resource Access Management (RAM) users, so that you can identify whether AccessKey pairs are leaked. When a leak is detected, DSC tracks risky access to buckets and objects that is performed by using leaked AccessKey pairs or AccessKey pairs in self-managed intelligence, and generates alerts for those AccessKey pairs. We recommend that you view and handle AccessKey pair leak events at the earliest opportunity. This topic describes how to use the data detection and response feature.

Feature description

DSC identifies AccessKey pair leaks based on the following intelligence sources and generates alerts when a leaked or abnormal AccessKey pair is used to access buckets and objects. DSC also provides governance capabilities for AccessKey pairs, buckets, and objects. This helps you identify and handle data leaks at the earliest opportunity and improves data security.

Detection of AccessKey pair leaks

  • Detection scope: Alibaba Cloud accounts for which the data detection and response feature is purchased and the RAM users of the Alibaba Cloud accounts.

  • Supported intelligence sources:

    • GitHub: source code on GitHub. In most cases, AccessKey pairs in public repositories are committed by employees without authorization and disclosed inadvertently.

    • OSS buckets: OSS buckets that the data detection and response feature is authorized to access. The feature detects plaintext AccessKey pairs in bucket objects.

      You can authorize the feature to access all OSS buckets within the current Alibaba Cloud account.

    • Self-managed intelligence: You can add AccessKey pairs that are leaked, potentially leaked, or need to be checked for abnormal access to self-managed intelligence.

      The add operation applies to the current Alibaba Cloud account and the RAM users of the Alibaba Cloud account.

  • Multi-account management:

    If you enable the multi-account management feature in DSC, you can add and check the AccessKey pairs of members and their RAM users. You can authorize the data detection and response feature to access all OSS buckets of the members.

    For more information about how to enable and use the multi-account management feature in DSC, see Use the multi-account management feature.
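As an added example (not part of the DSC documentation or the product), the following Python shows the kind of plaintext check the GitHub and OSS intelligence sources perform on a file: match AccessKey IDs, look for the paired secret on nearby lines, and redact what is reported so the credential is not copied into tickets. The credential patterns, the sample file, and every name here are assumptions; the "LTAI" prefix and the lengths used are commonly observed shapes, not a format guaranteed by the documentation.

```python
import re
from dataclasses import dataclass

# Assumed credential shapes (not taken from the DSC documentation): Alibaba Cloud
# AccessKey IDs are commonly observed to begin with "LTAI" followed by 12 to 20
# alphanumerics, and AccessKey secrets to be 30-character alphanumeric strings.
# Adjust both patterns to the formats your accounts actually issue.
AK_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,20}\b")
AK_SECRET_RE = re.compile(r"\b[A-Za-z0-9]{30}\b")
# A 30-character token counts as a secret only if a credential keyword is on the
# same line; this keeps hashes and opaque IDs from being reported as secrets.
SECRET_HINT_RE = re.compile(r"secret|access_?key|aksk|password", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str          # file path or OSS object key that contained the match
    line_no: int         # 1-based line of the AccessKey ID
    access_key_id: str
    secret_found: bool   # a matching secret sits within `window` lines of the ID


def redact(token: str) -> str:
    """Keep the first and last four characters so a finding can still be
    correlated with RAM without the full value being copied around."""
    if len(token) <= 8:
        return "*" * len(token)
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def scan_text(source: str, text: str, window: int = 3) -> list[Finding]:
    """Report every AccessKey ID in `text` and whether a secret accompanies it."""
    lines = text.splitlines()
    findings: list[Finding] = []
    for idx, line in enumerate(lines):
        for match in AK_ID_RE.finditer(line):
            # Look a few lines either side of the ID for the paired secret.
            lo, hi = max(0, idx - window), min(len(lines), idx + window + 1)
            secret_found = any(
                SECRET_HINT_RE.search(nearby) and AK_SECRET_RE.search(nearby)
                for nearby in lines[lo:hi]
            )
            findings.append(Finding(source, idx + 1, match.group(0), secret_found))
    return findings


def leaked_ids(findings: list[Finding]) -> set[str]:
    """Distinct AccessKey IDs, the set you would add to self-managed intelligence."""
    return {f.access_key_id for f in findings}


# Constructed sample file; the credential values are fake and were chosen only
# to match the assumed patterns above.
SAMPLE_SOURCE = """\
import oss2

# deploy helper, pushed by mistake with credentials inlined
ACCESS_KEY_ID = "LTAI5tFakeExampleId0001"
ACCESS_KEY_SECRET = "FakeSecretValue0123456789abcde"
auth = oss2.Auth(ACCESS_KEY_ID, ACCESS_KEY_SECRET)
"""

if __name__ == "__main__":
    for f in scan_text("scripts/deploy.py", SAMPLE_SOURCE):
        status = "ID and secret" if f.secret_found else "ID only"
        print(f"{f.source}:{f.line_no}: {redact(f.access_key_id)} ({status})")
```

An ID without a secret nearby is still reported, because a rotated secret can be paired with a leaked ID elsewhere; the `secret_found` flag only raises the severity. Run the scanner over both repository checkouts and downloaded bucket objects, and feed `leaked_ids()` into the intelligence set used for access-log analysis.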

Alert events for abnormal AccessKey pair-based access

DSC aggregates all risky access to authorized buckets and objects that is performed by using AccessKey pairs detected as leaked on GitHub or in authorized OSS buckets, or by using AccessKey pairs in self-managed intelligence, and generates a detailed alert event.

  • Alert aggregation logic

    • Alert dimension: Alerts are aggregated by AccessKey pair and bucket. An alert is generated when an AccessKey pair is used to access a bucket and covers the objects in that bucket that are accessed by using the AccessKey pair.

    • Alert time range: The alert time range starts from the point in time when you enable the data detection and response feature up to the most recent detection time. To view the current detection time and next detection time, log on to the DSC console, choose Data Detection and Response > OSS Data Leak (AccessKey Pair Scenarios), and then view Current Check Time and Next Check Time.

    • Detection frequency: At 04:00 (UTC+8) every day, DSC detects and analyzes the access logs of the previous day. Access that occurs after a day's logs are analyzed is not reflected in alerts until the next run.

    • Detection suspension: Detection is suspended if you disable the data detection and response feature or if quotas are exhausted.

  • Alert event information

    The DSC console displays key information about an alert event for AccessKey pair leaks, including the alert time, intelligence source, account to which the AccessKey pair belongs, name of the accessed bucket, and number of accessed objects. If a sensitive data identification task is run by using an identification template, the sensitivity levels for buckets and objects in the buckets are also displayed. This way, the security administrator can learn about potential threats at the earliest opportunity.

  • Alert notifications for abnormal AccessKey pair-based access

    You can configure alert notifications for abnormal AccessKey pair-based access. If an unhandled event is detected, DSC sends an alert notification to specific recipients to provide real-time threat intelligence. This way, the recipients can quickly identify potential leaks for objects in a bucket.

    Alert notification suspension: After an AccessKey pair leak event is handled or the affected AccessKey pair is added to the whitelist, alert notifications for the event are no longer sent. To view alert events, log on to the DSC console and choose Data Detection and Response > OSS Data Leak (AccessKey Pair Scenarios).

Response measures

DSC provides a series of response measures, including AccessKey pair handling and governance of buckets and objects. For example, you can disable an affected AccessKey pair to stop further unauthorized access, or configure a strict access policy on the affected objects. This helps you contain data leaks and attacks and maintain business continuity.

Additional information

After you authorize the data detection and response feature to access OSS buckets, you can use the following features to track abnormal AccessKey pair-based access events. For example, you can use the data insights feature to check whether accessed objects contain sensitive information and use the data auditing feature to monitor abnormal AccessKey pair-based access events. The information about the events includes the IP address of the client and the operation type. This helps you analyze and identify data leaks.

Data insights

  • During the first month after you purchase the data detection and response feature, DSC creates and runs a default data identification task by using the main identification template to scan authorized buckets and classify sensitive data. By default, the main identification template is the Internet industry classification template.

    Note

    By default, the default data identification task is not displayed in the DSC console.

  • In the following months after you purchase the data detection and response feature, DSC no longer creates or runs a default data identification task. If you want to classify sensitive data, you must create a custom data identification task and use an enabled identification template to scan sensitive data.

For more information, see Identification tasks.

Data auditing

You can enable the cloud-native audit log collection feature for OSS to analyze activities related to objects in OSS buckets and track potential malicious behavior or unauthorized access. For more information, see Set and enable the data auditing mode.

  • By default, the cloud-native audit log collection feature is enabled for the OSS buckets that the data detection and response feature is authorized to access. If you do not authorize DSC to access an OSS bucket but you authorize the data detection and response feature to access the OSS bucket, the cloud-native audit log collection feature is also enabled for the OSS bucket.

    If you authorize DSC and the data detection and response feature to access an OSS bucket and want to disable the data auditing feature for the OSS bucket, you must revoke the permissions of the data detection and response feature on the OSS bucket.

  • If you enable the data detection and response feature, 50 GB of log storage is provided free of charge each month for each TB of purchased OSS protection capacity. If the log storage capacity is insufficient, you must manually increase the capacity to ensure that audit logs are collected. For more information, see Log storage management.

Important
  • To view the validity period of the data insights and data auditing features, choose Data Detection and Response > OSS Data Leak (AccessKey Pair Scenarios), find an OSS bucket, and then click Authorize Immediately in the Actions column. In the Asset Authorization Configuration panel, you can view the validity period.

  • If you purchase only the data detection and response feature and you want to use the data insights and data auditing features at a later time, you must upgrade DSC to the Enterprise edition. For more information, see Purchase DSC.

Scenarios

  • Source code protection

    During software development, developers may inadvertently push code that contains AccessKey pairs to public GitHub repositories. This may lead to sensitive information leaks. DSC can monitor open source code, identify security risks at the earliest opportunity, and notify developers to take measures to prevent potential security threats.

  • Cloud storage security

    OSS buckets may be exposed due to configuration errors, which may lead to unauthorized access. If an object of a bucket contains AccessKey pairs, the sensitive credentials may be disclosed. DSC can detect AccessKey pair leaks caused by configuration errors to protect cloud data against leaks.

  • Self-managed intelligence monitoring

    DSC allows you to add AccessKey pairs to self-managed intelligence to monitor the objects that are accessed by using the AccessKey pairs, track unauthorized access, and identify whether sensitive information is leaked.

  • Security compliance

    For enterprises that must adhere to stringent security compliance standards, credential leak monitoring is a fundamental requirement. DSC allows you to monitor credential usage to comply with industry security standards, laws, and regulations.

  • Real-time security analysis and response

    DSC can send alerts on AccessKey pair leaks to allow security teams to respond at the earliest opportunity. The security teams can track leaked credentials, assess potential impacts, and take measures to mitigate risks.

  • Permission management and risk assessment

    DSC can detect leaks of AccessKey pairs and empower O&M and security teams to manage and audit the usage of the AccessKey pairs. This helps implement fine-grained permission management and risk assessment.

The data detection and response feature of DSC facilitates the detection and handling of security risks. This helps lower the risk of attacks and ensure the security of operations.

Use process

  1. Purchase the data detection and response feature. The feature is a value-added feature. For more information about the billing rules and purchase methods, see Enable the data detection and response feature.

  2. Complete relevant preparations.

    • DSC provides the OSS synchronization configuration feature. The feature allows you to synchronize sensitivity level tags that are identified by data identification tasks to OSS as the tags of objects in buckets. We recommend that you enable the OSS synchronization configuration feature to facilitate access control of objects based on sensitivity level tags. For more information, see Synchronize sensitivity level tags to OSS objects.

    • You can configure alert notifications for unhandled AccessKey pair leaks, which can be sent by text message or email. For more information, see Configure alert notifications for abnormal AccessKey pair-based access.

  3. Authorize DSC to access OSS buckets and add AccessKey pair intelligence. For more information, see Authorize DSC to access OSS buckets and add AccessKey pair intelligence.

  4. In the following months after you purchase the data detection and response feature, DSC no longer creates or runs a default data identification task. You must create and run custom data identification tasks for authorized OSS assets. For more information, see Identification tasks.

  5. View the information about leaked AccessKey pairs and alert events of access to authorized buckets and objects by using leaked AccessKey pairs and AccessKey pairs that are added to AccessKey pair intelligence. This helps you identify risks, evaluate the impacts of the risks, and select a handling method. For more information, see View leaked AccessKey pairs and alerts for abnormal AccessKey pair-based access.

  6. Based on the leaked AccessKey pairs and abnormal access behavior, take appropriate measures to handle the leaked AccessKey pairs and manage the access control policies of OSS buckets and objects. For more information, see Handle AccessKey pair leaks and unusual access alerts.