If the AccessKey pair of an Alibaba Cloud account or a Resource Access Management (RAM) user is leaked, the data detection and response feature traces the behavior of leaked AccessKey pairs and AccessKey pairs that are added to AccessKey pair intelligence. The feature detects the objects that are accessed by using the AccessKey pairs and generates alerts for the access events. We recommend that you view and manage the access events in a timely manner. This topic describes how to view the details of alerts generated for abnormal AccessKey pair-based access. This helps you identify risks, determine the impacts of the risks, and mitigate the risks.
Prerequisites
The data detection and response feature is enabled and sufficient Object Storage Service (OSS) protection capacity is purchased. For more information, see Enable data detection and response.
The permissions to access the destination OSS buckets are granted. For more information, see Authorize DSC to access OSS buckets and add AccessKey pair intelligence.
Background information
For more information about the principles and limits of AccessKey pair leak detection and alerts for abnormal AccessKey pair-based access, see What is data detection and response?
View statistics of alert events for leaked AccessKey pairs
Log on to the DSC console.
In the left-side navigation pane, choose .
On the OSS Data Leak (Access Key Pair Scenarios) page, view the statistics of alert events related to AccessKey pairs. The statistics include the number of alert events that are generated when objects in authorized OSS buckets are accessed by using AccessKey pairs leaked on GitHub, AccessKey pairs stored in plaintext in OSS buckets, or AccessKey pairs that are added to AccessKey pair intelligence, and the total number of alert events.
Important: If more than 10 AccessKey pairs are identified in a bucket object, Data Security Center (DSC) stores the first 10 AccessKey pairs and generates alert events for access by using the AccessKey pairs. You can view the number of AccessKey pair hits, sensitivity level, and sampled data in the details of a bucket object. For more information, see View the details of AccessKey pair leaks.
Click a number under an intelligence source in the Data Statistics section to view the AccessKey pairs and AccessKey pair status of the intelligence source.
Click Refresh in the Actions column to update the status of an AccessKey pair.
Click Manage AccessKey Pair in the Actions column to manage an AccessKey pair. For example, you can disable an AccessKey pair. For more information, see Handle AccessKey pair leaks and unusual access alerts.
Click Details in the Actions column to view the information of the AccessKey pair, such as the GitHub file name, username, repository name, and detection time.
View alert events for abnormal AccessKey pair-based access
Log on to the DSC console.
In the left-side navigation pane, choose .
In the lower part of the OSS Data Leak (Access Key Pair Scenarios) page, you can view the alert events that are generated when leaked AccessKey pairs or AccessKey pairs that are added to AccessKey pair intelligence are used to access authorized OSS buckets.
| Parameter | Description |
| --- | --- |
| Alert Time | The time when the object is accessed by using the AccessKey pair. |
| Intelligence Source | The source of the AccessKey pair that is used to access the object. |
| Owner Account | The UID and username of the account to which the AccessKey pair belongs. |
| AccessKey ID | The AccessKey ID in plaintext. |
| AccessKey Pair Status | The status of the AccessKey pair. You can set the status to Disabled, Deleted, To Be Handled, or Added to Whitelist when you manage an alert event. You can set the status to Not Leaked or Suspected to Be Leaked when you add an AccessKey pair to a self-managed intelligence source. For more information about how to manage alert events, see Handle AccessKey pair leaks and unusual access alerts. |
| Bucket Name/Sensitivity Level | The name of the bucket accessed by using the AccessKey pair and the sensitivity level determined by using the data identification template. |
| Bucket Governance Progress | To control access to buckets, you can specify access control lists (ACLs), restrict access from specific IP addresses, or restrict access to objects of specific sensitivity levels. DSC displays the governance progress based on the number of configured policies. The progress is calculated based on the following formula: Progress = Number of configured policies/3 × 100. Unit: percent. |
| Files/Sensitivity level | The number of objects in the bucket accessed by the AccessKey pair and the sensitivity levels determined by using the data identification template. On the Alert Details page, you can view the list of objects and the sensitive data identification models that are hit. |
View the details of objects accessed by abnormal AccessKey pairs
On the OSS Data Leak (Access Key Pair Scenarios) page, find the AccessKey pair that you want to view and click Details in the Actions column.
On the Alert Details page, view the details of the AccessKey pair and the details of objects in the bucket accessed by using the AccessKey pair.
Basic Information: includes the alert content, risk level, the time when the alert is generated, and the account to which the AccessKey pair belongs.
Details: includes the first time when the AccessKey pair is detected, the most recent time when the AccessKey pair is detected, and the details about the source of the AccessKey pair. The following section describes the details that are displayed:
The file name, username, SK validity, and repository name on GitHub. You can click the file name, username, or repository name to go to GitHub to view more information.
The bucket name, object name, object update time, and object path. You can click the object name to view the data identification model that the AccessKey pair hits.
The username and description of the self-managed intelligence. You can click View Details next to Intelligence Management to create or delete an AccessKey pair in the Intelligence Management panel.
You can click Manage AccessKey Pair next to AccessKey Pair Status to disable an AccessKey pair or add an AccessKey pair to the whitelist. For more information, see Handle AccessKey pair leaks and unusual access alerts.
Details: includes the bucket name, the first time when the bucket is accessed, the source IP address, the most recent time when the bucket is accessed, the account to which the bucket belongs, and the number of sensitive objects.
Click View Details next to Originating IP Address. On the details page, you can view the IP addresses, the regions, and the numbers of visits. The regions are displayed only for public IP addresses. The IP addresses are sorted in descending order based on the number of visits.
Click Manage next to Bucket Governance Progress to restrict access to buckets and objects. For more information, see Handle AccessKey pair leaks and unusual access alerts.
Click View Details on the right side of the Details section. In the Bucket Details panel, you can view the following information.
Files: displays the information about the accessed objects, including the object name, object size, object type, the number of times the object is accessed, the time when the object is accessed, and the sensitivity level of the object.
Click the drop-down list in the File ACL column to modify the ACL of the object. For more information, see Object ACLs.
Click Details in the Actions column to view the number of AccessKey pair hits, the sensitivity level, and the sampled data. For more information about identification models, see Configure identification templates.
On the Alert Details page, click Log Analysis in the upper-right corner to view the operation logs of the bucket. For more information, see View audit logs.
On the Alert Details page, click Operation Records in the upper-right corner to go to the Event Query page of the ActionTrail console and view the operation logs of the corresponding AccessKey pair. For more information, see Overview.
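The bucket-level view described above (accesses made with a leaked AccessKey pair, the first and most recent access times, and source IP addresses sorted in descending order by visits, with only public addresses eligible for a region lookup) can be reproduced offline from exported access records. This is an added example, not DSC code; the record fields, AccessKey IDs, bucket names, and addresses are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample records (assumed field names, not a real DSC/OSS log format).
LEAKED_AK_IDS = {"AK-ID-EXAMPLE-LEAKED"}
SAMPLE_EVENTS = [
    {"time": "2024-05-01T02:10:00Z", "ak_id": "AK-ID-EXAMPLE-LEAKED", "bucket": "finance-archive", "ip": "203.0.113.7"},
    {"time": "2024-05-01T02:15:00Z", "ak_id": "AK-ID-EXAMPLE-LEAKED", "bucket": "finance-archive", "ip": "203.0.113.7"},
    {"time": "2024-05-01T01:55:00Z", "ak_id": "AK-ID-EXAMPLE-LEAKED", "bucket": "finance-archive", "ip": "10.0.4.12"},
    {"time": "2024-05-01T03:00:00Z", "ak_id": "AK-ID-EXAMPLE-LEAKED", "bucket": "finance-archive", "ip": "198.51.100.23"},
    {"time": "2024-05-01T02:30:00Z", "ak_id": "AK-ID-EXAMPLE-OK", "bucket": "finance-archive", "ip": "192.168.1.5"},
    {"time": "2024-05-01T04:00:00Z", "ak_id": "AK-ID-EXAMPLE-LEAKED", "bucket": "public-assets", "ip": "198.51.100.23"},
]

# RFC 1918 ranges are listed explicitly: ipaddress.is_private also covers the
# RFC 5737 documentation ranges that stand in for public sources in this sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public(ip):
    """True if the address is routable on the Internet for the purposes of this example."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_loopback or addr.is_link_local or any(addr in n for n in RFC1918))


def summarize(events, leaked_ids):
    """Group accesses made with leaked AccessKey IDs by (AccessKey ID, bucket)."""
    groups = defaultdict(list)
    for e in events:
        if e["ak_id"] in leaked_ids:
            groups[(e["ak_id"], e["bucket"])].append(e)
    summary = {}
    for key, evs in groups.items():
        times = sorted(e["time"] for e in evs)  # same-format ISO 8601 UTC sorts lexically
        visits = Counter(e["ip"] for e in evs)
        ranked = sorted(visits.items(), key=lambda kv: (-kv[1], kv[0]))  # most visits first
        summary[key] = {
            "first_access": times[0],
            "last_access": times[-1],
            "source_ips": [{"ip": ip, "visits": n, "public": is_public(ip)} for ip, n in ranked],
        }
    return summary


if __name__ == "__main__":
    for (ak, bucket), info in summarize(SAMPLE_EVENTS, LEAKED_AK_IDS).items():
        print(ak, bucket, info)
```

An internal source address in the result means the leaked AccessKey pair is also used from inside your own network, which matters when you decide whether disabling it will interrupt a legitimate workload.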
What to do next
Handle AccessKey pair leaks and access events based on the alert details and response measures provided by DSC. For example, you can disable affected AccessKey pairs to prevent unauthorized access or configure a stricter policy on affected objects. For more information, see Handle AccessKey pair leaks and unusual access alerts.
References
Sensitivity level tags identified by using data identification tasks can be synchronized to OSS as tags for objects in OSS buckets. This allows you to manage the permissions of objects based on the tags of the objects. For more information, see Synchronize sensitivity level tags to OSS objects.
Obtain alert events that are generated when leaked AccessKey pairs and AccessKey pairs that are added to AccessKey pair intelligence are used to access resources, and identify data leak risks. For more information, see Configure alert notifications for abnormal AccessKey pair-based access.