Identity and access control is used to manage user identities on Alibaba Cloud in a centralized manner. You can use the identity and access control capabilities provided by Alibaba Cloud to allow only users who are authenticated and authorized to access or manage specific Alibaba Cloud resources and prevent malicious access by unauthorized users to your Alibaba Cloud resources, thereby satisfying compliance and audit requirements. This topic describes the following security capabilities supported by Elastic Compute Service (ECS) in terms of identity and access control: increase authentication security, improve the security of access control, and bolster the security of identities and permissions.
Increase authentication security
To increase the security of your Alibaba Cloud account, we recommend that you enable multi-factor authentication (MFA) for your Alibaba Cloud account and use the AccessKey pair of a Resource Access Management (RAM) user for applications instead of the AccessKey pair of your Alibaba Cloud account. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. Do not expose AccessKey pairs in plaintext in external development platforms. Clear RAM users that remain unused for an extended period of time on a regular basis, and use time-bound temporary Security Token Service (STS) tokens.
Improve the security of access control
To grant permissions to users that have different responsibilities, we recommend that you use the system RAM policies that are predefined by ECS and custom RAM policies. You can manage resources based on resource groups across different dimensions, such as the usage of Alibaba Cloud resources and the department structure, and grant different users access to different resource groups. You can also use tags to manage Alibaba Cloud resources in a fine-grained manner.
Bolster the security of identities and permissions
We recommend that you attach RAM roles to ECS instances instead of using AccessKey pairs in plaintext. We also recommend that you activate ActionTrail to perform post-event behavior analysis and security analysis to identify potential security risks and meet compliance and audit requirements.
Increase authentication security
Authentication is the process of verifying the identity of a user based on the credentials that the user presents. In most cases, users authenticate with passwords or AccessKey secrets when they log on to ECS instances.
Enable MFA
Feature introduction
MFA is an easy-to-use and effective authentication model that adds an extra layer of protection on top of a username and a password. MFA verifies users who initiate console logon or perform sensitive operations, which protects your Alibaba Cloud account. MFA does not affect API calls made with AccessKey pairs. For more information, see What is multi-factor authentication?
Configuration method
We recommend that you do not use the AccessKey pair of your Alibaba Cloud account to log on to an ECS instance. Instead, we recommend that you enable MFA to add an extra layer of security in addition to using a username and a password to protect your Alibaba Cloud account. After you enable MFA for your Alibaba Cloud account, you are prompted for an authentication code from an MFA device when you log on to an ECS instance. For more information, see Bind an MFA device to an Alibaba Cloud account.
Use RAM users instead of Alibaba Cloud accounts and attach the required RAM policies to the RAM users
Make sure that access permissions on ECS resources are granted to RAM users based on the principle of least privilege. Do not share accounts or grant more permissions than necessary.
If you purchased multiple ECS instances and multiple users in your organization, such as employees, systems, or applications, need to use the instances, you can create RAM users for the users in your organization and attach RAM policies to grant the RAM users the permissions to access the instances. This eliminates the risk of AccessKey pair leaks and achieves account-level fine-grained access control on ECS resources. For more information, see RAM users.
RAM provides the following types of identities that can be authenticated and authorized: RAM users, which are physical identities, and RAM roles, which are virtual identities. Virtual identities must be assumed by physical identities to take effect. For more information, see Identities.
Prevent AccessKey pair leaks
AccessKey pairs are the credentials that Alibaba Cloud accounts use to access APIs and must be stored in a secure location. To prevent security threats caused by malicious use, do not expose your AccessKey pairs through any channel, such as a GitHub repository. If the AccessKey pair of an Alibaba Cloud account is disclosed, all resources in the account are exposed to risk. You can follow the security suggestions below to minimize the risk of AccessKey pair leaks:
Do not embed AccessKey pairs in code.
Rotate AccessKey pairs on a regular basis.
Revoke unnecessary AccessKey pairs on a regular basis.
Use RAM users based on the principle of least privilege.
Configure the acs:SourceIp parameter to control access from specific public IP addresses to Alibaba Cloud APIs.
Set the acs:SecureTransport parameter to true, which specifies that the features and resources are accessed over HTTPS.
Improve the security of access control
Grant permissions to users who have different responsibilities
RAM allows you to keep your Alibaba Cloud account and AccessKey pair strictly confidential when multiple users in your enterprise manage resources in a collaborative manner. RAM also allows you to grant the users the minimum required permissions to ensure high security.
By default, an Alibaba Cloud account has all permissions on the resources in the account, and RAM users created by the Alibaba Cloud account do not have permissions. The Alibaba Cloud account must grant permissions to the RAM users. To grant permissions to a RAM user or role, perform the following steps:
Select or create policies.
RAM supports system and custom policies. System policies are created and maintained by Alibaba Cloud. You can use system policies but cannot modify the policies. Custom policies are user-defined policies. You can create, update, and delete custom policies.
For information about system policies for ECS, see System policies for ECS.
For information about custom policies for ECS, see Custom policies for ECS.
Grant permissions to the RAM user or role.
You can attach one or more system or custom policies to grant permissions to a RAM user or role in an Alibaba Cloud account. You can grant the RAM user or role permissions on all resources in the Alibaba Cloud account or all resources in a specific resource group in the Alibaba Cloud account.
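The following is an added example and not part of this documentation. It puts the AccessKey leak suggestions above (acs:SourceIp and acs:SecureTransport conditions, least privilege) and the select-and-attach policy procedure into one custom RAM policy document, places it beside an overly broad policy, and runs a small audit function over both to show what separates them. The region, IP range, and action set are placeholder choices.

```python
import ipaddress

# Constructed example: a custom RAM policy that follows the recommendations
# above. The RAM user may only list, start and stop instances in one region,
# only from a corporate egress range (placeholder), and only over HTTPS.
LEAST_PRIVILEGE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:DescribeInstances", "ecs:StartInstance", "ecs:StopInstance"],
        "Resource": "acs:ecs:cn-hangzhou:*:instance/*",
        "Condition": {
            "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
            "Bool": {"acs:SecureTransport": "true"},
        },
    }],
}

# Constructed counter-example: the unrestricted grant the page warns against.
OVERLY_BROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def audit_statement(stmt):
    """Return the findings for one Allow statement (an empty list means clean)."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    cond = stmt.get("Condition", {})
    if any(a in ("*", "ecs:*") for a in _as_list(stmt.get("Action"))):
        findings.append("wildcard action")
    if "*" in _as_list(stmt.get("Resource")):
        findings.append("wildcard resource")
    source_ips = _as_list(cond.get("IpAddress", {}).get("acs:SourceIp"))
    if not source_ips:
        findings.append("no acs:SourceIp restriction")
    elif any(ipaddress.ip_network(ip).prefixlen == 0 for ip in source_ips):
        findings.append("acs:SourceIp allows all addresses")
    if str(cond.get("Bool", {}).get("acs:SecureTransport", "")).lower() != "true":
        findings.append("acs:SecureTransport not required")
    return findings

def audit_policy(policy):
    """Map each statement index in the policy to its list of findings."""
    return {i: audit_statement(s) for i, s in enumerate(policy["Statement"])}
```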
Use resource groups to manage resources in a fine-grained manner
Feature introduction
Resource groups allow you to organize your Alibaba Cloud resources into groups based on different criteria, such as the usage, permissions, and owners of the resources. You can create resource groups to manage resources across multiple users and projects in a hierarchical manner. Each cloud resource can belong to only one resource group. Adding resources to resource groups does not change the associations between the resources. For example, you can add instances used in the production environment to a resource group named Production Environment and instances used in the staging environment to a resource group named Test Environment. For more information, see What is Resource Group?
Configuration method
For information about how to create a resource group, see Create a resource group.
Add ECS instances to resource groups.
You can add an ECS instance to a resource group when you create the instance. For more information, see Create an instance on the Custom Launch tab.
You can move existing ECS instances from one resource group to another resource group. For more information, see Perform manual resource transfer across resource groups.
For the use cases of how to categorize and manage ECS resources by using resource groups, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance and Allocate the costs of ECS instances by resource group.
Use tags to manage resources in a fine-grained manner
Feature introduction
Tags allow you to categorize resources from different dimensions, such as the region, department, and environment, in a more flexible manner than resource groups. You can add multiple tags to each resource and control access to ECS resources based on tags. For more information, see What is Tag?
Configuration method
For information about how to create a tag and add the tag to an ECS instance, see Tags.
For the use cases of how to categorize and manage ECS resources by using tags, see Use tags to grant access to ECS instances by group and Use tags to enable RAM users to manage only authorized ECS instances.
Bolster the security of identities and permissions
Use instance RAM roles instead of AccessKey pairs
Feature introduction
In most cases, applications deployed on ECS instances access the APIs of other Alibaba Cloud services by using the AccessKey pair of an Alibaba Cloud account or a RAM user. Before you use the AccessKey pair on an ECS instance to call API operations, you must configure the AccessKey pair in the instance. For example, you can write the AccessKey pair to a configuration file of the instance. However, this practice grants users more than required permissions and may cause issues, such as information leaks and increased maintenance complexity. To resolve the issues, Alibaba Cloud provides instance RAM roles. By using instance RAM roles, you can ensure the security of your AccessKey pairs and use RAM to perform fine-grained access control and permission management.
Configuration method
You can attach an instance RAM role to an ECS instance to obtain an STS token as a temporary access credential and then use the temporary access credential on the instance to access the APIs of other Alibaba Cloud services. You can obtain temporary access credentials only from within an ECS instance without the need to provide an AccessKey pair. This ensures security of the AccessKey pair of your Alibaba Cloud account and allows you to perform fine-grained access control and permission management by using RAM. For more information, see Instance RAM roles.
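As an added example that is not part of this documentation, the following Python shows how an application on an instance consumes the STS token that the instance RAM role provides: it reads the credential document from the instance metadata service, parses it, and decides when to refresh before the Expiration time, so no long-lived AccessKey pair is ever written to the instance. The metadata address and path are assumed from Alibaba Cloud's documented instance metadata service, and the role name is a placeholder.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumption: the metadata address and path follow Alibaba Cloud's documented
# instance metadata service; RAM_ROLE_NAME is a placeholder.
METADATA_URL = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"
RAM_ROLE_NAME = "EcsAppRole"

def parse_time(value):
    """Parse the UTC timestamp format used in the credential document."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_credentials(body):
    """Turn the metadata service's JSON reply into a credential dict."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise RuntimeError(f"metadata service returned Code={doc.get('Code')!r}")
    return {
        "access_key_id": doc["AccessKeyId"],
        "access_key_secret": doc["AccessKeySecret"],
        "security_token": doc["SecurityToken"],
        "expiration": parse_time(doc["Expiration"]),
    }

def needs_refresh(cred, now, skew=timedelta(minutes=5)):
    """True when the token expires within `skew`; fetch a new one before then."""
    return now + skew >= cred["expiration"]

def fetch_credentials(role_name=RAM_ROLE_NAME, opener=urllib.request.urlopen):
    """Read the role's STS token from inside the instance; opener is injectable."""
    with opener(METADATA_URL + role_name, timeout=2) as resp:
        return parse_credentials(resp.read().decode("utf-8"))

# Constructed sample reply, shaped like the credential document (values are fake).
SAMPLE_REPLY = json.dumps({
    "AccessKeyId": "STS.EXAMPLEID",
    "AccessKeySecret": "EXAMPLESECRET",
    "SecurityToken": "EXAMPLETOKEN",
    "Expiration": "2024-01-01T06:00:00Z",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "Code": "Success",
})

if __name__ == "__main__":
    cred = parse_credentials(SAMPLE_REPLY)
    print("refresh now?", needs_refresh(cred, datetime.now(timezone.utc)))
```

Any process on the instance can read this endpoint, so keep the role's policy as narrow as the application needs.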
Activate ActionTrail
Feature introduction
ActionTrail monitors and records the operations of your Alibaba Cloud account. You can use this service to perform security analysis, resource change tracking, and compliance audits. ActionTrail can deliver management events to Logstores in Simple Log Service or OSS buckets. This way, you can audit the events in real time and identify the causes of issues. For more information, see What is ActionTrail?
In the ActionTrail console, you can query the management events that are generated when you manage ECS resources. For more information, see Audit events of ECS. If an error occurs when you perform operations on ECS instances, you can query the details of the related events to obtain information such as the time when the events occurred, the region where the events occurred, and the ECS instances involved.
Configuration methods
By default, ECS is integrated with ActionTrail and ActionTrail is activated. You do not need to manually configure ActionTrail.