If the credentials of Alibaba Cloud accounts and Resource Access Management (RAM) users are leaked, it may cause security risks to cloud resources and business. This topic describes common mistakes in using credentials and their solutions.
The following types of credentials are commonly used on Alibaba Cloud: AccessKey pairs and Security Token Service (STS) tokens. For more information, see Credential.
Common mistakes
Many developers hardcode AccessKey pairs directly in business code. Anyone with read permission on the code repository can then obtain the AccessKey pair. Some developers even upload such code to open source communities or code hosting services, which exposes the credentials to the public and creates even greater security risks.
Some developers write AccessKey pairs in client code to allow clients to directly call API operations. Attackers can decompile the client code and obtain the AccessKey information.
The technical documentation or materials that are shared with others contain AccessKey information.
The sample code in product documentation contains AccessKey information.
The responses of API operations on which developers do not have the management permissions contain AccessKey information.
Security solutions
Prevent the unnecessary transmission and hardcoding of credentials during the development process.
Avoid using the AccessKey pair of your Alibaba Cloud account
An Alibaba Cloud account has all permissions on resources. If the AccessKey pair of an Alibaba Cloud account is leaked, it may cause great security risks. We recommend that you do not use the AccessKey pair of an Alibaba Cloud account.
Avoid hardcoding credentials in code
Configure credentials in environment variables instead of hardcoding them in code. The following example shows how to read an AccessKey pair from the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET. For more information, see Configure environment variables in Linux, macOS, and Windows.
Sample code:
    // Reads the AccessKey pair from environment variables at run time; nothing is hardcoded.
    public static com.aliyun.ecs20140526.Client createClient() throws Exception {
        com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
                .setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                .setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
        // Endpoint of the ECS API in the China (Shanghai) region.
        config.endpoint = "ecs.cn-shanghai.aliyuncs.com";
        return new com.aliyun.ecs20140526.Client(config);
    }
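As an added check that is not part of this topic, the following Python script scans Java source for the hardcoded pattern described above and accepts the System.getenv form shown in the sample; the two Java snippets inside it are constructed samples, not real credentials.

```python
"""Static check for hardcoded AccessKey pairs in Java source.
setAccessKeyId("...") with a string literal is flagged;
setAccessKeyId(System.getenv("...")) passes."""
import re
from typing import List, Tuple

# A setter whose argument is a quoted string literal.
_SETTER = re.compile(r'\.(setAccessKeyId|setAccessKeySecret)\(\s*"([^"]*)"\s*\)')
# A variable named like a credential that is assigned a quoted string literal.
_ASSIGN = re.compile(
    r'\b(accessKeyId|accessKeySecret|access_key_id|access_key_secret)\s*=\s*"([^"]*)"',
    re.IGNORECASE,
)


def find_hardcoded_credentials(java_source: str) -> List[Tuple[int, str]]:
    """Return (line number, description) for every hardcoded credential literal."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for pattern in (_SETTER, _ASSIGN):
            for match in pattern.finditer(line):
                name, value = match.group(1), match.group(2)
                # Report the literal masked so the secret is never echoed into CI logs.
                findings.append((lineno, f"{name} set to literal {value[:4]}***"))
    return findings


# Constructed samples: SAFE is the form from the page, UNSAFE hardcodes both values.
SAFE = '''config = new Config()
    .setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
    .setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));'''
UNSAFE = '''String accessKeyId = "EXAMPLEKEYID0000";
config = new Config()
    .setAccessKeyId(accessKeyId)
    .setAccessKeySecret("EXAMPLESECRET0000000000");'''

if __name__ == "__main__":
    for label, src in (("safe", SAFE), ("unsafe", UNSAFE)):
        print(label, find_hardcoded_credentials(src))
```

Run it over a repository as a pre-commit hook or CI step; it complements, rather than replaces, the Security Center detection described later in this topic.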
Use KMS to manage credentials
Key Management Service (KMS) allows you to manage your credentials. For more information, see Overview. You can use Secrets Manager of KMS to periodically or immediately rotate a RAM secret that is hosted by Secrets Manager. After you install the RAM secret plug-in in your application, you can dynamically retrieve the AccessKey pair that is stored in the RAM secret. This prevents the hardcoding of AccessKey information in your code. For more information, see Manage and use RAM secrets.
Use an instance RAM role
You can attach an instance RAM role to an Elastic Compute Service (ECS) instance, an elastic container instance, or a worker node of a Container Service for Kubernetes (ACK) cluster. Then, you can obtain an STS token by using the metadata server of ECS. This prevents the hardcoding of AccessKey information in your code and reduces the risks of AccessKey pair leaks. For more information, see Grant ECS access to resources of other Alibaba Cloud services by using instance RAM roles, Use an instance RAM role by calling API operations, and Assign a RAM role to a pod.
Use the RRSA feature
In ACK, multiple services are deployed on a cluster, and a worker node may run pods of different services. In multi-tenant scenarios, any pod can directly access the metadata server of ECS and obtain the STS token of the RAM role that is assigned to the worker node, so the permissions of that role leak to every service on the node. The RAM Roles for Service Accounts (RRSA) feature provides fine-grained permission control for individual pods and automatically injects the OpenID Connect (OIDC) information into the pod's environment variables. You can then use the Alibaba Cloud Credentials tool to obtain an STS token as a temporary access token. For more information, see Use RRSA to authorize different pods to access different cloud services.
Use the Alibaba Cloud Credentials tool
The Alibaba Cloud Credentials tool encapsulates the features for obtaining and managing credentials. In addition, the default credential provider chain effectively prevents the hardcoding of the information about credentials. For more information, see Manage access credentials.
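The three preceding sections share one pattern: credentials are resolved at run time from a chain of sources, and temporary STS tokens are refreshed before they expire. The following Python class is an added illustration of that pattern; it is not the official Credentials tool, and the STS source (in practice the ECS metadata server or an RRSA token exchange) is an injected callable so the example runs offline.

```python
"""Simplified credential provider chain: environment variables first, then a
temporary STS token from an injected source, cached and refreshed shortly
before it expires. Illustrative only; not the Alibaba Cloud Credentials tool."""
import time
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Tuple


@dataclass
class Credential:
    access_key_id: str
    access_key_secret: str
    security_token: Optional[str] = None  # present only for STS credentials
    expiration: Optional[float] = None    # epoch seconds; None means long-lived


# An STS source returns (access_key_id, access_key_secret, security_token, expiration_epoch).
StsSource = Callable[[], Tuple[str, str, str, float]]


class CredentialChain:
    """Resolve credentials at run time so that no AccessKey pair is hardcoded."""

    REFRESH_MARGIN = 300  # seconds before expiry at which a fresh STS token is fetched

    def __init__(self, env: Mapping[str, str], sts_source: Optional[StsSource] = None,
                 clock: Callable[[], float] = time.time):
        self.env, self.sts_source, self.clock = env, sts_source, clock
        self._cached: Optional[Credential] = None

    def get(self) -> Credential:
        # 1. Long-lived AccessKey pair from the environment variables named in this topic.
        ak = self.env.get("ALIBABA_CLOUD_ACCESS_KEY_ID")
        sk = self.env.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
        if ak and sk:
            return Credential(ak, sk)
        # 2. Temporary STS token (instance RAM role or RRSA); reuse it until it is about to expire.
        if self.sts_source is None:
            raise RuntimeError("no credential source configured: set environment variables or an STS source")
        if self._cached is None or self._cached.expiration - self.clock() < self.REFRESH_MARGIN:
            ak, sk, token, exp = self.sts_source()
            self._cached = Credential(ak, sk, token, exp)
        return self._cached
```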
Use the AccessKey leak detection feature of Security Center
Security Center checks the AccessKey pairs of Alibaba Cloud accounts and RAM users in source code that is stored on GitHub in real time. If Security Center detects AccessKey pair leaks, Security Center generates alerts. We recommend that you view and handle AccessKey pair leak events at the earliest opportunity. For more information, see Detection of AccessKey pair leaks.
Handle AccessKey pair leaks
AccessKey pair leaks
Disable or delete an AccessKey pair
If an AccessKey pair leak occurs, first disable or delete the AccessKey pair and use a new AccessKey pair. For more information, see Disable an AccessKey pair of a RAM user and Delete an AccessKey pair of a RAM user.
Query AccessKey pair events
You can use the AccessKey pair audit feature of ActionTrail to query the basic information of AccessKey pairs, as well as the accessed Alibaba Cloud services, related IP addresses, and resources. This helps you trace the usage of AccessKey pairs and handle exceptions such as AccessKey pair leaks.
STS token leaks
An STS token is a temporary access token whose validity period ranges from 15 minutes to 12 hours. Although it is temporary, a leaked STS token can still be abused for its remaining lifetime and may lead to great security risks. You can perform the following steps to make an STS token invalid:
- Log on to the RAM console by using an Alibaba Cloud account.
- Detach all policies from the RAM role. For more information, see Revoke permissions from a RAM role.
- Delete the RAM role. For more information, see Delete a RAM role.
After the RAM role is deleted, the STS tokens that have not expired become invalid.
If you want to continue using the deleted RAM role, create a RAM role that has the same name and attach the same policies to the new RAM role.