All Products
Search
Document Center

Resource Access Management:Restrictive protection for AccessKey pairs

Last Updated:Nov 26, 2024

An AccessKey pair is a credential that is used to authenticate your identity when you call Alibaba Cloud API operations. In a large number of security incidents in which AccessKey pairs are leaked, attackers use the leaked AccessKey pairs to control accounts within a short period of time and disrupt your cloud workloads. The attacks cause large overdue payments and data leaks. To protect your cloud assets, Alibaba Cloud provides restrictive protection for AccessKey pairs that may be leaked to prevent risk escalation.

Restrictive protection for AccessKey pairs

If you receive the following error message when you access Alibaba Cloud by using development tools such as APIs, CLI, SDKs, and Terraform, restrictive protection is provided for the AccessKey pair that is used for authentication.

Forbidden : There is a risk of leakage of this AccessKey.

Scope of restrictive protection for AccessKey pairs

Restrictive protection for AccessKey pairs takes effect on some high-risk API operations regardless of the access IP addresses and access methods that are used to call the high-risk API operations. The list of the high-risk API operations is subject to change. For more information, see High-risk API operations under restrictive protection for AccessKey pairs.

Disable restrictive protection for AccessKey pairs

After you create an AccessKey pair, you cannot modify the AccessKey pair. If the AccessKey pair is leaked, related risks arise until you delete or rotate the AccessKey pair. Therefore, restrictive protection for AccessKey pairs cannot be disabled.

Attackers may use a leaked AccessKey pair to call an API operation that is not included in the list of high-risk API operations. This also affects your cloud workloads. Therefore, restrictive protection for AccessKey pairs is only a temporary protection measure. We recommend that you delete or rotate a leaked AccessKey pair at the earliest opportunity. For more information, see Solutions to AccessKey pair leaks.

If you have questions, go to the emergency response wizard page and click Contact Support.

High-risk API operations under restrictive protection for AccessKey pairs

Cloud service

API version

API operation

Description

Resource Access Management (RAM)

2015-05-01

All

None.

Identity Management Service (IMS)

2019-08-15

All

None.

Elastic Compute Service (ECS)

2014-05-26

RunInstances

Creates one or more pay-as-you-go or subscription ECS instances.

CreateInstance

Creates a subscription or pay-as-you-go ECS instance.

CreateAutoProvisioningGroup

Creates an auto provisioning group.

StartInstance

Starts an ECS instance.

StartInstances

Starts ECS instances.

RunCommand

Runs commands on ECS instances.

DeleteInstance

Deletes an ECS instance.

DeleteInstances

Deletes multiple ECS instances at a time.

DeleteSnapshotGroup

Deletes a snapshot-consistent group.

DeleteSnapshot

Deletes a snapshot.

DeleteImage

Deletes a custom image.

CreateCommand

Creates a Cloud Assistant command.

InvokeCommand

Runs a Cloud Assistant command on one or more ECS instances.

Elastic Container Instance

2018-08-08

CreateContainerGroup

Creates a container group.

CreateContainerGroupFromTemplate

Creates a container group by using a template.

BatchCreateContainerGroups

Creates multiple container groups at a time.

DeleteContainerGroup

Deletes a container group.

DeleteContainerGroups

Deletes multiple container groups at a time.

Short Message Service (SMS)

2017-05-25

AddSmsTemplate

Applies for a message template.

SendSms

Sends a message.

SendBatchSms

Sends multiple messages at a time.

CreateSmsTemplate

Applies for a message template.

Elastic Desktop Service

2020-09-30

StartDesktops

Starts cloud computers.

CreateDesktops

Creates cloud computers.

CreateDesktopGroup

Creates a cloud computer pool.

ModifyDesktopGroup

Modifies the configurations of a cloud computer pool.

RebootDesktops

Restarts cloud computers.

RebuildDesktops

Recreates cloud computers.

GetConnectionTicket

Obtains the credential that is used to connect to a cloud computer.

ModifyDesktopSpec

Changes the instance type of a cloud computer and scales up the disks of the cloud computer.

RunCommand

Runs a command on cloud computers.

Performance Testing Service

2019-08-10

StartJMeterTesting

Starts an Apache JMeter test.

SaveJMeterScene

Saves a test scenario in Apache JMeter.

CreateJMeterScene

Creates an Apache JMeter test scenario.

CreateCronJob

Creates a scheduled stress testing task.

StartSceneTesting

Starts a stress testing task.

StartDebugging

Starts a debugging task.

CreateScene

Creates a test scenario.

SaveScene

Saves a test scenario.

Performance Testing Service

2020-10-20

SaveOpenJMeterScene

Saves a test scenario.

StartDebuggingJMeterScene

Debugs a test scenario.

StartTestingJMeterScene

Starts a stress test on a scenario.

SavePtsScene

Saves or modifies a test scenario.

CreatePtsScene

Creates a test scenario.

StartDebugPtsScene

Starts test scenario debugging.

StartPtsScene

Starts a test scenario.

ApsaraDB RDS for MySQL

2014-08-15

ModifyBackupPolicy

Modifies the backup policy settings of an ApsaraDB RDS for MySQL instance.

DeleteBackup

Deletes the data backup files of an ApsaraDB RDS for MySQL instance.

DescribeBackups

Queries the data backup files of an ApsaraDB RDS for MySQL instance.

DeleteDBInstance

Releases an ApsaraDB RDS for MySQL instance.

DestroyDBInstance

Destroys an ApsaraDB RDS for MySQL instance.

DeleteDatabase

Deletes a database from an ApsaraDB RDS for MySQL instance.

CreateAccount

Creates a database account.

ResetAccountPassword

Resets the password of a database account.

ResetAccount

Resets the permissions of a privileged account.

Database Backup

2021-01-01

ModifyBackupStrategy

Modifies the backup time of a backup schedule.

CreateDownload

Creates a download task.

DescribeDownloadBackupSetStorageInfo

Queries the storage information of a downloaded backup set.

Alibaba Cloud DNS (DNS)

2015-01-09

DeleteDomain

Deletes a domain name.

AddDomainRecord

Adds a Domain Name System (DNS) record.

DeleteDomainRecord

Deletes a DNS record.

UpdateDomainRecord

Modifies a DNS record.

SetDomainRecordStatus

Specifies the status of a DNS record.