An AccessKey pair is a credential that is used to authenticate your identity when you call Alibaba Cloud API operations. In a large number of security incidents in which AccessKey pairs are leaked, attackers use the leaked AccessKey pairs to control accounts within a short period of time and disrupt your cloud workloads. The attacks cause large overdue payments and data leaks. To protect your cloud assets, Alibaba Cloud provides restrictive protection for AccessKey pairs that may be leaked to prevent risk escalation.
Restrictive protection for AccessKey pairs
If you receive the following error message when you access Alibaba Cloud by using development tools such as APIs, CLI, SDKs, and Terraform, restrictive protection is provided for the AccessKey pair that is used for authentication.
Forbidden : There is a risk of leakage of this AccessKey.Scope of restrictive protection for AccessKey pairs
Restrictive protection for AccessKey pairs takes effect on some high-risk API operations regardless of the access IP addresses and access methods that are used to call the high-risk API operations. The list of the high-risk API operations is subject to change. For more information, see High-risk API operations under restrictive protection for AccessKey pairs.
Disable restrictive protection for AccessKey pairs
After you create an AccessKey pair, you cannot modify the AccessKey pair. If the AccessKey pair is leaked, related risks arise until you delete or rotate the AccessKey pair. Therefore, restrictive protection for AccessKey pairs cannot be disabled.
Attackers may use a leaked AccessKey pair to call an API operation that is not included in the list of high-risk API operations. This also affects your cloud workloads. Therefore, restrictive protection for AccessKey pairs is only a temporary protection measure. We recommend that you delete or rotate a leaked AccessKey pair at the earliest opportunity. For more information, see Solutions to AccessKey pair leaks.
If you have questions, go to the emergency response wizard page and click Contact Support.
High-risk API operations under restrictive protection for AccessKey pairs
Cloud service | API operation | Description |
Resource Access Management (RAM) | All | None. |
Identity Management Service (IMS) | All | None. |
Elastic Compute Service (ECS) | RunInstances | Creates one or more pay-as-you-go or subscription ECS instances. |
CreateInstance | Creates a subscription or pay-as-you-go ECS instance. | |
CreateAutoProvisioningGroup | Creates an auto provisioning group. | |
StartInstance | Starts an ECS instance. | |
StartInstances | Starts ECS instances. | |
RunCommand | Runs commands on ECS instances. | |
DeleteInstance | Deletes an ECS instance. | |
DeleteInstances | Deletes multiple ECS instances at a time. | |
DeleteSnapshotGroup | Deletes a snapshot-consistent group. | |
DeleteSnapshot | Deletes a snapshot. | |
DeleteImage | Deletes a custom image. | |
Elastic Container Instance | CreateContainerGroup | Creates a container group. |
CreateContainerGroupFromTemplate | Creates a container group by using a template. | |
BatchCreateContainerGroups | Creates multiple container groups at a time. | |
DeleteContainerGroup | Deletes a container group. | |
DeleteContainerGroups | Deletes multiple container groups at a time. | |
Short Message Service (SMS) | AddSmsTemplate | Applies for a message template. |
SendSms | Sends a message. | |
SendBatchSms | Sends multiple messages at a time. | |
CreateSmsTemplate | Applies for a message template. | |
Elastic Desktop Service (2020-09-30) | StartDesktops | Starts cloud computers. |
CreateDesktops | Creates cloud computers. | |
CreateDesktopGroup | Creates a cloud computer pool. | |
ModifyDesktopGroup | Modifies the configurations of a cloud computer pool. | |
RebootDesktops | Restarts cloud computers. | |
RebuildDesktops | Recreates cloud computers. | |
GetConnectionTicket | Obtains the credential that is used to connect to a cloud computer. | |
ModifyDesktopSpec | Changes the instance type of a cloud computer and scales up the disks of the cloud computer. | |
RunCommand | Runs a command on cloud computers. | |
Performance Testing Service (2019-08-10) | StartJMeterTesting | Starts an Apache JMeter test. |
SaveJMeterScene | Saves a test scenario in Apache JMeter. | |
CreateJMeterScene | Creates an Apache JMeter test scenario. | |
CreateCronJob | Creates a scheduled stress testing task. | |
StartSceneTesting | Starts a stress testing task. | |
StartDebugging | Starts a debugging task. | |
CreateScene | Creates a test scenario. | |
SaveScene | Saves a test scenario. | |
Performance Testing Service (2020-10-20) | SaveOpenJMeterScene | Saves a test scenario. |
StartDebuggingJMeterScene | Debugs a test scenario. | |
StartTestingJMeterScene | Starts a stress test on a scenario. | |
SavePtsScene | Saves or modifies a test scenario. | |
CreatePtsScene | Creates a test scenario. | |
StartDebugPtsScene | Starts test scenario debugging. | |
StartPtsScene | Starts a test scenario. | |
ApsaraDB RDS (2014-08-15) | ModifyBackupPolicy | Modifies the backup policy settings of an ApsaraDB RDS instance. |
DeleteBackup | Deletes the data backup files of an ApsaraDB RDS instance. | |
DescribeBackups | Queries the data backup files of an ApsaraDB RDS instance. | |
DeleteDBInstance | Releases an ApsaraDB RDS instance. | |
DestroyDBInstance | Destroys an ApsaraDB RDS instance. | |
DeleteDatabase | Deletes a database from an ApsaraDB RDS instance. | |
CreateAccount | Creates a database account. | |
ResetAccountPassword | Resets the password of a database account. | |
ResetAccount | Resets the permissions of a privileged account. | |
Database Backup (2021-01-01) | ModifyBackupStrategy | Modifies the backup time of a backup schedule. |
CreateDownload | Creates a download task. | |
DescribeDownloadBackupSetStorageInfo | Queries the storage information of a downloaded backup set. |