You can create a policy that revokes high-risk permissions from the leaked AccessKey pair as early as possible, to limit financial loss and the impact on your workloads. Before you attach the policy, confirm that revoking these permissions does not break your workloads. Do not detach the policy until you have disabled and deleted the AccessKey pair.
High-risk permissions include permissions to create another RAM user and grant permissions to that user in the RAM console, permissions to release Elastic Compute Service (ECS), ApsaraDB RDS, Object Storage Service (OSS), and Simple Log Service resources, and permissions to send text messages.
The following sample policy shows a custom policy that revokes these high-risk permissions. Evaluate the impact in full and adjust the policy to your business requirements before you use it.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ram:AddUserToGroup",
        "ram:AttachPolicyToGroup",
        "ram:AttachPolicyToRole",
        "ram:AttachPolicyToUser",
        "ram:ChangePassword",
        "ram:CreateAccessKey",
        "ram:CreateLoginProfile",
        "ram:CreatePolicyVersion",
        "ram:CreateRole",
        "ram:CreateUser",
        "ram:DetachPolicyFromUser",
        "ram:PassRole",
        "ram:SetDefaultPolicyVersion",
        "ram:UpdateAccessKey",
        "ram:SetPasswordPolicy",
        "ram:UpdateRole",
        "ram:UpdateLoginProfile",
        "ram:UpdateUser"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:DeleteInstance",
        "ecs:DeleteInstances",
        "ecs:DeregisterManagedInstance",
        "ecs:ReleaseDedicatedHost"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "rds:DeleteAccount",
        "rds:DeleteDatabase",
        "rds:DeleteDBInstance",
        "rds:DestroyDBInstance"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:DeleteBucket",
        "oss:DeleteObject",
        "oss:PutBucketAcl",
        "oss:PutBucketPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "log:DeleteLogStore",
        "log:DeleteProject",
        "log:PutProjectPolicy",
        "log:DeleteProjectPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "dysms:CreateProductNew",
        "dysms:CreateSmsTemplateNew",
        "dysms:AddSmsTemplate",
        "dysms:SendSms",
        "dysms:SendBatchSms"
      ],
      "Resource": "*"
    }
  ]
}
We recommend that you remove all the permissions that are not required by the AccessKey pair.
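To check, before attaching the policy, which of a workload's actions the Deny statements would block, here is an added Python example that is not part of the documentation: a simplified evaluator of Allow/Deny statements with wildcards, where an explicit Deny overrides any Allow. REVOKE_POLICY is an excerpt of the policy above; WORKLOAD_POLICY and the list of needed actions are constructed samples, and conditions and resource groups are not modelled.

```python
from fnmatch import fnmatchcase

# Added example, not Alibaba Cloud code. Models only Effect, Action and Resource
# (with "*" wildcards) and the rule that an explicit Deny beats every Allow.

# Excerpt of the revocation policy from the page (a subset of its actions).
REVOKE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Deny", "Resource": "*",
         "Action": ["ram:CreateUser", "ram:AttachPolicyToUser", "ram:CreateAccessKey"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["ecs:DeleteInstance", "oss:DeleteObject", "dysms:SendSms"]},
    ],
}

# Constructed sample: the Allow policy currently attached to the leaked RAM user.
WORKLOAD_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*", "oss:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:ListUsers", "Resource": "*"},
    ],
}

def _matches(patterns, value):
    """Case-insensitive wildcard match; Action/Resource may be a string or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def evaluate(policies, action, resource="*"):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action on one resource."""
    verdict = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"        # explicit Deny wins regardless of order
                verdict = "Allow"
    return verdict

def impact_report(policies, workload_actions):
    """Map each action a workload needs to its verdict once the Deny policy is attached."""
    return {a: evaluate(policies, a) for a in workload_actions}

if __name__ == "__main__":
    needed = ["ecs:DescribeInstances", "ecs:DeleteInstance", "oss:GetObject",
              "oss:DeleteObject", "ram:CreateUser"]
    for action, verdict in impact_report([WORKLOAD_POLICY, REVOKE_POLICY], needed).items():
        print(f"{action:24} {verdict}")
```

Any action the workload needs that comes back as "Deny" must be removed from the policy or handled before you attach it.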