After your enterprise migrates to the cloud, you can use Resource Access Management (RAM) to manage user identities and resource access permissions and implement fine-grained permission management. With RAM, you can create and manage RAM users that represent the employees, systems, or applications of your enterprise, and control which operations these RAM users can perform on resources. This topic describes the best practices for using RAM to ensure the security of the Alibaba Cloud resources of your enterprise.
Identity management
General principles
Avoid using the root user identity of the Alibaba Cloud account
After you register with Alibaba Cloud, you obtain an Alibaba Cloud account. If you are an individual developer, the Alibaba Cloud account is associated with your personal identity information. If you register as an enterprise, the Alibaba Cloud account is associated with the enterprise identity verification information, financial account, contract information, and invoice information.
By default, the Alibaba Cloud account has a root user identity. The username and password that you use to register are the credentials that the root user uses to log on to the Alibaba Cloud Management Console. The root user has the following risks:
High permissions: The root user has all access permissions on the Alibaba Cloud account by default. If the account password is leaked, the risk is extremely high.
Password is easily leaked: If multiple users share the account, each user has the username and password of the account, which increases the possibility of password leakage.
Untraceable: If multiple users share the account, the operation logs in the cloud cannot identify which member of the organization performed an operation under the shared identity. This makes the operations impossible to trace.
If you create an AccessKey pair for the root user, the following risks exist:
High permissions: The AccessKey pair of the root user also has all access permissions on the Alibaba Cloud account. If the AccessKey pair is leaked, the risk is extremely high.
Significant impact of AccessKey pair leakage: An AccessKey pair is a permanent credential that remains valid unless it is manually disabled. If you use the AccessKey pair of the Alibaba Cloud account for your business and disable the AccessKey pair when a leakage risk occurs, your online business is affected. You cannot limit the permissions of the AccessKey pair to quickly eliminate the risk.
Therefore, Alibaba Cloud recommends the following practices for Alibaba Cloud account management:
The administrator must keep the username and password secure and must not share them widely among enterprise employees.
Enable a U2F security key for the root user identity of the Alibaba Cloud account to add an additional layer of protection to the password.
Use the username and password of the Alibaba Cloud account to log on to the console only when necessary.
Avoid using the AccessKey pair of the Alibaba Cloud account if possible.
Use RAM user identity credentials
When enterprise personnel or applications need to access Alibaba Cloud resources, assign them RAM user identity credentials. Create a separate RAM user for each operator and manage permissions through RAM, instead of using the Alibaba Cloud account for daily operations and management. For more information, see Create a RAM user.
Personnel access: We recommend that you use SSO integration. If SSO integration is not available, you must bind an MFA device when you enable console password logon for RAM users. Do not allow multiple users to share a RAM user identity. Password sharing increases the risk of leakage and makes it difficult to identify the actual operator from audit logs, which increases the difficulty of internal management.
Program access: For applications deployed on Alibaba Cloud, we recommend that you use solutions without permanent AccessKey pairs and use Security Token Service (STS) tokens as temporary credentials to reduce the risk of credential leakage. For more information, see Best practices for using credentials to access Alibaba Cloud OpenAPI. For applications that are not deployed on Alibaba Cloud or for development and debugging scenarios that require AccessKey pairs, you can create an AccessKey pair for a RAM user. Each RAM user can have a maximum of two AccessKey pairs. One AccessKey pair is used for business, and the other is used for rotation.
Personnel management
Use SSO
We recommend that you use SSO integration for personnel access. After single sign-on (SSO) is enabled, authentication is performed against the internal accounts of your enterprise, and RAM users can log on to Alibaba Cloud and access resources only by using an internal account. Because SSO authentication is completed by the enterprise identity system, you do not need to set passwords for RAM users in Alibaba Cloud, which reduces the risk of password leakage. For more information, see SSO overview.
Set a strong password policy for RAM users
If SSO integration is not available, you must create RAM users for personnel to log on to the console by using passwords. You can set the password strength for RAM users in the RAM console, such as the password length, the required character types, and the validity period. In addition, if RAM users are allowed to change their logon passwords, you must require them to create strong passwords and change their logon passwords on a regular basis.
Enable MFA for RAM users
Enabling multi-factor authentication (MFA) for RAM users who log on to Alibaba Cloud by using passwords can improve account security by adding an additional layer of protection beyond the username and password.
After you enable MFA and bind an MFA device to a RAM user, the RAM user must perform the following steps when logging on to the Alibaba Cloud Management Console or performing sensitive operations in the console:
Enter the username and password of the RAM user.
Enter the verification code that is generated by the virtual MFA device or that is sent to the email address. Alternatively, use the passkey to pass authentication.
Starting from March 17, 2025, Alibaba Cloud enables MFA verification for all RAM users by default when they log on. We strongly recommend that you do not change this configuration to reduce the risk of password leakage. If it is difficult to require all RAM users to verify their identities each time they log on, we recommend that you configure the system to verify identities only when abnormal logons are detected. This configuration requires all RAM users who log on to the console to bind MFA devices, but MFA verification is required only when the Alibaba Cloud platform detects abnormal logons. This reduces the frequency of logon verification. For more information, see Bind an MFA device for a RAM user.
Use passkeys for logon
A passkey is a more secure authentication method that can replace passwords. Alibaba Cloud allows RAM users to use passkeys for logon and as one of the multi-factor authentication (MFA) methods. A passkey allows you to use the authentication methods built in your laptop, mobile phone, or other devices for logons or MFA. The built-in authentication methods include fingerprint recognition, facial recognition, and PIN codes. For more information, see Bind a passkey for a RAM user.
Because passkey authentication itself provides a strong security guarantee, RAM users can log on directly by using passkeys without additional MFA verification.
We recommend that RAM users also bind an MFA device so that they can log on by using a password and MFA when their devices are replaced or faulty.
Limit the IP addresses for console logon (logon mask)
The logon mask feature allows you to limit users to access the Alibaba Cloud Management Console only from trusted network environments. You can set trusted IP addresses or CIDR blocks in the logon mask. Users who attempt to log on from network environments outside this range are rejected. For more information, see Configure network access control.
AccessKey pair management
Use temporary identity credentials for program access
An AccessKey pair is a permanent access credential that Alibaba Cloud provides to Alibaba Cloud accounts and RAM users. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. Improper use of permanent access credentials can cause many risks. For example, if application developers write fixed AccessKey pairs in plaintext in the code and upload the code to public repositories such as GitHub, the AccessKey pairs are leaked, which eventually causes business damage.
We recommend that you obtain temporary access credentials (STS tokens) by assuming RAM roles to replace permanent AccessKey pairs whenever possible. After an STS token is generated, it automatically expires after the maximum session duration (in hours) of the role, which significantly reduces the risk of access credential leakage.
Therefore, for applications deployed on Alibaba Cloud, we recommend that you use STS tokens as temporary credentials and avoid using permanent AccessKey pairs. For more information, see Best practices for using credentials to access Alibaba Cloud OpenAPI.
Do not hard code AccessKey information in plaintext in code
If application developers write permanent access credentials (AccessKey pairs) in plaintext in the code, upload the code to public repositories such as GitHub, or share source code that contains AccessKey information with others, the AccessKey pairs are easily leaked.
If you must use AccessKey pairs, you can use Credentials tools, Key Management Service, or system environment variables to manage access credentials. If you find that an AccessKey pair is leaked, you must rotate the leaked AccessKey pair with a new one as soon as possible. For more information, see Best practices for using credentials to access Alibaba Cloud OpenAPI.
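As an added illustration (not code from the Alibaba Cloud documentation), the following Python shows a simple pre-commit style check for AccessKey literals in source text, beside a loader that reads credentials from environment variables instead. The LTAI prefix pattern, the list of secret variable names, and the ALIBABA_CLOUD_* environment variable names are assumptions of this example.

```python
import os
import re
from typing import List, Optional, Tuple

# Constructed pattern: Alibaba Cloud AccessKey IDs conventionally start with "LTAI";
# the minimum length assumed here should be tuned to the keys in your environment.
ACCESS_KEY_ID_RE = re.compile(r"""["']LTAI[A-Za-z0-9]{12,}["']""")
# Variable names that commonly hold the secret half (assumed list) set to a quoted literal.
SECRET_LITERAL_RE = re.compile(
    r"""(?i)(access[_-]?key[_-]?secret|ak[_-]?secret)\s*[:=]\s*["'][^"']{16,}["']"""
)

def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, reason) for lines embedding an AccessKey ID or secret literal."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_ID_RE.search(line):
            findings.append((no, "AccessKey ID literal"))
        if SECRET_LITERAL_RE.search(line):
            findings.append((no, "AccessKey secret literal"))
    return findings

def load_credentials_from_env() -> Optional[dict]:
    """Read credentials from the environment instead of source code. The variable
    names are those the Alibaba Cloud Credentials tools read (assumed here); a
    security token, if present, marks the pair as a temporary STS credential."""
    key_id = os.environ.get("ALIBABA_CLOUD_ACCESS_KEY_ID")
    secret = os.environ.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
    if not key_id or not secret:
        return None  # fail closed rather than fall back to a baked-in pair
    return {
        "access_key_id": key_id,
        "access_key_secret": secret,
        "security_token": os.environ.get("ALIBABA_CLOUD_SECURITY_TOKEN"),
    }

# Constructed snippets: a hardcoded pair beside the environment-based form.
BAD_SNIPPET = '''
client = Client(
    access_key_id="LTAI4CONSTRUCTEDEXAMPLE01",
    access_key_secret="constructedSecretValueDoNotUse1234",
)
'''
GOOD_SNIPPET = '''
client = Client(
    access_key_id=os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
    access_key_secret=os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"],
)
'''
```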
Clean up inactive RAM users and AccessKey pairs in a timely manner
If you do not clean up the RAM users and AccessKey credentials held by employees who have left the enterprise or partners whose cooperation has ended in a timely manner, they can still access your cloud resources, which may lead to malicious use. In addition, users and AccessKey pairs that have been inactive for a long time tend to be poorly managed, so their theft may not be discovered in a timely manner.
Starting from September 2024, Alibaba Cloud has gradually enabled the automatic disabling of console logon for users who have been inactive for more than two years and the automatic disabling of AccessKey pairs that have been inactive for more than two years. After this feature is enabled, it continues to run and disables credentials that meet the conditions on a daily basis.
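The following Python is an added example (not part of the original topic) that applies the two-year inactivity threshold described above to a constructed inventory of RAM users and their AccessKey pairs, so that an administrator can find cleanup candidates without waiting for the platform's automatic disabling. The record field names and identifiers are this example's own, not the RAM API's.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional

INACTIVITY_LIMIT = timedelta(days=2 * 365)  # the two-year threshold from the text

def is_stale(last_used: Optional[str], now: datetime, limit: timedelta = INACTIVITY_LIMIT) -> bool:
    """True when a credential has not been used within the limit. A credential that
    was never used (None) is treated as stale; refine with creation time if needed."""
    if last_used is None:
        return True
    used_at = datetime.fromisoformat(last_used.replace("Z", "+00:00"))
    return now - used_at > limit

def find_stale_credentials(records: List[dict], now: datetime) -> List[str]:
    """Return identifiers for console logons and active AccessKey pairs past the limit.
    Record keys are constructed for this example, not the RAM API's field names."""
    stale = []
    for user in records:
        if user.get("console_logon_enabled") and is_stale(user.get("last_logon"), now):
            stale.append(f"user:{user['name']}:console-logon")
        for ak in user.get("access_keys", []):
            if ak.get("status") == "Active" and is_stale(ak.get("last_used"), now):
                stale.append(f"user:{user['name']}:accesskey:{ak['id']}")
    return stale

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed reference time
SAMPLE_USERS = [  # constructed inventory
    {"name": "alice", "console_logon_enabled": True, "last_logon": "2025-05-20T08:00:00Z",
     "access_keys": [{"id": "AK-EXAMPLE-1", "status": "Active", "last_used": "2022-01-15T00:00:00Z"}]},
    {"name": "contractor", "console_logon_enabled": True, "last_logon": "2023-03-01T00:00:00Z",
     "access_keys": [{"id": "AK-EXAMPLE-2", "status": "Inactive", "last_used": None}]},
    {"name": "deploy-bot", "console_logon_enabled": False, "last_logon": None,
     "access_keys": [{"id": "AK-EXAMPLE-3", "status": "Active", "last_used": None}]},
]
```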
Limit the source IP addresses of API requests that use AccessKey pairs
Use AccessKey network access control policies to limit the source IP addresses of API requests that use AccessKey pairs. This controls the source of AccessKey pair calls within trusted network environments and improves the security of AccessKey pairs.
If an existing AccessKey pair is suspected or confirmed to be leaked, first set a network access control policy for the AccessKey pair to limit calls to trusted network environments only, which directly blocks abnormal external calls.
Review the network environments used by the businesses under each account and set network access control policies at the account level or for important business AccessKey pairs to prevent abnormal external calls in advance.
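The following Python is an added example (not from the original topic) that evaluates constructed console logon and API call records against trusted CIDR blocks, the same allow-or-reject decision that a logon mask makes for console logons and that an AccessKey network access control policy makes for API requests. The CIDR blocks, record fields, and principal names are constructed for this example.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed trusted ranges, standing in for the CIDR blocks you would configure
# in a logon mask (console) or an AccessKey network access control policy (API).
TRUSTED_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),  # office egress range (constructed)
    ipaddress.ip_network("192.0.2.10/32"),   # single CI runner address (constructed)
]

def is_trusted(source_ip: str, cidrs: Iterable = TRUSTED_CIDRS) -> bool:
    """True when the source address lies inside one of the trusted CIDR blocks.
    A mismatched address family (IPv6 against IPv4 ranges) is simply untrusted."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in cidrs)

def find_untrusted_access(records: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (principal, source_ip, action) for every record whose source IP is
    outside the trusted ranges. Record keys are constructed for this example and
    do not follow any particular audit-log schema."""
    return [
        (rec["principal"], rec["source_ip"], rec["action"])
        for rec in records
        if not is_trusted(rec["source_ip"])
    ]

def untrusted_count_by_principal(records: Iterable[dict]) -> Dict[str, int]:
    """Count untrusted accesses per principal to prioritize which credentials need a policy first."""
    counts: Dict[str, int] = {}
    for principal, _ip, _action in find_untrusted_access(records):
        counts[principal] = counts.get(principal, 0) + 1
    return counts

# Constructed sample: console logons and API calls made with a RAM user's AccessKey pair.
SAMPLE_RECORDS = [
    {"principal": "ram-user:deploy-bot", "source_ip": "203.0.113.45", "action": "ecs:DescribeInstances"},
    {"principal": "ram-user:deploy-bot", "source_ip": "198.51.100.7", "action": "ecs:DescribeInstances"},
    {"principal": "ram-user:alice", "source_ip": "192.0.2.10", "action": "console-logon"},
    {"principal": "ram-user:alice", "source_ip": "2001:db8::1", "action": "console-logon"},
]
```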
Permission management
Minimize authorization
You can grant permission policies to RAM identities (RAM users, RAM user groups, and RAM roles) to limit the access permissions of RAM identities to resources. When you grant permissions, we recommend that you follow the principle of least privilege and grant only the necessary permissions to avoid security risks caused by excessive permissions.
Permission policies are classified into system policies and custom policies. System policies are created by Alibaba Cloud, and their version updates are maintained by Alibaba Cloud. Users can use system policies but cannot modify them. Custom policies are managed by users, who maintain their version updates and can create, update, and delete them. Custom policies allow more fine-grained permission management. For more information, see Create a custom policy.
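As an added example (not Alibaba Cloud's own tooling), the following Python audits a RAM policy document for Allow statements that work against least privilege before the policy is attached to a RAM identity. The checks are this example's heuristics, and the sample policies, including the region and resource pattern, are constructed.

```python
import json
from typing import List

def _as_list(value) -> list:
    """RAM policy Action and Resource may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json: str) -> List[str]:
    """Return least-privilege warnings for a RAM policy document.
    The heuristics are this example's own, not a RAM feature: they flag Allow
    statements that grant every action, every action of one service, or any
    action on every resource without a Condition narrowing the grant."""
    policy = json.loads(policy_json)
    warnings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            warnings.append(f"statement {idx}: full administrative access (Action * on Resource *)")
            continue
        for action in actions:
            if action.endswith(":*"):
                warnings.append(f"statement {idx}: all actions of service {action.split(':')[0]}")
        if "*" in resources and not stmt.get("Condition"):
            warnings.append(f"statement {idx}: Resource * without a Condition")
    return warnings

# Constructed policy: an over-broad statement beside a narrowly scoped one.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ecs:DescribeInstances"],
         "Resource": ["acs:ecs:cn-hangzhou:*:instance/*"]},
    ],
})
# Constructed policy equivalent to full administrative access.
ADMIN_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})
```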