API credentials, also known as AccessKey pairs, are unique and essential identity credentials that enable users to access internal resources. They are used to encrypt communication and authenticate identities of users when the users call the API operations of a specific Alibaba Cloud service. AccessKey pairs are the sole identity credentials for cloud users to invoke cloud service APIs and access cloud resources.
API credentials are equivalent to passwords but they are used in different scenarios. API credentials are used to call Alibaba Cloud APIs by using command lines, whereas passwords are used to log on to the consoles of cloud services.
On Alibaba Cloud, users can use an AccessKey pair to construct an API request or use Alibaba Cloud SDKs to manage resources. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID identifies the user, and the AccessKey secret is used to authenticate the user who holds the key. You must keep your AccessKey secret confidential.
If AccessKey pairs are leaked, users are exposed to risks such as data breaches.
Automatic closed-loop security check of AccessKey pairs
Security Center provides comprehensive detection to prevent accidental AccessKey pair leaks and ensure the security of services on Alibaba Cloud. The detection includes configuration checks, leak behavior detection, and detection of abnormal calls.
Alibaba Cloud has cooperated with GitHub to implement the token scan mechanism. GitHub is the largest open source code management provider.
Security Center provides the automatic closed-loop security check of AccessKey pairs to detect the AccessKey pair leaks on GitHub. Alibaba Cloud notifies users and responds within a few seconds after code that includes AccessKey pairs is submitted to GitHub. This minimizes impacts on users after AccessKey pairs are leaked.
Configuration check: CSPM
To prevent exceptions when you use Alibaba Cloud services, log on to the Security Center console and open the CSPM page from the left-side navigation pane. On the CSPM page, you can check whether the configuration items of your Alibaba Cloud services are at risk.
Make sure that the log audit of Alibaba Cloud services is in the Enabled state. This way, you can check whether abnormal calls exist.
Make sure that the AccessKey pair of a RAM user is used instead of the AccessKey pair of an Alibaba Cloud account, and abide by the principle of least privilege. This way, if the AccessKey pair is leaked, control over the Alibaba Cloud account is not completely lost.
Make sure that multi-factor authentication TOTP is enabled for your Alibaba Cloud account. This reduces the risks of unauthorized access due to password leaks.
Note: MFA has been renamed Time-based One-time Password (TOTP).
Leak behavior detection: detection of AccessKey pair leaks
You can log on to the Security Center console and open the AK leak detection page from the left-side navigation pane. On the AK leak detection page, you can view the details of AccessKey pair leaks.
Detection of abnormal calls
You can log on to the Security Center console and view the alerts of the Cloud threat detection type on the Alerts page. If Security Center detects an abnormal call that includes an AccessKey pair, Security Center generates alerts and sends notifications. This way, you can handle the leak at the earliest opportunity.
Security suggestions
In addition to the aforementioned detection and response measures for AccessKey pair leaks, we recommend that you conform to the following security specifications when you use Alibaba Cloud services. This reduces the impacts of AccessKey pair leaks.
Do not embed AccessKey pairs in code.
AccessKey pairs that are embedded in code are easily overlooked and can be leaked together with the code. We recommend that you store AccessKey pairs in databases or separate files to facilitate management.
Update AccessKey pairs on a regular basis.
We recommend that you regularly update the AccessKey pairs that your code uses. This way, a leak of the original code does not affect your online business.
Revoke unnecessary AccessKey pairs on a regular basis.
You can view the time at which each AccessKey pair was last used in the Alibaba Cloud Management Console. We recommend that you disable AccessKey pairs that are no longer needed.
Abide by the principle of least privilege and use RAM users.
You can grant the read and write permissions to RAM users based on business requirements and use the AccessKey pairs of different RAM users for business.
Enable log audit and deliver the logs to Object Storage Service (OSS) and Log Service for storage and audit.
Operation logs stored in OSS preserve evidence that you can use to investigate exceptions that occur. If you have a large number of logs, you can deliver the logs to Log Service, where you can search for logs in an efficient manner.
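As an added example (not Alibaba Cloud's or GitHub's own scanner), the following pre-commit style check applies the first suggestion above locally: it flags AccessKey ID literals in source files before they reach a repository, so the GitHub token scan does not have to be the first line of defense. It assumes that AccessKey IDs start with "LTAI" followed by 12 or 20 alphanumeric characters, that AccessKey secrets are 30 alphanumeric characters, and that ALIBABA_CLOUD_ACCESS_KEY_ID is the environment variable used in the correct, non-embedded variant; none of these values come from the page.

```python
import re
import sys
from pathlib import Path
from typing import Iterable, List, NamedTuple

# Assumptions (not stated on the page): AccessKey IDs start with "LTAI" followed by
# 12 or 20 alphanumeric characters; AccessKey secrets are 30 alphanumeric characters.
# A secret-shaped literal is only reported near a matched ID to limit false positives.
AK_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12}(?:[A-Za-z0-9]{8})?\b")
AK_SECRET_RE = re.compile(r"""['"]([A-Za-z0-9]{30})['"]""")
SECRET_WINDOW = 3  # lines on either side of an ID match to search for a secret


class Finding(NamedTuple):
    path: str
    line: int          # 1-based line of the AccessKey ID literal
    masked_id: str     # prefix only, so the report itself does not leak the key
    secret_nearby: bool


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per AccessKey ID literal found in text."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for i, line in enumerate(lines):
        for match in AK_ID_RE.finditer(line):
            lo, hi = max(0, i - SECRET_WINDOW), min(len(lines), i + SECRET_WINDOW + 1)
            window = "\n".join(lines[lo:hi])
            masked = match.group(0)[:8] + "*" * (len(match.group(0)) - 8)
            findings.append(Finding(path, i + 1, masked, AK_SECRET_RE.search(window) is not None))
    return findings


def scan_files(paths: Iterable[str]) -> List[Finding]:
    """Scan regular files; hook usage: python ak_scan.py $(git diff --cached --name-only)"""
    return [f for p in paths if Path(p).is_file()
            for f in scan_text(p, Path(p).read_text(errors="replace"))]


# Constructed sample: a fake hard-coded pair (flagged) next to a correct
# environment-variable lookup (not flagged). Neither value is a real credential.
SAMPLE_SOURCE = '''client = Client(access_key_id="LTAI5tEXAMPLEexample0000",
                access_key_secret="ExampleSecretNotRealxxxxxxxxxx")
good = os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"]
'''

if __name__ == "__main__":
    results = scan_files(sys.argv[1:]) if sys.argv[1:] else scan_text("sample.py", SAMPLE_SOURCE)
    for f in results:
        print(f"{f.path}:{f.line}: AccessKey ID {f.masked_id}", "with secret nearby" if f.secret_nearby else "")
    sys.exit(1 if results else 0)
```

A non-zero exit status blocks the commit when the script is wired in as a Git pre-commit hook; the masked output can be forwarded to a ticket without reproducing the credential.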