Talking about the Basics of Identity Management: Ensuring Security on the Cloud, Starting with Standard Account Usage

Introduction

At the beginning of 2021, the verdict in a domestic database-deletion case was announced. An employee of an enterprise, taking advantage of his role as the company's database administrator and his possession of root authority over the company's financial system, logged in to the financial system server and deleted financial data and related applications, so that the financial system could no longer be logged in to. He was eventually sentenced to 7 years in prison.

Although this cloud security incident was caused by a malicious insider, it also exposed the risk of identity permissions on the cloud. Managing identities and keys is the top priority for enterprises moving to the cloud; every year, at home and abroad, serious production accidents or data leaks occur because identities and keys were poorly managed, leaked, or misused. In this issue, the editor focuses on the things worth paying attention to about identity on the cloud.

The first step: cloud security starts with ensuring the safe use of cloud accounts

Before we start using Alibaba Cloud services, we first need to register an Alibaba Cloud account. It is equivalent to the root or Administrator user of an operating system, so it is sometimes called the main account or root account. We use the Alibaba Cloud account to purchase resources and activate services, and it has full control over all resources under our name: the main account corresponds to completely unrestricted permissions. Let us enumerate the security risks caused by unregulated use of the main account:

  • Do not use the main account for daily operations: there is not only the risk of misoperation, but also the greater risk of data leakage and data deletion if the account is stolen.
  • Do not use the AccessKey of the main account (AK for short): in Alibaba Cloud, users can use an AccessKey to construct API requests (or use a cloud service SDK) to manipulate resources. Once the main account's AK is exposed on the public network, control of the entire main account is lost, causing a loss that is difficult to assess and impossible to stop in time.

The second step: start using RAM users, grant them different permissions, and assign them to different people

  • Because using the main account is so risky, Alibaba Cloud RAM provides sub-accounts with controlled permissions (RAM SubUser) and roles (RAM Role) for accessing cloud services, so that users do not access resources directly with the main account. This issue focuses on using RAM to grant the main account's permissions to the sub-accounts under the account on demand, as well as the common problems users run into.

    RAM user creation and authorization
    Create independent RAM users for the different operators under the account and grant each the corresponding permissions.
    Point 1: Employees should not share accounts, including passwords, MFA devices, and AKs.
    Point 2: Follow the authorization principle of "least privilege". In addition, you can further secure the use of RAM users by restricting the environmental conditions under which access occurs:
  • Whether the login has passed MFA verification
  • Restrict the visitor's login IP address
  • Restrict the visitor's login time period
  • Restrict the access method (HTTPS/HTTP)
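The four environmental conditions above map onto Condition keys in a RAM policy. The following Python is added here and is not from the original post: it embeds a constructed policy combining those conditions and evaluates it deny-by-default against request contexts. The condition keys and operators are the ones the RAM policy language uses; the policy, the request contexts and the evaluator itself are assumptions, not Alibaba Cloud's engine.

```python
import ipaddress
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed policy (not from the post): ECS read-only, only with MFA, allowed IP, time window and HTTPS.
POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:Describe*"],
        "Resource": "*",
        "Condition": {
            "Bool": {"acs:MFAPresent": "true", "acs:SecureTransport": "true"},
            "IpAddress": {"acs:SourceIp": ["203.0.113.0/24", "198.51.100.10"]},
            "DateGreaterThan": {"acs:CurrentTime": "2024-01-01T00:00:00Z"},
            "DateLessThan": {"acs:CurrentTime": "2024-12-31T23:59:59Z"},
        },
    }],
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _condition_holds(operator, expected, ctx):
    """True only if every key under this operator is satisfied by the request context."""
    for key, want in expected.items():
        have = ctx.get(key)
        if have is None:
            return False  # a missing context key never satisfies a condition
        if operator == "Bool":
            ok = str(have).lower() == want
        elif operator == "IpAddress":
            ok = any(ipaddress.ip_address(have) in ipaddress.ip_network(n) for n in want)
        elif operator == "DateGreaterThan":
            ok = _ts(have) > _ts(want)
        elif operator == "DateLessThan":
            ok = _ts(have) < _ts(want)
        else:
            ok = False  # unknown operator: fail closed
        if not ok:
            return False
    return True

def is_allowed(policy, action, ctx):
    """Deny by default: allow only if an Allow statement matches and all its conditions hold."""
    for st in policy["Statement"]:
        if st["Effect"] == "Allow" and any(fnmatchcase(action, p) for p in st["Action"]) \
                and all(_condition_holds(op, exp, ctx) for op, exp in st.get("Condition", {}).items()):
            return True
    return False
```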


Set up a suitable password policy

  • Set RAM user password strength

To protect account security, you can edit the password rules, including password strength (length and character classes), the password expiration policy, the password-history (no reuse) policy, and the maximum number of incorrect password retries.

  • Enable multi-factor authentication

Set up MFA for visitors: the dynamic password removes the harm caused by a password leak, because the leaked password alone is no longer enough to log in.

Standard use of access key (AccessKey)

The AccessKey is the long-term credential of a RAM user. If an access key is created for a RAM user, that user can access Alibaba Cloud resources through APIs or other development tools. An AccessKey consists of an AccessKey ID and an AccessKey Secret: the AccessKey ID identifies the user, and the AccessKey Secret is the key used to verify the legitimacy of the user's identity.
1. The AccessKeySecret is only displayed when it is first created, and cannot be queried afterwards:
If the AccessKeySecret could be queried again through the API, every AccessKey would be at risk of leakage and the resulting security issues could not be prevented, so save the secret promptly when creating the AccessKey.
2. A sub-user has at most two AccessKeys:
To ensure safe use, a user should only use one AK at a time; the other AK slot is reserved for periodic rotation of the permanent AK, or for emergency rotation when a leak occurs, which reduces the loss.
3. The AK needs to be rotated regularly:
If your access key has been in use for more than 3 months, it is recommended that you rotate it promptly to reduce the risk of the access key being leaked. First, create a second access key for the rotation. Then disable (instead of delete) the original access key. Next, verify that all applications or systems that use the access key are still functioning properly. Finally, delete the original access key.

Regularly audit the use of accounts and recover inactive identity keys

  • Through ActionTrail, you can view the records of user operations on resource instances.
  • Through the user credential report (CredentialReport), you get a global view of employees' credentials: password login records, AK usage records, and AK rotation records.
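The credential report is what an audit for stale and unused keys runs over. The Python below is an added example, not from the original post: it reads a constructed report (two made-up users) and flags keys older than the 3 months the post recommends, keys idle long enough to start the disable-then-delete process, and users without MFA. The column names are an assumption modelled on the RAM credential report, and the 60-day idle threshold is a constructed value.

```python
import csv
import io
from datetime import datetime, timezone

ROTATE_AFTER_DAYS = 90   # the post recommends rotating keys older than 3 months
UNUSED_AFTER_DAYS = 60   # constructed threshold: candidate for disable-then-delete
NOW = datetime(2024, 6, 1, 12, tzinfo=timezone.utc)  # fixed "today" for reproducible results

# Constructed sample report (two made-up users); the column names are an assumption
# modelled on the RAM credential report, not a real export.
REPORT = """\
user,mfa_active,access_key_1_exist,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used,access_key_2_exist,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used
alice,true,true,true,2023-11-15T08:00:00Z,2024-05-30T12:00:00Z,false,false,N/A,N/A
bob,false,true,true,2024-01-10T08:00:00Z,2024-03-20T09:00:00Z,true,true,2024-05-20T08:00:00Z,2024-05-31T10:00:00Z
"""

def _days_since(stamp):
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (NOW - when).days

def audit(report_csv):
    """Return (user, key_slot, finding) tuples; key_slot is None for user-level findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["mfa_active"] != "true":
            findings.append((user, None, "mfa_not_enabled"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_exist"] != "true" or row[f"access_key_{slot}_active"] != "true":
                continue  # no key, or already disabled: nothing to rotate
            age = _days_since(row[f"access_key_{slot}_last_rotated"])
            if age > ROTATE_AFTER_DAYS:
                findings.append((user, slot, f"rotate: key is {age} days old"))
            last_used = row[f"access_key_{slot}_last_used"]
            idle = _days_since(last_used) if last_used != "N/A" else age  # never used: idle since creation
            if idle > UNUSED_AFTER_DAYS:
                findings.append((user, slot, f"disable_then_delete: unused for {idle} days"))
    return findings

if __name__ == "__main__":
    for user, slot, finding in audit(REPORT):
        print(user, f"AK{slot}" if slot else "-", finding)
```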

Identities/keys are disabled and then deleted

Identities/keys should be disabled first and deleted later, to avoid deleting an AK that is still in use, which would disrupt the business and cause a production accident:

  • Confirm that the key is not in use
  • Disable the key; it can be restored at any time
  • After the key has been disabled for a period of time and no adverse effect has been observed, delete the key
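The rotation steps in point 3 above and the disable-then-delete sequence here are one workflow. The Python below is an added example, not code from the original post or from Alibaba Cloud: it models that workflow against an in-memory stand-in for a RAM user's keys, including the two-key limit, the refusal to delete a key that is still Active, and the rollback when something still used the disabled key during the grace period. The RAM operation names in the comments are the real API operations each step corresponds to; nothing here calls Alibaba Cloud, and the key ids are constructed.

```python
import secrets

MAX_KEYS = 2  # a RAM user may hold at most two AccessKeys at once

class AccessKeys:
    """In-memory stand-in for one RAM user's keys (constructed, not the RAM API).
    Comments name the RAM operation each method corresponds to."""
    def __init__(self):
        self.keys = {}  # key id -> {"status": "Active"|"Inactive", "used_since_disable": bool}

    def create(self):                       # CreateAccessKey
        if len(self.keys) >= MAX_KEYS:
            raise RuntimeError("two keys already exist: finish the previous rotation first")
        key_id = "LTAI" + secrets.token_hex(8)  # constructed id, same shape as a real one
        self.keys[key_id] = {"status": "Active", "used_since_disable": False}
        return key_id

    def disable(self, key_id):              # UpdateAccessKey Status=Inactive
        self.keys[key_id].update(status="Inactive", used_since_disable=False)

    def enable(self, key_id):               # UpdateAccessKey Status=Active (rollback)
        self.keys[key_id]["status"] = "Active"

    def delete(self, key_id):               # DeleteAccessKey
        if self.keys[key_id]["status"] == "Active":
            raise RuntimeError("refusing to delete an Active key: disable it first")
        del self.keys[key_id]

    def record_use(self, key_id):
        """A caller presented this key.  A call with a disabled key is rejected, but the
        attempt is what ActionTrail would later show; remember it for the grace check."""
        key = self.keys[key_id]
        if key["status"] == "Inactive":
            key["used_since_disable"] = True
        return key["status"] == "Active"

def rotate(user, old_id, redeploy, grace_ok):
    """Create a second key, redeploy consumers to it, disable (not delete) the old key,
    then delete it only if grace_ok() confirms nothing still used it; otherwise roll back."""
    new_id = user.create()
    redeploy(new_id)
    user.disable(old_id)
    if not grace_ok(user, old_id):
        user.enable(old_id)   # a forgotten consumer still needs it: re-enable and stop
        return None
    user.delete(old_id)
    return new_id
```

On the rollback path the new key is kept so the stray consumer can be fixed and the rotation retried; until then the two-key limit blocks creating a third key.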

Best practice sharing: a minimal configuration that maintains the most basic security and O&M convenience of an enterprise cloud account.

Startup IT governance model room

The startup model room is a minimal configuration that maintains the most basic security and O&M convenience of an enterprise cloud account, reduces the on-cloud risk that grows as a startup expands, and lets startups quickly achieve:

  • Master account security
  • Controllable permissions
  • Network isolation

It can also be activated quickly in three ways: console operation, Terraform code, and CLI code.
Click to learn more: https://help.aliyun.com/document_detail/172542.html

This article is the original content of Alibaba Cloud and may not be reproduced without permission.

Origin: blog.csdn.net/weixin_43970890/article/details/114661371