Description: Managing identities and keys is the top priority for enterprises on the cloud. Every year, at home and abroad, serious production accidents and data breaches are caused by identities and keys that were mismanaged, leaked, or misused. In this installment, we focus on some of the most interesting aspects of identity in the cloud.

Introduction

In early 2021, a verdict was announced in a domestic "delete the database and run" case. An employee of an enterprise, taking advantage of being the company's database administrator and holding root access to the company's financial system, logged in to the financial system server and deleted the financial data and related applications, leaving the company unable to log in to its financial system. He was ultimately sentenced to seven years.

Although this cloud security incident was caused by a malicious insider, it also exposed the risk that identity permissions pose on the cloud. Managing identities and keys is the top priority for enterprises on the cloud. Every year, at home and abroad, serious production accidents and data breaches are caused by identities and keys that were mismanaged, leaked, or misused. In this installment, we focus on some of the most interesting aspects of identity in the cloud.

Step 1: Cloud security starts with the safe use of your cloud account

Before using Aliyun services, you need to register an Aliyun account. This account is equivalent to root or Administrator on an operating system, so it is sometimes called the primary account or root account. You use the Aliyun account to purchase resources and activate services, and at the same time it has full control over every resource under your name. The primary account has completely unrestricted permissions. The security risks caused by improper use of the primary account are:

* Do not use the primary account for daily operations: besides the risk of misoperation, there is the far greater risk of data leakage, data deletion and similar damage if the account is stolen.

* Do not use the AccessKey (AK) of the primary account: in Aliyun, a user can use an AccessKey to construct API requests (or use a cloud service SDK) to operate on resources. Once the primary account's AK is exposed on the public network, you lose control of the entire primary account, which is likely to cause losses that are hard to assess and cannot be stopped in time.

Step 2: Enable RAM users, grant them different permissions, and assign them to different people

Because using the primary account is so risky, AliCloud RAM lets users access cloud services through RAM users (sub-users) and RAM roles, both of which are controlled by permissions, so that nobody accesses cloud services directly with the primary account. This installment focuses on using RAM to grant permissions from the primary account to sub-accounts within the account as needed, and on the problems users commonly run into.

RAM user creation and authorization

Under the primary account, create a separate RAM user for each operator and grant each one the appropriate permissions.

Point 1: Employees must not share accounts, including passwords, MFA devices and AKs.

Point 2: Follow the principle of least privilege when authorizing. In addition, you can further secure RAM users by restricting the environmental conditions under which access occurs:

  • Whether the login has passed MFA verification
  • Restrict the visitor's login IP address
  • Limit the visitor's login time
  • Restrict the access method (HTTPS/HTTP)
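The four conditions above map onto condition keys in a RAM policy document. The following is an added example, not code from the original article or from Alibaba Cloud: it builds a RAM-style policy that grants ECS read actions only when MFA was used, the source IP is in an allowed range, the time falls in a working window, and the request came over HTTPS, then evaluates constructed request contexts against it. The condition keys (acs:MFAPresent, acs:SourceIp, acs:CurrentTime, acs:SecureTransport) and the policy layout follow RAM's documented format; the IP ranges, time window and the evaluator itself are constructed for this example, and the evaluator is a simplified local model, not RAM's engine.

```python
import fnmatch
import ipaddress
from datetime import datetime

# RAM-style policy granting ECS read-only actions only when the four
# environmental conditions from the text all hold. Condition keys are
# Alibaba Cloud RAM's documented keys; the values are constructed for this
# example (a private office range, a documentation prefix, one working day).
RESTRICTED_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:Describe*"],
            "Resource": ["*"],
            "Condition": {
                "Bool": {
                    "acs:MFAPresent": "true",        # login passed MFA
                    "acs:SecureTransport": "true",   # request arrived over HTTPS
                },
                "IpAddress": {"acs:SourceIp": ["10.0.0.0/8", "203.0.113.0/24"]},
                "DateGreaterThanEquals": {"acs:CurrentTime": "2021-03-01T09:00:00+08:00"},
                "DateLessThanEquals": {"acs:CurrentTime": "2021-03-01T18:00:00+08:00"},
            },
        }
    ],
}

# A request context as a policy engine would see it (constructed sample).
OFFICE_REQUEST = {
    "acs:MFAPresent": "true",
    "acs:SourceIp": "10.12.3.4",
    "acs:CurrentTime": "2021-03-01T10:30:00+08:00",
    "acs:SecureTransport": "true",
}


def _condition_holds(operator, key, expected, context):
    """Evaluate one (operator, key, expected) triple against the request context."""
    actual = context.get(key)
    if actual is None:                  # a missing context key never satisfies a condition
        return False
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    if operator == "IpAddress":
        ranges = expected if isinstance(expected, list) else [expected]
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)
    if operator == "DateGreaterThanEquals":
        return datetime.fromisoformat(actual) >= datetime.fromisoformat(expected)
    if operator == "DateLessThanEquals":
        return datetime.fromisoformat(actual) <= datetime.fromisoformat(expected)
    raise ValueError(f"operator {operator} is not modelled in this example")


def evaluate(policy, action, context):
    """Simplified evaluation: the first Allow statement whose action matches and
    whose conditions all hold wins; everything else is an implicit Deny.
    (The real engine also honours explicit Deny statements and matches
    Resource values; this teaching model does not.)"""
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in stmt["Action"]):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, key, exp, context)
               for op, pairs in conditions.items()
               for key, exp in pairs.items()):
            return stmt["Effect"]
    return "Deny"


def with_context(changes):
    """Copy of OFFICE_REQUEST with some condition keys overridden (for demos and tests)."""
    ctx = dict(OFFICE_REQUEST)
    ctx.update(changes)
    return ctx


if __name__ == "__main__":
    cases = {
        "office, MFA, HTTPS, working hours": OFFICE_REQUEST,
        "same but without MFA": with_context({"acs:MFAPresent": "false"}),
        "same but from an unknown IP": with_context({"acs:SourceIp": "198.51.100.7"}),
        "same but at 22:00": with_context({"acs:CurrentTime": "2021-03-01T22:00:00+08:00"}),
        "same but over plain HTTP": with_context({"acs:SecureTransport": "false"}),
    }
    for label, ctx in cases.items():
        print(f"{label:40s} -> {evaluate(RESTRICTED_POLICY, 'ecs:DescribeInstances', ctx)}")
```

Each context that fails exactly one of the four conditions is denied, and so is any action outside `ecs:Describe*`, which is the least-privilege part of the statement; a context that omits a condition key altogether is denied as well, since an absent key cannot satisfy a condition.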

Set an appropriate password policy

  • Set RAM user password strength

To protect account security, you can edit the password rules: password strength (length + character types), the password expiration policy, the policy on reusing previous passwords, and the maximum number of retries after an incorrect password.

  • Enable multi-factor authentication

Setting up MFA verification for visitors, so that a dynamic password is also required, eliminates the damage caused by a leaked password.

Standard use of access keys

The AccessKey is the long-term credential of a RAM user. If an access key is created for a RAM user, that user can access AliCloud resources through the API or other development tools. An AccessKey consists of an AccessKey ID and an AccessKey Secret: the AccessKey ID identifies the user, and the AccessKey Secret is the key used to verify that the user's identity is valid.

  1. The AccessKey Secret is displayed only when it is first created and cannot be queried afterwards:

If an AccessKey Secret could be retrieved later through the API, every AccessKey Secret would be at risk of disclosure. Therefore, save it promptly when you create the AccessKey.

  2. A RAM user can have at most two AccessKeys:

For safety, a user should normally use only one AK; the second slot is reserved for the regular rotation of the long-term AK, or for emergency rotation in the event of a leak, to limit the damage.

  3. AKs need to be rotated regularly:

If an access key has been in use for more than 3 months, rotate it promptly to reduce the risk of its disclosure. First, create a second access key for the rotation. Then disable (rather than delete) the original access key, and verify that every application or system that used it is still working properly. Finally, delete the original access key.

Audit account usage periodically and reclaim inactive identities and keys

  • ActionTrail lets you view records of user operations on resource instances.
  • The user CredentialReport gives global visibility of employee credential status: password login records, AK usage records and AK rotation records.

Disable an identity/key before deleting it

Identities and keys should follow the principle of disabling first and deleting afterwards, so that an AK still in use is never deleted outright, which would interrupt the business and cause a production accident:

  • Verify that the key is not in use
  • Disable the key, so that it can be restored if needed
  • After the key has been disabled for a period of time and no adverse effect has been observed, delete it
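The AccessKey rules above (the secret is shown once, at most two keys per user, rotate after 3 months, disable before delete) fit together as one key lifecycle. The following is an added example written for this article, not code from Aliyun or the RAM service: a local model of one RAM user's AccessKey slots that enforces the two-key limit, hands the secret out only at creation, flags keys due for rotation, rotates by create-then-disable, counts attempts to use a disabled key as evidence it is still referenced, and refuses deletion until the key has sat disabled and unused for a grace period. The key id format, the 7-day grace period, the reference date and the `day()` helper are constructed for the example; the 90-day threshold and the two-key limit come from the text.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MAX_KEYS_PER_USER = 2               # the two-AK limit stated in the text
ROTATION_AGE = timedelta(days=90)   # "in use for more than 3 months"
DISABLE_GRACE = timedelta(days=7)   # constructed: how long a key stays disabled before deletion
EPOCH = datetime(2021, 1, 1, tzinfo=timezone.utc)   # constructed reference time


def day(n: int) -> datetime:
    """Helper for demos and tests: n days after EPOCH."""
    return EPOCH + timedelta(days=n)


@dataclass
class AccessKey:
    key_id: str
    secret_digest: str                 # only a hash is stored; the secret is handed out once
    created: datetime
    status: str = "Active"             # "Active" or "Inactive"
    last_used: Optional[datetime] = None
    disabled_at: Optional[datetime] = None
    attempts_while_disabled: int = 0   # evidence that something still references the key


class RamUserKeys:
    """Local model of one RAM user's AccessKey slots (constructed for this example)."""

    def __init__(self, user_name: str):
        self.user_name = user_name
        self.keys: Dict[str, AccessKey] = {}

    def create_key(self, now: datetime) -> Tuple[str, str]:
        if len(self.keys) >= MAX_KEYS_PER_USER:
            raise RuntimeError(f"{self.user_name} already has {MAX_KEYS_PER_USER} AccessKeys")
        key_id = "AKID-" + secrets.token_hex(6)        # constructed id format
        secret = secrets.token_urlsafe(30)
        digest = hashlib.sha256(secret.encode()).hexdigest()
        self.keys[key_id] = AccessKey(key_id, digest, created=now)
        return key_id, secret                           # the only time the secret is returned

    def verify(self, key_id: str, secret: str, now: datetime) -> bool:
        """Authenticate a request signed with (key_id, secret) and record the usage."""
        key = self.keys.get(key_id)
        if key is None:
            return False
        if key.status != "Active":
            key.attempts_while_disabled += 1            # some caller still holds the old key
            return False
        if hashlib.sha256(secret.encode()).hexdigest() != key.secret_digest:
            return False
        key.last_used = now
        return True

    def keys_due_for_rotation(self, now: datetime) -> List[str]:
        """Audit step: active keys older than ROTATION_AGE."""
        return [k.key_id for k in self.keys.values()
                if k.status == "Active" and now - k.created > ROTATION_AGE]

    def disable(self, key_id: str, now: datetime) -> None:
        key = self.keys[key_id]
        key.status = "Inactive"
        key.disabled_at = now
        key.attempts_while_disabled = 0

    def enable(self, key_id: str) -> None:
        """Recovery path: a disabled key can be switched back on; a deleted one cannot."""
        key = self.keys[key_id]
        key.status = "Active"
        key.disabled_at = None

    def delete(self, key_id: str, now: datetime) -> None:
        """Disable-then-delete: refuse unless the key sat disabled and unused for the grace period."""
        key = self.keys[key_id]
        if key.status != "Inactive":
            raise RuntimeError(f"{key_id} is still active; disable it first")
        if now - key.disabled_at < DISABLE_GRACE:
            raise RuntimeError(f"{key_id} has not been disabled for {DISABLE_GRACE.days} days yet")
        if key.attempts_while_disabled:
            raise RuntimeError(f"{key_id} was presented {key.attempts_while_disabled} time(s) "
                               "after being disabled; re-enable it and fix the caller")
        del self.keys[key_id]

    def rotate(self, old_key_id: str, now: datetime) -> Tuple[str, str]:
        """Rotation as the text describes it: create the second key, then disable the old one.
        Deletion is a separate, later step (see delete)."""
        new_id, new_secret = self.create_key(now)
        self.disable(old_key_id, now)
        return new_id, new_secret
```

Because `rotate` needs a free slot, a user who already holds two active keys cannot rotate at all; that is why the text advises keeping the second slot free. The `attempts_while_disabled` counter is the local stand-in for checking AK usage records in the CredentialReport before the final delete.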

Best practice sharing: a minimal configuration that maintains the basic security and ease of operation of an enterprise cloud account.

IT governance model room for start-up enterprises

The start-up model room is a minimal configuration that maintains the most basic security and convenience of an enterprise cloud account, reduces the cloud risks that grow as a start-up scales, and lets a start-up quickly achieve:

  • Primary account security
  • Access control
  • Network isolation

It can be enabled quickly in any of three ways: console operations, Terraform code, or CLI code.

This article is original content from Aliyun and may not be reproduced without permission.