Introduction: managing identities and keys is the top priority for enterprises on the cloud. Every year, both domestically and abroad, serious production incidents and data leaks result from poorly managed identities and keys, leaked credentials, or operator error. This issue focuses on the points about identity on the cloud that deserve attention.
At the beginning of 2021, the verdict in a domestic "delete the database and run" incident was announced. An employee, taking advantage of being the company's database administrator and holding root privileges on the company's financial system, logged in to the financial system server and deleted the financial data and related applications. As a result, the company's financial system could no longer be logged in to, and the employee was ultimately sentenced to seven years' imprisonment.
Although this cloud security incident was caused by a malicious insider, it also exposed the risks around identity and permissions on the cloud.
The first step is to ensure the security of cloud accounts
Before we start using Alibaba Cloud services, we need to register an Alibaba Cloud account, which is equivalent to root or administrator on an operating system, so it is sometimes called the primary account or root account. We use the Alibaba Cloud account to purchase resources and activate services, and it has full control over all resources under our name: the primary account corresponds to completely unrestricted permissions. The security risks caused by non-standard use of the primary account are as follows:
- Do not use the primary account for daily operations: besides the risk of misoperation, there is the greater risk of data leakage and data deletion if the account is stolen.
- Do not use the primary account's access key (AK): in Alibaba Cloud, users can use an access key to construct API requests (or use a cloud service SDK) to operate on resources. Once the AK is exposed on the public network, control of the entire primary account is lost, which with high probability causes losses that are hard to assess and cannot be stopped in time.
The second step is to enable RAM users and grant different permissions to different people
Because using the primary account is so risky, Alibaba Cloud RAM (Resource Access Management) lets users access cloud services through RAM users and RAM roles with controlled permissions, instead of accessing cloud services directly with the primary account. This issue focuses on using RAM to grant the primary account's permissions to the sub-accounts under it on demand, and on the common problems users run into.
RAM user creation and authorization
Create a separate RAM user for each operator under the primary account and grant the corresponding permissions.
Point 1: employees must not share accounts, including passwords, MFA devices and AKs.
Point 2: follow the principle of least privilege when authorizing. In addition, safe use of RAM users can be ensured by restricting the environmental conditions under which access occurs:
- Whether the login has passed MFA verification
- Restrict the IP addresses visitors may log in from
- Restrict the time period during which visitors may log in
- Restrict the access protocol (HTTPS / HTTP)
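As an added example (not code from Alibaba Cloud or this article), the following Python models a RAM policy statement that carries the four restrictions listed above, using the real RAM condition keys acs:SourceIp, acs:MFAPresent, acs:SecureTransport and acs:CurrentTime; the evaluator itself is a simplified, hypothetical re-implementation for illustration, not the RAM engine.

```python
# Added example, not Alibaba Cloud code: the policy uses real RAM policy syntax
# and condition keys; the evaluator is a simplified, hypothetical model of
# the four condition operators used here (Deny statements are not modelled).
import ipaddress
from datetime import datetime, timezone

# Constructed policy: OSS access only from the office range, over HTTPS,
# with MFA verified, inside a fixed time window.
POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "oss:*", "Resource": "*",
    "Condition": {
        "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
        "Bool": {"acs:MFAPresent": "true", "acs:SecureTransport": "true"},
        "DateGreaterThan": {"acs:CurrentTime": "2021-03-01T00:00:00Z"},
        "DateLessThan": {"acs:CurrentTime": "2021-03-01T10:00:00Z"},
    }}]}

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def condition_matches(condition, ctx):
    """ctx maps condition keys to the request's actual values (str, bool or datetime)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # a key absent from the request never satisfies a condition
            if operator == "IpAddress":
                nets = expected if isinstance(expected, list) else [expected]
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(n) for n in nets)
            elif operator == "Bool":
                ok = actual == (expected == "true")
            elif operator == "DateGreaterThan":
                ok = actual > parse_time(expected)
            elif operator == "DateLessThan":
                ok = actual < parse_time(expected)
            else:
                ok = False  # unsupported operator: fail closed
            if not ok:
                return False
    return True

def is_allowed(policy, action, ctx):
    """True if an Allow statement covers the action and every condition on it holds."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        covers = any(a == action or (a.endswith("*") and action.startswith(a[:-1])) for a in actions)
        if covers and stmt["Effect"] == "Allow" and condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False
```

A request that fails any one of the four conditions (wrong source IP, no MFA, plain HTTP, outside the window) is refused even though the action itself is covered.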
Set an appropriate password policy
- Set the RAM user password strength
To protect account security, you can edit the password rules, including password strength (length + character classes), the password expiration policy, the policy on reusing historical passwords, and the maximum number of failed password attempts.
- Enable multi-factor authentication
Setting up MFA for visitors means a dynamic password is required, which eliminates the harm of password leakage.
Standard use of access keys
The access key is the long-term credential of a RAM user. If an access key is created for a RAM user, the RAM user can access Alibaba Cloud resources through the API or other development tools. An AccessKey consists of an AccessKey ID and an AccessKey Secret: the AccessKey ID identifies the user, and the AccessKey Secret is the key used to verify the legitimacy of the user's identity.
- The AccessKey Secret is only displayed when it is first created and cannot be queried afterwards
If other AccessKey Secrets could be retrieved through the API, every AccessKey would be at risk of leakage and security problems could not be prevented. Therefore, save the AccessKey promptly when you create it.
- A RAM user can have at most two AccessKeys:
For safety, a user should use only one AK at a time; the other AK is reserved for periodic rotation of the long-lived AK, or for emergency rotation in case of leakage, so as to limit losses.
- AKs need to be rotated regularly:
If your access key has been in use for more than 3 months, it is recommended that you rotate it promptly to reduce the risk of disclosure. First, create a second access key for the rotation. Then disable (rather than delete) the original access key. Next, verify that all applications or systems that use the access key are functioning properly. Finally, delete the original access key.
Audit account usage regularly and reclaim inactive identities and keys
- Through ActionTrail, you can view the records of users' operations on resource instances.
- Through the credential report, the credential status of employees is monitored globally: password login records, AK usage records and AK rotation records.
Disable an identity or key before deleting it
Identities and keys should follow the principle of disable first, then delete, to avoid deleting an AK that is still in use, disrupting business and causing a production incident:
- Confirm that the key is not in use
- Disable the key; it can be re-enabled at any time
- After the key has been disabled for a period of time and you have confirmed there is no adverse effect, delete the key
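The rotation rule above (rotate after 3 months), the credential-report audit, and the disable-before-delete sequence can be combined into one review pass. The following is an added example, not Alibaba Cloud code; it assumes a simplified credential-report CSV whose column names, sample rows and 90-day unused threshold are constructed for this example and should be checked against a real report.

```python
# Added example, not Alibaba Cloud code. The CSV layout is an assumed
# simplification of the RAM credential report: the column names and all
# dates are constructed for this example, so check them against a real
# report before reusing the logic.
import csv
import io
from datetime import datetime, timedelta, timezone

REPORT_CSV = """\
user,password_exist,mfa_active,access_key_1_exist,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used,access_key_2_exist,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used
alice,true,true,true,true,2021-01-05T09:00:00Z,2021-04-20T10:00:00Z,false,false,N/A,N/A
bob,true,false,true,true,2021-04-01T09:00:00Z,N/A,true,false,2020-11-01T09:00:00Z,2021-03-30T08:00:00Z
ci-bot,false,false,true,true,2020-09-15T09:00:00Z,2021-04-21T01:00:00Z,false,false,N/A,N/A
"""

def parse_ts(value):
    """Return an aware datetime, or None for the report's N/A marker."""
    if value in ("", "N/A"):
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_report(text, now, rotate_days=90, unused_days=90):
    """Return (user, finding) pairs: missing MFA, unused AKs to disable,
    AKs due for rotation, and disabled AKs awaiting deletion."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user"]
        if row["password_exist"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_exist"] != "true":
                continue
            if row[f"access_key_{n}_active"] != "true":
                # A disabled key cannot be used; delete it once the observation window has passed.
                findings.append((user, f"AK{n} disabled: delete after the observation window"))
                continue
            last_used = parse_ts(row[f"access_key_{n}_last_used"])
            if last_used is None or now - last_used > timedelta(days=unused_days):
                # Disable first rather than delete, so the key can be restored if something breaks.
                findings.append((user, f"AK{n} unused for >{unused_days} days: disable"))
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=rotate_days):
                findings.append((user, f"AK{n} older than {rotate_days} days: rotate"))
    return findings
```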
Best practice sharing: a minimal configuration that maintains the most basic security and O&M convenience of an enterprise cloud account.
IT governance model room for start-ups
The model room for start-ups is a minimal configuration that maintains the most basic security and O&M convenience of an enterprise cloud account and reduces the cloud risks that grow as a start-up scales up, so that start-ups can quickly achieve the following goals:
- Main account security
- Authority controllable
- Network isolation
It can also be enabled quickly through console operations, Terraform code or CLI code.
This article is original content of Alibaba Cloud and may not be reproduced without permission.