Root Account Access Keys Existence

Risk Level: High (act today)

To secure your Alibaba Cloud environment and adhere to security best practices, ensure that the Alibaba Cloud root account is not using access keys to perform API requests to access cloud resources or billing information. Trend Vision One™ recommends removing any existing root account key pairs and using individual RAM users instead to access resources within your cloud account.

Security

Having access to your root account key pair grants individuals unrestricted access to all your Alibaba Cloud services and resources, including sensitive billing information. Eliminating these credentials from your root account will significantly reduce the likelihood of unauthorized access to your cloud resources.


Audit

To determine the existence of your Alibaba Cloud root account access keys, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under RAM, choose Overview.

04 In the Security Check section, ensure that the No AK for Root Account feature status is set to Finished. If the No AK for Root Account status is not set to Finished, your Alibaba Cloud root account is configured with access keys (AKs), and your root access configuration fails to adhere to cloud security best practices for safeguarding against unauthorized access.

Using Alibaba Cloud CLI

01 Run the GenerateCredentialReport command (OSX/Linux/UNIX) with custom output filters to generate the credential report for your Alibaba Cloud account. A credential report is a CSV document that lists all the existing users (root and RAM users) and the current status of their access credentials:

aliyun ims GenerateCredentialReport \
  --output cols=State

02 The command output should return the request status:

State
-----
COMPLETED

03 Run the GetCredentialReport command (OSX/Linux/UNIX) to obtain the credential report for your Alibaba Cloud account, generated at the previous step:

aliyun ims GetCredentialReport \
  --output cols=Content

04 The command output should return the requested document in a TEXT/CSV format. The document is encoded with the Base64 encoding scheme, as shown in the example below:

Content
-------
abcdabcdabcdabcdabcdabcd ... abcdabcdabcdabcdabcdabcd

05 Decode the credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step. In the following example, the report is decoded and saved to a file named tm-credentials-report.csv:

echo "abcdabcdabcdabcdabcdabcd ... abcdabcdabcdabcdabcdabcd" | base64 -d > tm-credentials-report.csv

06 Open tm-credentials-report.csv in a TEXT/CSV editor and check the value in the accesskey[n]_exist and additional_accesskey[n]_exist columns for the <root> user, where [n] is the number of the existing key pair. If the value set for the accesskey[n]_exist and additional_accesskey[n]_exist attributes is TRUE, your Alibaba Cloud root account is configured with access keys, and your root access configuration fails to adhere to cloud security best practices for safeguarding against unauthorized access.
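
Steps 05 and 06 can be scripted so the check is repeatable in a scheduled audit. The script below is an added example, not part of the original page: the function names, exit codes and sample report are assumptions, and the key columns are matched by pattern because the exact header spelling is assumed from the accesskey[n]_exist naming given above.

```shell
#!/usr/bin/env bash
# Added example: steps 05-06 as a repeatable check. Not from the original page.

# Constructed sample report (not real account data). Header names follow the
# page's accesskey[n]_exist / additional_accesskey[n]_exist pattern (assumed).
sample_report() {
  cat <<'EOF'
user,password_exist,mfa_active,accesskey1_exist,accesskey2_exist,additional_accesskey1_exist
<root>,TRUE,TRUE,FALSE,TRUE,FALSE
alice,TRUE,FALSE,TRUE,FALSE,FALSE
EOF
}

# Reads the Base64 "Content" value on stdin, decodes it, and prints every key
# *_exist column that is TRUE on the <root> row.
# Exit status: 0 = root has no keys, 1 = root has keys, 2 = no <root> row
# (undecodable input, empty report, or unexpected layout).
# Assumes the user name is the first column and fields contain no commas.
root_access_keys() {
  base64 -d 2>/dev/null | tr -d '\r' | awk -F',' '
    { gsub(/"/, "") }                      # tolerate quoted fields
    NR == 1 {                              # header: remember key columns
      for (i = 1; i <= NF; i++)
        if (tolower($i) ~ /^(additional_)?access_?key_?[0-9]+_exist$/)
          keycol[i] = $i
      next
    }
    $1 == "<root>" {                       # the root account row
      seen = 1
      for (i = 1; i <= NF; i++)
        if ((i in keycol) && toupper($i) == "TRUE") { print keycol[i]; found = 1 }
    }
    END { if (!seen) exit 2; exit (found ? 1 : 0) }
  '
}

# Demo on the constructed sample, encoded the way step 04 returns it.
sample_report | base64 | root_access_keys \
  && echo "PASS: no root account access keys" \
  || echo "FAIL: root account has access keys (columns listed above)"
```

Pipe the Base64 string returned at step 04 into root_access_keys; exit status 2 means the report could not be read and should be treated as an unverified result, not as a pass.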

Remediation / Resolution

To remove the access keys created for your Alibaba Cloud root account, perform the following operations:

Deleting the root account access keys via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account using the root account credentials.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under RAM, choose Overview.

04 In the Security Check section, choose No AK for Root Account, and select Set Now to access the root account access keys settings.

05 In the Note confirmation box, choose Use Current AccessKey Pair to confirm using the access keys created for your Alibaba Cloud root account.

06 Choose the access key that you want to remove and select Disable in the Actions column to disable (decommission) the selected key pair. Select Disable to confirm the operation.

07 Choose Delete in the Actions column to remove the selected key pair from your Alibaba Cloud account. In the Delete confirmation box, enter the AccessKey ID, and select Delete to confirm the key pair removal.

08 Repeat steps no. 6 and 7 to remove all key pairs from your Alibaba Cloud root account.

Publication date Apr 26, 2024