Root Account Usage

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Alibaba Cloud root account is not used to access cloud services and resources. To follow security best practices, Trend Vision One™ recommends locking down the use of the root account and no longer using the root credentials for everyday access. This Trend Vision One™ - Cloud Posture rule checks whether the root account credentials have been used within the configured time frame, to enforce best practices for user access inside your Alibaba Cloud organization.

Security

An Alibaba Cloud account (the account owner identity, often referred to as the "root" account) has full control over every resource in the account and, unlike a RAM user, cannot be restricted by RAM permission policies, so using it for day-to-day work is strongly discouraged. Locking down root account usage is crucial for keeping your cloud account safe: anyone holding the root credentials has unrestricted access to all your cloud resources, including billing information, and can change the root password. To avoid root account usage, we recommend implementing the Principle of Least Privilege (POLP) by creating RAM users with specific permissions for everyday tasks.


Audit

To determine if your Alibaba Cloud root account has been used to access cloud services and/or resources, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under RAM, choose Overview.

04 In the Security Check section, choose Download User Credential Report to download the credential report for your Alibaba Cloud account. A credential report is a CSV document that lists all the existing users (including the root account user) and the current status of their access credentials.

05 Open the credential report file in a TEXT/CSV editor and check the date-time value (timestamp) in the user_last_logon column for the root account's row (the entry that represents the Alibaba Cloud account itself rather than a RAM user) to determine when the root account credentials were last used. If the root account credentials have been used within the time frame configured for this rule to access cloud services and/or resources, your Alibaba Cloud root account usage is not minimized.

06 To receive alert notifications for Alibaba Cloud root account usage, create and configure an alarm that is triggered each time the root account is used (see the related Conformity rule for the detailed steps).

Using Alibaba Cloud CLI

01 Run GenerateCredentialReport command (OSX/Linux/UNIX) with custom output filters to generate the credential report for your Alibaba Cloud account. A credential report is a CSV document that lists all the users available in your cloud account and the current status of their access credentials. Report generation is asynchronous: if the returned State is CREATING rather than COMPLETED, repeat the command until the report is ready:

aliyun ims GenerateCredentialReport \
  --output cols=State

02 The command output should return the report generation state:

State
-----
COMPLETED

03 Run GetCredentialReport command (OSX/Linux/UNIX) to obtain the credential report for your Alibaba Cloud account, generated at the previous step:

aliyun ims GetCredentialReport \
  --output cols=Content

04 The command output should return the requested document in a TEXT/CSV format. The document is encoded with the Base64 encoding scheme, as shown in the example below:

Content
-------
abcdabcdabcdabcdabcdabcd ... abcdabcdabcdabcdabcdabcd

05 Decode the credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step. In the following example, the report is decoded and saved to a file named tm-credentials-report.csv:

echo "abcdabcdabcdabcdabcdabcd ... abcdabcdabcdabcdabcdabcd" | base64 -d > tm-credentials-report.csv

06 Open tm-credentials-report.csv in a TEXT/CSV editor and check the value in the user_last_logon column for the root account's row (the entry that represents the Alibaba Cloud account itself rather than a RAM user) to determine when the root account credentials were last used. If the root account credentials have been used within the time frame configured for this rule to access cloud services and/or resources, your Alibaba Cloud root account usage is not minimized.
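The CLI audit above, automated end to end as an added example (this script is not part of the original page or of Alibaba Cloud's tooling): it polls GenerateCredentialReport until the report is COMPLETED, downloads and Base64-decodes it, then compares the root row's user_last_logon against a cutoff timestamp. It assumes that the report's first column is named user, that the account owner appears in it as <root>, and that user_last_logon holds an ISO 8601 UTC timestamp (or a placeholder such as N/A when the root account has never logged on); the embedded sample report is constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the original page): pull the Alibaba Cloud credential
# report with the aliyun CLI and flag root-account use after a cutoff date.
# Assumptions: the report's first column is "user", the account owner is listed
# as "<root>", and user_last_logon is an ISO 8601 UTC timestamp or a placeholder.

ROOT_USER='<root>'

# fetch_report FILE: request a fresh report, wait until IMS reports COMPLETED,
# then download and Base64-decode it into FILE (same calls as the manual steps).
fetch_report() {
  while :; do
    state=$(aliyun ims GenerateCredentialReport --output cols=State | tail -n 1)
    case "$state" in
      COMPLETED) break ;;
      CREATING)  sleep 2 ;;
      *) echo "unexpected GenerateCredentialReport state: '$state'" >&2; return 1 ;;
    esac
  done
  aliyun ims GetCredentialReport --output cols=Content | tail -n 1 | base64 -d > "$1"
}

# root_last_logon FILE: print the user_last_logon value of the root row, locating
# both columns by header name so the column order in the report does not matter.
root_last_logon() {
  awk -F, -v who="$ROOT_USER" '
    NR == 1 {
      for (i = 1; i <= NF; i++) { if ($i == "user") u = i; if ($i == "user_last_logon") l = i }
      next
    }
    u && l && $u == who { print $l; exit }
  ' "$1"
}

# root_used_since FILE CUTOFF: exit 0 when the root account logged on at or after
# CUTOFF. ISO 8601 UTC timestamps order chronologically as plain strings, which
# avoids non-portable date arithmetic between GNU and BSD userlands.
root_used_since() {
  last=$(root_last_logon "$1")
  case "$last" in
    [0-9]*) ;;        # looks like a timestamp
    *) return 1 ;;    # empty or a placeholder such as N/A: never used
  esac
  awk -v a="$last" -v b="$2" 'BEGIN { exit !(a >= b) }'
}

# sample_report: constructed credential report for offline testing (not real data).
sample_report() {
  cat <<'EOF'
user,user_creation_time,user_last_logon
<root>,2022-01-10T08:00:00Z,2024-04-20T09:30:00Z
tm-project-admin,2024-02-19T18:55:20Z,2024-04-25T07:12:00Z
EOF
}

# Live run against the real account:
#   RUN_AUDIT=1 ROOT_CUTOFF=2024-03-27T00:00:00Z sh root-usage.sh
if [ "${RUN_AUDIT:-0}" = 1 ]; then
  report=$(mktemp)
  fetch_report "$report"
  if root_used_since "$report" "$ROOT_CUTOFF"; then
    echo "FAIL: root account last used $(root_last_logon "$report") (cutoff $ROOT_CUTOFF)"
  else
    echo "PASS: no root account logon since $ROOT_CUTOFF"
  fi
  rm -f "$report"
fi
```

Derive the cutoff from the time frame configured for the rule, for example with GNU date: ROOT_CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ). The state check in fetch_report deliberately treats anything other than COMPLETED or CREATING (including an empty string when the CLI fails) as an error instead of looping forever.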

Remediation / Resolution

To avoid root account usage, we recommend creating less privileged users with specific permissions tailored to their needs. The user permissions should be assigned through RAM groups to unify permissions management to a single, flexible layer, consistent with organizational functional roles. In this way, the likelihood of excessive permissions is greatly reduced. To create the RAM users necessary for everyday access and implement the required permissions through RAM groups only, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, select Users.

04 Choose Create User to create a new user for everyday access. On the Create User setup page, specify a Logon Name, a Display Name, and select the appropriate Access Mode (Console Access and/or OpenAPI Access). For Console Access, configure any required settings, then choose OK to create your new RAM user.

05 In the left navigation panel, under Identities, choose Groups.

06 Choose Create User Group, specify a Group Name, a Display Name, and enter a short description in the Note box. Choose OK to create your new RAM group.

07 Click on the name (link) of the newly created RAM group, and perform the following actions:

  1. Select the Permissions tab, choose Grant Permission, and select the permissions policies required to provide access to the group members. Follow the Principle of Least Privilege (POLP) and give the group members the minimal amount of access required to perform their tasks. You can configure permissions that relate to job functions such as administrators, developers, and testers, and add users to the group as needed. All the RAM users added to this group (i.e. group members) will inherit the permissions assigned to the group at this step. Choose OK to apply the necessary permissions and select Complete to finish the setup process.
  2. Select the Group Members tab, choose Add Group Members, and select the RAM user created at step no. 4. Choose OK to save the changes and select Done to return to the RAM console.

Using Alibaba Cloud CLI

01 Run CreateUser command (OSX/Linux/UNIX) to create a new Resource Access Management (RAM) user for everyday access:

aliyun ram CreateUser \
  --UserName 'tm-project-admin' \
  --DisplayName 'Project Admin'

02 The command output should return the RAM user configuration information:

{
	"User": {
		"CreateDate": "2024-02-19T18:55:20Z",
		"DisplayName": "Project Admin",
		"Email": "tm-admins@domain.com",
		"MobilePhone": "",
		"UserId": "123456789012345678",
		"UserName": "tm-project-admin"
	},
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

03 Run CreateGroup command (OSX/Linux/UNIX) to create the necessary RAM group for your user:

aliyun ram CreateGroup \
  --GroupName tm-project-admins

04 The command output should return the RAM group configuration information:

{
	"Group": {
		"GroupName": "tm-project-admins",
		"Comments": "",
		"CreateDate": "2024-02-19T19:15:20Z",
		"GroupId": "g-ABCD1234ABCD1234"
	},
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

05 Run AttachPolicyToGroup command (OSX/Linux/UNIX) to attach the permissions policies required to provide access to the group members. Follow the Principle of Least Privilege (POLP) and give the group members the minimal amount of access required to perform their tasks. You can configure permissions that relate to job functions such as administrators, developers, and accounting, and add users to the group as needed. All the group members will inherit the permissions assigned to the RAM group at this step. The AliyunECSFullAccess system policy used below grants full control over ECS and is shown only as an example; in practice, prefer a narrower system policy or a custom policy scoped to the actions and resources the group actually needs. Run the AttachPolicyToGroup command for each access policy that you want to attach to your user group:

aliyun ram AttachPolicyToGroup \
  --GroupName tm-project-admins \
  --PolicyName AliyunECSFullAccess \
  --PolicyType System

06 The command output should return the ID of the request:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

07 Run AddUserToGroup command (OSX/Linux/UNIX) to add the RAM user created at step no. 1 to your new user group. The user will automatically inherit the RAM group policies:

aliyun ram AddUserToGroup \
  --GroupName tm-project-admins \
  --UserName tm-project-admin

08 If successful, the command output should return the ID of the request:

{"RequestId":"1234ABCD-1234-ABCD-1234-ABCD1234ABCD"}
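The CLI remediation above, collected into one script as an added example (not part of the original page or of Alibaba Cloud's tooling). It goes one step further than the steps above: instead of attaching the broad AliyunECSFullAccess system policy, it creates a custom RAM policy limited to a few ECS instance actions and attaches that, then verifies the result with ListPoliciesForGroup and ListUsersForGroup. The user, group and policy names, and the action list in the policy document, are assumptions chosen for illustration; DRY_RUN=1 prints the aliyun commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original page): create a RAM user for everyday
# access, a RAM group carrying a custom least-privilege policy, and verify it.
# Names and the policy scope are illustrative assumptions.

USER_NAME=tm-project-admin
GROUP_NAME=tm-project-admins
POLICY_NAME=tm-ecs-instance-operator

# aliyun_cmd ARGS...: run the aliyun CLI, or with DRY_RUN=1 print the command
# (arguments are printed unquoted, which is enough to review the call sequence).
aliyun_cmd() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'aliyun %s\n' "$*"
  else
    aliyun "$@"
  fi
}

# policy_document: RAM policy (Version "1" syntax) that allows only listing,
# starting, stopping and rebooting ECS instances, in place of AliyunECSFullAccess.
policy_document() {
  cat <<'EOF'
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:StartInstance",
        "ecs:StopInstance",
        "ecs:RebootInstance"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# setup_everyday_access: the remediation steps, with the custom policy attached
# to the group (PolicyType Custom) so every member inherits exactly that scope.
# CreatePolicy fails if a policy with the same name already exists; delete or
# rename it before re-running.
setup_everyday_access() {
  aliyun_cmd ram CreateUser --UserName "$USER_NAME" --DisplayName 'Project Admin'
  aliyun_cmd ram CreateGroup --GroupName "$GROUP_NAME"
  aliyun_cmd ram CreatePolicy --PolicyName "$POLICY_NAME" --PolicyDocument "$(policy_document)"
  aliyun_cmd ram AttachPolicyToGroup --GroupName "$GROUP_NAME" --PolicyName "$POLICY_NAME" --PolicyType Custom
  aliyun_cmd ram AddUserToGroup --GroupName "$GROUP_NAME" --UserName "$USER_NAME"
}

# verify_group: confirm what the group grants and who inherits it.
verify_group() {
  aliyun_cmd ram ListPoliciesForGroup --GroupName "$GROUP_NAME"
  aliyun_cmd ram ListUsersForGroup --GroupName "$GROUP_NAME"
}

# Live run: RUN_SETUP=1 sh everyday-access.sh   (add DRY_RUN=1 to preview)
if [ "${RUN_SETUP:-0}" = 1 ]; then
  setup_everyday_access
  verify_group
fi
```

Attaching the policy to the group rather than to the user keeps permissions management in one place, as the text above recommends; a second engineer only needs AddUserToGroup, and revoking access is RemoveUserFromGroup rather than a policy audit per user.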


Publication date Apr 26, 2024