Alibaba Cloud Keys
Service Name: Alibaba Cloud (Aliyun)
Service Description: Alibaba Cloud provides a comprehensive suite of cloud computing services globally, including elastic computing, database services, storage, network virtualization, large-scale computing, security, and management services.
Service Address: https://www.alibabacloud.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the RAM (Resource Access Management) level through security policies.
Secret Access Scope: Grants programmatic access to Alibaba Cloud resources and services based on the permissions assigned to the associated RAM user or role.
Secret Revokement URL: https://www.alibabacloud.com/help/en/resource-access-management/latest/delete-an-accesskey-pair
Secret Example: LTAIxxxxxxxxxxxxxxxx (Access Key ID), xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Access Key Secret)
Suspicious Activity Investigation Instructions:
- Review ActionTrail logs for unusual API calls or resource access patterns
- Check the Alibaba Cloud Console for unexpected resource creation or modification
- Monitor for unauthorized service usage or unusual traffic patterns
- Examine billing information for unexpected charges or resource usage
- Verify IP addresses that have used the access key against expected access patterns
Mitigation Instructions:
- Log in to the Alibaba Cloud Console
- Navigate to the RAM console (Resource Access Management)
- Select the affected RAM user
- Go to the "Authentication" tab and locate the "AccessKey" section
- Click "Disable" to temporarily disable the compromised access key
- Click "Delete" to permanently remove the compromised access key
- Create a new access key pair if needed
- Update all legitimate applications with the new access key
- Review and tighten RAM policies to enforce the Principle of Least Privilege.
- Consider implementing STS (Security Token Service) for temporary credentials instead of long-term access keys