Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI

RAM User Access Keys Rotation

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (act today)
Rule ID: AlibabaCloud-RAM-009

Ensure that your RAM user access keys are rotated every 90 days or less in order to decrease the likelihood of accidental exposures and protect your Alibaba Cloud resources against unauthorized access.

Security

Rotating RAM user credentials periodically will significantly reduce the chances that a compromised set of access keys can be used without your knowledge to access certain components and resources within your Alibaba Cloud account.

Audit

To determine if your Alibaba Cloud RAM users have any outdated access keys, perform the following operations:

Using Alibaba Cloud Console

  1. Sign in to your Alibaba Cloud account.

  2. Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

  3. In the left navigation panel, under Identities, choose Users.

  4. Click on the name (link) of the RAM user that you want to examine, listed in the User Logon Name/Display Name column.

  5. Select the Authentication tab to access the authentication configuration information available for the selected user.

  6. Check the resource creation date, listed in the Created At column, for each active access key available in the User AccessKeys section to determine the key age. An active access key has the Status set to enabled. If an active key is older than 90 days, the access key is outdated and needs to be re-created in order to secure the access to your Alibaba Cloud resources.

  7. Repeat steps no. 4 – 6 for each RAM user available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

  1. Run ListUsers command (OSX/Linux/UNIX) with custom output filters to list the name of each RAM user available within your Alibaba Cloud account:

    aliyun ram ListUsers
  --output cols=UserName

  2. The command output should return a list with the requested RAM user identifiers:

    UserName
--------
tm-project-admin
tm-project-developer

  3. Run GetUser command (OSX/Linux/UNIX) with the name of the Resource Access Management (RAM) user that you want to examine as the identifier parameter, to describe the access keys created for the selected RAM user:

    aliyun ram ListAccessKeys
  --UserName tm-project-admin

    The command output should return the information available for each user access key. If the "AccessKey" attribute is empty (i.e. []), no access key exists:

    {
	"AccessKeys": {
		"AccessKey": [
			{
				"Status": "Active",
				"AccessKeyId": "ABCD1234ABCD1234ABCD1234",
				"CreateDate": "2023-07-10T10:50:06Z"
			},
			{
				"Status": "Active",
				"AccessKeyId": "1234ABCD1234ABCD1234ABCD",
				"CreateDate": "2023-07-18T20:54:58Z"
			}
		]
	},
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

    Check the "CreateDate" attribute value (timestamp) for each active access key returned by the ListAccessKeys command output to determine the key age. An active access key has the "Status" attribute set to "Active". If an active key is older than 90 days, the access key is outdated and needs to be re-created in order to secure the access to your Alibaba Cloud resources.

  4. Repeat steps no. 3 and 4 for each RAM user available within your Alibaba Cloud account.

Remediation / Resolution

To rotate (re-create) your outdated Resource Access Management (RAM) user access keys, perform the following operations:

Using Alibaba Cloud Console

  1. Sign in to your Alibaba Cloud account.

  2. Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

  3. In the left avigation panel, under Identities, choose Users.

  4. Click on the name (link) of the inactive RAM user that you want to configure, listed in the User Logon Name/Display Name column.

  5. Select the Authentication tab to access the authentication configuration information available for the selected user.

  6. Choose Create AccessKey from the User AccessKeys section to create a new set of access keys required for key rotation. If the RAM user has two access keys and the Create AccessKey button is not active, follow the instructions outlined at step no. 9 to remove the outdated key first.

  7. In the Create AccessKey confirmation box, choose Download CSV File to save the new access key ID and secret access key to a CSV file on your device or copy the AccessKey ID and AccessKey Secret strings to a text file. Alibaba Cloud will not provide access to the new secret access key again once the Create AccessKey confirmation box is closed so make sure that you save your credentials in a safe location before you close the box. Choose OK to return to the RAM console.

  8. Update all your applications and systems to replace the outdated access key ID and secret access key with the new ones created at the previous step.

  9. Once the new access key is validated, return to the RAM console, identify the outdated access key under User AccessKeys, and choose Disable to change the state of the selected key to disabled. In the Disable confirmation box, choose Disable to decommission the selected key.

  10. Test all your applications and systems to make sure that the new key pair is working as expected. Confirm that your new access key is working.

  11. Once you are sure that your applications and systems are no longer using the original access key, return to the RAM console, identify the disabled access key, and choose Delete to remove the selected key. In the Delete confirmation box, enter the key ID and choose Move to Recycle Bin to move the selected key to the recycle bin.

  12. Repeat steps no. 4 – 11 for each outdated RAM user access key available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

  1. Run CreateAccessKey command (OSX/Linux/UNIX) to create a new set of access keys for the selected RAM user, required for key rotation:

    aliyun ram CreateAccessKey
  --UserName tm-project-admin

  2. The command output should return the access key information:

    {
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"AccessKey": {
		"Status": "Active",
		"AccessKeyId": "1234ABC01234ABC01234ABC0",
		"AccessKeySecret": "abcd1234abcd1234abcd1234abcd1a",
		"CreateDate": "2024-01-20T10:08:54Z"
	}
}

  3. Update all your applications and systems to replace the outdated access key ID and secret access key with the new ones created at the previous steps.

  4. Run UpdateAccessKey command (OSX/Linux/UNIX) to disable (decommission) the outdated access key:

    aliyun ram UpdateAccessKey
  --UserName tm-project-admin
  --UserAccessKeyId ABCD1234ABCD1234ABCD1234
  --Status Inactive

  5. If successful, the output should return the command request ID:

    {"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

  6. Test all your applications and systems to make sure that the new key pair is working as expected. Confirm that your new access key is working.

  7. Once you are sure that your applications and systems are no longer using the original access key, run DeleteAccessKey command (OSX/Linux/UNIX) to delete the outdated access key:

    aliyun ram DeleteAccessKey
  --UserName tm-project-admin
  --UserAccessKeyId ABCD1234ABCD1234ABCD1234

  8. If successful, the output should return the command request ID:

    {"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

  9. Repeat steps no. 1 - 8 for each outdated RAM user access key available within your Alibaba Cloud account.

References

Publication date Feb 23, 2024

Related AlibabaCloud-RAM rules