Alibaba Cloud Secret Access Key

ID

alicloud_secret

Severity

critical

Vendor

Alibaba Cloud

Family

API Token

Description

Alibaba Cloud (also AliCloud or Aliyun) uses access keys for programmatic calls to Alibaba Cloud APIs and for authentication in the Alibaba Cloud command-line interface. An access key is a pair (Access Key ID, Secret Key) where the Access Key ID (like LTAI5tMYCr1pxcx4vz2o7riE) acts as the username and the Secret Key (like vtAZaFH4CqJcqFj5oyyuRobivPNK8p) acts as the password.

Access keys are managed by the Resource Access Management (RAM) service.

Security

Any leakage of the Secret Access Key is critical, especially when the AccessKey ID is also leaked. With both halves of the access key pair, a threat actor can access any cloud resource the key owner is allowed to use.

Examples

The following example shows a hardcoded Alibaba Cloud access key (id and secret) in a shell script:

export ALIYUN_SECRET_ACCESS_KEY=vtAZaFH4CqJcqFj5oyyuRobivPNK8p
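As an added example (not code from the original page), the following Python detector flags hard-coded Alibaba Cloud access keys in text such as the shell script above. It assumes, based only on the sample values on this page, that AccessKey IDs are `LTAI` followed by 20 alphanumerics and that secrets are 30 alphanumerics assigned to a variable whose name contains `SECRET`; the variable name `ALIYUN_ACCESS_KEY_ID` and the sample script are constructed for the demonstration.

```python
"""Added example: minimal detector for hard-coded Alibaba Cloud access keys.

Assumptions (derived from the sample values on the page, not stated by it):
  - AccessKey IDs are "LTAI" followed by 20 alphanumeric characters (24 total).
  - AccessKey secrets are 30 alphanumeric characters and are usually assigned
    to a variable whose name contains SECRET (e.g. ALIYUN_SECRET_ACCESS_KEY);
    requiring that name keeps random 30-char tokens from becoming false positives.
"""
import re
from dataclasses import dataclass
from typing import List

# Access Key ID: LTAI + 20 alphanumerics, as a whole word.
ACCESS_KEY_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{20}\b")

# Secret: <name containing SECRET> = or : <30 alphanumerics>, optionally quoted.
SECRET_ASSIGN_RE = re.compile(
    r"""(?i)\b[A-Z_]*SECRET[A-Z_]*\s*[=:]\s*['"]?([A-Za-z0-9]{30})['"]?(?=\s|$)"""
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str    # "access_key_id" or "secret"
    masked: str  # the value is never reported in full


def mask(value: str) -> str:
    """Keep the first and last four characters so a finding can be matched to a key."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str) -> List[Finding]:
    """Scan every line (including commented-out ones: they leak just the same)."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id", mask(m.group(0))))
        for m in SECRET_ASSIGN_RE.finditer(line):
            findings.append(Finding(line_no, "secret", mask(m.group(1))))
    return findings


# Constructed sample: the page's shell script plus a matching ID line and a benign line.
SAMPLE_SCRIPT = """#!/bin/sh
export ALIYUN_ACCESS_KEY_ID=LTAI5tMYCr1pxcx4vz2o7riE
export ALIYUN_SECRET_ACCESS_KEY=vtAZaFH4CqJcqFj5oyyuRobivPNK8p
export APP_ENV=production
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SCRIPT):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

The masked form is what should reach logs or tickets; the full value is only needed to identify the key in RAM, and that lookup is done by ID, which is the non-secret half.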

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires rotating the secret in the target system(s). First you need to know which user owns the access key; you may use the AliCloud web console or the aliyun command-line tool. The detailed rotation procedure is as follows:

    1. Create a new access key for the user:

      • AliCloud console: Follow the Create an AccessKey pair documentation: go to the AliCloud Console as the AliCloud RAM administrator, navigate to Identities/Users, click on the user that owns the key, and in the AccessKey section (where the user's AccessKey pairs are listed) click Create Access Key, then copy the ID and Secret shown (they will not be visible later).

      • aliyun:

        # Create a new access key for the user
        aliyun ram CreateAccessKey --UserName [RamUserName]
        # Take note of the new AccessKeyID and AccessKeySecret...

        If the owner user is not known, you may use the aliyun tool to find the user that owns the leaked key:

        aliyun ram ListUsers | jq -r '.Users.User[].UserName' | while read username; do
          echo "Checking user: $username"
          aliyun ram ListAccessKeys --UserName "$username"
        done
    2. Delete the leaked access key:

      • AliCloud console: Follow the Delete an AccessKey pair documentation: in the same AccessKey section as before, find the leaked access key and click Delete in the Actions column. In the Delete confirmation dialog box, copy the AccessKey ID that you want to delete and click Delete.

        Do not merely disable the key. Disabled keys can be re-enabled later; a leaked key must be deleted and never reused.
      • aliyun:

        # Look for the AccessKey ID of the user that owns the key
        aliyun ram ListAccessKeys --UserName [RamUserName]
        # Delete the AccessKey
        aliyun ram DeleteAccessKey --UserName [RamUserName] --UserAccessKeyId [YourAccessKeyId]
  2. Create a new access key. Take note of the new key ID and secret for the next step.

    • AliCloud console: In the same user access keys section, click Create Access Key and copy the ID and Secret shown (they will not be visible later).

    • aliyun:

      # Create a new access key for the user
      aliyun ram CreateAccessKey --UserName [RamUserName]
      # Take note of the new AccessKeyID and AccessKeySecret...
  3. Remove the Access Key from the source code or committed configuration file. Replace the hard-coded key with the new one, using a more secure alternative, such as one of the options documented in How to Prevent Hard-Coded Secrets.

  4. (Optionally) If the file lives in a git repository, you may remove the affected files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.
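The rotation steps above (find the owner, create a replacement, delete the leaked key) as one script, added here as an example and not code from the page or from Alibaba Cloud. It wraps the aliyun CLI commands the page shows and takes the CLI call as an injectable function so the flow can be exercised offline against a constructed in-memory account. Assumptions not on the page: the JSON field names `Users.User[].UserName` (which the page's jq filter uses), `AccessKeys.AccessKey[].AccessKeyId` and `AccessKey.AccessKeyId`/`AccessKeySecret` follow the RAM API responses, and the user names and the second key ID in the fake account are made up; check the field names against your CLI version before relying on them.

```python
"""Added example: drive the page's aliyun rotation procedure from Python.

Assumptions: `aliyun` is on PATH and configured for a RAM administrator;
response field names follow the RAM API (ListUsers -> Users.User[].UserName,
ListAccessKeys -> AccessKeys.AccessKey[].AccessKeyId,
CreateAccessKey -> AccessKey.{AccessKeyId,AccessKeySecret}).
"""
import json
import subprocess
from typing import Callable, Dict, List, Optional

Runner = Callable[[List[str]], Dict]


def run_aliyun(args: List[str]) -> Dict:
    """Run `aliyun ram <args>` and parse its JSON output (real CLI path)."""
    proc = subprocess.run(["aliyun", "ram", *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def find_key_owner(leaked_key_id: str, run: Runner = run_aliyun) -> Optional[str]:
    """Walk every RAM user and return the one whose key list contains the leaked ID."""
    users = run(["ListUsers"]).get("Users", {}).get("User", [])
    for user in users:
        name = user["UserName"]
        keys = run(["ListAccessKeys", "--UserName", name]).get("AccessKeys", {}).get("AccessKey", [])
        if any(k["AccessKeyId"] == leaked_key_id for k in keys):
            return name
    return None


def rotate_leaked_key(leaked_key_id: str, run: Runner = run_aliyun) -> Dict:
    """Create the replacement first, then delete (never just disable) the leaked key."""
    owner = find_key_owner(leaked_key_id, run)
    if owner is None:
        raise LookupError(f"no RAM user owns access key {leaked_key_id}")
    new_key = run(["CreateAccessKey", "--UserName", owner])["AccessKey"]
    run(["DeleteAccessKey", "--UserName", owner, "--UserAccessKeyId", leaked_key_id])
    return {
        "owner": owner,
        "new_key_id": new_key["AccessKeyId"],
        "new_key_secret": new_key["AccessKeySecret"],  # hand this to the secret store, never log it
        "deleted_key_id": leaked_key_id,
    }


class FakeAliyun:
    """Constructed stand-in for the CLI: an in-memory RAM account (names and keys are made up)."""

    def __init__(self) -> None:
        self.users = {"deploy-bot": ["LTAI5tMYCr1pxcx4vz2o7riE"], "alice": ["LTAIconstructedAAAAAAAAA"]}
        self.calls: List[str] = []

    def __call__(self, args: List[str]) -> Dict:
        self.calls.append(args[0])
        if args[0] == "ListUsers":
            return {"Users": {"User": [{"UserName": u} for u in self.users]}}
        if args[0] == "ListAccessKeys":
            keys = self.users[args[2]]
            return {"AccessKeys": {"AccessKey": [{"AccessKeyId": k, "Status": "Active"} for k in keys]}}
        if args[0] == "CreateAccessKey":
            new_id = "LTAInew" + "0" * 17  # constructed ID of the page's LTAI+20 shape
            self.users[args[2]].append(new_id)
            return {"AccessKey": {"AccessKeyId": new_id, "AccessKeySecret": "constructed-secret", "Status": "Active"}}
        if args[0] == "DeleteAccessKey":
            self.users[args[2]].remove(args[4])
            return {}
        raise ValueError(f"unexpected command {args}")


if __name__ == "__main__":
    result = rotate_leaked_key("LTAI5tMYCr1pxcx4vz2o7riE", FakeAliyun())
    print({k: v for k, v in result.items() if k != "new_key_secret"})
```

Ordering is the point: the new key exists before the old one is removed, so the owner's workloads can be switched over without an outage, and the leaked key ends up deleted rather than disabled.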

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.