Prohibit RAM users from creating Linux instances with password logon


To mitigate security risks from password exposure, we recommend that you configure a custom policy to prohibit RAM users from creating Linux instances with password logon. This ensures that users can create only instances with SSH key pair logon.

Background

When you create an ECS instance, you may be tempted to set a simple, easy-to-remember password, such as "Test123456!" or "Password!". Such passwords are easy for attackers to guess using a brute-force or dictionary attack. Even if you use a complex password, you might reuse it across multiple systems. If the password for one system is compromised, an attacker can use the leaked password to log on to other systems, which increases your security risks.

Alibaba Cloud recommends that you use an SSH key pair for logon when you create an ECS instance. An SSH key pair is far more secure than a conventional password. It is computationally infeasible to derive the private key from the public key, which effectively eliminates the threat of brute-force attacks. We also recommend that you connect to your instances using Session Manager. Session Manager is a feature of Cloud Assistant that allows you to connect to instances without using an instance password or an SSH key pair, which makes it more secure than conventional logon methods.

Procedure

This topic provides an example of how to prohibit a RAM user named Alice from creating a Linux instance with password logon.

  1. In the RAM console, create a RAM user named Alice.

    For more information, see Create a RAM user.

  2. In the RAM console, create a policy named ecs-password-control. On the JSON tab, enter the following policy:

    Note

    This policy denies the creation of Linux instances with custom passwords. It also prevents you from setting a password by resetting the instance password or replacing the system disk.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:RunInstances",
            "ecs:CreateInstance",
            "ecs:ReplaceSystemDisk"
          ],
          "Resource": "*",
          "Condition": {
            "Bool": {
              "ecs:PasswordCustomized": [
                "true"
              ]
            },
            "StringEquals": {
              "ecs:ImagePlatform": "linux"
            }
          },
          "Effect": "Deny"
        },
        {
          "Action": [
            "ecs:CreateOrder",
            "ecs:ModifyInstanceAttribute",
            "ecs:InvokeCommand",
            "ecs:AttachDisk"
          ],
          "Resource": "*",
          "Condition": {
            "Bool": {
              "ecs:PasswordCustomized": [
                "true"
              ]
            }
          },
          "Effect": "Deny"
        }
      ]
    }

  3. Create another policy named ecs-admin. On the JSON tab, enter the following policy:

    Note

    This policy grants permissions to manage ECS, including purchasing, managing, and viewing ECS instances. This policy simulates an ECS administrator. You can modify the policy to meet your needs.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecs:*",
            "ecs-workbench:*",
            "vpc:CheckCanAllocateVpcPrivateIpAddress",
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches",
            "bss:ModifyAgreementRecord",
            "bss:DescribeOrderList",
            "bss:DescribeOrderDetail",
            "bss:PayOrder",
            "bss:CancelOrder"
          ],
          "Resource": "*"
        }
      ]
    }

  4. In the RAM console, grant permissions to the RAM user Alice.

    For Authorization Scope, select Account Level. For Principal, select the RAM user (Alice). For the policy, select the custom policies that you created in the previous steps (ecs-password-control and ecs-admin). For more information, see Manage permissions for RAM users.
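
How the two attached policies combine, as an added example rather than code from this topic or Alibaba Cloud's own evaluator: a simplified model in which an explicit Deny overrides the Allow from ecs-admin, and every condition in a statement must hold. The functions `evaluate` and `_condition_holds` and the request context values are hypothetical; ecs-admin is trimmed to its ECS actions, and Resource matching is omitted because both policies use "*".

```python
import fnmatch

# Policies from the page; ecs-admin is trimmed to its ECS actions for brevity.
PASSWORD_CONTROL = {"Version": "1", "Statement": [
    {"Effect": "Deny",
     "Action": ["ecs:RunInstances", "ecs:CreateInstance", "ecs:ReplaceSystemDisk"],
     "Resource": "*",
     "Condition": {"Bool": {"ecs:PasswordCustomized": ["true"]},
                   "StringEquals": {"ecs:ImagePlatform": "linux"}}},
    {"Effect": "Deny",
     "Action": ["ecs:CreateOrder", "ecs:ModifyInstanceAttribute",
                "ecs:InvokeCommand", "ecs:AttachDisk"],
     "Resource": "*",
     "Condition": {"Bool": {"ecs:PasswordCustomized": ["true"]}}},
]}
ECS_ADMIN = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:*", "ecs-workbench:*"], "Resource": "*"},
]}

def _condition_holds(condition, ctx):
    # Every operator and key must match (AND); any listed value may match (OR).
    for op, keys in condition.items():
        if op not in ("Bool", "StringEquals"):
            raise ValueError(f"operator not modelled: {op}")
        for key, wanted in keys.items():
            actual = str(ctx.get(key))  # an absent key never matches (assumption)
            allowed = [str(w) for w in (wanted if isinstance(wanted, list) else [wanted])]
            if op == "Bool":
                actual, allowed = actual.lower(), [w.lower() for w in allowed]
            if actual not in allowed:
                return False
    return True

def evaluate(policies, action, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one simulated request."""
    effects = set()
    for policy in policies:
        for st in policy["Statement"]:
            hit = any(fnmatch.fnmatchcase(action, a) for a in st["Action"])
            if hit and _condition_holds(st.get("Condition", {}), ctx):
                effects.add(st["Effect"])
    if "Deny" in effects:
        return "Deny"  # an explicit Deny overrides any Allow
    return "Allow" if "Allow" in effects else "ImplicitDeny"

if __name__ == "__main__":
    # Constructed request: Alice launches a Linux instance with a custom password.
    ctx = {"ecs:PasswordCustomized": "true", "ecs:ImagePlatform": "linux"}
    print(evaluate([PASSWORD_CONTROL, ECS_ADMIN], "ecs:RunInstances", ctx))
```

In this model the first Deny statement applies only when both conditions hold, so it is scoped to Linux images, while the second applies to any request that carries a custom password.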

Verification

Log on to the Alibaba Cloud Management Console as the RAM user Alice.

For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.

Scenario 1: Create an ECS instance with a custom password

  1. Go to the ECS instance buy page.

  2. Click the Custom Launch tab.

  3. Configure parameters such as the billing method, region, instance type, and image, and then set a custom password. For more information, see Create an instance using the wizard.

    For Login Name, select root.

  4. After you confirm the order, the instance creation fails.

Scenario 2: Reset the custom password for an existing ECS instance

  1. Go to ECS console - Instances.

  2. In the upper-left corner of the page, select a region and resource group.

  3. Find the target instance. In the Actions column, click the menu icon and choose Instance Properties > Reset Password.

  4. In the Reset Password dialog box, select Reset Online, set the required parameters, and then click OK.

    Set Login Name to root and SSH Password Logon Policy to Allowed.

  5. After you click OK, the operation fails.

Scenario 3: Replace the system disk of an existing ECS instance and set a new custom password

  1. Go to the Replace Operating System page.

    1. Go to ECS console - Instances.

    2. In the top navigation bar, select the region where the target ECS instance is located.

    3. Go to the instance details page. From the All action(s) drop-down list, click Replace System Disk.

  2. Complete the pre-replacement check.

    1. In the Replace System Disk dialog box, select Replace a system disk.

    2. The system automatically performs prechecks, which takes about 10 seconds.

      • If the success icon appears in the Precheck column, the prechecks passed.

      • If the failure icon appears in the Precheck column, the prechecks failed. Troubleshoot the issue as prompted and then try to replace the operating system again.

    3. Read the notes, select I am aware of the preceding risks and want to continue., and then click Continue to Replace Operating System.

  3. In the Replace System Disk dialog box, configure the new operating system and set a custom password. In the Security Settings section, click the Custom Password tab, select the root user, and then set and confirm the logon password.

  4. View the billing details and click Replace. The operation fails.