Prevent root user creation for Linux instances


When you create a Linux ECS instance, you can set the initial user to root or ecs-user. The root user has the highest permissions on the system. If its credentials are leaked, an attacker can gain full control of the system to delete important data, install malware, or steal sensitive information. Additionally, root user operations lack sufficient logging detail, making them difficult to track and audit. Alibaba Cloud recommends that you use ecs-user as the initial logon username for operating system images that support this standard user account. This topic describes how to use a RAM access policy to prevent a RAM user from creating Linux instances with root as the initial user.

Limitations

  • Windows instances do not support creating non-administrator users during instance creation. This access policy is not recommended if you need to create Windows instances.

  • Some Linux operating system images do not support the creation of the ecs-user standard user during instance creation. For a list of unsupported Linux image versions, see public image release notes.

Procedure

This section provides an example of how to prevent a RAM user named Alice from creating Linux ECS instances with root as the initial user.

  1. In the RAM console, create a RAM user named Alice.

    For more information, see Create a RAM user.

  2. In the RAM console, create an access policy named ecs-root-user-control. In the script editor, use the following policy content.

    Note

    This policy denies permission to select root as the logon username when you create an ECS instance. It also prevents you from resetting the credentials of the root user by replacing the system disk.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:RunInstances",
                    "ecs:CreateInstance",
                    "ecs:CreateOrder",
                    "ecs:ReplaceSystemDisk",
                    "ecs:AttachDisk",
                    "ecs:InvokeCommand"
                ],
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "ecs:LoginAsNonRoot": [
                            "false"
                        ]
                    }
                },
                "Effect": "Deny"
            }
        ]
    }

  3. Create another access policy named ecs-admin. In the script editor, use the following policy content.

    Note

    This policy grants permissions to purchase, manage, and view ECS instances. In this example, the policy simulates an ECS administrator role. You can modify the policy based on your business requirements.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecs:*",
            "ecs-workbench:*",
            "vpc:CheckCanAllocateVpcPrivateIpAddress",
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches",
            "bss:ModifyAgreementRecord",
            "bss:DescribeOrderList",
            "bss:DescribeOrderDetail",
            "bss:PayOrder",
            "bss:CancelOrder"
          ],
          "Resource": "*"
        }
      ]
    }

  4. In the RAM console, grant permissions to the RAM user Alice.

    For Authorization Scope, select Account. For Principal, select the RAM user Alice. For Policies, select the custom policies created in the previous steps: ecs-root-user-control and ecs-admin. For more information, see Grant permissions to a RAM user.
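
The combined effect of the two policies attached to Alice, shown as an added example that is not part of the original page or Alibaba Cloud's own code: a simplified Python model of policy evaluation in which an explicit Deny overrides any Allow. It models only the Action list and the Bool condition, treats Resource as "*", and assumes that a request without the ecs:LoginAsNonRoot key does not match the Deny condition; the function names are illustrative.

```python
import fnmatch

# The two policies from this page (ecs-admin abbreviated to its ECS actions).
ROOT_CONTROL = {"Version": "1", "Statement": [{
    "Effect": "Deny",
    "Action": ["ecs:RunInstances", "ecs:CreateInstance", "ecs:CreateOrder",
               "ecs:ReplaceSystemDisk", "ecs:AttachDisk", "ecs:InvokeCommand"],
    "Resource": "*",
    "Condition": {"Bool": {"ecs:LoginAsNonRoot": ["false"]}}}]}
ECS_ADMIN = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["ecs:*", "ecs-workbench:*"], "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    # "*" in a policy action is a wildcard, e.g. "ecs:*".
    return any(fnmatch.fnmatchcase(action, pattern)
               for pattern in _as_list(stmt["Action"]))


def _condition_matches(stmt, context):
    # Only the Bool operator is modelled (the only one these policies use).
    # Assumption: a key missing from the request never satisfies the condition.
    for key, expected in stmt.get("Condition", {}).get("Bool", {}).items():
        if key not in context:
            return False
        wanted = [str(v).lower() for v in _as_list(expected)]
        if str(context[key]).lower() not in wanted:
            return False
    return True


def evaluate(policies, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one simulated request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _action_matches(stmt, action) and _condition_matches(stmt, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # explicit deny wins over every allow
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

Calling `evaluate([ECS_ADMIN, ROOT_CONTROL], "ecs:RunInstances", {"ecs:LoginAsNonRoot": "false"})` returns `Deny`, while the same request with `"true"` returns `Allow`; the request contexts are constructed for illustration.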


Verify the policy

Log on to the Alibaba Cloud Management Console as the RAM user Alice.

For more information, see Log on to the console as a RAM user.

Verification 1: Creating an ECS instance with the root user

  1. Go to the instance purchase page.

  2. Select the Custom Launch tab.

  3. Configure settings such as the billing method, region, instance type, and image. Set the logon username to root. For more information, see Create an instance by using the wizard.


  4. After you confirm the order, a failure message is displayed.

Verification 2: Replacing the system disk of an existing ECS instance to reset the root user credentials

  1. Go to the Replace Operating System page.

    1. Go to ECS console - Instances.

    2. In the top navigation bar, select the region where the target ECS instance is located.

    3. Go to the details page of the target instance. In the Actions column, choose All action(s) > Replace System Disk > Replace OS.

  2. Perform a precheck before you replace the operating system.

    1. In the Replace System Disk dialog box, select Replace a system disk.

    2. The system automatically performs a precheck. This process takes about 10 seconds.

      • If the Precheck column displays image, the precheck passes.

      • If the Precheck column displays image, the precheck failed. You can follow the on-screen instructions to resolve the issue and then try to replace the operating system again.

    3. Read the notes, select I am aware of the preceding risks and want to continue., and then click Continue to Replace Operating System.

  3. In the Replace System Disk dialog box, configure the new operating system information and set credentials for the root user.

  4. Review the billing details and click Stop Instances and Continue. A failure message is displayed.