If a Resource Access Management (RAM) user has two enabled AccessKeys, disable the idle AccessKey. Alternatively, move the AccessKey that is in use to a new RAM user. This ensures that each RAM user has only one enabled AccessKey, which reduces the threat of an AccessKey leak.
Risks
A RAM user can have a maximum of two AccessKeys. If you enable both AccessKeys at the same time, there is no free slot in which to create a replacement key, so you can no longer rotate them. Two enabled AccessKeys also make it easier for excessive permissions to accumulate, which increases security threats.
Risk level
This is considered high-risk.
Best practices
Use Security Token Service (STS) tokens to call Alibaba Cloud APIs whenever possible. Use permanent AccessKeys only when you cannot use STS tokens for a specific scenario.
For scenarios that require permanent AccessKeys, rotate the AccessKeys regularly. This reduces the threat of exposure.
To make rotation easier, enable only one AccessKey for each RAM user. Keep the second AccessKey slot available. This lets you migrate an application to a new AccessKey during rotation.
After the application is migrated to the new AccessKey, disable the old AccessKey. After a waiting period, delete the old AccessKey. This prepares it for the next rotation.
Remediation
Confirm whether the AccessKeys of the RAM user are still in use.
If an AccessKey is no longer in use, disable it. If no issues related to the AccessKey occur within 90 days, delete the AccessKey. For more information, see Disable an AccessKey for a RAM user and Delete an AccessKey for a RAM user.
If both AccessKeys are still in use by your application, move one of the AccessKeys to a new RAM user. Follow these steps:
1. In the Resource Access Management (RAM) console, create a new RAM user. For more information, see Create a RAM user.
2. Grant permissions to the new RAM user. Grant the new RAM user the same permissions as the original RAM user, or only the minimum permissions required by the application. For more information, see Grant permissions to a RAM user.
3. Create an AccessKey for the new RAM user. For more information, see Create an AccessKey for a RAM user.
4. In your application's staging environment, replace the original AccessKey with the new AccessKey. Then, verify that the application runs as expected.
5. In your application's production environment, replace the original AccessKey with the new AccessKey. Then, verify that the application runs as expected.
6. Disable the original AccessKey.
7. After 90 days, if no issues related to the original AccessKey occur, delete it.
8. Review the permissions of the original RAM user. Remove any unnecessary permissions to ensure the principle of least privilege.
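The following Python script is an added example; it is not part of this document and is not Alibaba Cloud tooling. It applies the rules from the best practices and the remediation steps above to an inventory of RAM users and their AccessKeys: flag users with two enabled keys, decide whether one key is idle (disable it) or both are in use (move one to a new RAM user), and report disabled keys that have passed the 90-day waiting period and can be deleted. The inventory is constructed inline and shaped like the ListAccessKeys and GetAccessKeyLastUsed responses; the exact field names, the 30-day idle threshold, and the DisabledDate field (taken from the operator's own rotation log, since RAM does not return when a key was disabled) are assumptions.

```python
"""Added example: plan AccessKey remediation for RAM users with two enabled keys."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

IDLE_DAYS = 30          # assumption: a key unused for 30 days is treated as idle
DELETE_AFTER_DAYS = 90  # from the text: delete a disabled key after 90 quiet days

# Constructed sample inventory. Field names follow the shape of the RAM
# ListAccessKeys / GetAccessKeyLastUsed responses (an assumption; check the API
# reference). "DisabledDate" is NOT an API field: it comes from the operator's
# own rotation log. Key IDs are placeholders.
SAMPLE_USERS: Dict[str, List[dict]] = {
    "app-user-a": [  # one key in use, one never used -> disable the idle key
        {"AccessKeyId": "AK-EXAMPLE-A1", "Status": "Active",
         "CreateDate": "2023-01-10T08:00:00Z", "LastUsedDate": "2024-06-28T12:00:00Z"},
        {"AccessKeyId": "AK-EXAMPLE-A2", "Status": "Active",
         "CreateDate": "2023-09-10T08:00:00Z"},
    ],
    "app-user-b": [  # both keys in use -> move one to a new RAM user
        {"AccessKeyId": "AK-EXAMPLE-B1", "Status": "Active",
         "CreateDate": "2023-01-10T08:00:00Z", "LastUsedDate": "2024-06-29T12:00:00Z"},
        {"AccessKeyId": "AK-EXAMPLE-B2", "Status": "Active",
         "CreateDate": "2024-03-01T08:00:00Z", "LastUsedDate": "2024-06-30T12:00:00Z"},
    ],
    "app-user-c": [  # compliant; old key disabled >90 days ago -> delete it
        {"AccessKeyId": "AK-EXAMPLE-C1", "Status": "Active",
         "CreateDate": "2024-01-05T08:00:00Z", "LastUsedDate": "2024-06-30T12:00:00Z"},
        {"AccessKeyId": "AK-EXAMPLE-C2", "Status": "Inactive",
         "CreateDate": "2022-05-01T08:00:00Z", "LastUsedDate": "2024-01-05T09:00:00Z",
         "DisabledDate": "2024-03-15T00:00:00Z"},
    ],
}
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed "now" for the sample


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse the ISO-8601 'Z' timestamps used above; None means 'never'."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_keys(keys: List[dict]) -> List[dict]:
    return [k for k in keys if k.get("Status") == "Active"]


def is_idle(key: dict, now: datetime, idle_days: int = IDLE_DAYS) -> bool:
    """A key is idle if it was never used or not used within idle_days.
    A key created within idle_days is treated as a rotation in progress, not idle."""
    created = parse_ts(key["CreateDate"])
    if created is not None and now - created <= timedelta(days=idle_days):
        return False
    last = parse_ts(key.get("LastUsedDate"))
    return last is None or now - last > timedelta(days=idle_days)


def plan_for_user(keys: List[dict], now: datetime) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (finding, action, key_id) for one RAM user's AccessKeys."""
    act = active_keys(keys)
    if len(act) < 2:
        return ("ok", None, None)
    idle = [k for k in act if is_idle(k, now)]
    if idle:
        # Disable the key that has gone longest without use (never-used sorts first).
        floor = datetime.min.replace(tzinfo=timezone.utc)
        idle.sort(key=lambda k: parse_ts(k.get("LastUsedDate")) or floor)
        return ("two-active-keys", "disable", idle[0]["AccessKeyId"])
    # Both keys are in use: the text says to move one to a new RAM user.
    # Choosing the newer key is this example's convention, not a rule from the page.
    act.sort(key=lambda k: parse_ts(k["CreateDate"]))
    return ("two-active-keys", "move-to-new-ram-user", act[-1]["AccessKeyId"])


def deletion_due(key: dict, now: datetime, delete_after_days: int = DELETE_AFTER_DAYS) -> bool:
    """A disabled key may be deleted once it has been inactive for the waiting period."""
    if key.get("Status") != "Inactive":
        return False
    disabled = parse_ts(key.get("DisabledDate"))
    return disabled is not None and now - disabled >= timedelta(days=delete_after_days)


def plan_remediation(users: Dict[str, List[dict]], now: datetime) -> Dict[str, dict]:
    """Build a per-user remediation plan from the inventory."""
    report = {}
    for name, keys in users.items():
        finding, action, key_id = plan_for_user(keys, now)
        deletable = [k["AccessKeyId"] for k in keys if deletion_due(k, now)]
        report[name] = {"finding": finding, "action": action, "key": key_id, "delete": deletable}
    return report


if __name__ == "__main__":
    for user, plan in plan_remediation(SAMPLE_USERS, NOW).items():
        print(f"{user}: {plan}")
```

In a real run, replace SAMPLE_USERS with the output of ListUsers plus ListAccessKeys and GetAccessKeyLastUsed for each user, and keep the DisabledDate values in your own rotation log when you disable a key, so the 90-day check has a reliable start date.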
Remediation difficulty
Administration can be complex.