Updated on 2025-06-27 GMT+08:00

Handling Access Key Leakage

An access key ID (AK) and a secret access key (SK) are the identity credentials you use to access Huawei Cloud through development tools (APIs, CLI, and SDKs). The AK is a unique identifier that is used together with the SK to cryptographically sign requests, ensuring the confidentiality, integrity, and correctness of those requests.

If an access key is leaked, your resources may be stolen, unexpected fees may be generated, or you may be extorted. This section describes how to handle suspected access key leakage to reduce possible security risks.

Huawei Cloud Security Measures

Huawei Cloud is committed to protecting your cloud identities and resources. If Huawei Cloud detects that your access key has been leaked, it notifies you through the contact method you have provided. To prevent greater asset loss, Huawei Cloud may restrict some operations of the access key, for example, operations by the identity (such as an IAM user or agency) associated with the access key. For details, see Access Key Restrictions.

Monitor SMS, email, and phone-call notifications and act quickly when required. Also monitor the cloud resources in your account to ensure that services are running properly.

As a cloud service provider, Huawei Cloud cannot and will not know the security status of all your access keys. According to the shared responsibility model for security, both you and Huawei Cloud share the cloud security responsibilities. You are fully responsible for the security of your access keys.

Handling Suspected Access Key Leakage for a Huawei Cloud Account (Master Account)

Scenario 1:

If the access key has not been used, disable and delete the access key on the My Credentials page.

Scenario 2:

If the access key is in use, rotate it using one of the following methods:

  • Method 1: On the My Credentials page, create a new access key for the account and keep it secure. Replace the original access key with the new one. After verifying that services are running properly, disable and delete the original access key.
  • Method 2 (recommended): Create an IAM user, generate an access key for that user, and grant the user permissions according to the principle of least privilege. Use the new IAM user's access key in place of the account's access key. Then disable and delete the original access key of the account.

Deleted access keys cannot be restored. Disable the access keys and verify that services are not affected before deleting them.

Handling Suspected Access Key Leakage for an IAM User

Scenario 1:

If the access key has not been used, disable and delete the access key of the IAM user on the IAM console. If you do not have the permission, contact an administrator who has the required IAM permissions. For details, see Managing Access Keys for an IAM User.

Scenario 2:

If the access key is in use and can be rotated, rotate it as soon as possible.

Create a new access key and keep it secure. (Each IAM user can have a maximum of two access key pairs.) Replace the original access key with the new one. After verifying that services are running properly, disable and delete the original access key on the IAM console. For details, see Managing Access Keys for an IAM User. Deleted access keys cannot be restored. Disable the access keys and verify that services are not affected before deleting them.

Scenario 3:

If the access key is in use and cannot be rotated in a short period of time, you can perform the following operations to minimize the impact of access key leakage. You still need to rotate the access key as soon as possible.

  1. Reduce the permissions of the access key.

    Reduce the permissions of the access key as soon as possible. Disable high-risk operations that your services do not need, so that core assets cannot be lost. Remove these restrictions after the access key has been rotated.

    You are advised to disable the following critical permissions:

    • Forbid the IAM user from creating IAM users and granting permissions.
    • Forbid operations on compute resources, such as stopping ECSs and BMSs.
    • Forbid operations on storage resources, such as deleting OBS buckets, EVS disks, and RDS instances.
    • Forbid the deletion of logs, such as deleting logs from LTS and deleting CTS trackers.

    For details, see Creating a Custom Policy and Assigning Permissions to an IAM User.

    You are advised to remove unnecessary permissions of the access key to comply with the principle of least privilege.

  2. Enable login protection for IAM users.

    You are advised to enable login protection for all IAM users (created using your account) who can access the console, and to bind a virtual MFA device to each of them for verification, which raises the security level.

    1. Enable login protection for IAM users created using your account. For details, see Viewing or Modifying IAM User Information.
    2. Bind a virtual MFA device to an IAM user. For details, see Binding a Virtual MFA Device.

  3. Check whether there are abnormal access key operations.

    Check for abnormal operations performed using the access key, and check whether other access keys may also have been leaked.

    Check steps:

    1. On the CTS console, filter events by the user whose access key may have been leaked and check whether there are abnormal operations.
    2. Check whether there are abnormal operations performed by other IAM users or with other access keys. If abnormal operations are found, confirm with the owners of those identities whether they performed the operations. If a suspected leakage is found, you are advised to perform the following operations:
      • If you want to continue using the IAM user, change its password immediately and enable login protection.
      • If the IAM user was not created intentionally or is idle, disable it, and delete it after confirming that services are not affected.
      • If abnormal operations were performed with the access key, reduce its permissions as described in step 1 and then rotate it.

  4. Check for unexpected costs.

    If you find unexpected costs or bills in the Billing Center, take protective measures.
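The following added example (not part of the Huawei Cloud documentation) shows one way to do the review in step 3 over exported CTS traces: it filters the traces of the user whose key is suspected, counts operations per source IP, and flags the operation classes that step 1 lists as high-risk. The trace field layout, the sample records, and the prefix heuristic for high-risk operation names are assumptions; adjust them to match your own CTS export.

```python
from collections import Counter

# Constructed sample CTS trace records (not real data). The field layout
# (trace_name, service_type, trace_type, trace_rating, source_ip, user.name) is assumed.
SAMPLE_TRACES = [
    {"time": 1750000000000, "service_type": "OBS", "trace_name": "listBuckets",
     "trace_type": "ApiCall", "trace_rating": "normal", "source_ip": "10.0.0.5",
     "user": {"name": "ci-deploy"}},
    {"time": 1750000060000, "service_type": "OBS", "trace_name": "deleteBucket",
     "trace_type": "ApiCall", "trace_rating": "warning", "source_ip": "203.0.113.7",
     "user": {"name": "ci-deploy"}},
    {"time": 1750000120000, "service_type": "IAM", "trace_name": "createUser",
     "trace_type": "ApiCall", "trace_rating": "normal", "source_ip": "203.0.113.7",
     "user": {"name": "ci-deploy"}},
    {"time": 1750000180000, "service_type": "CTS", "trace_name": "deleteTracker",
     "trace_type": "ConsoleAction", "trace_rating": "normal", "source_ip": "10.0.0.9",
     "user": {"name": "alice"}},
]

# Heuristic (assumed naming) for the operation classes the page calls high-risk:
# deleting storage or logs, stopping compute, creating IAM users, granting permissions.
HIGH_RISK_PREFIXES = ("delete", "stop", "createuser", "grant")

def triage(traces, suspect_user, known_ips):
    """Return (flagged, ops_per_ip) for suspect_user's traces.
    Flag high-risk operations, traces that CTS itself rated warning/incident,
    and traces whose source IP is not in known_ips."""
    flagged, ops_per_ip = [], Counter()
    for t in traces:
        if t["user"]["name"] != suspect_user:
            continue
        ops_per_ip[t["source_ip"]] += 1
        reasons = []
        if t["trace_name"].lower().startswith(HIGH_RISK_PREFIXES):
            reasons.append("high-risk operation")
        if t.get("trace_rating") in ("warning", "incident"):
            reasons.append("CTS rating " + t["trace_rating"])
        if t["source_ip"] not in known_ips:
            reasons.append("unknown source IP")
        if reasons:
            flagged.append({"time": t["time"], "service": t["service_type"],
                            "operation": t["trace_name"],
                            "source_ip": t["source_ip"], "reasons": reasons})
    return flagged, dict(ops_per_ip)

if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_TRACES, "ci-deploy", known_ips={"10.0.0.5"})
    print("operations per source IP:", per_ip)
    for h in hits:
        print(h["time"], h["service"], h["operation"], h["source_ip"], ", ".join(h["reasons"]))
```

Every flagged operation is a candidate for the deny list in step 1 and for the owner confirmation in step 3; a source IP you do not recognize on the suspected user is a strong signal that the key is already being used by someone else.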

Preventing Access Key Leakage

Refer to the Best Practices for Using IAM.