Updated on 2025-04-10 GMT+08:00

Enterprise Router Security Best Practices

Whether you access Enterprise Router resources through the console or through APIs, you must present identity credentials that are verified before the request is served. Login protection and login authentication policies further strengthen identity authentication. Enterprise Router works with Identity and Access Management (IAM) to support four identity authentication methods: username and password, access key, temporary access key, and access code. IAM also provides Login Protection and Login Authentication Policy.

  1. Using a temporary AK/SK

    Querying resources such as metrics and alarms through the Enterprise Router APIs or SDKs requires authentication with identity credentials. This ensures the confidentiality and integrity of each request and verifies the identity of the requester. You are advised to configure an IAM agency to obtain temporary AK/SKs, or to configure temporary AK/SKs directly for your applications or cloud services. Temporary AK/SKs expire after a short period, which limits the damage if they are leaked. For details, see Temporary Access Key and Obtaining Temporary Access Keys and Security Tokens of an Agency.

  2. Periodically changing a permanent AK/SK

    If you have to use a permanent AK/SK pair for access, change it periodically and store it only in encrypted form. This limits the damage if the plaintext credentials are lost or exposed. For details, see Access Keys.

  3. Regularly changing your username and password and avoiding weak passwords

    Regularly resetting passwords is one important measure to enhance system and application security. This practice not only lowers the chances of password exposure but also helps you meet compliance requirements, mitigate internal risks, and boost your security awareness. Also, complex passwords are recommended to reduce risks. For details, see Password Policy.

  4. Disabling the Auto Accept Shared Attachments function

    In a cloud service or enterprise network environment, enterprise routers function as core devices for cross-network communications. Improper configuration may cause security risks. Sharing an enterprise router with other accounts and enabling Auto Accept Shared Attachments can lead to unauthorized access or abnormal configurations, creating vulnerabilities for attackers. You are advised to:

    1. Disable the Auto Accept Shared Attachments function.

      When you create an enterprise router, Auto Accept Shared Attachments is disabled by default. For details, see Creating an Enterprise Router.

      If Auto Accept Shared Attachments is already enabled for your enterprise router, you can disable this function on the console or by calling the API.
    2. Restrict user permissions.

      Under the sharing mechanism of Resource Access Manager (RAM), if an owner shares their enterprise router with another account, that account can create attachments, but an attachment is completed only after the owner accepts the request.

      You are advised to specify that attachment creation requests can only be accepted by certain roles by configuring custom permission policies on the IAM console. The following is an example:
      {
          "Version": "1.1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "er:attachments:accept"
                  ]
              }
          ]
      }
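      To check that only the intended roles end up with the accept permission once several policies are combined, the following added audit script (not part of this page or of the cloud provider's tooling) evaluates sample IAM 1.1 policies against the `er:attachments:accept` action. It assumes the usual IAM evaluation rules (an explicit Deny overrides any Allow, `*` is a wildcard, default is implicit deny); the role names, the second and third policies, and the action name `er:attachments:list` are constructed for illustration only.

```python
import fnmatch

# Constructed sample policies in the IAM 1.1 format shown on this page.
# Role names, the second and third policies, and "er:attachments:list" are
# hypothetical; only "er:attachments:accept" comes from the page.
ROLE_POLICIES = {
    "er-attachment-approvers": [
        {"Version": "1.1", "Statement": [
            {"Effect": "Allow", "Action": ["er:attachments:accept"]},
        ]},
    ],
    "er-operators": [
        {"Version": "1.1", "Statement": [
            {"Effect": "Allow", "Action": ["er:attachments:list"]},
        ]},
    ],
    "er-admins-no-accept": [
        {"Version": "1.1", "Statement": [
            {"Effect": "Allow", "Action": ["er:*:*"]},
            {"Effect": "Deny", "Action": ["er:attachments:accept"]},
        ]},
    ],
}

def is_allowed(policies, action):
    """Return True if the combined policies permit `action`.

    Assumed evaluation order: an explicit Deny in any statement overrides
    every Allow; otherwise the action is granted only if some Allow matches
    it; with no match at all the result is implicit deny. "*" in an Action
    entry is treated as a wildcard.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            actions = stmt.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
                continue
            if stmt.get("Effect") == "Deny":
                return False  # explicit deny wins regardless of order
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed

def roles_that_can_accept(role_policies, action="er:attachments:accept"):
    """Audit helper: list the roles able to accept shared attachments."""
    return sorted(r for r, p in role_policies.items() if is_allowed(p, action))

if __name__ == "__main__":
    print(roles_that_can_accept(ROLE_POLICIES))  # ['er-attachment-approvers']
```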