A TencentCloud API key (AccessKey, abbreviated "AK") is the credential used to build TencentCloud API requests. It represents your account identity and the permissions that account holds: whoever has it can operate every Tencent Cloud resource under your account through the TencentCloud API.
An AK consists of a SecretId and a SecretKey, which are used to generate the signature on each TencentCloud API call (see the signature generation algorithm). The SecretId identifies the user; the SecretKey, which must be kept secret, is the key used to verify that identity.
Warning: If an AK leaks and is exploited, your cloud resources and the business built on them are at serious risk, and the resulting losses can be major.
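Added example (not from the Tencent Cloud documentation) showing what the two halves of an AK do in a request: the SecretId goes into the Authorization header in the clear, while the SecretKey is only used to derive the HMAC keys that produce the signature, following the TC3-HMAC-SHA256 method. The credential values used in the usage are placeholders; the environment variable names TENCENTCLOUD_SECRET_ID / TENCENTCLOUD_SECRET_KEY are the ones the official SDKs read, which is an assumption if your SDK version differs.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def tc3_authorization(secret_id: str, secret_key: str, service: str, host: str,
                      action: str, payload: str, timestamp: int) -> str:
    """Build the Authorization header for a POST JSON call signed with TC3-HMAC-SHA256.

    Everything the server needs to recompute the signature travels in the request
    (host, action, timestamp, hashed body) except the SecretKey: whoever holds the
    SecretKey can produce a valid signature for any request as this identity.
    """
    date = datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d")

    # Step 1: canonical request (headers lower-cased and sorted; body hashed, not sent raw)
    canonical_headers = ("content-type:application/json; charset=utf-8\n"
                         f"host:{host}\n"
                         f"x-tc-action:{action.lower()}\n")
    signed_headers = "content-type;host;x-tc-action"
    hashed_payload = hashlib.sha256(payload.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, hashed_payload])

    # Step 2: string to sign, scoped to the date and the service
    credential_scope = f"{date}/{service}/tc3_request"
    hashed_canonical = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    string_to_sign = "\n".join(
        ["TC3-HMAC-SHA256", str(timestamp), credential_scope, hashed_canonical])

    # Step 3: derive a per-date, per-service signing key from the SecretKey, then sign
    k_date = _hmac_sha256(("TC3" + secret_key).encode("utf-8"), date)
    k_service = _hmac_sha256(k_date, service)
    k_signing = _hmac_sha256(k_service, "tc3_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    # Step 4: the SecretId is sent in the clear; the SecretKey never leaves the caller
    return (f"TC3-HMAC-SHA256 Credential={secret_id}/{credential_scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def credentials_from_env() -> tuple[str, str]:
    """Read the AK from the environment rather than from source code (assumed variable names)."""
    try:
        return os.environ["TENCENTCLOUD_SECRET_ID"], os.environ["TENCENTCLOUD_SECRET_KEY"]
    except KeyError as exc:
        raise RuntimeError(f"credential missing from environment: {exc.args[0]}") from None


if __name__ == "__main__":
    sid, skey = credentials_from_env()
    print(tc3_authorization(sid, skey, "cvm", "cvm.tencentcloudapi.com",
                            "DescribeInstances", '{"Limit": 1}', 1700000000))
```

Because the signature is bound to the timestamp, the service and the hashed body, a captured request cannot be replayed with a different body, but a captured SecretKey lets an attacker sign any body at any time, which is why the key itself is what must be protected.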
AK Leakage Cases
1. Hard-Coded Credentials Exposed in a Code Repository
Developers write the SecretId/SecretKey directly into business code and push it to an open-source platform such as GitHub. Attackers locate the credentials quickly by searching for keywords such as "SecretKey" or "cos.ap-shanghai". No environment variables or configuration center are used, and the credentials remain in plaintext in the version-control history even after they are removed from the current code.
2. Credential Extraction through Client Decompilation
Mini Program or app developers hard-code the SecretKey in the client. Attackers recover it by reverse engineering (for example, decompiling the APK or the WeChat Mini Program package) and take over the cloud resources directly.
3. Leakage through Technical Documentation and Sample Code
Technical documentation, sample code and internal or public presentations may contain a test-environment SecretId/SecretKey. An attacker who finds such a key can use it to access production resources.
4. Temporary Credential Misuse
Developers generate temporary credentials directly on the client (which also means the long-term key that mints them is present on the client). Attackers who hijack the temporary credentials can issue malicious requests for as long as they remain valid.
5. Leakage through Logs and Monitoring Systems
SCF environment variables, cloud disk snapshots or CloudAudit logs may still contain a plaintext SecretKey. An attacker who enumerates what a compromised identity is permitted to read can harvest it from there.
6. Plaintext AK Configured on a Compromised Server
Attackers exploit a server vulnerability such as arbitrary file read and steal the plaintext AK/SK from environment variables or configuration files.
AK Security Practice Tutorial
Avoid Using the Root Account AK
Avoid using the root account AK to access Tencent Cloud, and do not share an AK with anyone. Instead, create a sub-account for each user who needs to access Tencent Cloud and grant that sub-account the management permissions it requires. For the related settings, see Type of User.
Do Not Embed AK in Code
Credentials embedded in code are easy to overlook. Experienced developers keep them out of the code base, in a database or a separate file, which also makes them easier to manage.
Store the AK in a separate encrypted configuration file or in a key management system (such as Tencent Cloud KMS white-box keys) rather than writing it into business code. This reduces the risk of leakage through a lapse in code-repository permission management or through client decompilation.
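A check that enforces this before code is pushed, as an added example (not Tencent Cloud's code): a scanner for credential-looking literals, run over two constructed snippets, the hard-coded form from leakage case 1 and the same client configured from environment variables. The SecretId format (AKID followed by 32 alphanumerics) and the placeholder values are assumptions; the qcloud_cos calls appear only as text inside the sample snippets and are not executed.

```python
import re

# Constructed sample snippets (placeholder values, not real credentials).
# HARDCODED_SNIPPET is the pattern from leakage case 1: the AK is a literal in the
# code, so it ends up in version control. ENV_SNIPPET is the same client set up
# from environment variables, which is what a commit hook should let through.
HARDCODED_SNIPPET = '''from qcloud_cos import CosConfig, CosS3Client
secret_id = "AKIDexampleexampleexampleexampleexam"
secret_key = "examplesecretkeyexamplesecretkey"
client = CosS3Client(CosConfig(Region="ap-shanghai", SecretId=secret_id, SecretKey=secret_key))
'''

ENV_SNIPPET = '''import os
from qcloud_cos import CosConfig, CosS3Client
secret_id = os.environ["TENCENTCLOUD_SECRET_ID"]
secret_key = os.environ["TENCENTCLOUD_SECRET_KEY"]
client = CosS3Client(CosConfig(Region="ap-shanghai", SecretId=secret_id, SecretKey=secret_key))
'''

# Assumption: a SecretId is "AKID" followed by 32 alphanumerics.
SECRET_ID_RE = re.compile(r"AKID[0-9A-Za-z]{32}")
# A SecretKey/SecretId-named variable or field assigned a quoted literal of
# plausible key length (the "SecretKey" keyword attackers search for).
LITERAL_ASSIGN_RE = re.compile(
    r"""(?i)\b(secret_?key|secret_?id)\b\s*[:=]\s*["']([A-Za-z0-9+/=_-]{16,})["']""")


def mask(value: str) -> str:
    """Show only the ends of a matched value so the finding itself is not a leak."""
    return f"{value[:4]}...{value[-4:]}"


def scan_source(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, kind, masked value) for every credential-looking literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_ID_RE.finditer(line):
            findings.append((lineno, "secret_id", mask(m.group(0))))
        for m in LITERAL_ASSIGN_RE.finditer(line):
            value = m.group(2)
            if SECRET_ID_RE.fullmatch(value):
                continue  # already reported by the SecretId pattern
            findings.append((lineno, "secret_literal", mask(value)))
    return findings


def is_clean(text: str) -> bool:
    """True when nothing that looks like a hard-coded AK is present."""
    return not scan_source(text)


if __name__ == "__main__":
    for name, snippet in (("hard-coded", HARDCODED_SNIPPET), ("environment", ENV_SNIPPET)):
        print(name, scan_source(snippet))
```

Run against the whole repository history, not only the working tree, since a key deleted from the current code is still present in earlier commits; a hit on any commit means the key must be rotated, not merely removed.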
Rotate AK Periodically
You and your CAM users should rotate AKs regularly. This limits the time during which a leaked credential can be abused.
Delete Unnecessary Permissions and AKs
Remove permissions that are no longer needed so that a leaked AK grants as little as possible.
Delete AKs that have not been used for a long time to shrink the exposed surface.
Apply for Accounts Following the Principle of Least Privilege
Least privilege is a standard security principle: grant only the permissions needed to perform the task and nothing unrelated. For example, if a user only needs Cloud Object Storage (COS), do not grant that user access to other services (such as CAM read/write permissions).
When applying for a user that only needs API access, apply for an API-only user. Do not mix console users and API users.
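The weak and the corrected policy side by side, as an added example (not from the Tencent Cloud documentation): three constructed CAM policies for a user who should only touch COS, and a small audit function that flags wildcard actions, wildcard resources and actions outside the user's intended services. The account UIN and bucket name are placeholders.

```python
# Constructed CAM policies in CAM's JSON policy syntax; the account UIN and bucket
# name are placeholders. (Added example, not from the Tencent Cloud documentation.)

# Weak: every action on every resource.
OVERBROAD_POLICY = {
    "version": "2.0",
    "statement": [{"effect": "allow", "action": ["*"], "resource": ["*"]}],
}

# Mixed: a COS user that was also handed CAM management rights.
MIXED_POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow",
         "action": ["cos:GetObject"],
         "resource": ["qcs::cos:ap-shanghai:uid/1250000000:examplebucket-1250000000/*"]},
        {"effect": "allow", "action": ["cam:*"], "resource": ["*"]},
    ],
}

# Least privilege: only the two COS actions the job needs, only on one bucket prefix.
LEAST_PRIVILEGE_POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow",
         "action": ["cos:GetObject", "cos:PutObject"],
         "resource": ["qcs::cos:ap-shanghai:uid/1250000000:examplebucket-1250000000/uploads/*"]},
    ],
}


def _as_list(value):
    """CAM accepts a single string or a list for action/resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict, allowed_services: set[str]) -> list[str]:
    """Report allow statements that exceed the services a user is meant to use."""
    findings = []
    for idx, stmt in enumerate(policy.get("statement", [])):
        if str(stmt.get("effect", "")).lower() != "allow":
            continue  # deny statements only narrow access
        for action in _as_list(stmt.get("action", [])):
            service, _, api = action.partition(":")
            if action == "*":
                findings.append(f"statement {idx}: action '*' grants every API of every service")
            elif api == "*":
                findings.append(f"statement {idx}: action '{action}' grants every API of {service}")
            elif service not in allowed_services:
                findings.append(f"statement {idx}: action '{action}' is outside the allowed "
                                f"services {sorted(allowed_services)}")
        for resource in _as_list(stmt.get("resource", [])):
            if resource == "*":
                findings.append(f"statement {idx}: resource '*' covers every resource in the account")
    return findings


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("mixed", MIXED_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, audit_policy(policy, {"cos"}))
```

The allowed-service set is the contract for the user ("this user does COS and nothing else"); running the audit with a different set shows that a policy which is least-privilege for one job is over-broad for another.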
Take Stock of AK Usage before an Incident
In CSC > TencentCloud API anomaly detection, manage your AK assets in real time and annotate them:
AK list: take stock of your AKs, know how many you have, and record which business each one serves.
Source IP of calls: sort the source IPs of API calls and record which business each IP belongs to.
Risk permission convergence: review the AK configuration check results and identify any high-privilege APIs that are not needed.
Emergency response: with the above in hand, when a leaked AK produces abnormal calls, the affected AK can be replaced quickly.
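The inventory and the checks described above, as an added example (not CSC output and not Tencent Cloud's code): a handful of constructed API call records in a simplified shape (not CloudAudit's real schema), the AK and source-IP business mappings kept in advance, and detection logic that flags calls from an unknown AK, from an unknown IP, or from an IP that belongs to a different business, then lists the AKs to replace first.

```python
from collections import defaultdict

# Constructed records in a simplified shape (not CloudAudit's real schema):
# which AK was used, from which IP, for which API, and when.
AK_A = "AKID" + "a" * 32   # image-upload-service
AK_B = "AKID" + "b" * 32   # nightly-backup
AK_C = "AKID" + "c" * 32   # not in the inventory at all

SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00Z", "secret_id": AK_A, "source_ip": "10.1.2.3", "action": "cos:PutObject"},
    {"time": "2024-05-01T08:05:00Z", "secret_id": AK_A, "source_ip": "10.1.2.4", "action": "cos:PutObject"},
    {"time": "2024-05-01T09:00:00Z", "secret_id": AK_B, "source_ip": "10.9.0.7", "action": "cvm:CreateSnapshot"},
    {"time": "2024-05-01T09:30:00Z", "secret_id": AK_A, "source_ip": "203.0.113.50", "action": "cos:GetObject"},
    {"time": "2024-05-01T09:31:00Z", "secret_id": AK_B, "source_ip": "10.1.2.3", "action": "cam:ListUsers"},
    {"time": "2024-05-01T09:32:00Z", "secret_id": AK_C, "source_ip": "10.1.2.3", "action": "cvm:RunInstances"},
]

# The inventory kept before any incident: which business each AK serves and which
# business each calling IP belongs to.
AK_BUSINESS = {AK_A: "image-upload-service", AK_B: "nightly-backup"}
IP_BUSINESS = {"10.1.2.3": "image-upload-service", "10.1.2.4": "image-upload-service",
               "10.9.0.7": "nightly-backup"}


def inventory(events):
    """Per-AK summary: call count, source IPs and APIs seen (the 'AK list' view)."""
    summary = defaultdict(lambda: {"calls": 0, "ips": set(), "actions": set()})
    for ev in events:
        entry = summary[ev["secret_id"]]
        entry["calls"] += 1
        entry["ips"].add(ev["source_ip"])
        entry["actions"].add(ev["action"])
    return dict(summary)


def find_anomalies(events, ak_business, ip_business):
    """Flag calls whose AK or source IP does not fit the recorded business mapping."""
    alerts = []
    for ev in events:
        ak_owner = ak_business.get(ev["secret_id"])
        ip_owner = ip_business.get(ev["source_ip"])
        if ak_owner is None:
            reason = "AK not in inventory"
        elif ip_owner is None:
            reason = f"{ak_owner} AK used from unknown IP {ev['source_ip']}"
        elif ip_owner != ak_owner:
            reason = f"{ak_owner} AK used from an IP that belongs to {ip_owner}"
        else:
            continue  # known AK, from an IP of its own business: expected traffic
        alerts.append((ev["time"], ev["secret_id"], ev["action"], reason))
    return alerts


def keys_to_replace(alerts):
    """The AKs an incident responder should rotate first, taken from the alert list."""
    return sorted({secret_id for _, secret_id, _, _ in alerts})


if __name__ == "__main__":
    for secret_id, entry in inventory(SAMPLE_EVENTS).items():
        print(secret_id[:8], entry["calls"], sorted(entry["ips"]), sorted(entry["actions"]))
    for alert in find_anomalies(SAMPLE_EVENTS, AK_BUSINESS, IP_BUSINESS):
        print(alert)
    print("replace:", keys_to_replace(find_anomalies(SAMPLE_EVENTS, AK_BUSINESS, IP_BUSINESS)))
```

The point of keeping the two mappings in advance is that the detection is a lookup rather than an investigation: when the unknown IP shows up, the business that owns the AK is already known, so the key can be replaced and that one service reconfigured without first working out who uses it.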