tencent cloud

Cloud Access Management

DokumentasiCloud Access ManagementUser GuideAccess KeySecurity Recommendations for Regularly Rotating Access Keys

Security Recommendations for Regularly Rotating Access Keys

Download
Mode fokus
Ukuran font
Terakhir diperbarui: 2026-07-07 19:39:52
If an AccessKey is used for a long time without being rotated, its repeated exposure increases the risk of leakage, which may threaten the security of your cloud resources. To prevent losses to your business, we recommend that you enhance protection by regularly rotating your AccessKeys.


Risks of Long-Term Use of Access Keys

Leakage risk accumulation: The longer a key is used, the more potential exposure vectors may arise (such as historical code leaks, unauthorized retention by internal personnel, accidental logging, and so on), and the likelihood of it being maliciously exploited increases accordingly.
Expanded impact scope: If a key is stolen, an attacker can lurk for an extended period and persistently abuse the permissions. This may lead to data leakage, service interruption, or malicious resource consumption. If the key leakage is not detected in time, it becomes difficult to quickly contain the losses.


Audit and Handling Recommendations for Access Key Information

Audit existing keys: Log in to the CAM console using your root account or an account with CAM permissions. Then, navigate to the CAM > Overview page, download the user credential report, view the complete list of keys under your root account, and thoroughly review their status and usage.
Do not use the root account key:
Tencent Cloud strongly recommends that you do not create or use root account keys. Instead, perform daily operations and API calls through methods such as CAM sub-users and role authorization.
A root account key has full control over all resources in the account, including finances, user permissions, and data management. If leaked, it could lead to a global, catastrophic security incident, and the permissions cannot be quickly revoked.
Use sub-account keys:
Sub-account permissions should adhere to the principle of least privilege.
Human sub-accounts should be separated from programmatic sub-accounts. This means that AccessKeys should not be created for human sub-accounts, which are only allowed to log in to the console. Conversely, programmatic sub-accounts should only use AccessKeys and are not permitted to log in to the console.
Sub-account keys should be rotated at least every 90 days. If a key is used for sensitive business, adjust the rotation cycle to a stricter standard.


Access Key Rotation Instructions

Create a new API access key: You can generate a new sub-user API key on the API Key Management page in the CAM console and update it in the relevant applications or services. For details, see Sub-account Access Key Management.
Disable the old API access key: Before disabling the old key, confirm that all services have been switched to the new key. You can verify recent call records by checking the CloudAudit console and the CAM > API Key Management > More Access Records page. For specific disabling operations, see Disable Sub-account API Key.
Delete the old API access key: After the key is disabled, it is recommended to observe the business operation status. Delete the old key only after confirming there are no exceptions. For specific deletion operations, see Delete Sub-account API Key.


Bantuan dan Dukungan

Apakah halaman ini membantu?

masukan