Identity and Access Management

Setup

Set Alias of the Account

  • Setting an alias for your account gives you an easy-to-understand IAM user login link.
  • If you log in via the mobile app, the master-account field is also pre-filled with the alias defined here.

Operation steps

  1. Enter the console, move the mouse to the avatar in the upper right corner of the page, and go to Identity and Access Management > Settings.
  2. Edit the section Set Alias for the Account.

E.g.: If the account alias is set to test_123, the PC login link is simplified to http://test_123.login.bce.baidu.com, and the master-account field is pre-filled with test_123 when you log in via the app.

Security Setting

Set the Password Policy

A customized password policy enforces password strength, validity period and related rules to protect your account. The password policy items currently supported and configurable on Baidu AI Cloud are:

  1. Password length: 8 characters by default, configurable from 8 to 32 characters;
  2. Required character classes: multiple choice among "uppercase", "lowercase", "numbers" and "special characters" (!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~); selecting a class means the password must contain at least one character of that class. For example, if "uppercase" and "lowercase" are both selected, the password must contain at least one uppercase and one lowercase letter;
  3. Validity period of the password: 0 days by default, meaning the password never expires; configurable from 0 to 1095 days. The console shows a reminder within 3 days of the password expiring; change the password promptly when you see it;
  4. Policy after the password expires:
  • Unrestricted login: the IAM user can still log into the console after the password expires, but must reset the password;
  • Restricted login: the IAM user cannot log into the console after the password expires, and an administrator must reset the password;
  5. Historical password check: 1 by default, meaning the new password may not be the same as the previous one; configurable from 0 to 24 previous passwords;
  6. Restriction on password retries: if login fails with a wrong password more than the configured number of times within one hour, the account is locked for one hour. The default is 5 attempts, configurable from 0 to 32, where 0 means no restriction;
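The six policy items above map naturally onto a small checker. The following is an added example, not Baidu AI Cloud's own implementation: `PasswordPolicy`, `check_password` and `login_allowed` are names chosen here, the range checks in `__post_init__` mirror the limits stated in the list, and the SHA-256 digest used for the history comparison is a stand-in for whatever hashing the real service uses.

```python
"""Model of the IAM password-policy settings described above (illustrative, not Baidu's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

# Special-character set as listed in the policy description.
SPECIAL = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


@dataclass
class PasswordPolicy:
    min_length: int = 8                 # item 1: 8..32 characters
    require_upper: bool = False         # item 2: required character classes
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False
    validity_days: int = 0              # item 3: 0 = never expires, 0..1095
    restrict_login_after_expiry: bool = False  # item 4: False = unrestricted login
    history_count: int = 1              # item 5: 0..24 previous passwords that may not be reused
    max_retries: int = 5                # item 6: failed logins per hour before lock-out, 0..32, 0 = none

    def __post_init__(self):
        # Reject settings outside the ranges the console accepts.
        if not 8 <= self.min_length <= 32:
            raise ValueError("password length must be 8..32")
        if not 0 <= self.validity_days <= 1095:
            raise ValueError("validity period must be 0..1095 days")
        if not 0 <= self.history_count <= 24:
            raise ValueError("history check must be 0..24")
        if not 0 <= self.max_retries <= 32:
            raise ValueError("retry limit must be 0..32")


def _digest(password: str) -> str:
    # Assumption: stands in for the service's real password hashing; a production
    # system would use a salted, slow KDF rather than plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(policy: PasswordPolicy, candidate: str, previous_passwords=()) -> list:
    """Return the list of policy violations for a proposed new password (empty = accepted)."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        violations.append("missing an uppercase letter")
    if policy.require_lower and not any(c.islower() for c in candidate):
        violations.append("missing a lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        violations.append("missing a digit")
    if policy.require_special and not any(c in SPECIAL for c in candidate):
        violations.append("missing a special character")
    # History check: compare against only the last N previous passwords (oldest first in the list).
    if policy.history_count:
        recent = [_digest(p) for p in list(previous_passwords)[-policy.history_count:]]
        if _digest(candidate) in recent:
            violations.append(f"matches one of the last {policy.history_count} passwords")
    return violations


def login_allowed(policy: PasswordPolicy, last_changed: datetime, now: datetime, failures) -> tuple:
    """Decide whether a login may proceed.

    failures: timestamps of failed login attempts. Returns (allowed, reason).
    Assumption: the lock triggers once the number of failures in the last hour reaches max_retries.
    """
    if policy.max_retries:
        recent_failures = sum(1 for t in failures if now - t < timedelta(hours=1))
        if recent_failures >= policy.max_retries:
            return False, "locked: too many failed logins in the last hour"
    if policy.validity_days and now - last_changed > timedelta(days=policy.validity_days):
        if policy.restrict_login_after_expiry:
            return False, "password expired: administrator must reset it"
        return True, "password expired: must be reset after login"
    return True, "ok"


if __name__ == "__main__":
    policy = PasswordPolicy(require_upper=True, require_lower=True, require_digit=True, require_special=True)
    print(check_password(policy, "password"))
    print(check_password(policy, "Passw0rd!", previous_passwords=["Passw0rd!"]))
```

The history check deliberately slices to the last `history_count` entries so that a policy of 0 skips the comparison entirely rather than comparing against every password ever used, which is the behaviour the "0 to 24" range implies.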

Set the Expiration Time of Session

Login session expiration means that if the user performs no operation within the configured time after logging in, the system automatically clears the current user's session to protect the account. After the session expires you must log into the console again.

Note

  • The expiration time can be set between 15 minutes and 23 hours 59 minutes; the default is 1 hour, and you can adjust it to suit your situation.
  • This setting applies to both the root account and IAM users.

IP Whitelist

The IP whitelist applies to all services used through IAM. When IAM users log into the console directly, or access Baidu AI Cloud resources through the OpenAPI or an SDK, the source IP must be on the whitelist.

Currently, the IP whitelist supports:

  • Restricting IAM user console login: IPs not on the whitelist cannot log into the console to perform operations;
  • Restricting programmatic access to cloud resources: IPs not on the whitelist cannot access cloud resources through the OpenAPI or an SDK. See the list below for the cloud services that currently support programmatic-access IP restrictions.

You can choose to restrict only IAM user login, only programmatic access, or both.

Filling Requirements of IP Whitelist

Fill in the IP addresses or IP ranges that are allowed access.

  • If no IP whitelist is set, the whole network is allowed by default.
  • To add more than one IP, separate the entries with a comma or a space.
  • If you fill in an IP range such as 10.10.10.0/24, every address of the form 10.10.10.X is allowed; CIDR notation is supported.

AccessKey Leakage monitoring and Warning

Once an IP whitelist is configured, you can additionally enable AccessKey leakage monitoring and warning. When an AccessKey is used from a non-whitelisted IP more than a certain number of times within a certain period, the feature triggers an event alarm provided by BCM, helping you discover a potential AccessKey leak promptly and protect the assets of the cloud account.

AccessKey (hereinafter AK) leakage monitoring and warning relies on the event monitoring capability of BCM. Enabling it takes two steps:

  1. Enable AK leakage monitoring and warning in the Settings module of Identity and Access Management;
  2. Configure event monitoring for the Cloud Audit (BCT) service in the Event Monitoring module of Cloud Monitoring (BCM);

Enable the AK leakage monitoring and warning

After the IP whitelist feature is enabled, click "Enable" next to AK Leakage Monitoring and Warning. This completes the Identity and Access Management side; next, go to the event monitoring module of BCM and configure it as described below.

Configure event warning

In the event monitoring section of BCM, configure the warning policy and the warning action:

  1. Click Create Warning Policy;
  2. In the policy information section, fill in the policy name, select Cloud Audit BCT as the service, keep the default region (global) and leave the other options at their defaults;
  3. In the warning action section, select a configured warning action that pushes the warning to the relevant contact person or group; if no warning action exists yet, use Add Warning Action first. See Configuration of Warning Action for details.

Once configured, whenever AK calls from non-whitelisted IPs meet the warning trigger conditions, the contact person or group is notified according to the warning action configured in BCM. On receiving a warning, the responsible staff should review the detailed access records in Cloud Audit referenced by the notification to confirm whether the access was legitimate.
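The following added example ties together the IP whitelist rules above (comma- or space-separated entries, single IPs or CIDR blocks, empty field means the whole network) and the AK leakage warning logic (an AK used from non-whitelisted IPs more than a set number of times within a window). It is illustrative code written for this page, not Baidu's BCM or BCT implementation: the audit record layout in `SAMPLE_EVENTS`, the AK identifiers, the source IPs (documentation ranges) and the threshold and window values are all constructed here.

```python
"""IP whitelist matching and a threshold alert over audit records (illustrative, not Baidu's code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed whitelist in the format the console field accepts: comma- or space-separated,
# single addresses or CIDR blocks.
WHITELIST = "10.10.10.0/24, 192.0.2.10"

# Constructed audit records: (timestamp, access key id, source IP, action).
# Assumption: this layout is a simplification; real Cloud Audit (BCT) records carry more fields.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "AKEXAMPLE-A", "10.10.10.5",   "bos:ListBuckets"),
    ("2024-05-01T10:01:00", "AKEXAMPLE-B", "203.0.113.7",  "bcc:DescribeInstances"),
    ("2024-05-01T10:02:00", "AKEXAMPLE-A", "198.51.100.9", "bos:GetObject"),
    ("2024-05-01T10:03:00", "AKEXAMPLE-B", "203.0.113.7",  "bos:ListBuckets"),
    ("2024-05-01T10:04:30", "AKEXAMPLE-B", "192.0.2.10",   "bcc:DescribeInstances"),
    ("2024-05-01T10:05:00", "AKEXAMPLE-B", "203.0.113.8",  "rds:DescribeInstances"),
    ("2024-05-01T10:40:00", "AKEXAMPLE-B", "203.0.113.7",  "bos:ListBuckets"),
]


def parse_whitelist(text: str) -> list:
    """Parse the whitelist field into ip_network objects; an empty field yields an empty list."""
    nets = []
    for token in re.split(r"[,\s]+", text.strip()):
        if token:
            # strict=False accepts a host address written with a prefix (e.g. 10.10.10.5/24).
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def is_allowed(nets: list, source_ip: str) -> bool:
    """Empty whitelist means the whole network is allowed, as the documentation states."""
    if not nets:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in nets)


def detect_leaks(events, nets, threshold: int = 3, window: timedelta = timedelta(minutes=10)) -> list:
    """Return (ak, count, first_ts, last_ts) whenever an AK is used from non-whitelisted IPs
    `threshold` times within `window`. The alert fires once when the count reaches the threshold
    and re-arms only after the sliding window has dropped old calls."""
    recent = defaultdict(deque)   # access key -> timestamps of recent off-whitelist calls
    alerts = []
    for ts, ak, ip, _action in sorted(events):
        if is_allowed(nets, ip):
            continue              # calls from whitelisted IPs never count towards the alarm
        t = datetime.fromisoformat(ts)
        q = recent[ak]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()           # drop calls that fell out of the window
        if len(q) == threshold:
            alerts.append((ak, len(q), q[0].isoformat(), t.isoformat()))
    return alerts


if __name__ == "__main__":
    nets = parse_whitelist(WHITELIST)
    for alert in detect_leaks(SAMPLE_EVENTS, nets):
        print("possible AK leak:", alert)
```

In the sample data, AKEXAMPLE-A is used once from outside the whitelist, which stays below the threshold, while AKEXAMPLE-B reaches three off-whitelist calls between 10:01 and 10:05 and produces one alert; its later call at 10:40 starts a fresh window and does not re-trigger. The alert carries the time span so the responder can pull the matching Cloud Audit records for review.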

List of services that support programmatic-access IP restrictions

Computation

  • Baidu Cloud Compute (BCC)
  • Baidu Baremetal Compute (BBC)
  • Baidu Application Engine (BAEPRO)
  • Baidu Container Instance (BCI)
  • Cloud Container Engine (CCE)
  • Cloud Function Compute (CFC)
  • Dedicated Cloud Compute (DCC)

Network

  • Elastic IP (EIP)
  • Baidu Load Balance (BLB)
  • Cloud DNS
  • Virtual Private Cloud (VPC)

Storage and CDN

  • Content Delivery Network (CDN)
  • Baidu Object Storage (BOS)
  • Cloud File Storage (CFS)
  • Baidu Storage Gateway (BSG)

Security and management

  • Anti-DDoS Service (ADAS)
  • Baidu Cloud Monitoring (BCM)
  • Baidu Cloud Security (BSS)

Data analysis

  • Baidu MapReduce (BMR)
  • Baidu Stream Compute (BSC)
  • Baidu Data Science Platform (JARVIS)
  • Baidu Message Service (KAFKAI)

Database

  • Relational Database Service (RDS)
  • Simple Cache Service (SCS)
  • Cloud Database HTAP for CockroachDB
  • Cloud Database DocDB for MongoDB

Website service

  • Hosteye Management Service (HME)
  • Baidu Cloud Hosting (BCH)
  • Baidu Cloud Domain Service (BCD)

IoT service

  • Time Series Database (TSDB)
  • Rule Engine
  • IoT Parser
  • IoT Device
  • Intelligent Scheduling (ILS)
  • DuGo - AI Auto Cloud
  • Hangu IoT Secure Kit (HISK)

Intelligent multimedia service

  • Documentation Service (DOC)
  • Live Streaming Service (LSS)
  • Real-time Audio/Video Communication (RTC)
  • Video on Demand (VOD)

AI

  • OCR capability engine (AI_OCR)
  • Face capability engine (AI_FACE)
  • Baidu Machine Learning (AI_BML)

Blockchain

  • Baidu Blockchain Engine (BBE)