Security model and authentication ↗
Cortex XSIAM implements a defense-in-depth security model built on the principle of least privilege. Every permission granted to Cortex XSIAM is read-only and has a clear purpose. This section describes the security principles, authentication mechanisms, and operational safeguards that protect your Alibaba Cloud environment.
Security principles
No static credentials: Cortex XSIAM never stores or exchanges static access keys. Authentication relies entirely on OIDC-based Workload Identity Federation with short-lived temporary credentials.
Minimal permissions by default: Cortex XSIAM operates with the minimum read-only permissions scoped to specific Alibaba Cloud services. No write permissions are provisioned. The permission set cannot be expanded through the onboarding process.
Permission transparency: Every permissions is mapped to a specific Alibaba Cloud API action. The complete permission set is visible in the Terraform authentication template before deployment, allowing security review prior to granting access.
Cloud-native identity and trust: Authentication uses Alibaba Cloud's native OIDC provider and STS service. All permissions and resources are provisioned through a customer-reviewed Terraform template to ensure transparency.
Authentication mechanisms
Cortex XSIAM uses a single OIDC-based identity flow for all operations (discovery and permissions analysis). Alibaba Cloud onboarding uses one identity for all access. The authentication flow works as follows:
The Cortex Service Account in the Cortex-managed GCP project obtains a GCP ID token with the audience
alibaba-cortex-wif-.<tenantID>The token is presented to the OIDC Identity Provider in the customer's Alibaba Cloud account.
The OIDC provider validates the token and Cortex XSIAM calls Alibaba Cloud STS
AssumeRoleWithOIDCatsts..<region>.aliyuncs.comSTS issues temporary credentials with a session name of
Cortex-WIF-Sessionand a maximum session duration of 55 minutes (3300 seconds).Cortex XSIAM uses the temporary credentials to assume the CortexPlatformRole and perform read-only discovery and permissions analysis.
Security considerations
Cortex XSIAM incorporates the following security considerations to protect your Alibaba Cloud environment:
No persistent credentials: OIDC tokens have a maximum expiry of 1 hour (3600 seconds) and STS sessions expire after 55 minutes (3300 seconds). Credentials are never stored. Instead, they are obtained on demand and discarded after use.
Single identity, minimal blast radius: A single RAM role with read-only permissions limits the blast radius. Compromising the role grants no write access to any Alibaba Cloud resource.
Auditability: All Cortex XSIAM operations are logged in Alibaba Cloud ActionTrail under the session name Cortex-WIF-Session. SOC teams can monitor and audit all Cortex access patterns independently.
Operational control: The CortexPlatformRole can be disabled or deleted at any time in the Alibaba Cloud console to immediately revoke Cortex XSIAM access.