Today, we will take a look back at a few questions I have received during live training sessions and classes.
But first...Happy Friday! If you're in China, Happy National Day also!
Ok, let's get started!
Good question. It depends! Let's consider a few different scenarios.
If the contractor just needs to SSH or RDP into a virtual machine and make operating system level changes, you might want to look at Bastion Host. This will give you a single point-of-logon for all your employees and third party contractors, and has the added benefit that it records what commands were carried out, so you can make sure nobody is doing anything they aren't supposed to be doing.
In this case, your best approach would be to create a RAM User by following this Quick Start guide, then attach one or more RAM Policies to the RAM user. You want to make sure you provide only the minimum necessary permissions to the RAM user, so you'll need to learn how to write custom RAM policies. You can get some examples here.
The very best way to provide access to third parties is via a RAM Role. This way, your contractor or third-party developer can access your account from a RAM user that they create and maintain themselves under their own account. They just need to use the AssumeRole function in RAM to "switch over" to a RAM role in your account, whenever they need access.
This is also good for you because it makes revoking the third party's permissions very easy...simply delete the RAM Role they are using. This won't affect the RAM user that the third party has set up in their own account, but will make it impossible for them to access your account via AssumeRole. Easy!
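An added example, not from the original post: a small Python check for the two documents the advice above depends on, the role's trust policy (who may call AssumeRole) and the permission policy attached to the RAM user or role (minimum necessary permissions). The sample policies and the 16-digit account ID are constructed placeholders, and the wildcard rules are a simple review heuristic, not an Alibaba Cloud tool.

```python
import json

# Constructed samples in RAM policy syntax; the 16-digit account ID is a placeholder.
CONTRACTOR_ACCOUNT = "1234567890123456"
TRUST_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"RAM": ["acs:ram::1234567890123456:root"]}}]
}""")
TOO_BROAD = json.loads("""{
  "Version": "1",
  "Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]
}""")
SCOPED = json.loads("""{
  "Version": "1",
  "Statement": [{"Effect": "Allow",
                 "Action": ["ecs:DescribeInstances", "ecs:RebootInstance"],
                 "Resource": "acs:ecs:*:*:instance/*"}]
}""")

def _as_list(value):
    """RAM policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def lint_trust_policy(policy, allowed_account):
    """Flag principals other than the one external account meant to assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for kind, principals in stmt.get("Principal", {}).items():
            for p in _as_list(principals):
                # Expected form: acs:ram::<account-id>:root -> field 3 is the account.
                if kind != "RAM" or p.split(":")[3:4] != [allowed_account]:
                    findings.append(f"unexpected principal {kind}:{p}")
    return findings

def lint_permission_policy(policy):
    """Flag Allow statements whose Action or Resource is a wildcard grant."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append("resource is '*'")
    return findings
```

Run both checks before handing a role to a third party; an empty list from each means the trust policy names only the expected account and the permissions contain no wildcard grants.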
First, to create and organize multiple accounts, you should be using Resource Directory.
Note that you can only use this service if you have created an Enterprise Account on Alibaba Cloud. This involves going through a process to verify your business name and registration info (your tax number, company ID, etc.). So if you haven't done that already, you should get started now!
Once you have created a Resource Directory, you can set up an organizational structure using "folders", and create one or more new Alibaba Cloud accounts within this structure.
You can then apply Control Policies to the folders within Resource Directory, which will affect what your accounts can and cannot do. Easy!
Read the documentation (links above) to get a clearer idea of how this works. Control Policy in Resource Directory is basically "RAM Policy on steroids", so if you already know how to create RAM policies, you should have no trouble with Control Policy.
That's it for this week! Enjoy your weekend!
Great! Reach out to me at firstname.lastname@example.org and I'll do my best to answer in a future Friday Q&A blog.
You can also follow the Alibaba Cloud Academy LinkedIn Page. We'll re-post these blogs there each Friday.