By the Open API Team
Alibaba Cloud Resource Access Management (RAM) is an identity and access control service that enables you to centrally manage your users and securely control their access to your resources through permission levels. With RAM, you can easily create and manage users, including employees and apps developed by your enterprise. You can control the access permissions of these users for cloud resources, allowing for collaborative work while protecting your account from any unsolicited access.
The ability to protect cloud resources and mitigate risks is necessary for a successful enterprise cloud migration. In various cloud-native app scenarios, RAM provides customers with diversified access control mechanisms and enables enterprises to implement the principle of least privilege across full-stack systems such as DevOps, the computing environment, apps, and data access. These benefits reduce the attack surface of cloud resources and effectively control the information security risks involved in enterprise cloud migration.
RAM has provided identity security and access management services to over 100,000 enterprise customers. Based on the Attribute Based Access Control (ABAC) security model, RAM provides customers with fine-grained access control over cloud resources and supports the following cloud-native app scenarios:
Recently, the RAM Single Sign-On (SSO) function was released to support a new scenario: logging on to Alibaba Cloud using internal enterprise accounts.
Let's assume that your enterprise has deployed a local domain account system, such as Microsoft AD or AD FS. To meet the enterprise's security management and compliance requirements, all employees must pass a unified identity verification of the enterprise domain account system before they can perform any operations on resources, including cloud resources. In this case, employees are prohibited from using independent user accounts and passwords to directly operate on cloud resources. To meet the security and compliance requirements, a similar security capability is required from the cloud service provider.
Alibaba Cloud RAM supports the Security Assertion Markup Language 2.0 (SAML 2.0) standard for identity federation, which is widely used by enterprise-level identity providers (IdPs). By activating the RAM user federated Single Sign-On (SSO) service under the cloud account, you can use internal enterprise accounts to log on to Alibaba Cloud.
In scenarios where Alibaba Cloud services are integrated with an enterprise identity system, Alibaba Cloud serves as the service provider (SP) while the enterprise identity system serves as the IdP. Figure 1 shows how employees of an enterprise log on to the Alibaba Cloud console through their own enterprise identity system.
Figure 1. Basic process of using internal enterprise accounts to log on to the Alibaba Cloud console
After the administrator configures SAML federated SSO, enterprise employees can log on to the Alibaba Cloud console by using the method shown in Figure 1.
Note: In step 1, the employee does not have to start from the Alibaba Cloud console. Instead, the employee can click the link on the enterprise's own IdP logon page, which sends a SAML authentication request to the enterprise IdP and then redirects the employee to the Alibaba Cloud console.
For more information about the working principles and configuration method of SAML federated SSO, visit the official RAM documentation page for SSO Federation Logon.
In the single-account scenario, assume that your enterprise has only one cloud account, which holds resources including VMs, networks, databases, and storage. The same account is used to manage RAM users and their permissions. Figure 2 shows the proposed SSO model.
Figure 2. Single-account management and SSO model for on-cloud enterprises
Recommendations: Use this account as an SP for identity federation with the enterprise's local IdP, and use RAM to control user access to cloud resources.
In the multi-account scenario, assume that your enterprise has two cloud accounts, A1 and A2, which are referred to as workload accounts. Both accounts host resources such as VMs, networks, databases, and storage. Figure 3 shows the proposed SSO model.
Figure 3. Multi-account management and SSO model for on-cloud enterprises
Recommendations: Create an independent cloud account, referred to as the identity account, that hosts no workload resources and in which you only create RAM users. Use this account as the SP for identity federation with the enterprise's local IdP. Then, use the cross-account access function provided by Alibaba Cloud RAM to authorize the employees to access the resources under A1 and A2.
To learn more about Alibaba Cloud Resource Access Management, visit https://www.alibabacloud.com/product/ram