This solution enables your enterprise to securely control access to your cloud services and resources. It lets you set up a clear account hierarchy (single and multiple accounts) that mirrors your organizational structure, so you can manage your cloud resources more efficiently while tracking your spending. It also keeps track of your account and configuration changes to help you meet auditing and compliance requirements.
Up to Date with Compliance Requirements
Alibaba Cloud is up to date with the requirements of China Classified Protection of Cybersecurity 2.0 and has a professional team dedicated to defining standards for building compliant systems on the cloud.
Easy Resource Management
This solution offers you an easy way to boost your resource management efficiency: you can set up a clear single-account or multi-account organizational structure based on your business needs and track spending by account or project.
IT Governance Challenges
Identity Management & Access Control
Enterprises require comprehensive and advanced account and resource security capabilities. These include managing accounts (creating, authenticating, and grouping them), defining fine-grained role-based policies for individual resource access, and ensuring that resources are isolated and only authorized access is allowed.
When a single account cannot meet an enterprise's requirements, the enterprise needs to create multiple accounts in a hierarchy that mirrors its organizational structure. In addition, it has to make sure that different accounts can be managed by different teams while access to shared resources across these accounts remains intact.
Meet Auditing Compliance Requirements
Enterprises need to demonstrate compliance with the help of a well-defined auditing framework that can monitor and track all operations from all accounts and users. They must also retain historical configuration changes for compliance auditing.
Resource Access Management
Resource Access Management (RAM) is an identity and access control service that enables you to centrally manage your user accounts and securely control access to your resources. You can create RAM users and RAM user groups to grant or deny access to your resources based on these entities. RAM provides you with unified access control, conditional access control, easy-to-use identity federation and single sign-on, fine-grained access control, predefined authorization policies, and multiple access methods.
Resource Management provides a number of key features to help you manage your IT assets and resources, including resource groups and resource directory. Resource directory allows you to set up a multi-account structure to pair different accounts with different resources, while resource groups let you define how lower-level resources within a single account are organized. This lets you define a hierarchy that reflects your resource management model, using object types such as directories, folders, accounts, and resource groups, to organize and manage your resources more efficiently while keeping track of your spending and costs by project or account.
ActionTrail & Cloud Config
ActionTrail helps you keep track of all operations made by Alibaba Cloud accounts, whether made through the consoles, APIs, SDKs, or CLIs. You can download these tracked events or save them in cloud storage. The tracked events are important data for behavior analysis, security analysis, resource change tracking, and auditing and compliance evaluation. Cloud Config is a configuration audit service that provides the configuration history of cloud resources and audits the compliance of resource configurations. This product helps you set up self-monitoring infrastructure with continuous compliance assurance.
How It Works
This scenario is for customers who need to manage permissions and cloud resources by business attribute. Specifically, these customers need to arrange resources by groups such as project, company code, department, and product line, and then set access permissions for these groups. This way, they can ensure isolation between different types of resources and grant access when needed.
You can use user groups to manage role-based access control more easily. You can sort users into user groups, depending on the role each user takes and the tasks they need to perform. For example, you can create user groups for administrators, developers, and financial specialists. You can grant each user group specific permissions to access resources. When you add a user to a user group, the user automatically has the permissions of the user group.
You can also use resource groups to cluster together resources that serve the same function. When you grant permissions, you can allow a certain user group to access the resources in a certain resource group.
This scenario is for customers who require a more advanced account management architecture that involves multiple Alibaba Cloud accounts affiliated with an enterprise master account.
You can create an Alibaba Cloud enterprise master account and a hierarchy of organizational units. You can create up to five levels of organizational units in the hierarchy to reflect your organizational structure. Then you can add your member accounts into each organizational unit. In this way, you can manage your account permissions, calculate and analyze costs, better meet compliance requirements, and more.
This scenario is for customers who need to audit all operations occurring on the cloud and to meet relevant compliance requirements. These customers usually need to track and evaluate configuration changes according to security, compliance, and corporate policies. They also need to receive alerts if there are abnormal configurations. Enterprises that have business operations in China must also meet the China Classified Protection of Cybersecurity 2.0 compliance auditing requirements.
Alibaba Cloud provides a host of audit functionalities to support the auditing of operations and configurations on the cloud. For example, you can use ActionTrail to track, consolidate, and analyze all operations made by cloud users to meet your audit requirements. Additionally, you can use Cloud Config to define your own compliance rules to monitor and control configuration changes. When non-compliant configurations are applied, the designated responsible person will be notified and be able to take immediate action. These functionalities are the pillars of your efforts to ensure the compliance of both operations and configurations, including China Classified Protection of Cybersecurity 2.0 requirements for your China business operations.
Enabling Operation and Configuration Auditing on Alibaba Cloud
With a combination of multiple Alibaba Cloud services, you can achieve proactive governance based on effective auditing and automatic monitoring and alerting on all your cloud resources.
Setting up the Stage for Enterprise-Grade Deployment on Alibaba Cloud
This article shows you how to set up an enterprise-grade deployment for managing thousands of users while maintaining centralized governance on the cloud.
Resource Access Management
Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions.
ActionTrail is an Alibaba Cloud service that records the operations on your Alibaba Cloud resources.
Cloud Config is a configuration audit service that tracks and audits configurations of your Alibaba Cloud resources, helping you achieve the compliance of resource configurations.