Changes

Alibaba Cloud is committed to continuously enhancing the security of its cloud services and supporting you in better protecting your accounts and assets. To strengthen the baseline security posture of Alibaba Cloud accounts, starting April 8, 2026, the following RAM (Resource Access Management) security settings will adopt stricter default values upon first use of RAM for all newly created Alibaba Cloud accounts:

• User password policy: By default, passwords must contain at least two character types — digits and lowercase letters;
• Max idle days for user: Default value set to 365 days — if a RAM user does not log on to the Alibaba Cloud console for 365 days, the user's console access configuration will be automatically disabled;
• Max idle days for AccessKey: Default value set to 365 days — if an AccessKey is not used to make any API calls for 365 days, it will be automatically disabled.

Impact

This change applies only to Alibaba Cloud accounts that first use Resource Access Management service on or after April 8, 2026, and has no effect on existing accounts or their current RAM configurations. All the above settings can be customized by administrators with the AliyunRAMFullAccess permission via the RAM console or OpenAPI.

We recommend that you:

• Enforce strong password policies ;
• Regularly audit and deactivate long-inactive RAM users and unused AccessKeys to mitigate credential leakage risks.

For configuration instructions and security best practices, refer to: Configure a Password Policy for RAM Users, Manage Security Settings of RAM Users.

If you have questions or require further assistance, please contact us anytime via support ticket or our service hotline. Thank you for your understanding and cooperation.