This topic describes how to use Resource Access Management (RAM) to apply the access and security settings of RAM to Alibaba Cloud resources of your enterprise. This helps you manage resource permissions by implementing fine-grained access control.

Background information

When you migrate your workloads to the cloud, traditional organizational structures or existing methods used to manage resources may no longer meet your business requirements. You may encounter the following security management issues when you migrate your workloads to the cloud:

  • The roles and responsibilities of RAM users are not clear.
  • You do not want to share the AccessKey pair of your Alibaba Cloud account with the RAM users due to security concerns.
  • The RAM users can use different methods to access resources, which may lead to security risks.
  • Resource permissions that are granted to the RAM users must be removed when the RAM users no longer require these permissions.

Solution

To resolve the preceding issues, you can use RAM to create RAM users and grant the RAM users permissions to access the resources. You can use RAM to prevent RAM users from sharing the AccessKey pair of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. This way, permission management is simplified, and resource security is ensured.

Solution

Security management solution

  • Create RAM users.

    Only one Alibaba Cloud account is required. You can create RAM users for your employees. Then, you can attach different policies to the RAM users. This ensures fine-grained access control. You do not need to use your Alibaba Cloud account to perform O&M.

    For more information, see Create a RAM user.

  • Separate console users from API users.

    We recommend that you do not create a logon password for console operations and an AccessKey pair for API operations for a RAM user at the same time.

    • To allow an application to access resources by calling API operations, you need only to create an AccessKey pair for the application.
    • To allow an employee to manage resources by using the console, you need only to set a logon password for the RAM user of the employee.

    For more information, see Create a RAM user.

  • Create and group RAM users.

    If your Alibaba Cloud account has multiple RAM users, you can group the RAM users based on their responsibilities and grant permissions to the groups.

    For more information, see Create a user group.

  • Grant the minimum permissions to different RAM user groups.

    You can attach system policies to RAM users or RAM user groups. You can also create custom policies and attach them to RAM users or RAM user groups for fine-grained access control. You can grant the minimum permissions to different RAM users or RAM user groups. This helps you better manage access permissions on resources.

    Note In a simple scenario, you can create a few RAM users and grant the required permissions to the RAM users. In a complex scenario, you may have a large number of RAM users. We recommend that you add RAM users with the same responsibilities to the same user group and then grant the required permissions to the user group. This facilitates permission management.

    For more information, see Create a custom policy and Grant permissions to a RAM user group.

  • Configure strong logon password policies.

    You can configure logon password policies that specify the minimum length, mandatory characters, and validity period of passwords for RAM users in the RAM console. If you authorize a RAM user to change the logon password, the RAM user must create a strong logon password and rotate the password or AccessKey pair on a regular basis.

    For more information, see Configure security policies for RAM users.

  • Enable an MFA device for your Alibaba Cloud account.

    You can enable a multi-factor authentication (MFA) device for your Alibaba Cloud account to enhance account security. This adds an extra layer of protection in addition to your username and password. After you enable an MFA device, a RAM user must perform the following operations when the RAM user logs on to the Alibaba Cloud Management Console:

    1. Enter a valid username and password.
    2. Enter the verification code that is generated by the virtual MFA device. Alternatively, pass the U2F authentication.

    For more information, see Enable an MFA device for an Alibaba Cloud account.

  • Enable SSO for RAM users.

    After single sign-on (SSO) is enabled, all internal accounts of your enterprise are authenticated. Then, RAM users can log on to Alibaba Cloud and access resources only by using an internal account.

    For more information, see SSO overview.

  • Do not create an AccessKey pair for your Alibaba Cloud account.

    The AccessKey pair of your Alibaba Cloud account has the same permissions as the logon password. The AccessKey pair is used for programmatic access whereas the logon password is used for console logon. Your Alibaba Cloud account has full permissions on your resources. To prevent the security risks caused by AccessKey pair leaks, we recommend that you do not create an AccessKey pair for your Alibaba Cloud account or use the AccessKey pair to perform daily operations.

    You can create AccessKey pairs for RAM users and use the RAM users to perform daily operations.

    For more information, see Create an AccessKey pair for a RAM user.

  • Specify the condition element in policies to enhance security.

    You can specify the condition element in a policy to allow RAM users to use a specified source IP address to access your resources or access your resources within a specified period of time.

    For more information, see Policy elements.

  • Manage permissions on your resources.

    By default, your Alibaba Cloud account owns all of your resources and has full control over the resources. The RAM users of your Alibaba Cloud account can use the resources, but do not own the resources. This allows you to manage instances or other resources that are created by the RAM users.

    • If you no longer need an existing RAM user, you can delete the RAM user to revoke all permissions that are granted to the RAM user.
    • If you require a new RAM user, you can create a RAM user, set a logon password or AccessKey pair for the RAM user, and then grant the RAM user the required permissions.

    For more information, see Grant permissions to a RAM user.

  • Use STS to grant temporary permissions to RAM roles.

    A RAM role does not have permanent identity credentials. A RAM role can only be assumed by using an issued Security Token Service (STS) token to access Alibaba Cloud resources.

    For more information, see What is STS?.

Result

After you migrate your workloads to Alibaba Cloud, you can use the solution described in this topic based on your business requirements. The solution allows you to manage your resources and protect your Alibaba Cloud account and assets in an effective and efficient manner.

What to do next

You can use RAM to categorize your O&M tasks and assign the tasks to different O&M personnel (RAM users). For more information, see Use RAM to manage permissions of O&M engineers.