
Resource Access Management:Manage security settings of RAM users

Last Updated:Nov 20, 2023

An Alibaba Cloud account or a Resource Access Management (RAM) user that has administrative rights can manage security settings of RAM users to improve the security of the RAM users. Security settings are global settings, which take effect on all RAM users.

Procedure

  1. Log on to the RAM console with your Alibaba Cloud account or as a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Settings.

  3. In the RAM User Security section of the Security Settings tab, click Modify RAM User Security Settings.

  4. In the Modify RAM User Security Settings panel, configure the parameters.

    • Remember MFA for Seven Days: specifies whether to allow RAM users to remember the multi-factor authentication (MFA) devices for seven days.

    • Manage Passwords: specifies whether to allow RAM users to change their passwords.

    • Manage AccessKey Pairs: specifies whether to allow RAM users to manage their AccessKey pairs.

    • Manage MFA Devices: specifies whether to allow RAM users to enable and disable MFA devices.

    • MFA for RAM User Logons: specifies whether MFA is required for all RAM users when the RAM users use usernames and passwords to log on to the Alibaba Cloud Management Console.

      • Enable for All Users: specifies that MFA is required for all RAM users.

        Note

        If you select Enable for All Users for the MFA for RAM User Logons parameter, MFA for sensitive operations is enabled for all RAM users. If a RAM user wants to perform a sensitive operation in the Alibaba Cloud Management Console, risk control is triggered and the RAM user is required to pass MFA again. For more information, see MFA for sensitive operations.

      • Apply User-specific Configuration: specifies that user-specific settings are applied. For more information, see Manage console logon settings for a RAM user.

      • Required Only for Unusual Logon: MFA is required only when a logon is initiated from a location or device that differs from the common logon locations or devices of the RAM user.

        If you select Required Only for Unusual Logon, you must also configure the Whether to Enable MFA Upon Unusual Logon parameter.

        • Must Bind MFA Device: MFA is required for unusual logons.

        • Skip and Do Not Bind MFA Device: RAM users who initiate unusual logons are prompted for MFA, but they are allowed to skip it.

      Note

      If you set MFA for RAM User Logons to Required Only for Unusual Logon, MFA is required only during unusual logons. If a policy uses the condition key acs:MFAPresent, RAM users who initiate usual logons are not prompted for MFA, so the condition key evaluates as failed and the policy condition is not met. If you want the condition key to take effect, we recommend that you set the MFA for RAM User Logons parameter to Apply User-specific Configuration.

    • Keep Logged On to Alibaba Cloud App: specifies whether to allow RAM users to stay logged on to the Alibaba Cloud app for a long period of time.

    • Logon Session Validity Period: specifies the validity period of a logon session. The validity period is measured in hours. Valid values: 1 to 24. Default value: 6.

      Note

      If you assume a RAM role or use single sign-on (SSO) to log on to the Alibaba Cloud Management Console, the validity period of your session is no greater than the value of the Logon Session Validity Period parameter. For more information, see Assume a RAM role and SAML response for role-based SSO.

    • Logon Address Mask: specifies the IP addresses from which you can log on to the Alibaba Cloud Management Console by using a password or SSO. By default, this parameter is left empty, which indicates that logon from all IP addresses is allowed. If you enter IP addresses in this field, console logons, including password-based and SSO-based logons, are allowed only from these IP addresses. API calls that are initiated by using AccessKey pairs are not limited by this parameter. You can click Add to enter up to 40 IP addresses.

  5. Click OK.
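The following script is an added example, not code from Alibaba Cloud or from this document. It checks a proposed set of the step 4 parameters before you click OK: the 1 to 24 hour range of Logon Session Validity Period, the 40-entry limit and syntax of Logon Address Mask (the assumption that both single IP addresses and CIDR blocks are accepted is the author's), and the interaction described in the note above, in which Required Only for Unusual Logon makes acs:MFAPresent fail for usual logons. Setting names mirror the console labels on this page; RAM API field names are not assumed. The sample policy is constructed for the example.

```python
"""Pre-change consistency check for the RAM user security settings listed in step 4.

Added example, not Alibaba Cloud code. Settings are keyed by the console labels
used on this page; RAM API field names are not assumed.
"""
import ipaddress
import json
from typing import Any

MFA_MODES = {
    "Enable for All Users",
    "Apply User-specific Configuration",
    "Required Only for Unusual Logon",
}
UNUSUAL_LOGON_OPTIONS = {"Must Bind MFA Device", "Skip and Do Not Bind MFA Device"}
MFA_CONDITION_KEY = "acs:MFAPresent"
MAX_LOGON_MASKS = 40  # page: "up to 40 IP addresses"

# Constructed sample policy: AccessKey creation is allowed only in a session that
# passed MFA. This is the kind of policy the note above warns about.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ram:CreateAccessKey"],
        "Resource": "*",
        "Condition": {"Bool": {MFA_CONDITION_KEY: "true"}},
    }],
})


def _condition_keys(node: Any) -> set[str]:
    """Collect every condition key under every "Condition" block of a parsed policy."""
    keys: set[str] = set()
    if isinstance(node, dict):
        for name, value in node.items():
            if name == "Condition" and isinstance(value, dict):
                for operator_block in value.values():
                    if isinstance(operator_block, dict):
                        keys.update(operator_block.keys())
            keys |= _condition_keys(value)
    elif isinstance(node, list):
        for item in node:
            keys |= _condition_keys(item)
    return keys


def policies_using_mfa_present(policies: list[str]) -> int:
    """Count policy documents whose conditions reference acs:MFAPresent (case-insensitive)."""
    count = 0
    for doc in policies:
        keys = {k.lower() for k in _condition_keys(json.loads(doc))}
        if MFA_CONDITION_KEY.lower() in keys:
            count += 1
    return count


def check_settings(settings: dict, policies: list[str]) -> list[str]:
    """Return findings for a proposed settings dict; an empty list means nothing was flagged."""
    findings: list[str] = []

    mode = settings.get("MFA for RAM User Logons")
    if mode not in MFA_MODES:
        findings.append(f"MFA for RAM User Logons must be one of {sorted(MFA_MODES)}")

    hours = settings.get("Logon Session Validity Period", 6)  # page: default value 6
    if not isinstance(hours, int) or not 1 <= hours <= 24:
        findings.append("Logon Session Validity Period must be an integer from 1 to 24 hours")

    masks = settings.get("Logon Address Mask", [])
    if len(masks) > MAX_LOGON_MASKS:
        findings.append(f"Logon Address Mask allows at most {MAX_LOGON_MASKS} entries")
    for mask in masks:
        try:
            ipaddress.ip_network(mask, strict=False)  # assumption: single IP or CIDR accepted
        except ValueError:
            findings.append(f"Logon Address Mask entry is not a valid IP address or CIDR block: {mask!r}")

    if mode == "Required Only for Unusual Logon":
        if settings.get("Whether to Enable MFA Upon Unusual Logon") not in UNUSUAL_LOGON_OPTIONS:
            findings.append("Required Only for Unusual Logon also requires Whether to Enable MFA Upon Unusual Logon")
        affected = policies_using_mfa_present(policies)
        if affected:
            findings.append(
                f"{affected} policy document(s) use {MFA_CONDITION_KEY}, but MFA is prompted only for "
                "unusual logons, so the condition fails for usual logons; "
                "set MFA for RAM User Logons to Apply User-specific Configuration"
            )
    return findings


if __name__ == "__main__":
    proposed = {
        "MFA for RAM User Logons": "Required Only for Unusual Logon",
        "Logon Session Validity Period": 6,
        "Logon Address Mask": ["203.0.113.0/24"],
    }
    for finding in check_settings(proposed, [SAMPLE_POLICY]):
        print("-", finding)
```

Run it against the settings you intend to apply and the policy documents attached to your RAM users; any finding about acs:MFAPresent means the policy condition would silently fail for usual logons under the selected MFA mode.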