This topic describes how to use your Alibaba Cloud account to set security policies for RAM users.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click Settings under Identities.
  3. On the Security Settings tab, click Update RAM User Security Settings. In the dialog box that appears, configure the following parameters:
    • Save MFA Logon Status for 7 Days: specifies whether to allow RAM users to keep the multi-factor authentication (MFA) devices logged on for seven days. By default, this parameter is set to Not Allowed.
    • Manage Passwords: specifies whether to allow RAM users to change their passwords.
    • Manage AccessKey: specifies whether to allow RAM users to change their AccessKey pairs.
    • Manage MFA Devices: specifies whether to allow RAM users to enable and disable MFA devices.
    • Logon Session Valid For: specifies the maximum duration of a logon session. The validity period is measured in hours.
      Note If you log on to the Alibaba Cloud console by assuming a RAM role or using single sign-on (SSO), the maximum session duration is limited by the Logon Session Valid For parameter. For more information, see Assume a RAM role and SAML assertions for role-based SSO.
    • Logon Address Mask: specifies the IP addresses that can be used for password logon or SSO. By default, this parameter is unspecified, which indicates that logon from all IP addresses is allowed. If you use the password or SSO to log on to the Alibaba Cloud console, you can initiate access requests only from the IP addresses that are specified by the subnet masks. However, you can use AccessKey pairs to call API operations to access Alibaba Cloud resources from all IP addresses regardless of the subnet mask setting.
  4. Click OK.
    Note The settings apply to all the RAM users of your Alibaba Cloud account.