Overview

Last Updated: Jul 06, 2021

This document describes how to complete the basic settings for an Alibaba Cloud account and establish a basic environment. The basic environment does not involve specific business systems. This document introduces a basic framework and some specific rules to ensure the security of the Alibaba Cloud account. If this framework does not meet your IT governance requirements, you can customize the framework. For complicated scenarios, Alibaba Cloud plans to release a tailored IT governance solution for large- and medium-sized enterprises.

Introduction

Assume that Company A, an Internet technology start-up, has purchased resources from Alibaba Cloud to carry out business. The company is co-founded by CEO Anny and CTO Alan. The company has teams such as product, research and development (R&D), sales, finance, and human resources. The product and R&D teams have a total of 20 members. CTO Alan creates an Alibaba Cloud account and completes enterprise real-name authentication. Two senior members in the R&D team use the account to manage the purchased cloud resources, and other members in the R&D team use the account to access different cloud resources to develop and operate their own modules. One member in the finance team uses the account to manage bills and invoices on Alibaba Cloud.

The primary goal of Company A is business growth. However, as the company grows, the following risks may arise:

  • CTO Alan may share the credentials of the Alibaba Cloud account with the two senior members in the R&D team.

    Potential risk: The account has access permissions to all Alibaba Cloud resources. If the password of the account is leaked, all assets that the company has deployed on Alibaba Cloud are exposed.

  • The two senior members in the R&D team may create several RAM users for different teams.

    Potential risk: All members in a team share the same RAM user. If a member deletes a cloud resource, it is hard to identify the responsible member.

  • The AdministratorAccess permission may be granted to all members.

    Potential risk: As the number of cloud resources increases, each member specializes in more detailed tasks. Members who have the AdministratorAccess permission may access cloud resources that they are not supposed to access. This may lead to security risks.

In fact, the preceding risks can be prevented. After you create an Alibaba Cloud account, we recommend that you complete the basic settings for the account before you use cloud resources to build your business systems. This configuration process is the establishment of a basic environment for IT governance. This process involves the minimal settings to ensure security and convenience for operations and maintenance (O&M) on your account.

We recommend that every enterprise establish the basic environment described in this document. However, if your O&M team for your IT cloud infrastructure has more than 5 members with more than 50 Elastic Compute Service (ECS) instances or other resources, and more than 5 R&D projects are running on Alibaba Cloud, the basic configurations described in this document may not meet your security, compliance, and IT governance requirements. Alibaba Cloud plans to release a tailored IT governance solution for large- and medium-sized enterprises.

Establish a basic environment

Procedure

  1. Create an Alibaba Cloud account and complete enterprise real-name authentication.

  2. Complete security settings of the account, create RAM users, and then grant permissions to the RAM users, which minimizes the use of the Alibaba Cloud account.

  3. Complete the following RAM settings:

    1. Create custom policies for system administrators.

    2. Configure a password policy for the RAM users.

    3. Configure RAM user groups, which simplifies RAM user authorization.

  4. Complete basic network settings. For example, you can create a virtual private cloud (VPC) and a security group.

You can use the Alibaba Cloud Management Console or code to establish the basic environment.

Architecture

After you complete the preceding procedure, a basic environment is established, as shown in the following figure. This document walks you through how to build the modules in the boxes with light blue dots. You can build your business systems based on the established basic environment.

[Figure: architecture of the sample basic environment]

Build business systems

Procedure

  1. Assign the admin user to administrators, such as an O&M director. The admin user can access all Alibaba Cloud resources. We recommend that you rename the admin user to the name of the administrator to avoid account sharing.

  2. Create RAM users for each member in the O&M team and add the RAM users to the CloudAdminGroup group. Then, these RAM users can access all Alibaba Cloud resources.

  3. Create RAM users for each member in the R&D and test teams and add the RAM users to the SystemAdminGroup group. If your team has multiple roles, such as database administrators and network administrators, you can create user groups for each of the roles and grant the required permissions to the groups. Then, add the RAM users of each role to the groups.

  4. Create RAM users for each member in the finance team and add the RAM users to the BillingAdminGroup group. This way, the members of the finance team can process bills and invoices on Alibaba Cloud.

  5. Optional. If your enterprise has an access control policy that allows access to Alibaba Cloud resources only over an internal network, create a custom policy and apply the policy to the CommonUserGroup group. For more information, see Use RAM to limit the IP addresses used to access Alibaba Cloud resources. If you want to apply the access control policy to the groups for system administrators and database administrators, add these RAM users to the CommonUserGroup group. The RAM users are subject to the permissions and limits of their own and of all RAM user groups to which they belong.

    For more information, see Policy check rules.

  6. Create RAM users for each business system, grant permissions, and create AccessKey pairs. This way, applications of each business system can access the resources of the Alibaba Cloud account.

    Note: Do not create AccessKey pairs for applications by using the RAM user of an individual member. If the member resigns or transfers to a different job, the AccessKey pairs cannot be properly handled.

  7. Configure Internet access methods, Server Load Balancer (SLB), Object Storage Service (OSS), and monitoring and backup systems based on your business requirements. The Internet access methods include NAT Gateway.

  8. Build your business systems. For example, use RAM users with required permissions to create ECS instances and configure CDN.

  9. View event logs on a regular basis or save event logs to OSS or Log Service. For more information, see Query historical events in the ActionTrail console.
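The policy check rules that step 5 relies on, as an added example that is not part of the original document: a small Python evaluator over constructed RAM-style policies for the SystemAdminGroup and CommonUserGroup groups, showing why adding an administrator's RAM user to CommonUserGroup also subjects it to the internal-network restriction. The group names come from the procedure above; the policy contents, the 10.0.0.0/8 range and the evaluator itself are assumptions.

```python
import fnmatch
import ipaddress

# Constructed group policies in RAM policy-document shape. SystemAdminGroup
# grants ECS rights; CommonUserGroup carries the "internal network only"
# restriction; 10.0.0.0/8 stands in for the enterprise's own address range.
GROUP_POLICIES = {
    "SystemAdminGroup": [{"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*", "vpc:Describe*"], "Resource": "*"}]}],
    "CommonUserGroup": [{"Version": "1", "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         # the Deny applies only when the caller's IP is outside the range
         "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}}]}],
}

def _action_matches(patterns, action):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def _condition_met(cond, ip):
    """Handle the two source-IP operators used here; no condition means met."""
    def in_any(cidrs):
        return any(ip in ipaddress.ip_network(c) for c in cidrs)
    if "IpAddress" in cond and not in_any(cond["IpAddress"]["acs:SourceIp"]):
        return False
    if "NotIpAddress" in cond and in_any(cond["NotIpAddress"]["acs:SourceIp"]):
        return False
    return True

def evaluate(groups, action, source_ip):
    """Decision for a RAM user in `groups` calling `action` from `source_ip`.
    A matching Deny wins; otherwise a matching Allow is required; with
    neither, the request is implicitly denied. Resource is assumed "*"."""
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for group in groups:
        for policy in GROUP_POLICIES.get(group, []):
            for st in policy["Statement"]:
                if not _action_matches(st["Action"], action):
                    continue
                if not _condition_met(st.get("Condition", {}), ip):
                    continue
                if st["Effect"] == "Deny":
                    return "Deny"  # explicit Deny overrides any Allow
                allowed = True
    return "Allow" if allowed else "Deny"
```

A user in SystemAdminGroup alone can call ECS from anywhere; once also placed in CommonUserGroup, the same call from an external address is denied while the call from an internal address still succeeds.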

Example

The following figure shows the architecture of a simple business system. The system is named DemoSystem and is used by Alice from the R&D team.

[Figure: architecture of the DemoSystem business system]

Procedure

  1. Create a RAM user for Alice.

    Use the admin user to create a RAM user for Alice and add the RAM user to the SystemAdminGroup group. Then, Alice can use the RAM user to log on to the Alibaba Cloud Management Console to build the business system.

  2. Create ECS instances.

    Alice uses the existing VPC, vSwitch, and security group to create two ECS instances.

  3. Configure SLB.

    1. Create an SLB instance. By default, the instance does not have a public IP address.

    2. Create elastic IP addresses (EIPs) and bind them to the SLB instance.

    3. Start an HTTP SLB listener. The listener accepts Internet traffic on port 80 and forwards it to the backend servers on port 8080.

    4. Add ECS instances to the SLB instance.

  4. Create an ApsaraDB RDS instance.

    Alice creates an ApsaraDB RDS instance by performing the following steps:

    1. Create an ApsaraDB RDS for MySQL instance.

    2. Create a privileged account.

    3. Create a database.

  5. Deploy business code.

    Deploy business code on the ECS and RDS instances. Then, the business system can provide services. If the DemoSystem business system needs to access Alibaba Cloud resources other than the cloud resources described in this document, you must use a RAM user in the CloudAdminGroup group to create a RAM user for the system. Then, create an AccessKey pair for the new RAM user and grant it the permissions that are required by the system. For more information about how to access OSS data, see Use RAM to manage OSS permissions. Make sure that the AccessKey pair created for the system remains confidential.