Allow only MFA-enabled RAM users to access cloud resources

Edit in GitHub

Last Updated: Oct 09, 2020 Edit in GitHub

This topic describes how to allow only Resource Access Management (RAM) users that have multi-factor authentication (MFA) enabled to access Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances.

Prerequisites

An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.
A RAM user is created. For more information, see Create a RAM user.
You have a basic knowledge of policy elements, structure, and syntax before you create a custom policy. For more information, see Policy elements and Policy structure and syntax.

Step 1: Enable MFA for a RAM user

Log on to the RAM console with the Alibaba Cloud account.
In the left-side navigation pane, click Users under Identities.
In the User Logon Name/Display Name column, click the name of the RAM user.
On the Authentication tab, click Enable the Virtual MFA Device.
On a mobile device, download and log on to the Google Authenticator app.
On the mobile device, open the app and scan the QR code.
Enter the two successive security codes that are obtained from the app and click Enable.

Note For more information about how to use MFA, see Enable an MFA device for a RAM user.

Step 2: Create a custom policy

In the left-side navigation pane, click Policies under Permissions.
On the Policies page, click Create Policy.
On the Create Custom Policy page, set the Policy Name and Note parameters.
In the Configuration Mode section, select Script.
Copy and paste the following sample script to the Policy Document text box, and then edit the script based on your business requirements.
```
{
    "Statement": [
        {
            "Action": "ecs:*",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "acs:MFAPresent": "true"
                }
            }
        }
    ],
    "Version": "1"
}
```
The policy indicates that only MFA-enabled RAM users can use the console to access ECS resources. This is because the value of the acs:MFAPresent key in the Condition element is true.

You can modify the policy to limit the access from RAM users to other cloud resources based on your business requirements.
Click OK.

Step 3: Attach the policy to the RAM user

In the left-side navigation pane, click Users under Identities.
In the User Logon Name/Display Name column, find the RAM user.
In the Actions column, click Add Permissions. In the Add Permissions pane, the Principal field is automatically filled in.
In the Authorization Policy Name column, click the custom policy that you created in Step 2.
Click OK.
Click Complete.