This topic describes how to allow only Resource Access Management (RAM) users that have multi-factor authentication (MFA) enabled to access Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances.
Prerequisites
- An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.
- A RAM user is created. For more information, see Create a RAM user.
- You have a basic knowledge of policy elements, structure, and syntax before you create a custom policy. For more information, see Policy elements and Policy structure and syntax.
Step 1: Enable MFA for a RAM user
- Log on to the RAM console with the Alibaba Cloud account.
- In the left-side navigation pane, click Users under Identities.
- In the User Logon Name/Display Name column, click the name of the RAM user.
- On the Authentication tab, click Enable the Virtual MFA Device.
- On a mobile device, download and log on to the Google Authenticator app.
- On the mobile device, open the app and scan the QR code.
- Enter the two successive security codes that are obtained from the app and click Enable.
Note: For more information about how to use MFA, see Enable an MFA device for a RAM user.
Step 2: Create a custom policy
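The following policy is an added example, not taken from the original page: it allows ECS actions only when the request was authenticated with MFA, using the RAM condition key `acs:MFAPresent`. The `ecs:*` action scope and the `*` resource are assumptions chosen to match the ECS example in the introduction; narrow both to what the RAM user actually needs.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "true"
        }
      }
    }
  ]
}
```

Because the only Allow statement carries the condition, a RAM user who logs on without MFA matches no Allow statement and is denied by default, provided no other attached policy grants the same actions unconditionally.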
Step 3: Attach the policy to the RAM user
- In the left-side navigation pane, click Users under Identities.
- In the User Logon Name/Display Name column, find the RAM user.
- In the Actions column, click Add Permissions. In the Add Permissions pane, the Principal field is automatically filled in.
- In the Authorization Policy Name column, click the custom policy that you created in Step 2.
- Click OK.
- Click Complete.