This topic describes how to allow only the Resource Access Management (RAM) users that have multi-factor authentication (MFA) enabled to access Alibaba Cloud resources, such as Elastic Compute Service (ECS) resources.

Prerequisites

  • You have basic knowledge of the policy elements, structure, and syntax before you create a custom policy. For more information, see Policy elements and Policy structure and syntax.
  • The Google Authenticator app is downloaded and installed on your mobile device. You can use one of the following methods to download the Google Authenticator app:
    • For iOS, download the Google Authenticator app from the App Store.
    • For Android, download the Google Authenticator app from your preferred app store.
      Note For Android, you must download and install a quick response (QR) code scanner from an app store for the Google Authenticator app to identify QR codes.

Step 1: Create a custom policy

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Custom Policy page, specify the Policy Name and Note parameters.
  5. Set Configuration Mode to Script and enter the following information.

    The following policy indicates that only MFA-enabled RAM users can access ECS resources by using the Alibaba Cloud Management Console. The acs:MFAPresent condition key in the Condition element is set to true.

    {
        "Statement": [
            {
                "Action": "ecs:*",
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "acs:MFAPresent": "true"
                    }
                }
            }
        ],
        "Version": "1"
    }
    Note The Condition element applies only to the actions specified for the current policy. You can also modify the policy to limit the access from RAM users to other cloud resources based on your business requirements.
  6. Click OK.
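    The following Python snippet is an added example (not part of the original page or of any Alibaba Cloud SDK) that evaluates the policy above against a request context so you can see what the acs:MFAPresent condition does: a RAM user without MFA gets an implicit deny on ECS actions, and, as the Note says, the condition is scoped to this statement only, so a second unconditional policy attached to the same user would still grant access. The evaluator, the UNCONDITIONAL_ECS_POLICY document and the mfa_only_policy helper are constructed here for illustration and only model the Bool operator.

```python
import fnmatch
import json

# The Step 1 policy, embedded here as constructed sample input.
MFA_ONLY_ECS_POLICY = json.loads("""{
  "Statement": [{"Action": "ecs:*", "Effect": "Allow", "Resource": "*",
                 "Condition": {"Bool": {"acs:MFAPresent": "true"}}}],
  "Version": "1"}""")

# A constructed second policy with no Condition, to show the caveat in the
# Note above: conditions are per statement, not per user.
UNCONDITIONAL_ECS_POLICY = {"Statement": [{"Action": "ecs:*", "Effect": "Allow",
                                           "Resource": "*"}], "Version": "1"}


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    # Only the Bool operator is modelled, since that is all the policy uses.
    # A key missing from the request context never satisfies the condition.
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in context or str(context[key]).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policies, action, resource, context):
    """Simplified RAM-style evaluation: an explicit Deny wins, otherwise any
    matching Allow grants access, otherwise the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def mfa_only_policy(service):
    """Build the same MFA-gated statement for another service, as the Note
    above suggests, e.g. mfa_only_policy("oss")."""
    return {"Statement": [{"Action": f"{service}:*", "Effect": "Allow", "Resource": "*",
                           "Condition": {"Bool": {"acs:MFAPresent": "true"}}}],
            "Version": "1"}
```

When you audit a RAM user, check every policy attached to it, not just this one: an unconditional Allow on the same actions makes the MFA gate ineffective.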

Step 2: Create a RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. On the Create User page, specify Logon Name and Display Name in the User Account Information section.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select Console Access or Programmatic Access.
    • Console Access: If you select this access mode, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset on the next logon, and whether to enable multi-factor authentication (MFA).
      Note If you select Custom Logon Password in the Console Password section, you must specify a password. The password must meet the complexity requirements. For more information about the complexity requirements, see Configure the password policy for RAM users.
    • Programmatic Access: If you select this access mode, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
    Note We recommend that you select only one access mode for the RAM user to ensure the security of your Alibaba Cloud account. This prevents the RAM user from using an AccessKey pair to access Alibaba Cloud resources after the RAM user leaves the organization.
  6. Click OK.

Step 3: Attach the policy to the RAM user

Attach the policy that you created in Step 1 to the RAM user that you created in Step 2.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions. Click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: Permissions take effect on the current Alibaba Cloud account.
      • Specific Resource Group: Permissions take effect on a specific resource group.
        Note If you select Specific Resource Group as the authorization scope, you must make sure that the cloud service supports resource groups. For more information, see Alibaba Cloud services that support resource groups.
    2. Specify the principal.
      The principal is the RAM user to which permissions are granted. By default, the current RAM user is specified. You can also specify another RAM user.
    3. Select policies.
      Note You can bind a maximum of five policies to a RAM user at a time. If you need to bind more than five policies to a RAM user, perform the bind operation multiple times.
  5. Click OK.
  6. Click Complete.

Step 4: Enable MFA for the RAM user

Enable MFA for the RAM user that you created in Step 2.

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user that has administrative rights.
    Note
    • If you selected Required for Enable MFA when you created the RAM user, the RAM user must bind an MFA device at logon. In that case, select Virtual MFA Device in the Enable MFA Device dialog box and go to Step 6.
    • If you allow a RAM user of your Alibaba Cloud account to manage its own MFA device, you can enable an MFA device for the RAM user by logging on to the RAM console as the RAM user. To enable an MFA device, perform the following operations: Move the pointer over the profile picture in the upper-right corner of the console and click Security Information Management. On the Virtual MFA Device tab, click Enable Virtual MFA Device.
  2. In the left-side navigation pane, choose Identities > Users.
  3. In the User Logon Name/Display Name column, click the username of the RAM user for which you want to enable a virtual MFA device.
  4. On the page that appears, click the Authentication tab. Then, click the Virtual MFA Device tab.
  5. Click Enable the Virtual MFA Device.
  6. On your mobile device, enable a virtual MFA device.
    Note The following example shows how to enable a virtual MFA device in the Google Authenticator app on your mobile device that runs iOS.
    1. Open and log on to the Google Authenticator app.
    2. Click Get started and select one of the following methods to enable a virtual MFA device:
      • Tap Scan a QR code in the Google Authenticator app. Then, scan the QR code that is displayed on the Scan the code tab in the RAM console. This method is recommended.
      • Tap Enter a setup key. Then, enter the account and key that you obtained from the Retrieve manually enter information tab in the RAM console, and tap Add.
  7. In the RAM console, enter the two consecutive verification codes that are displayed in the Google Authenticator app. Then, click Enable.
    Note Verification codes in the Google Authenticator app are updated at an interval of 30 seconds.