Trusted services refer to Alibaba Cloud services that are integrated with the Resource Directory service. After an Alibaba Cloud service is integrated with Resource Directory, the service can access the information of the related resource directory, such as the members and folders in the resource directory. You can use the management account of your resource directory or a delegated administrator account of a trusted service to manage your business in the trusted service based on your resource directory. This simplifies the unified management of cloud services activated by your enterprise. For example, after Cloud Config is integrated with Resource Directory, you can use the management account of your resource directory to view related information in Cloud Config. The information includes the resources of all members in the resource directory, as well as the configuration history and compliance statuses of the resources. You can also monitor the compliance of resource configurations in Cloud Config.

Use a trusted service

Trusted services can be used by calling API operations or by using their consoles. This section describes how to use a trusted service in its console.

  1. Log on to the Resource Management console by using an Alibaba Cloud account and enable a resource directory. This Alibaba Cloud account is the management account of the resource directory.

    For more information, see Enable a resource directory.

  2. In the Resource Management console, build an organizational structure for your enterprise. You can create members in the resource directory or invite existing Alibaba Cloud accounts to join the resource directory.

    For more information, see Create a folder, Create a member, and Invite an Alibaba Cloud account to join a resource directory.

  3. Optional. In the Resource Management console, specify a member as a delegated administrator account of the trusted service.

    If you do not specify a delegated administrator account for the trusted service, you can use only the management account to manage your business in the trusted service.

    For more information about how to specify a delegated administrator account for a trusted service, see Add a delegated administrator account.

    Note: This step applies only to trusted services that support delegated administrator accounts.

  4. In the console of the trusted service, use the management account or delegated administrator account to enable the multi-account management feature. Then, select the members that you want to manage in a unified manner based on the organizational structure of your resource directory, and manage the business of the selected members.

    This step varies based on the trusted service. For more information, see the References column in the Supported trusted services section.

Supported trusted services

| Trusted service | Feature | Support for delegated administrator accounts | References |
|---|---|---|---|
| Cloud Config | After Cloud Config is integrated with Resource Directory, you can use the management account of your resource directory to view related information in Cloud Config. The information includes the resources of all the members in the resource directory, as well as the configuration history and compliance statuses of the resources. You can also monitor the compliance of resource configurations in Cloud Config. | No | Overview of account groups |
| ActionTrail | After ActionTrail is integrated with Resource Directory, you can use the management account of your resource directory to create multi-account trails in ActionTrail. A multi-account trail delivers the events of all members in a resource directory to an Object Storage Service (OSS) bucket or a Log Service Logstore. | Yes | Multi-account trail overview |
| Security Center | After Security Center is integrated with Resource Directory, Security Center provides an interface that displays security risks detected for all the members in your resource directory. | No | Enable multi-account control |
| Cloud Firewall | After Cloud Firewall is integrated with Resource Directory, you can use Cloud Firewall to centrally manage the public IP addresses of the resources within multiple accounts. You can also configure defense policies for the public IP addresses and view log analysis results in a unified manner. This implements centralized security control. | Yes | Use centralized account management |
| Dynamic Route for CDN (DCDN) | After DCDN is integrated with Resource Directory, DCDN can provide the multi-account management feature and unify the management of domain names that belong to various accounts and products. | No | None |
| CloudSSO | After CloudSSO is integrated with Resource Directory, you can use the management account of your resource directory to centrally manage the accounts of users who use Alibaba Cloud in your enterprise in CloudSSO. You can configure single sign-on (SSO) between your enterprise identity management system and Alibaba Cloud. In addition, you can configure access permissions for users on the members of your resource directory in a centralized manner. | No | Overview |
| Log Audit Service | After Log Audit Service is integrated with Resource Directory, Log Audit Service can automatically collect the logs of Alibaba Cloud services from multiple accounts, and store and audit the logs in a centralized manner. | Yes | Configure multi-account collection |
| Resource Orchestration Service (ROS) | After ROS is integrated with Resource Directory, you can use the management account of your resource directory to deploy the cloud resources that are required by your system within the members of the resource directory. This achieves centralized resource management in a multi-account environment. | Yes | Stack group overview |

Enable or disable a trusted service

You can enable or disable a trusted service by using the console or API of the service. For more information, see the documentation of the service.

You can choose Resource Directory > Trusted Services in the left-side navigation pane of the Resource Management console to view the statuses of trusted services. You cannot enable or disable trusted services in the Resource Management console.

When you use some trusted services to perform specific operations, Resource Directory automatically updates the states of the trusted services to Enabled. For example, the first time you create a multi-account trail in ActionTrail, or the first time you use another trusted service to view the resources related to Resource Directory, Resource Directory automatically updates the state of that service to Enabled.

When you use some trusted services to perform specific operations, Resource Directory automatically updates the states of the trusted services to Disabled. For example, if you disable a feature provided by a trusted service, Resource Directory automatically updates the state of the trusted service to Disabled. If a trusted service is disabled, the service cannot access the members or resources in your resource directory. In addition, the resources that are related to integration with Resource Directory are deleted from the trusted service.

Service-linked roles for trusted services

Resource Directory creates its service-linked role AliyunServiceRoleForResourceDirectory for each member. This role enables Resource Directory to create the roles required by trusted services. Only Resource Directory can assume this role. For more information, see Service-linked role for Resource Directory.

Trusted services create their own service-linked roles, such as the AliyunServiceRoleForConfig role of Cloud Config, only for the members that are used to perform administrative operations. These roles define the permissions required for trusted services to perform specific tasks. Only trusted services can assume their own service-linked roles.

The policy that is attached to a service-linked role is defined and used by the linked service. You are not allowed to modify or delete the policy. In addition, you are not allowed to attach policies to or detach policies from a service-linked role. For more information, see Service-linked roles.
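The property described above, that only the linked service can assume its service-linked role, is expressed in the role's trust policy. The following added example (not code from the page or from Alibaba Cloud) reads a trust policy in RAM policy format and flags any principal other than the single expected service principal. The service principal names, the account ID and both sample policies are constructed assumptions for illustration.

```python
import json

# Service principals the two service-linked roles named on the page are expected to trust.
# These principal names are assumptions for illustration, not values taken from the page.
EXPECTED_SERVICE_PRINCIPAL = {
    "AliyunServiceRoleForResourceDirectory": "resourcemanager.aliyuncs.com",
    "AliyunServiceRoleForConfig": "config.aliyuncs.com",
}

def audit_slr_trust_policy(role_name, trust_policy_json):
    """Return a list of findings for a service-linked role's trust policy.

    A clean service-linked role trusts exactly one service principal, so every
    Allow statement for sts:AssumeRole is checked for foreign principals
    (RAM users or accounts, federated identities) and for unexpected services.
    """
    expected = EXPECTED_SERVICE_PRINCIPAL[role_name]
    policy = json.loads(trust_policy_json)
    findings, services_seen = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        for kind, values in stmt.get("Principal", {}).items():
            values = [values] if isinstance(values, str) else values
            if kind != "Service":
                findings.append(f"{role_name}: non-service principal {kind}={values}")
                continue
            for svc in values:
                services_seen.add(svc)
                if svc != expected:
                    findings.append(f"{role_name}: unexpected service principal {svc}")
    if expected not in services_seen:
        findings.append(f"{role_name}: expected service principal {expected} is missing")
    return findings

# Constructed sample trust policies in RAM policy format (not documents from the page).
GOOD_POLICY = json.dumps({"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                          "Principal": {"Service": ["resourcemanager.aliyuncs.com"]}}],
                          "Version": "1"})
DRIFTED_POLICY = json.dumps({"Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": ["config.aliyuncs.com"]}},
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"RAM": ["acs:ram::1234567890123456:root"]}}],  # constructed account ID
    "Version": "1"})

if __name__ == "__main__":
    print(audit_slr_trust_policy("AliyunServiceRoleForResourceDirectory", GOOD_POLICY))  # []
    for finding in audit_slr_trust_policy("AliyunServiceRoleForConfig", DRIFTED_POLICY):
        print(finding)
```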