Trusted services are the Alibaba Cloud services that are integrated with the Resource Directory service. After an Alibaba Cloud service is integrated with Resource Directory, the service can access information about the related resource directory, such as its member accounts and folders. You can use the enterprise management account of your resource directory, or a delegated administrator account of a trusted service, to manage your business in the trusted service based on your resource directory. This simplifies the unified management of the cloud services that your enterprise has activated. For example, after Cloud Config is integrated with Resource Directory, you can use the enterprise management account of your resource directory to view related information in Cloud Config. The information includes the resources of all the member accounts in the resource directory, as well as the configuration history and compliance statuses of those resources. You can also monitor the compliance of resource configurations in Cloud Config.

Use a trusted service

You can use trusted services in their consoles or by calling their API operations. This section describes how to use a trusted service in its console.

  1. Log on to the Resource Management console by using an Alibaba Cloud account and enable a resource directory. This Alibaba Cloud account is the enterprise management account of the resource directory.

    For more information, see Enable a resource directory.

  2. In the Resource Management console, build an organizational structure for your enterprise. You can create member accounts in the resource directory or invite existing Alibaba Cloud accounts to join the resource directory.

    For more information, see Create a folder, Create a member account, and Invite an Alibaba Cloud account to join a resource directory.

  3. Optional. In the Resource Management console, specify a member account as a delegated administrator account of the trusted service.

    If you do not specify a delegated administrator account for the trusted service, you can use only the enterprise management account to manage your business in the trusted service.

    For more information about how to specify a delegated administrator account for a trusted service, see Add a delegated administrator account.

    Note This step applies only to trusted services that support delegated administrator accounts.

  4. In the console of the trusted service, use the enterprise management account or delegated administrator account to enable the multi-account management feature. Then, select the member accounts that you want to manage in a unified manner based on the organizational structure of your resource directory, and manage the business of the selected member accounts.

    This step varies based on the specific trusted service. For more information, see the References column in the "Supported trusted services" section.

Supported trusted services

Trusted service: Cloud Config
Feature: After Cloud Config is integrated with Resource Directory, you can use the enterprise management account of your resource directory to view related information in Cloud Config. The information includes the resources of all the member accounts in the resource directory, as well as the configuration history and compliance statuses of the resources. You can also monitor the compliance of resource configurations in Cloud Config.
Support for delegated administrator accounts: No
References: Overview of account groups

Trusted service: ActionTrail
Feature: After ActionTrail is integrated with Resource Directory, you can use the enterprise management account of your resource directory to create multi-account trails in ActionTrail. A multi-account trail delivers the events of all the member accounts in a resource directory to an Object Storage Service (OSS) bucket or a Log Service Logstore.
Support for delegated administrator accounts: No
References: Multi-account trail

Trusted service: Security Center
Feature: After Security Center is integrated with Resource Directory, Security Center provides an interface that displays the security risks detected for all the member accounts in your resource directory.
Support for delegated administrator accounts: No
References: Enable multi-account control

Trusted service: Cloud Firewall
Feature: After Cloud Firewall is integrated with Resource Directory, you can use Cloud Firewall to centrally manage the public IP addresses of the resources within multiple accounts. You can also configure defense policies for the public IP addresses and view log analysis results in a unified manner. This implements centralized security control.
Support for delegated administrator accounts: Yes
References: Use central account management

Trusted service: Dynamic Route for CDN (DCDN)
Feature: After DCDN is integrated with Resource Directory, DCDN provides the multi-account management feature, which lets you manage the domain names that belong to different accounts and products in a unified manner.
Support for delegated administrator accounts: No
References: None

Enable or disable a trusted service

You can enable or disable a trusted service by using the console or API of the service. For more information, see the documentation of the service.

You can choose Resource Directory > Trusted Services in the left-side navigation pane of the Resource Management console to view the statuses of trusted services. However, you cannot enable or disable trusted services in the Resource Management console.

When you use some trusted services to perform specific operations, Resource Directory automatically updates the states of the trusted services to Enabled. For example, the first time you create a multi-account trail in ActionTrail, or the first time you use a trusted service to view the resources of your resource directory, Resource Directory automatically updates the state of that service to Enabled.

When you use some trusted services to perform specific operations, Resource Directory automatically updates the states of the trusted services to Disabled. For example, if you disable a feature provided by a trusted service, Resource Directory automatically updates the state of the trusted service to Disabled. If a trusted service is disabled, it cannot access the accounts or resources in your resource directory. In addition, the resources that are related to integration with Resource Directory are deleted from the trusted service.
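The two views described above, the Enabled or Disabled state of each trusted service and the delegated administrator accounts from step 3 of the procedure, are worth checking together: an Enabled service with no delegate can be administered only with the enterprise management account. The following audit is an added example, not code from this page or from Alibaba Cloud; its inputs are constructed samples shaped like the responses of the Resource Manager API operations ListTrustedServiceStatus and ListDelegatedAdministrators, and the field names and service principal identifiers are assumptions to verify against the current API reference.

```python
"""Audit a resource directory's trusted services: which are Enabled and which
of those have a delegated administrator account. Added example, not Alibaba
Cloud's own code; the inputs are constructed samples shaped like the responses
of the Resource Manager API operations ListTrustedServiceStatus and
ListDelegatedAdministrators (field names and service principals assumed)."""

# Constructed sample: trusted services whose state is Enabled.
STATUS_RESPONSE = {"EnabledServicePrincipals": {"EnabledServicePrincipal": [
    {"ServicePrincipal": "config.aliyuncs.com", "EnableTime": "2023-01-10T08:00:00Z"},
    {"ServicePrincipal": "actiontrail.aliyuncs.com", "EnableTime": "2023-01-11T08:00:00Z"},
    {"ServicePrincipal": "cloudfw.aliyuncs.com", "EnableTime": "2023-02-01T08:00:00Z"},
]}}

# Constructed sample: no delegated administrator has been registered yet.
DELEGATED_RESPONSE = {"Accounts": {"Account": []}}

# Support for delegated administrator accounts as listed in the table on this
# page; the service principal names used as keys are assumed.
SUPPORTS_DELEGATED_ADMIN = {
    "config.aliyuncs.com": False,       # Cloud Config
    "actiontrail.aliyuncs.com": False,  # ActionTrail
    "sas.aliyuncs.com": False,          # Security Center
    "cloudfw.aliyuncs.com": True,       # Cloud Firewall
    "dcdn.aliyuncs.com": False,         # DCDN
}


def audit_trusted_services(status, delegated):
    """Return {service_principal: finding} for each Enabled or delegated service."""
    enabled = {e["ServicePrincipal"]
               for e in status["EnabledServicePrincipals"]["EnabledServicePrincipal"]}
    admins = {}
    for acct in delegated["Accounts"]["Account"]:
        admins.setdefault(acct["ServicePrincipal"], []).append(acct["AccountId"])

    findings = {}
    for sp in sorted(enabled | set(admins)):
        if sp not in enabled:
            # A delegation that outlived the service being disabled: review it.
            findings[sp] = "stale delegation: " + ", ".join(sorted(admins[sp]))
        elif sp in admins:
            findings[sp] = "delegated to " + ", ".join(sorted(admins[sp]))
        elif SUPPORTS_DELEGATED_ADMIN.get(sp, False):
            # Only the management account can operate it although a delegate
            # could be registered; registering one keeps that account idle.
            findings[sp] = "management account only (delegation supported)"
        else:
            findings[sp] = "management account only (delegation not supported)"
    return findings
```

Run it against real responses by replacing the two constructed dictionaries with the parsed output of the two API operations; the "delegation supported" finding is the one to act on.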

Service-linked roles for trusted services

Resource Directory creates its service-linked role AliyunServiceRoleForResourceDirectory in each member account. This role enables Resource Directory to create the roles required by trusted services. Only Resource Directory can assume this role. For more information, see Service-linked role for Resource Directory.

Trusted services create their own service-linked roles, such as the AliyunServiceRoleForConfig role of Cloud Config, only for the member accounts that are used to perform administrative operations. These roles define the permissions required for trusted services to perform specific tasks. Only trusted services can assume their own service-linked roles.

The policy that is attached to a service-linked role is defined and used by the linked service. You are not allowed to modify or delete the policy. In addition, you are not allowed to attach policies to or detach policies from a service-linked role. For more information, see Service-linked roles.