Cloud Firewall allows you to manage multiple Alibaba Cloud accounts in a resource directory by using the trusted services feature of Alibaba Cloud Resource Directory. Each Alibaba Cloud account in the resource directory is a member account. You can specify a member account as a delegated administrator account that can access the resources of all member accounts in the resource directory. This way, you can manage the resources in a centralized manner.

Prerequisites

Cloud Firewall Ultimate Edition is purchased. Other editions of Cloud Firewall do not support centralized account management.

Limits

  • By default, centralized account management allows you to add one member account. If you want to add more than one member account, upgrade the Managed Alibaba Cloud Member Accounts specification of your Cloud Firewall based on your business requirements. For more information about how to upgrade the specifications of Cloud Firewall, see Upgrade Cloud Firewall and change configurations.
  • Centralized account management allows you to manage only the Internet firewalls that belong to member accounts.

Step 1: Specify the current Alibaba Cloud account as the delegated administrator account of Cloud Firewall

To manage multiple member accounts in a centralized manner, you must specify the current Alibaba Cloud account as a delegated administrator account of Cloud Firewall and add member accounts by using the current Alibaba Cloud account.

You can also use the enterprise management account of a resource directory to specify a member account in the resource directory as a delegated administrator account of Cloud Firewall. After the member account is specified as a delegated administrator account of Cloud Firewall, the member account is authorized by the enterprise management account of the resource directory and can be used to access the information of the resource directory in Cloud Firewall. The information includes the structure and member accounts of the resource directory. The member account can also be used to manage business within the resource directory.

  1. Log on to the Resource Management console by using the enterprise management account of your resource directory.
    To check whether the current account has passed enterprise real-name verification, perform the following operations in the console: move the pointer over the profile picture in the upper-right corner and click Basic Information. On the Basic Information page, check whether Enterprise real-name verification is displayed to the right of Verified.
  2. Enable a resource directory.
    1. In the left-side navigation pane, choose Resource Directory > Overview.
    2. On the Overview page, click Enable Resource Directory.
    3. In the Enable Resource Directory dialog box, click OK.
    After the resource directory is enabled, the current account is specified as the enterprise management account (formerly known as the master account) of the resource directory and has full permissions on the resource directory.
  3. Invite a member account.
    1. In the left-side navigation pane, choose Resource Directory > Invite Member.
    2. On the Invite Member page, click Invite Member Account.
    3. In the Invite Member Account panel, specify Account ID/Logon Email and Remarks. Then, read the risk prompt and select the check box for the risk prompt.
      Note If you enter an email address, it must be the email address that you specified when you created the account. If you invite multiple member accounts, you can enter multiple account IDs or email addresses at a time. Separate them with commas (,).
    4. Click OK.
    After an Alibaba Cloud account joins a resource directory, it becomes a member account that is managed in the resource directory. You can specify the invited member account as a delegated administrator account.
  4. Add a delegated administrator account.
    1. In the left-side navigation pane, choose Resource Directory > Trusted Services.
    2. On the Trusted Services page, find the trusted service to which you want to add a delegated administrator account and click Manage Delegated Administrator Accounts in the Actions column.
    3. On the page that appears, click Add Delegated Administrator Account. In the Add Delegated Administrator Account panel, select a member account.
    4. Click OK.
    Then, you can use the added delegated administrator account to access the multi-account management module of the trusted service and perform administrative operations within the resource directory.

Step 2: Authorize Cloud Firewall to access the required cloud resources when you log on to the Cloud Firewall console by using a member account

Before you can use the features of Cloud Firewall, you must authorize Cloud Firewall to access the cloud resources within the current account.

  1. Log on to the Cloud Firewall console by using a member account.
  2. In the Service-Linked Role for Cloud Firewall dialog box, click OK.
    Note If the AliyunServiceRoleForCloudFW service-linked role is created, the dialog box does not appear, and you can directly use Cloud Firewall in the console.
    After you click OK, Alibaba Cloud automatically creates the AliyunServiceRoleForCloudFW service-linked role.
    You can view the service-linked role on the RAM Roles page of the RAM console. Cloud Firewall can access the other cloud resources within your account only after the AliyunServiceRoleForCloudFW service-linked role is created. These resources include ECS instances, VPCs, SLB instances, Log Service, bastion hosts, CEN instances, Security Center, and ApsaraDB RDS instances.
Note For more information about authorization, see Authorize Cloud Firewall to access other cloud resources.

Step 3: Add multiple Alibaba Cloud accounts

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Settings > Central Account Management.
  3. On the Central Account Management page, click Add Member Account.
  4. In the Add Member Account dialog box, select the member accounts that can be added and add them to the Selected Member Accounts section in the right area.
  5. In the Selected Member Accounts section, select the required member accounts and click OK.
    After you add multiple member accounts, you can view the details about an account and delete an added member account. The details include the unique identifier (UID) and name of each account. You can also perform the following operations on the Internet Firewall page: view the cloud assets within an added member account, and enable or disable protection for assets.
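After the three steps are complete, a practitioner usually wants a repeatable check that the setup actually took effect: that the intended account is registered as the delegated administrator for the Cloud Firewall trusted service (Step 1), that the AliyunServiceRoleForCloudFW service-linked role exists in the account being inspected (Step 2), and that every expected member account shows up in Cloud Firewall's member list (Step 3). The script below is an added example, not Alibaba Cloud's own code or a tool from this documentation. It shells out to the Alibaba Cloud CLI (`aliyun`) and parses its JSON output. The `resourcemanager ListDelegatedAdministrators` and `ram GetRole` calls are real Resource Management and RAM APIs; the Cloud Firewall service principal `cloudfw.aliyuncs.com`, the `cloudfw DescribeInstanceMembers` call, and the exact shape of each response are assumptions, as are the sample responses used for the offline dry run.

```python
import json
import subprocess

# Service principal of the Cloud Firewall trusted service (assumption: the page
# does not state it; confirm it on the Trusted Services page of the Resource
# Management console).
SERVICE_PRINCIPAL = "cloudfw.aliyuncs.com"
# Service-linked role named on the page.
ROLE_NAME = "AliyunServiceRoleForCloudFW"


def run_cli(*args):
    """Run one `aliyun` CLI call and return its JSON output as a dict."""
    proc = subprocess.run(["aliyun", *args], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def is_delegated_admin(account_id, response):
    """True if account_id is listed in a ListDelegatedAdministrators response."""
    accounts = response.get("Accounts", {}).get("Account", [])
    return any(str(a.get("AccountId")) == str(account_id) for a in accounts)


def has_service_linked_role(response):
    """True if a GetRole response describes the AliyunServiceRoleForCloudFW role."""
    return response.get("Role", {}).get("RoleName") == ROLE_NAME


def missing_members(expected_uids, response):
    """Expected member UIDs that are absent from a DescribeInstanceMembers
    response (assumed shape: {"Members": [{"MemberUid": ..., ...}, ...]})."""
    present = {str(m.get("MemberUid")) for m in response.get("Members", [])}
    return sorted(str(u) for u in expected_uids if str(u) not in present)


def verify(admin_account_id, expected_member_uids):
    """Live check against the account the aliyun CLI is configured for.
    Run it with the delegated administrator's credentials. The role check only
    inspects the current account, so repeat it under each member account to
    confirm that Step 2 was completed there."""
    problems = []
    admins = run_cli("resourcemanager", "ListDelegatedAdministrators",
                     "--ServicePrincipal", SERVICE_PRINCIPAL)
    if not is_delegated_admin(admin_account_id, admins):
        problems.append(f"{admin_account_id} is not a delegated administrator "
                        f"for {SERVICE_PRINCIPAL}")
    try:
        role = run_cli("ram", "GetRole", "--RoleName", ROLE_NAME)
        if not has_service_linked_role(role):
            problems.append(f"GetRole did not return {ROLE_NAME}")
    except subprocess.CalledProcessError:
        problems.append(f"{ROLE_NAME} does not exist in the current account")
    # Assumed CLI product code and API name for the Cloud Firewall member list.
    members = run_cli("cloudfw", "DescribeInstanceMembers")
    for uid in missing_members(expected_member_uids, members):
        problems.append(f"member account {uid} is not added in Cloud Firewall")
    return problems


# Constructed sample responses for an offline dry run (shapes are assumptions).
SAMPLE_ADMINS = {"Accounts": {"Account": [
    {"AccountId": "100000000000001", "DisplayName": "cfw-admin"}]}}
SAMPLE_ROLE = {"Role": {"RoleName": ROLE_NAME, "IsServiceLinkedRole": True}}
SAMPLE_MEMBERS = {"Members": [
    {"MemberUid": 100000000000002, "MemberDesc": "prod"}]}

if __name__ == "__main__":
    print(is_delegated_admin("100000000000001", SAMPLE_ADMINS))   # True
    print(has_service_linked_role(SAMPLE_ROLE))                    # True
    print(missing_members(["100000000000002", "100000000000003"],
                          SAMPLE_MEMBERS))                         # ['100000000000003']
```

Each check is a pure function over a parsed response, so the same logic can be fed captured CLI output in a CI job without credentials, and `verify()` is the only part that needs a configured CLI. A non-empty list from `verify()` is the signal that one of the three steps was skipped or done in the wrong account.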