Implement access control by using RAM - Security| Alibaba Cloud Documentation Center

Background information

RAM is a resource access control service provided by Alibaba Cloud. For more information about RAM, see What is RAM?. The following section describes how RAM is used to implement access control.

RAM users: If you have purchased one or more ECS instances and multiple RAM users within your organization (such as employees, systems, or applications) need to access the instances, you can create an authorization policy that grants only specific RAM users access to these instances. This eliminates the risk of disclosing your AccessKey pair of your Alibaba Cloud account and helps maintain account security.
RAM user groups: You can create multiple user groups and grant different permissions to each group. This way, RAM users in each group are assigned the same permissions. Example:
- You can associate a user group with an authorization policy to deny access to specific ECS resources from IP addresses that are outside your corporate network.
- You can move a RAM user from one user group to another to change the permissions of the users. Assume that you have two user groups: SysAdmins and Developers. The two groups are assigned different permissions.
  - SysAdmins: This user group needs permissions to create and manage ECS instances. You can associate the SysAdmins group with an authorization policy that allows its group members to perform all ECS operations to create and manage instances, images, snapshots, and security groups.
  - Developers: This user group only needs permissions to use ECS instances. You can associate the Developers group with an authorization policy that allows its group members to call the DescribeInstances, StartInstance, StopInstance, RunInstance, and DeleteInstance operations.

Authorization policies

Authorization policies are categorized into system policies and custom policies.

System policies: the authorization policies provided by Alibaba Cloud. Some commonly used system policies for ECS instances or default policies included in RAM roles are as follows:
- AliyunECSReadOnlyAccess: grants read-only permissions on ECS instances.
- AliyunECSFullAccess: grants full administrative permissions on ECS instances.
- AliyunECSNetworkInterfaceManagementAccess: grants permissions to manage ENIs.
- AliyunECSImageImportDefaultRole: This role has permission to allow ECS instances to access OSS when you import custom images.
- AliyunECSImageExportDefaultRole: This role has permission to allow ECS instances to access OSS when you export custom images.
- AliyunECSDiskEncryptDefaultRole: This role has permission to access KMS when you encrypt images.
Custom policies: the user-defined authorization policies. These policies are suitable for users who are familiar with various Alibaba Cloud APIs and require fine-grained access control. For more information about how to create a custom policy, see Step 2 (optional). Create a custom authorization policy.

Prerequisites

You have logged on to the RAM console using your Alibaba Cloud account.

Procedure

In the following example, the Alibaba Cloud account creates a RAM user in the RAM console and grants user-defined or system permissions to the RAM user.

Step 1. Create a RAM user
Step 2 (optional). Create a custom authorization policy
Step 3. Authorize the RAM user

Step 1. Create a RAM user

You can perform the following steps to create a RAM user in the RAM console:

In the left-side navigation pane, click Users under Identities.
Click Create User.

Note To create multiple RAM users at a time, click Add User.
Specify the Logon Name and Display Name parameters.
Under Access Mode, select Console Password Logon or Programmatic Access.
- Console Password Logon: If you select this check box, you must also complete the basic security settings for logon, including deciding whether to automatically generate a password or customize the logon password, whether the user must reset the password upon the next logon, and whether to enable multi-factor authentication (MFA).
- Programmatic Access: If you select this check box, an AccessKey pair is automatically created for the RAM user. The user can access Alibaba Cloud resources by calling an API operation or by using a development tool.
Note We recommend that you select only one access mode for the RAM users to ensure the security of your Alibaba Cloud account. This prevents RAM users who have terminated their employment contracts with the company from accessing Alibaba Cloud resources.
Click OK.

Step 2 (optional). Create a custom authorization policy

In addition to the system policies provided by Alibaba Cloud, you can create custom policies in the RAM console by performing the following steps:

In the left-side navigation pane, click Policies under Permissions.
On the page that appears, click Create Policy.
On the Create Custom Policy page, specify the Policy Name and Note parameters.

Set Configuration Mode. You can select Visualized or Script.

If you select Visualized, click Add Statement. In the dialog box that appears, configure the permission effect, actions, and resources.
If you select Script, edit policy scripts based on Policy structure and syntax.

If you select Script, you must specify values of the Action and Resource parameters in Statement based on the authentication list section in Authentication rules. For information about values of other parameters, see the following topic in the RAM documentation: Policy structure and syntax.

The following sample policy configured using scripts allows a RAM user to create pay-as-you-go instances.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                    "ecs:DescribeImages", 
                  "vpc:DescribeVpcs", 
                  "vpc:DescribeVSwitches", 
                  "ecs:DescribeSecurityGroups", 
                  "ecs:DescribeKeyPairs",
                  "ecs:DescribeTags", 
                  "ecs:RunInstances"
          ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}

The following sample policy configured using scripts allows a RAM user to create subscription instances. bss-related API operations can be called to query and pay subscription orders and the corresponding system policy is AliyunBSSOrderAccess.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                    "ecs:DescribeImages", 
                  "vpc:DescribeVpcs", 
                  "vpc:DescribeVSwitches", 
                  "ecs:DescribeSecurityGroups", 
                  "ecs:DescribeKeyPairs",
                  "ecs:DescribeTags", 
                  "ecs:RunInstances",
                  "bss:DescribeOrderList",
                  "bss:DescribeOrderDetail",
                  "bss:PayOrder",
                  "bss:CancelOrder"
          ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}

The following sample policy configured using scripts allows a RAM user to query instance and disk information after the RAM user creates an ECS instance.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                    "ecs:DescribeInstances", 
                    "ecs:DescribeDisks"
          ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}

Click OK.

Step 3. Authorize the RAM user

You can perform the following steps to authorize the RAM user in the RAM console:

In the left-side navigation pane, click Users under Identities.
In the User Logon Name/Display Name column, find the target RAM user.
Click Add Permissions. On the page that appears, the principal is automatically filled in.
In the Policy Name column, select the target policies by clicking the corresponding rows.

Note You can click X in the section on the right side of the page to delete the selected policy.
Click OK.
Click Finished.

What to do next

After authorization is complete, the assigned permissions take effect immediately. The RAM user then can log on to the RAM console to manage the target cloud resources.