This topic describes how to use Resource Access Management (RAM) to control access to ECS resources at the account level.
Background information
RAM is a resource access control service provided by Alibaba Cloud. For more information about RAM, see What is RAM?. The following section describes how RAM is used to implement access control.
- RAM users: If you have purchased one or more ECS instances and multiple identities within your organization (such as employees, systems, or applications) need to access them, you can create a RAM user for each identity and attach an authorization policy that grants only the access that the identity needs. The AccessKey pair of your Alibaba Cloud account is then never shared with people or programs, which removes the risk of disclosing it and helps keep the account secure.
- RAM user groups: You can create multiple user groups and grant different permissions to each group. RAM users in the same group are assigned the same permissions. Examples:
- You can associate a user group with an authorization policy that denies access to specific ECS resources from IP addresses outside your corporate network.
- You can move a RAM user from one user group to another to change the permissions of the user. Assume that you have two user groups, SysAdmins and Developers, which are assigned different permissions:
- SysAdmins: This user group needs permissions to create and manage ECS instances. You can associate the SysAdmins group with an authorization policy that allows its members to perform all ECS operations to create and manage instances, images, snapshots, and security groups.
- Developers: This user group only needs permissions to use ECS instances. You can associate the Developers group with an authorization policy that allows its members to call only the DescribeInstances, StartInstance, StopInstance, RunInstances, and DeleteInstance operations. Note that RunInstances and DeleteInstance let developers create and delete instances; if developers only need to operate existing instances, leave these two operations out of the policy.
Authorization policies
- System policies: the authorization policies provided by Alibaba Cloud. Some commonly used system policies for ECS and the default RAM roles that carry ECS-related policies are as follows. The policies are attached to RAM users or user groups; the roles are assumed by the ECS service on your behalf and are not attached to users.
- AliyunECSReadOnlyAccess: grants read-only permissions on ECS resources.
- AliyunECSFullAccess: grants full administrative permissions on ECS resources.
- AliyunECSNetworkInterfaceManagementAccess: grants permissions to manage elastic network interfaces (ENIs).
- AliyunECSImageImportDefaultRole: This role allows ECS to access OSS when you import custom images.
- AliyunECSImageExportDefaultRole: This role allows ECS to access OSS when you export custom images.
- AliyunECSDiskEncryptDefaultRole: This role allows ECS to access KMS when you encrypt images.
- Custom policies: user-defined authorization policies. They are suitable for users who are familiar with the Alibaba Cloud APIs and need fine-grained access control, for example to restrict a group to specific operations, resources, or source IP addresses. For more information about how to create a custom policy, see Step 2 (optional). Create a custom authorization policy.
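The following is an added example, not code from the Alibaba Cloud documentation. It writes the three policies discussed above (SysAdmins, Developers, and a group policy that denies ECS access from outside the corporate network) in the RAM policy JSON schema, and pairs them with a small local evaluator that mirrors RAM's decision rules: an explicit Deny wins over any Allow, and a request with no matching Allow is denied. The evaluator is a simplified stand-in for RAM's own engine and only understands the action, resource, and acs:SourceIp condition features used here; the IP ranges, the request resource string, and the default source address are constructed for the example.

```python
"""Local model of RAM policy evaluation for the ECS policies above (added example)."""
import fnmatch
import ipaddress

# SysAdmins: every ECS operation on every resource.
SYSADMINS_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}],
}

# Developers: only the operations named in the text.
DEVELOPERS_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ecs:DescribeInstances", "ecs:StartInstance", "ecs:StopInstance",
            "ecs:RunInstances", "ecs:DeleteInstance",
        ],
        "Resource": "*",
    }],
}

# Custom policy for a group: deny all ECS calls that do not originate from the
# corporate network. 203.0.113.0/24 is a documentation range used as a
# stand-in for the real corporate egress range (constructed for this example).
CORP_NETWORK = "203.0.113.0/24"
CORP_IP_ONLY_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": "ecs:*",
        "Resource": "*",
        "Condition": {"NotIpAddress": {"acs:SourceIp": [CORP_NETWORK]}},
    }],
}


def _as_list(value):
    """RAM accepts either a single string or a list for Action/Resource/keys."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, source_ip):
    """Evaluate the IpAddress / NotIpAddress operators on acs:SourceIp only."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator {operator} not modelled in this example")
        nets = [ipaddress.ip_network(c, strict=False) for c in _as_list(keys["acs:SourceIp"])]
        in_range = any(ip in net for net in nets)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def evaluate(policies, action, resource="acs:ecs:*:*:instance/i-constructed",
             source_ip="203.0.113.10"):
    """Return 'Allow' or 'Deny' for one request against all attached policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if "Condition" in stmt and not _condition_matches(stmt["Condition"], source_ip):
                continue  # statement applies only when its condition holds
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # default deny when nothing allows


if __name__ == "__main__":
    dev = [DEVELOPERS_POLICY, CORP_IP_ONLY_POLICY]
    for action, ip in [("ecs:StopInstance", "203.0.113.10"),
                       ("ecs:StopInstance", "198.51.100.7"),
                       ("ecs:DeleteSecurityGroup", "203.0.113.10")]:
        print(f"Developers {action:24s} from {ip:14s} -> {evaluate(dev, action, source_ip=ip)}")
```

Moving a user from Developers to SysAdmins changes which Allow statements apply, but the group-level Deny still wins from an outside address, which is the property the corporate-network policy is meant to guarantee.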
Prerequisites
You have logged on to the RAM console using your Alibaba Cloud account.
Procedure
In the following example, the Alibaba Cloud account creates a RAM user in the RAM console and attaches a system policy or a custom policy to the RAM user.
Step 1. Create a RAM user
You can perform the following steps to create a RAM user in the RAM console:
Step 2 (optional). Create a custom authorization policy
In addition to the system policies provided by Alibaba Cloud, you can create custom policies in the RAM console by performing the following steps:
Step 3. Authorize the RAM user
You can perform the following steps to authorize the RAM user in the RAM console:
What to do next
After authorization is complete, the assigned permissions take effect immediately. The RAM user can then log on to the Alibaba Cloud Management Console as a RAM user and manage the ECS resources that the attached policies permit.