When you initialize the resource structure of your enterprise, Cloud Governance Center automatically checks whether the current logon account meets the requirements for a management account. You can specify an appropriate management account based on the check results.

Background information

A management account is an account that is used to enable a resource directory and is the super administrator of the resource directory. The management account has all administrative permissions on the resource directory and the member accounts in the resource directory. You must use a corporate account to enable a resource directory. A resource directory has only one management account. A management account has permissions to perform the following operations:

  • Manage compliance policies for all member accounts.
  • Configure cloud services such as Security Center and Cloud Config for all member accounts.
  • Manage bills and payment-related financial information for all member accounts.

Check the qualifications of the current logon account

Cloud Governance Center automatically checks the qualifications of the current logon account and provides the check results that are described in the following table.

Check item: Resource Check

  Description: Checks whether other cloud resources exist within the current logon account. A management account is responsible for the governance and management of member accounts. We recommend that you do not deploy other cloud resources within this account.

  Check result:
  • Passed: Except for the resource directory, no other cloud resources exist.
  • Failed: Other cloud resources exist.

Check item: Access Key Check

  Description: Checks whether the AccessKey pair of an Alibaba Cloud account is created within the current logon account. For security reasons, we strongly recommend that you do not create an AccessKey pair for an Alibaba Cloud account. If the AccessKey pair of an Alibaba Cloud account is leaked, the resulting security risks cannot be controlled. When an Alibaba Cloud account is used as a management account, it covers a larger scope of management, so its AccessKey pair faces higher security risks.

  Check result:
  • Passed: No AccessKey pair of an Alibaba Cloud account is created.
  • Failed: The AccessKey pair of an Alibaba Cloud account is created.

Check item: RAM User Check

  Description: Checks the number of RAM users within the current logon account. More RAM users indicate that more people can use the current logon account. If such an account is used as a management account, permission management may face uncontrollable risks.

  Check result:
  • Passed: The number of RAM users is fewer than five.
  • Failed: The number of RAM users is greater than or equal to five.

Check item: Overdue Payment Check

  Description: Checks whether the current logon account has overdue payments. Overdue payments within an account affect the activation and use of cloud services.

  Check result:
  • Passed: No overdue payments exist.
  • Failed: Overdue payments exist.

You can specify an appropriate management account based on the check results and the suggestions that are described in the following table.

Check result: All check items are passed.
Suggestion: Use the current logon account as a management account. For more information, see Scenario 1: Use the current logon account as a management account.

Check result: Some or all of the check items failed.
Note: You can still perform follow-up operations without fixing the failed check items. However, specific security risks may exist. We strongly recommend that you fix the failed check items.
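
The four checks and the suggestion table above can be applied offline to several candidate accounts before you choose one, for example when looking for a more suitable account as in Scenario 3. The following Python code is an added example, not Alibaba Cloud code: the snapshot fields, the account names and the sample data are constructed assumptions, and only the pass/fail rules come from the table above.

```python
# Added example: offline pre-check of candidate management accounts.
# The snapshot fields are hypothetical, not an Alibaba Cloud API schema.
from dataclasses import dataclass, field

RAM_USER_LIMIT = 5  # page: passed only when the number of RAM users is below five


@dataclass
class AccountSnapshot:
    name: str
    resource_types: list = field(default_factory=list)  # e.g. ["ResourceDirectory", "ecs"]
    root_access_keys: int = 0   # AccessKey pairs owned by the Alibaba Cloud account itself
    ram_users: int = 0
    overdue_payment: bool = False


def run_checks(acct):
    """Return {check item: True if passed} for the four checks in the table."""
    # The resource directory itself is allowed; anything else fails the check.
    other = [r for r in acct.resource_types if r != "ResourceDirectory"]
    return {
        "Resource Check": not other,
        "Access Key Check": acct.root_access_keys == 0,
        "RAM User Check": acct.ram_users < RAM_USER_LIMIT,
        "Overdue Payment Check": not acct.overdue_payment,
    }


def failed_items(acct):
    return [item for item, ok in run_checks(acct).items() if not ok]


def pick_management_account(candidates):
    """Return the first candidate that passes every check, plus a failure report."""
    report = {a.name: failed_items(a) for a in candidates}
    clean = [name for name, failed in report.items() if not failed]
    return (clean[0] if clean else None), report


# Constructed sample data; "finance" sits exactly on the RAM user boundary.
CANDIDATES = [
    AccountSnapshot("prod-legacy", ["ecs", "oss"], root_access_keys=1, ram_users=12),
    AccountSnapshot("finance", ["ResourceDirectory"], ram_users=5),
    AccountSnapshot("governance", ["ResourceDirectory"], ram_users=2),
]

if __name__ == "__main__":
    chosen, report = pick_management_account(CANDIDATES)
    for name, failed in report.items():
        print(f"{name}: {'all passed' if not failed else 'failed: ' + ', '.join(failed)}")
    print("suggested management account:", chosen)
```
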

Scenario 1: Use the current logon account as a management account

  1. Log on to the Cloud Governance Center console.
  2. On the Cloud Governance Center page, click Start Governance.
  3. In the Welcome to Cloud Governance Center message, click OK.
    Cloud Governance Center automatically creates a service-linked role named AliyunServiceRoleForGovernance. Cloud Governance Center uses this role to access relevant cloud services such as Resource Directory.
  4. On the Confirm Master Account page, select Proceed with Current Account in the Select Your Master Account section.
  5. Click Proceed with Current Account.

Scenario 2: Create an Alibaba Cloud account and use it as a management account

The Alibaba Cloud account that you create inherits the real-name verification information of the current logon account. In addition, a resource directory is automatically enabled within the Alibaba Cloud account. After the Alibaba Cloud account is created, log on again with the new Alibaba Cloud account.

  1. Log on to the Cloud Governance Center console.
  2. On the Cloud Governance Center page, click Start Governance.
  3. In the Welcome to Cloud Governance Center message, click OK.
    Cloud Governance Center automatically creates a service-linked role named AliyunServiceRoleForGovernance. Cloud Governance Center uses this role to access relevant cloud services such as Resource Directory.
  4. On the Confirm Master Account page, select Create Account in the Select Your Master Account section.
  5. Click Start Creating Account.
  6. On the Create Account page, enter the email address of the Alibaba Cloud account that you want to create and click Create.
  7. In the Confirmation message, click Confirm.
  8. Log on to the mailbox that you specified in Step 6. Confirm and accept the invitation by email.
  9. Reset the logon password of the new Alibaba Cloud account.
  10. Go back to the Create Account page of the Cloud Governance Center console. In the Confirmation message, click Confirm.
  11. Click Log on Again and log on with the new Alibaba Cloud account.

Scenario 3: Use another Alibaba Cloud account as a management account

If your enterprise has a more suitable Alibaba Cloud account that meets the requirements, log on again with this account.

  1. Log on to the Cloud Governance Center console.
  2. On the Cloud Governance Center page, click Start Governance.
  3. In the Welcome to Cloud Governance Center message, click OK.
    Cloud Governance Center automatically creates a service-linked role named AliyunServiceRoleForGovernance. Cloud Governance Center uses this role to access relevant cloud services such as Resource Directory.
  4. On the Confirm Master Account page, click Log on with Another Account in the Select Your Master Account section.
  5. Use another Alibaba Cloud account to log on again.