All Products
Search
Document Center

Elastic Compute Service:RAM overview

Last Updated:Sep 08, 2023

Resource Access Management (RAM) allows you to manage the identities and permissions of Alibaba Cloud services and users to implement access control over resources.

Identities

Identities in RAM include physical identities (RAM users and user groups) and virtual identities (RAM roles).

  • A RAM user is an entity that has a logon password and an AccessKey pair. A RAM user group is a collection of RAM users who share the same responsibilities. You can attach a set of policies to a RAM user or user group. A RAM user can represent a person or an application to interact with Alibaba Cloud, which eliminates the need to share confidential account information such as your password when you need to share your resources with other users. You must follow the principle of least privilege when you grant permissions to RAM users or user groups. This way, leaks of confidential information do not jeopardize the security of all resources within your account.

  • A RAM role is an identity that has policies attached to determine what the identity can and cannot do. A RAM role does not have a logon password or an AccessKey pair. A RAM role must be assumed by a trusted entity that wants to obtain the permissions of the role. During the communication between Alibaba Cloud services, after a trusted entity such as an Elastic Compute Service (ECS) instance assumes a RAM role, the entity can use the temporary credentials issued by Security Token Service (STS) to the role to access the APIs of other Alibaba Cloud services. This eliminates the need for high-risk operations such as writing AccessKey pairs to configuration files and ensures the security of AccessKey pairs.

Permissions

A policy is an object that defines permissions in RAM. Each policy consists of a few basic elements. For more information, see Policy elements. You can attach policies to an identity (a RAM user, user group, or role) to control what actions the identity can perform, on which resources, and under what conditions.

Policies are categorized into system policies and custom policies.

  • System policies are the common policies predefined by Alibaba Cloud. These system policies cannot be modified. The following system policies are related to ECS:

    • AliyunECSFullAccess: grants the permissions to perform all operations on all ECS resources, including the permissions to create, view, and delete ECS resources.

    • AliyunECSReadOnlyAccess: grants the read-only permissions on ECS resources.

    • AliyunECSNetworkInterfaceManagementAccess: grants the permissions to manage elastic network interfaces (ENIs), including the permissions to create, view, and delete ENIs.

    • AliyunECSAssistantFullAccess: grants the permissions to manage Cloud Assistant commands, including the permissions to create, run, view, and delete Cloud Assistant commands.

    • AliyunECSAssistantReadonlyAccess: grants the read-only permissions on Cloud Assistant commands.

    • AliyunECSImageExportRolePolicy: grants the permissions required to export images, including the read permissions on Object Storage Service (OSS) buckets and the read and write permissions on OSS objects.

    • AliyunECSImageImportRolePolicy: grants the permissions required to import images, including the write permissions on OSS buckets and the read and write permissions on OSS objects.

    • AliyunECSInstanceForYundunSysTrustRolePolicy: grants the permissions required for security-enhanced ECS instances to use the Alibaba Cloud trusted system.

    • AliyunECSDiskEncryptRolePolicy: grants the permissions required to encrypt disks.

    For more information about system policies, see Example system policies.

  • Custom policies are the policies that you create and manage within your Alibaba Cloud account. For information about and examples on how to work with custom policies, see Create a custom policy and Overview of sample policies.

Usage examples

Perform the following operations to control access to resources for employees inside an enterprise:

  1. Create a SysAdmins user group for employees who need to create and manage resources and attach policies that grant the permissions to perform all operations on all resources to the user group.

  2. Create a Developers user group for employees who need to use resources and attach policies that grant the permissions to call the StartInstance, StopInstance, and DescribeInstances operations to the user group.

  3. Create RAM users for employees and add the users to different user groups based on the needs of the employees.

  4. To enhance network security, attach policies to deny the RAM users access to resources if they are using an IP address from outside the enterprise.

  5. If employees change positions from a developer to an administrator, move their corresponding RAM users from the Developers user group to the SysAdmins user group.

  6. If RAM users in the Developers user group require more permissions, modify the policies of the user group to grant required permissions to all RAM users in the group.

Attach one of the following RAM roles to an ECS instance so that the instance can use the temporary credentials provided by the role to access other Alibaba Cloud services:

  • AliyunECSImageExportDefaultRole: The AliyunECSImageExportRolePolicy system policy is attached to this role. After this role is attached to an ECS instance, the instance has the permissions required to export images.

  • AliyunECSImageImportDefaultRole: The AliyunECSImageImportRolePolicy system policy is attached to this role. After this role is attached to an ECS instance, the instance has the permissions required to import images.

  • AliyunECSInstanceForYundunSysTrustRole: The AliyunECSInstanceForYundunSysTrustRolePolicy system policy is attached to this role. After this role is attached to an ECS instance, the instance has the permissions required to use the Alibaba Cloud trusted system.

  • AliyunECSDiskEncryptDefaultRole: The AliyunECSDiskEncryptRolePolicy system policy is attached to this role. After this role is attached to an ECS instance, the instance has the permissions required to encrypt disks.