
Data Security Center:Identity management

Last Updated: Mar 31, 2026

To protect your Alibaba Cloud account and cloud resources, never use your Alibaba Cloud account to access Data Security Center (DSC). Instead, use Resource Access Management (RAM) identities — RAM users, RAM user groups, and RAM roles — to access DSC with scoped, auditable permissions.

Security checklist

Before configuring access to DSC, confirm each of the following:

  • [ ] Create RAM users for all individuals; do not share account credentials

  • [ ] Separate RAM users for human access from RAM users for programmatic access

  • [ ] Enable multi-factor authentication (MFA) for all RAM users with console access

  • [ ] Grant permissions based on the principle of least privilege

  • [ ] Store AccessKey credentials in environment variables, not in code

  • [ ] Organize RAM users into RAM user groups for centralized permission management

  • [ ] Use RAM roles with Security Token Service (STS) tokens for cross-service or application access

  • [ ] Enable single sign-on (SSO) if your organization uses an enterprise identity provider

  • [ ] Revoke or reassign permissions when a team member's responsibilities change

RAM users

A RAM user represents a single identity — either a person or an application — within your Alibaba Cloud account. RAM users can be created by the Alibaba Cloud account or by RAM users and RAM roles that have administrative permissions.

After you grant a RAM user the required permissions, the RAM user can access Alibaba Cloud resources through the Alibaba Cloud Management Console or by calling API operations.

When creating a RAM user, set the Access Mode parameter based on how the identity will be used:

Access mode                          | Use when                                          | Authentication method
-------------------------------------|---------------------------------------------------|--------------------------------------------
Console Access                       | The identity belongs to a human user              | Username and password (plus MFA if enabled)
Using permanent AccessKey to access  | The identity belongs to an application or script  | AccessKey ID and AccessKey secret
Both                                 | The same identity needs console and API access    | Both methods apply

Manage human users

  • Create a dedicated admin RAM user. Use your Alibaba Cloud account to create a RAM user with administrative permissions, then use that RAM user to create and manage all other RAM users.

  • Enable MFA for console access. MFA requires users to provide a second factor — a time-based code from an authenticator device — in addition to their password. This reduces the risk of unauthorized access if a password is compromised.

  • Apply the principle of least privilege. Grant each RAM user only the minimum permissions required for their role. Start with narrower permissions and expand as you confirm actual requirements. Overly broad permissions increase the impact if an account is compromised.

  • Enable SSO for enterprise environments. If your organization uses an enterprise identity provider, configure user-based SSO to let users log in to Alibaba Cloud with their existing corporate credentials. SSO removes a separate set of credentials to manage, centralizes access control, and improves audit coverage.

Manage programmatic access

  • Separate programmatic RAM users from human RAM users. Applications and scripts that call APIs should use dedicated RAM users — not the same accounts used by people. This prevents an unintended action by a person from affecting an application's access, and vice versa.

  • Never embed AccessKey credentials in code. Hardcoding an AccessKey ID or AccessKey secret in source code risks exposing the credentials — for example, through a public code repository. An exposed AccessKey pair compromises all resources in your account. Use STS tokens instead, or store credentials as environment variables.
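As an added example, not code from the DSC documentation, the Python below pairs a small scanner that flags AccessKey material embedded in source with a loader that reads credentials from the environment instead. The "LTAI" prefix heuristic and the ALIBABA_CLOUD_* variable names are assumptions, and the flagged snippet is constructed.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional

# Heuristics (assumption: Alibaba Cloud AccessKey IDs commonly start with "LTAI";
# a secret is only flagged when assigned to a telling variable name).
ACCESS_KEY_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,}\b")
ACCESS_KEY_SECRET_RE = re.compile(
    r"(?i)(access[_-]?key[_-]?secret|secret[_-]?key)\s*[:=]\s*['\"]([A-Za-z0-9/+=]{20,})['\"]"
)


def find_hardcoded_credentials(source: str) -> list[tuple[int, str]]:
    """Return (line_number, kind) for every source line that appears to embed an AccessKey."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if ACCESS_KEY_ID_RE.search(line):
            findings.append((lineno, "access_key_id"))
        if ACCESS_KEY_SECRET_RE.search(line):
            findings.append((lineno, "access_key_secret"))
    return findings


@dataclass(frozen=True)
class Credentials:
    access_key_id: str
    access_key_secret: str
    security_token: Optional[str] = None  # set only for STS-issued, short-lived credentials


def load_credentials(env=None) -> Credentials:
    """Read credentials from environment variables (names as used by the Alibaba Cloud
    credential libraries; treated here as an assumption), never from source code."""
    env = os.environ if env is None else env
    ak = env.get("ALIBABA_CLOUD_ACCESS_KEY_ID")
    sk = env.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
    if not ak or not sk:
        raise RuntimeError("AccessKey credentials not found in environment")
    return Credentials(ak, sk, env.get("ALIBABA_CLOUD_SECURITY_TOKEN"))


# Constructed sample of what must NOT be committed: credentials embedded in source.
BAD_SNIPPET = '''\
client = Client(
    access_key_id="LTAI5tExampleConstructedKey",
    access_key_secret="ExampleConstructedSecretValue0123456789",
)
'''
```

Running the scanner as a pre-commit hook over staged files catches the pattern before it reaches a repository; the loader fails closed when the variables are absent rather than falling back to a literal.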

RAM user groups

A RAM user group is a collection of RAM users that share the same permissions. When you grant a permission to a group, every RAM user in that group inherits it — no need to assign permissions individually.

Use RAM user groups to reflect your team structure. For example, create a group for security auditors, another for data analysts, and another for administrators. Each group gets only the permissions its role requires.

Manage RAM user groups

  • Apply the principle of least privilege at the group level. Define group permissions by job function. Overly broad group permissions propagate to every user in the group.

  • Update group membership when responsibilities change. Remove a RAM user from a group as soon as their role changes and they no longer need that group's permissions. Stale memberships are a common source of privilege creep.

  • Revoke group permissions when they are no longer needed. Periodically review what each group can access. Remove permissions that are no longer required — even if no immediate harm is apparent.

RAM roles

A RAM role is a virtual identity with no permanent credentials — no logon password, no AccessKey pair. A RAM role is assumed by a trusted entity (such as a RAM user, an Alibaba Cloud service, or an external application), which receives a short-lived STS token scoped to the role's permissions.

This model is better suited for applications, automated jobs, and cross-account access than long-term AccessKey credentials, because the STS token expires automatically and limits the window of exposure if it is compromised.

Manage RAM roles

  • Avoid changing the trusted entity after a role is created. Changing the trusted entity of an existing RAM role can cause permission loss that affects running workloads. Adding new trusted entities introduces privilege escalation risks. If changes are necessary, test them in a non-production environment before applying them.

  • Set an appropriate STS token validity period. When a trusted entity calls the AssumeRole operation, it receives an STS token valid for a configurable duration. Set this duration to the minimum your workload requires — shorter tokens reduce the risk if a token is intercepted.

    The maximum STS token validity period equals the maximum session duration configured for the RAM role. Set the maximum session duration for each RAM role to an appropriate value.

  • Enable SSO for role-based enterprise access. If your organization's identity provider supports role-based federation, configure role-based SSO to let users assume RAM roles through your corporate identity provider. This centralizes access control, simplifies multi-account permission management, and improves audit coverage.
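As an added illustration, not part of the original documentation, the Python below simulates the role model described above: a token request is refused if it exceeds the role's maximum session duration, and a workload-side provider keeps only the short-lived STS token and renews it before expiry. The 900-second minimum, the role ARN placeholder and the token contents are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

MIN_SESSION_SECONDS = 900  # assumption: shortest session a workload may request


@dataclass(frozen=True)
class StsToken:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: float  # Unix time at which the token stops being valid


@dataclass(frozen=True)
class RamRole:
    arn: str
    max_session_duration: int  # seconds, configured on the role itself


def assume_role(role: RamRole, duration_seconds: int, now: Optional[float] = None) -> StsToken:
    """Simulated AssumeRole: the requested validity period may not exceed the role's
    maximum session duration, which caps how long any issued token can live."""
    if not MIN_SESSION_SECONDS <= duration_seconds <= role.max_session_duration:
        raise ValueError(f"duration {duration_seconds}s outside "
                         f"[{MIN_SESSION_SECONDS}, {role.max_session_duration}]")
    now = time.time() if now is None else now
    # Constructed token material; a real STS response carries a temporary key pair plus a token.
    return StsToken("STS." + secrets.token_hex(8), secrets.token_hex(15),
                    secrets.token_urlsafe(32), now + duration_seconds)


class RoleCredentialProvider:
    """Holds only a short-lived STS token and renews it shortly before expiry;
    no permanent AccessKey pair is ever stored on the workload."""

    def __init__(self, role: RamRole, duration_seconds: int, refresh_margin: int = 60, clock=time.time):
        self.role = role
        self.duration_seconds = duration_seconds
        self.refresh_margin = refresh_margin  # renew this many seconds before expiry
        self.clock = clock  # injectable for deterministic tests
        self._token: Optional[StsToken] = None
        self.refreshes = 0

    def get(self) -> StsToken:
        now = self.clock()
        if self._token is None or self._token.expiration - now <= self.refresh_margin:
            self._token = assume_role(self.role, self.duration_seconds, now)
            self.refreshes += 1
        return self._token
```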
