Resource Access Management: What is RAM?

Last Updated: Dec 15, 2025

Resource Access Management (RAM) is a web service that helps you securely control access to Alibaba Cloud resources. With RAM, you can centrally manage users, security credentials such as access keys, and permissions that control which cloud resources users and applications can access.

Billing

RAM is available free of charge. It is enabled by default, and cannot be disabled.

Why use RAM?

When you first create an Alibaba Cloud account, you begin with a single identity that has complete access to all services and resources in the account. Sharing the account's credentials for daily operations poses several security risks:

  • Excessive permissions and security risks: The Alibaba Cloud account has unrestricted permissions. If the account credentials are leaked, your cloud resources are exposed to severe security risks.

  • Lack of accountability: All operation logs are attributed to the Alibaba Cloud account. If a security incident occurs, you cannot trace the action to a specific individual, which makes security audits and accountability ineffective.

  • Violation of least privilege: You cannot grant "view-only billing" permissions for finance staff or "operate only in a specific environment" permissions for developers. This violates the principle of least privilege (PoLP).

As a security best practice, do not use Alibaba Cloud accounts for everyday tasks. Instead, use RAM to create separate identities for people and applications and grant them only the permissions they need.

Key features

  1. Identity management: Create and manage various identities, such as RAM users, RAM user groups, and RAM roles.

  2. Identity authentication: Provide multiple authentication methods, including passwords, AccessKey pairs, Multi-Factor Authentication (MFA), and single sign-on (SSO).

  3. Authorization management: Implement fine-grained access control for identities based on policies.

  4. Identity federation: Support integration with enterprise IdPs to achieve unified identity management and SSO.

  5. Access auditing: Identify the permissions held by RAM identities and record the last time they were used.

Identity, authentication, and authorization

RAM provides the framework for managing authentication and authorization in Alibaba Cloud.

Identity

An identity is an entity that can request to perform an action on a cloud resource. It is the entity to which you grant permissions. Identities in RAM can be understood from two distinct perspectives: their functional purpose and their technical implementation.

By functional purpose

There are two main types: human identities and machine identities.

  • Human identities: These are the people in your organization—like developers, operations engineers, or security engineers—who typically access Alibaba Cloud's resources interactively through the console or CLI.

  • Machine identities: These are non-human actors, such as applications or services, that access Alibaba Cloud's resources and data non-interactively through APIs.

By technical implementation

RAM provides three types of identities: RAM user, RAM user group, and RAM role.

| Identity type | Definition | Use case |
|---|---|---|
| RAM user | Represents a single entity (person or application) within your Alibaba Cloud account. Uses long-term credentials (such as a password or an AccessKey pair). | Assigning stable, long-term permissions to a specific person, system, or application. |
| RAM user group | A collection of RAM users. Permissions attached to the group are inherited by its members. | Managing permissions for multiple users with the same job function (such as developers and administrators), simplifying access management at scale. |
| RAM role | Assumed by a trusted principal, such as an Alibaba Cloud account, a cloud service, or an IdP. Provides temporary credentials for a session. | Delegating access securely. Common scenarios include cross-account access, granting permissions to Alibaba Cloud services, and enabling identity federation. |

These two classification models are complementary. Both RAM users and RAM roles can be configured to function as either a human (workforce) identity or a machine (workload) identity.

Alibaba Cloud account vs. RAM user

An Alibaba Cloud account is equivalent to the root user in Linux. It is the most privileged principal. A RAM user is an identity you create in your account that has specific, custom permissions. The core differences between them are as follows:

| Item | Alibaba Cloud account | RAM user |
|---|---|---|
| Identity role | The owner of resources. Has full ownership of all assets and the highest permissions. | A user of resources and services. Permissions are granted by the Alibaba Cloud account. A RAM user usually corresponds to a specific person or application. |
| Owns cloud resources | Yes | No. Resources are owned by the Alibaba Cloud account. |
| Default permissions | Full permissions. Cannot be restricted. | No permissions by default. Must be granted permissions by the Alibaba Cloud account. |
| Recommended use | Only for key management operations, such as authorization, payment, and account management. | Daily development, O&M, deployment, and other tasks. |

Important

Best practices for securing your Alibaba Cloud account

  1. Create a RAM user with administrator privileges specifically for daily management and technical operations.

  2. Use your Alibaba Cloud account only when absolutely necessary. Securely store its password and related credentials, such as multi-factor authentication (MFA) credentials.

  3. Perform all daily operations using the RAM administrator user. This prevents exposing your Alibaba Cloud account in daily work environments.

Authentication

Authentication is the process of verifying an identity's credentials to confirm who they are. Before any action is taken, the user or service must be authenticated.

Credentials come in various forms, such as a username and password, one-time passcode, or AccessKey pair used for programmatic access.

You can enhance security with:

  • MFA: Adds a layer of protection by requiring users to provide at least two different types of credentials to verify their identities, such as a password combined with a one-time passcode.

  • SSO: Allows users to log on with their existing corporate credentials via an identity provider (IdP), eliminating the need for separate Alibaba Cloud passwords.

Authorization

Authorization is the process of confirming whether an authenticated identity has permission to access a specific resource.

The core differences between authentication and authorization are as follows:

  • Authentication answers the question, "Who are you?" to verify an identity.

  • Authorization answers the question, "What are you allowed to do?" to grant or deny permissions.

Authentication always comes first; once an identity is verified, authorization rules are checked to grant or deny access.

In RAM, you manage access by creating policies and attaching them to identities, ensuring they can only access the resources and perform the actions you have permitted.

Authentication methods in RAM

Comparison

RAM supports multiple authentication methods for different use cases:

Console logon

| Authentication method | Definition | Use case |
|---|---|---|
| Username and password | A set of credentials used for logging on to the console. | A RAM user logs on to the console for interactive operations. |
| MFA | An additional layer of security on top of username and password authentication. | Used with a password to enhance console logon security. By default, all RAM users are required to perform MFA when logging on. |
| Passkey | A passwordless authentication solution based on the FIDO2 standard, allowing users to authenticate using their devices' biometrics (such as a fingerprint or facial ID) or a PIN. | Enhancing console logon security by preventing password attacks like password spraying and phishing. Suitable for scenarios that have high security requirements or require passwordless login. |
| SSO | Users authenticate through their enterprise IdP and can access multiple trusted cloud services with a single logon. | Enterprise users access Alibaba Cloud using their existing identity authentication system (such as Microsoft Entra ID or Okta). |

Programmatic access

| Authentication method | Definition | Use case |
|---|---|---|
| AccessKey pair | An AccessKey pair comprises an AccessKey ID and an AccessKey secret, which serve as long-term credentials for a RAM user. | Making programmatic calls from applications or services. For improved security, we recommend using temporary credentials instead of long-term AccessKey pairs whenever possible. |
| Security Token Service (STS) token | A temporary credential obtained when a trusted identity assumes a RAM role. It includes a temporary AccessKey pair and a security token, has a limited validity period, and expires automatically. | The recommended method for programmatic access. Ideal for scenarios like cross-account access, identity federation, and granting temporary permissions to applications, because it provides enhanced security by limiting the credential's lifetime. |

Long-term vs. temporary credentials

  • Long-term credentials: Credentials that remain valid long-term unless manually disabled, deleted, or modified. Examples: a password and an AccessKey pair.

  • Temporary credentials: Credentials with a limited validity period (such as from 15 minutes to a few hours) that automatically become invalid upon expiration. Example: an STS token.

Temporary credentials are more secure than long-term ones. If a long-term credential is leaked, it can be used indefinitely until it is revoked. In contrast, a temporary credential has a short lifetime. Even if it is leaked, the impact is limited, reducing the security risk. Therefore, you should prioritize using temporary credentials. For more information, see Best practices for using an access credential to call API operations.

Note

An STS token is issued by the Alibaba Cloud STS service when a trusted identity assumes a RAM role. For more information, see Obtain temporary identity credentials.

Policies in RAM

After an identity is authenticated, RAM evaluates the attached policies to determine whether the identity has the necessary permissions to access the target resource. RAM follows a "deny by default" principle: any access request that is not explicitly allowed is implicitly denied.

Policy types

Permissions are managed through a policy, which is a set of rules that defines permissions. RAM supports the following two types of policies:

  • System policy: Created and managed by Alibaba Cloud, these policies cover common use cases, but you cannot modify the permissions they define.

  • Custom policy: Policies that you can create and manage yourself. By writing a policy document in JSON format, you can precisely define allowed or denied actions, resources, and conditions for fine-grained access control.

For more information, see Policy overview.

Authorization scope

Permissions can be scoped to an entire Alibaba Cloud account or limited to specific projects and environments using resource groups.

For more information, see Policy models.

Conditional access control

You can achieve fine-grained access control by defining conditions in your custom policies. This allows you to implement strategies like attribute-based access control (ABAC), where access is determined by evaluating attributes in real-time. Common use cases include restricting requests to a specific CIDR block or requiring MFA for certain actions.

Conditions can include system-defined attributes, such as identity attributes, resource attributes, and request environment attributes, along with custom attributes like tags.

Note

Conditions can only be configured in custom policies.

For more information, see Elements of a policy.
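The following is an added example, not code from this page or from Alibaba Cloud: a minimal Python evaluator that mirrors the policy semantics described in the two sections above, namely deny by default, statements matched by Action and Resource, and Condition blocks such as a source-CIDR restriction (`acs:SourceIp`) and an MFA requirement (`acs:MFAPresent`). It also applies the rule that an explicit Deny overrides any Allow. The policy document, bucket name and request attributes are constructed samples, and only the IpAddress and Bool condition operators are modelled.

```python
import fnmatch
import ipaddress

# Constructed sample custom policy in RAM policy-document layout (not a real account's policy).
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"],
         "Resource": "acs:oss:*:*:example-bucket/*",
         "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}},
        {"Effect": "Allow", "Action": "oss:DeleteObject",
         "Resource": "acs:oss:*:*:example-bucket/*",
         "Condition": {"Bool": {"acs:MFAPresent": "true"}}},
        # Explicit Deny on a sensitive prefix: wins over both Allow statements above.
        {"Effect": "Deny", "Action": "oss:*",
         "Resource": "acs:oss:*:*:example-bucket/secrets/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_ok(condition, request):
    """Every operator/key must hold; a key absent from the request never matches."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = request.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                ok = any(ip in ipaddress.ip_network(cidr) for cidr in _as_list(expected))
            elif operator == "Bool":
                ok = str(actual).lower() == str(expected).lower()
            else:
                ok = False  # operator not modelled here: treat as not satisfied
            if not ok:
                return False
    return True

def _matches(stmt, action, resource, request):
    return (any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
            and _condition_ok(stmt.get("Condition", {}), request))

def evaluate(policy, action, resource, request):
    """Return "Allow" or "Deny": explicit Deny wins; no matching statement is an implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource, request)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"
```

A request with no `acs:SourceIp` attribute is denied rather than allowed, which is the safe reading of a missing condition key; a real deployment would rely on RAM's own evaluation, and this evaluator only illustrates the decision order.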

Identity federation

RAM supports SSO based on the SAML 2.0 and OpenID Connect (OIDC) protocols, also known as identity federation.

Why use identity federation?

In multi-cloud and enterprise IT environments, employees often need to access multiple internal systems and cloud services, which involves frequently switching accounts and remembering different passwords. This not only affects operational efficiency but also increases security risks.

With identity federation, you can allow users from your corporate IdP, such as Microsoft Entra ID or Okta, to log on to Alibaba Cloud using their existing credentials. This approach offers the following advantages:

  • Simplified logon: Employees simply log on once to your corporate IdP to access Alibaba Cloud, eliminating the need to maintain multiple sets of usernames and passwords.

  • Centralized security policies: Enterprise security policies (such as MFA, password policies, and IP address restrictions) are configured and enforced centrally at the IdP level.

  • Centralized management and auditing: User access is managed centrally in your IdP. When an employee leaves your enterprise, their access to Alibaba Cloud is automatically revoked, reducing management overhead and security risks.

Supported SSO methods

RAM supports the following two SSO methods to meet the needs of different use cases:

  1. User-based SSO
    This method maps users from an IdP to corresponding RAM users in Alibaba Cloud. Users then log on to the Alibaba Cloud Management Console as their mapped RAM users.

  2. Role-based SSO
    With this method, federated users assume a RAM role to obtain temporary credentials. This method supports cross-account access, and aligns better with security best practices by avoiding the creation of long-term credentials.

For more information, see SSO overview.

Security and auditing

Use the following best practices to enhance the security and auditability of your Alibaba Cloud account.

Identity and access management

See Best practices for identity and access management.

Auditing and governance

  • Log actions with ActionTrail: You can use ActionTrail to record all actions performed by RAM identities, which can be used for security audits, compliance reviews, and issue tracing. For more information, see Use ActionTrail to query events.

  • Identity and access governance: Continuously detect security risks related to identities and permissions, such as long-inactive AccessKey pairs or non-compliant password policies.

  • Access analysis: RAM helps you identify and analyze access from the Internet and over-privileged identities within your account, and provides governance suggestions.

For more information, see Best practices for identity and access management.
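As an added example (not code from this page or from Alibaba Cloud), the governance pass described above, run offline over a constructed inventory of RAM users and their AccessKey pairs: it flags AccessKey pairs that have been inactive for more than 90 days, keys older than a 180-day rotation window, and users with console logon enabled but no MFA device bound. The record layout, field names and thresholds are assumptions for this example, not a RAM API format.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real data). The field names are assumptions that
# loosely mirror what an export of RAM users and their AccessKey pairs would contain.
USERS = [
    {"UserName": "dev-alice", "ConsoleLogon": True, "MFADevice": True,
     "AccessKeys": [{"AccessKeyId": "AKEXAMPLE0001", "Status": "Active",
                     "CreateDate": "2025-01-10T00:00:00Z", "LastUsedDate": "2025-12-01T08:00:00Z"}]},
    {"UserName": "ci-bot", "ConsoleLogon": False, "MFADevice": False,
     "AccessKeys": [{"AccessKeyId": "AKEXAMPLE0002", "Status": "Active",
                     "CreateDate": "2024-03-01T00:00:00Z", "LastUsedDate": "2025-05-01T00:00:00Z"}]},
    {"UserName": "finance-bob", "ConsoleLogon": True, "MFADevice": False, "AccessKeys": []},
]
NOW = datetime(2025, 12, 15, tzinfo=timezone.utc)  # fixed "now" so the results are reproducible

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit(users, now=NOW, inactive_days=90, rotate_days=180):
    """Return (user, finding) pairs for the identity risks a governance pass should surface."""
    findings = []
    for user in users:
        if user["ConsoleLogon"] and not user["MFADevice"]:
            findings.append((user["UserName"], "console logon enabled but no MFA device bound"))
        for key in user["AccessKeys"]:
            if key["Status"] != "Active":
                continue  # a disabled key cannot be used; clean it up, but it is not a live risk
            # A key that has never been used counts as idle since its creation.
            last_used = _parse(key.get("LastUsedDate") or key["CreateDate"])
            idle = (now - last_used).days
            if idle > inactive_days:
                findings.append((user["UserName"],
                                 f"{key['AccessKeyId']} unused for {idle} days: disable or delete"))
            if (now - _parse(key["CreateDate"])).days > rotate_days:
                findings.append((user["UserName"],
                                 f"{key['AccessKeyId']} older than {rotate_days} days: rotate"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(USERS):
        print(f"{name}: {finding}")
```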

Quick start guides