Assume that an enterprise A buys several types of cloud resources, such as ECS instances, RDS instances, Server Load Balancer instances and OSS buckets, and that employees of enterprise A need to perform operations on these resources, such as purchasing, O&M, or deploying applications. Because different employees have different responsibilities, they require different permissions. For security reasons, the Alibaba Cloud account owner of enterprise A does not want to disclose the account's access key to employees. Instead, the account owner prefers to create a separate RAM user for each employee and grant each RAM user its own set of permissions. Employees can then operate on resources only within the permissions of their RAM users, and no charges are billed to these RAM users: all expenses are charged to the account owner. The account owner can also revoke the permissions of a RAM user at any time, and can delete the RAM user.
- Employees should not share the primary account, to avoid uncontrollable risks caused by the disclosure of the account's password or access key.
- Each employee is allocated an independent user account (or operator account) with its own permissions, so that their permissions match their responsibilities.
- All the operations of all user accounts can be audited.
- Charges are not calculated for each operator; the primary account is billed for all fees incurred.
Use RAM users together with RAM's authorization management, as shown in the following figure:
The procedure is as follows:
- Bind an MFA device to the primary account and enable MFA for it, so that disclosure of the primary account's password alone is not enough to log on.
- Activate RAM.
- Create RAM users for the different employees (or application systems). Set a logon password for users who work in the console, and create an access key for users that call APIs programmatically, as needed.
- Create a group. If several employees have the same responsibilities, we recommend creating a group for them and adding the users to the group.
- Grant permissions. Bind one or more authorization policies to groups or users; binding to groups rather than to individual users keeps permissions manageable as employees join and leave. For more fine-grained authorization, create custom authorization policies and then bind them to groups or users.
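The last step is the one where mistakes are most costly, because an over-broad custom policy silently undoes the separation of duties the earlier steps set up. The following added example (written for this page; it is not Alibaba Cloud's code) drafts a custom policy document for an O&M group in RAM's policy syntax (`Version` "1", a `Statement` list with `Effect`, `Action` and `Resource`, resource names of the form `acs:<service>:<region>:<account>:<resource>`) and checks offline which actions it actually permits before the policy is bound to a group. The evaluator is a deliberately simplified approximation of RAM's evaluation order (an explicit Deny wins over any Allow, anything not allowed is denied); it ignores the `Condition` element, and the policy, group, bucket and instance names are constructed for illustration.

```python
"""Draft a custom RAM authorization policy and test it offline.

Added example, not code from the original page or from Alibaba Cloud.
The evaluator approximates RAM's evaluation logic (explicit Deny beats
Allow, implicit deny otherwise) and ignores Condition elements; treat it
as a pre-check, not as the authoritative policy engine.
"""
import fnmatch
import json

# Constructed policy for a hypothetical "OM" group: read anything in ECS,
# power-cycle instances, fully manage one log bucket, but never delete it.
OM_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:Describe*"], "Resource": ["*"]},
        {
            "Effect": "Allow",
            "Action": ["ecs:StartInstance", "ecs:StopInstance", "ecs:RebootInstance"],
            "Resource": ["acs:ecs:*:*:instance/*"],
        },
        {
            "Effect": "Allow",
            "Action": ["oss:*"],
            "Resource": ["acs:oss:*:*:app-logs", "acs:oss:*:*:app-logs/*"],
        },
        # Explicit Deny: overrides the oss:* Allow above for this one action.
        {"Effect": "Deny", "Action": ["oss:DeleteBucket"], "Resource": ["*"]},
    ],
}


def _as_list(value):
    """RAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str) -> bool:
    """Wildcard match: '*' in a policy matches any run of characters."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _applies(stmt: dict, action: str, resource: str) -> bool:
    return any(_match(a, action) for a in _as_list(stmt["Action"])) and any(
        _match(r, resource) for r in _as_list(stmt["Resource"])
    )


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified RAM decision: Deny wins, then Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_document(policy: dict) -> str:
    """Compact JSON string, the form passed as PolicyDocument to CreatePolicy."""
    return json.dumps(policy, separators=(",", ":"))


def check_matrix(policy: dict, cases) -> dict:
    """Evaluate a list of (action, resource) pairs; useful as a review table."""
    return {f"{action} {resource}": is_allowed(policy, action, resource) for action, resource in cases}


if __name__ == "__main__":
    # Constructed test requests an O&M employee might make.
    cases = [
        ("ecs:DescribeInstances", "acs:ecs:cn-hangzhou:123456:instance/i-abc"),
        ("ecs:RebootInstance", "acs:ecs:cn-hangzhou:123456:instance/i-abc"),
        ("ecs:DeleteInstance", "acs:ecs:cn-hangzhou:123456:instance/i-abc"),
        ("oss:GetObject", "acs:oss:*:*:app-logs/2024/app.log"),
        ("oss:GetObject", "acs:oss:*:*:finance-data/q1.csv"),
        ("oss:DeleteBucket", "acs:oss:*:*:app-logs"),
    ]
    for request, decision in check_matrix(OM_POLICY, cases).items():
        print(f"{'ALLOW' if decision else 'DENY ':6} {request}")
    print(policy_document(OM_POLICY))
```

Run the matrix against every custom policy before binding it: a request that should be denied but comes back `ALLOW` usually points to a `*` placed too high up in an `Action` or `Resource` pattern.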