Scenario description

Assume that enterprise A purchases several types of cloud resources, such as ECS instances, RDS instances, SLB instances, and OSS buckets, for cloudization of a project (Project-X). Employees at enterprise A need to operate these resources, such as purchasing, O&M, and online application. Because different employees have different responsibilities, they require different permissions.

  • For security or reliability reasons, A does not want to disclose its account AccessKey (AK) to its employees. Instead, A prefers to create different RAM user accounts for the employees and associate each RAM user account with different permissions.
  • The employees can operate resources only under their permissions with their RAM user accounts, and the RAM user accounts do not need to pay for bills. The account owner pays for all bills.
  • The account owner can revoke the permissions of a RAM user and delete the RAM user account at any time.

Requirement analysis

The analysis of the preceding scenario is as follows:

  • A does not share its account with employees to avoid uncontrollable risks caused by possible disclosure of the account password or AK.
  • Different employees are allocated independent user accounts (or operator accounts) with independent permissions, so that their responsibilities are consistent with their permissions.
  • All the operations performed by all user accounts can be audited.
  • Costs of each operator are calculated separately. The account owner pays for all bills.


Use the user account authorization and management function provided by RAM, as shown in the following figure.

Figure 1. Solution overview

The procedure is as follows:

  1. Set up MFA to prevent risks caused by possible disclosure of the account password.
  2. Activate RAM.
  3. Create RAM users for different employees (or application systems) and set logon passwords or create AKs for them as needed.
  4. Create a RAM user group. If multiple employees have the same responsibility, we recommend that you create a group for them.
  5. Grant permissions. Attach one or more policies to the group or users. For finer-grained authorization, you can create custom policies and then attach them to the group or users.