RAM helps manage identities and control resource access with various features.
Manage RAM users and their keys
You can create and manage RAM users and their keys under your account and attach or detach MFA devices for them.
Control access permissions of RAM users
You can attach one or more policies to a user or a user group to restrict users' operation permissions on resources.
Control resource access methods of RAM users
You can specify that users use security channels (for example, SSL) to operate on the specified cloud resources at a specified time or from specified source IP addresses.
Manage identity associations of RAM roles and external accounts
You can associate a RAM role with an external identity system (such as your local enterprise domain account or app account). In this way, you can directly use the external identity to log on to the Alibaba Cloud console or use APIs as the RAM role identity.
Control cloud resources
You can control the instances and data created by RAM users in a centralized manner. Therefore, when a user leaves your organization, you can still fully control the user's instances and data.
Pay for bills
Your account pays for all fees incurred due to resource operations performed by all RAM users.