
Resource Access Management (RAM)

Last Updated: Dec 19, 2017

If DNS hosting is enabled for multiple domains, then more than one user may need to configure DNS settings for these domains. If your Alibaba Cloud account key is shared among these users, two problems arise:

  • The key has a high risk of leakage.
  • You are prone to security risks caused by misoperations because you cannot control other users’ access permissions.

RAM is a resource access control service provided by Alibaba Cloud. With RAM, you can centrally manage users (such as employees, systems, or applications) and control which resources are accessible to which users.

RAM helps you manage the resource access permissions for different users. For example, you can apply the following system authorization policies to a group for enhanced security control:

  • AliyunAlidnsFullAccess (the permission for managing Alibaba Cloud DNS)

    This grants authorized sub-accounts full permission to manage the DNS resources of the main account. It is also the highest permission available to sub-accounts.

    {
      "Statement": [
        {
          "Action": "alidns:*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
  • AliyunAlidnsDomainSignle (full permission on a single domain in Alibaba Cloud DNS)

    This grants authorized sub-accounts full permission to manage the DNS resources of a specific domain.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "alidns:*",
          "Resource": "acs:alidns:*:*:domain/example.com",
          "Effect": "Allow"
        },
        {
          "Action": [
            "alidns:DescribeSiteMonitorIspInfos",
            "alidns:DescribeSiteMonitorIspCityInfos",
            "alidns:DescribeSupportLines",
            "alidns:DescribeDomains"
          ],
          "Resource": "acs:alidns:*:*:*",
          "Effect": "Allow"
        }
      ]
    }
  • AliyunAlidnsReadOnlyAccess (read-only access permission for Alibaba Cloud DNS)

    This grants authorized sub-accounts permission to view, but not manage, the DNS resources of the main account.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "alidns:Describe*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
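
To compare what each of the three policies above actually permits, the following Python sketch (an added example, not part of the Alibaba Cloud documentation or the RAM service's own code) evaluates them against constructed requests using a simplified model: `*` wildcard matching, explicit Deny wins, anything not allowed is denied. The function names, the placeholder account ID in the resource strings, and the second domain `example.org` are assumptions made for illustration.

```python
import re

# The three policy documents from this page.
FULL_ACCESS = {"Version": "1", "Statement": [
    {"Action": "alidns:*", "Effect": "Allow", "Resource": "*"}]}
SINGLE_DOMAIN = {"Version": "1", "Statement": [
    {"Action": "alidns:*", "Effect": "Allow",
     "Resource": "acs:alidns:*:*:domain/example.com"},
    {"Action": ["alidns:DescribeSiteMonitorIspInfos",
                "alidns:DescribeSiteMonitorIspCityInfos",
                "alidns:DescribeSupportLines",
                "alidns:DescribeDomains"],
     "Effect": "Allow", "Resource": "acs:alidns:*:*:*"}]}
READ_ONLY = {"Version": "1", "Statement": [
    {"Action": "alidns:Describe*", "Effect": "Allow", "Resource": "*"}]}


def _matches(pattern, value):
    """Wildcard match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(item):
    return item if isinstance(item, list) else [item]


def is_allowed(policy, action, resource):
    """Simplified model: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_matches(a, action) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed


# Constructed request resources; the account ID is a placeholder.
IN_SCOPE = "acs:alidns:*:1234567890123456:domain/example.com"
OUT_OF_SCOPE = "acs:alidns:*:1234567890123456:domain/example.org"

if __name__ == "__main__":
    policies = [("full", FULL_ACCESS), ("single", SINGLE_DOMAIN), ("readonly", READ_ONLY)]
    for name, pol in policies:
        for act in ("alidns:AddDomainRecord", "alidns:DescribeDomains"):
            for res in (IN_SCOPE, OUT_OF_SCOPE):
                print(name, act, res.rsplit("/", 1)[1], is_allowed(pol, act, res))
```

Under the single-domain policy, a sub-account can change records only on `example.com`, and on other domains only the four listed `Describe` actions match.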

For more information about RAM, see RAM product documentation.
