Resource Access Management (RAM) enables you to securely control access to your Alibaba Cloud resources. By creating individual RAM users for your employees and applications and applying fine-grained permissions, you can follow the principle of least privilege and improve your security posture without sharing your Alibaba Cloud account credentials.
Scenario
Consider a common scenario: Your organization uses a variety of Alibaba Cloud services, such as Elastic Compute Service (ECS), ApsaraDB for RDS, and Object Storage Service (OSS). Different teams, such as developers, database administrators, and financial analysts, require different levels of access to manage these resources.
Your organization has the following security and management objectives:
Avoid sharing Alibaba Cloud account credentials to prevent security risks.
Grant permissions based on the principle of least privilege, ensuring that each identity has only the permissions required to perform its job function.
Create individual identities for each person or application to ensure accountability.
Centralize auditing of all actions performed on your cloud resources.
Easily revoke access when an employee changes roles or leaves the company.
Maintain centralized billing under a single Alibaba Cloud account.
Solution architecture
You can meet these objectives by using RAM to create a secure and scalable permissions framework. This solution uses several core RAM components:

Alibaba Cloud account: This is the owner of all resources in the account. It should be secured with U2F security keys and not used for daily operational tasks.
RAM users: These are individual identities that you create for people or applications within your Alibaba Cloud account. By default, RAM users have no permissions.
RAM groups: To simplify permission management, you can organize RAM users into groups based on their job function (such as ecs-admins and db-operators). You grant permissions to the group, and all users in that group inherit those permissions.
RAM policies: A policy is a document that defines one or more permissions. You grant access by attaching policies to RAM users or groups. Alibaba Cloud offers both pre-defined system policies and the ability to create your own custom policies for fine-grained control.
Implementation steps
Secure your Alibaba Cloud account
As a best practice, always enable multi-factor authentication (MFA) for your Alibaba Cloud account to add a critical layer of security.
Create individual RAM users
Create a unique RAM user for each person and application that needs access to your Alibaba Cloud resources. Assign a console password for human users and create an AccessKey pair for applications that need programmatic access.
Organize users into groups
For easier management, create RAM groups that correspond to job roles in your organization. Add the RAM users you created to the appropriate groups.
Grant permissions using policies
Attach policies to your RAM groups to grant the necessary permissions. For common tasks, you can use Alibaba Cloud's system policies. For more specific requirements, you can create custom policies that grant only the precise permissions needed.
Regularly review and revoke permissions
As job roles change or employees leave, remove users from groups or detach policies to ensure that permissions remain current and adhere to the principle of least privilege.
Audit user activity
All actions taken by RAM users are logged in ActionTrail. Regularly review these logs to audit activity and ensure compliance with your security policies.
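The following is an added example (not Alibaba Cloud's own code) that supports the "Grant permissions using policies" and "Regularly review and revoke permissions" steps: it contrasts an over-broad policy document with a scoped custom policy in the RAM policy format, and audits Allow statements for wildcard actions or resources so that such policies can be caught during periodic review. The bucket name, group purpose and policy contents are constructed for illustration.

```python
"""Audit RAM policy documents for least-privilege violations.

Added example, not Alibaba Cloud's own code. The policies follow the RAM
policy document format (Version "1", Statement list with Effect, Action,
Resource, optional Condition); bucket and group names are constructed.
"""
import json

# Constructed: an over-broad policy equivalent to full administrative access.
BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: a scoped custom policy for a hypothetical log-readers group.
# It allows read-only access to one bucket and only from MFA-authenticated
# sessions (acs:MFAPresent is a RAM condition key).
SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:ListObjects"],
        "Resource": [
            "acs:oss:*:*:example-audit-logs",
            "acs:oss:*:*:example-audit-logs/*",
        ],
        "Condition": {"Bool": {"acs:MFAPresent": "true"}},
    }],
})

def _as_list(value):
    """RAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return findings for Allow statements that exceed least privilege:
    a global or service-wide action wildcard, or a wildcard resource."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; skip them
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource")
    return findings
```

Running `audit_policy` over every custom policy attached to your groups during the review step gives a quick list of statements to tighten; an empty result means no wildcard grants were found, not that the policy is minimal.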