This topic describes how an enterprise that has multiple cloud resources can use Resource Access Management (RAM) to manage user permissions to access the cloud resources.
An Alibaba Cloud account is required. If you do not have one, create one before you proceed. To create an Alibaba Cloud account, click Create an Alibaba Cloud account.
Enterprise A has purchased various Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB for RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets, to migrate a project to the cloud. Certain employees need to manage these cloud resources, and different employees require different permissions to fulfill their duties.
Enterprise A has the following requirements:
- To guarantee security, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees.
- Enterprise A prefers to create different RAM user accounts for the employees and grant different permissions to these user accounts. The employees are granted only the permissions that are required to fulfill their duties.
- The RAM users can only manage resources after they are granted the corresponding permissions. All the operations performed by RAM users can be audited.
- Enterprise A can revoke the permissions granted to RAM users and delete RAM user accounts at any time.
- Fees on resources incurred by RAM users are billed to the parent Alibaba Cloud account.
To meet these requirements, Enterprise A can use RAM as follows:
- Enable multi-factor authentication (MFA) for the Alibaba Cloud account so that a disclosed or guessed account password alone is not sufficient to log on. For more information, see Enable an MFA device for an Alibaba Cloud account.
- Create RAM user accounts for different employees or apps, and specify logon passwords or create AccessKey pairs based on the business requirements. For more information, see Create a RAM user.
- If multiple employees have the same responsibility, we recommend that you create a RAM user group and add the corresponding users to this group. For more information, see Create a RAM user group.
- Attach one or more system policies to a RAM user or RAM user group. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM user group. For finer-grained permission management, you can create one or more custom policies and attach them to individual RAM users or to a RAM user group. For more information, see Create a custom policy.
- Remove permissions from RAM user groups or RAM users when they no longer need the permissions. For more information, see Remove permissions from a RAM user and Remove permissions from a RAM user group.
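As an added example that is not part of the original documentation, the following custom policy illustrates the finer-grained permission management described above: it lets members of a project storage group list, read and write objects in a single OSS bucket, and only when the caller has logged on with MFA. The bucket name example-project-bucket is a constructed placeholder.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:PutObject"
      ],
      "Resource": [
        "acs:oss:*:*:example-project-bucket",
        "acs:oss:*:*:example-project-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "true"
        }
      }
    }
  ]
}
```

Attached to a RAM user group rather than to individual users, this policy confines every member to that one bucket, and removing a user from the group revokes the access without touching the policy itself.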