Using your Alibaba Cloud account directly to access ApsaraMQ for RabbitMQ exposes all resources under that account if credentials are compromised. Unless otherwise required, use Resource Access Management (RAM) to create separate identities -- users, user groups, and roles -- with scoped permissions, so each person or application accesses only the resources it needs.
RAM users
A RAM user is an identity that belongs to an Alibaba Cloud account. After you grant a RAM user the required permissions, the RAM user can access Alibaba Cloud resources within the Alibaba Cloud account to which the RAM user belongs through the Alibaba Cloud Management Console or by calling API operations.
Alibaba Cloud accounts, RAM users with administrative rights, and RAM roles with administrative rights can all create RAM users.
Access modes
When you create a RAM user, set the Access Mode parameter to one of the following options:
| Access mode | Description |
|---|---|
| Console Access | The RAM user logs on to the Alibaba Cloud Management Console with a username and password. |
| Using permanent AccessKey to access | The RAM user calls API operations with an AccessKey pair. |
| Both | The RAM user has both console and API access. |
Create separate RAM users for people who need console access and for applications that need API access. Do not give an application a console password, and do not let a person use an application's AccessKey pair. With one identity per use, a leaked credential or an unintended operation is confined to that identity, and the credential can be revoked without disturbing the other.
Security practices
Create an admin RAM user first. Use your Alibaba Cloud account to create a RAM user with administrative rights. Then use that RAM user -- not your Alibaba Cloud account -- to create and manage other RAM users.
Enable MFA for console access. Turn on multi-factor authentication (MFA) for every RAM user that logs on to the console. MFA adds a second verification step beyond the password.
Grant least-privilege permissions. Grant only the minimum permissions a RAM user needs. Overly broad permissions increase the risk of accidental changes or unauthorized access.
Keep AccessKey pairs out of code. Never embed an AccessKey ID or AccessKey secret in source code, in configuration files committed to version control, or in container images. Whoever obtains a leaked pair gets every permission attached to that identity; for an Alibaba Cloud account pair that is every resource in the account. Prefer temporary Security Token Service (STS) credentials obtained by assuming a RAM role. Where a permanent pair is unavoidable, inject it at run time from environment variables or a secrets store, and rotate it regularly.
Enable SSO when available. If your organization uses an enterprise identity provider, enable single sign-on (SSO) so RAM users can log on through your existing identity management system.
RAM user groups
A RAM user group lets you manage permissions for multiple RAM users at once. Instead of attaching policies to each RAM user individually, attach them to a group and add users to that group.
Security practices
Grant least-privilege permissions at the group level. Scope group policies to the minimum permissions required by group members.
Remove users when responsibilities change. When a RAM user's duties change, remove them from groups that no longer match their responsibilities.
Revoke unused group permissions. Periodically review group policies and revoke any permissions the group no longer needs.
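The least-privilege practices for RAM users and for user groups both come down to one question: does the policy document grant exactly the actions the identity needs on exactly the resources it needs, and nothing more? The following added example (not code from the page or from Alibaba Cloud) is an offline checker for RAM policy documents. It applies the documented evaluation order (an explicit Deny wins over any Allow, and anything not allowed is denied) to a constructed policy for a group of RabbitMQ operators, then audits the policy against lists of required and forbidden permissions before it is attached. The `amqp:` action names and the `acs:amqp:...` resource format are assumptions for illustration; confirm the authoritative names in the ApsaraMQ for RabbitMQ RAM reference. Condition elements are not modelled.

```python
import json
import re

# Constructed least-privilege policy for a group of RabbitMQ operators.
# The amqp:* action names and the acs:amqp:... resource format are assumptions
# used for illustration; check the ApsaraMQ for RabbitMQ RAM reference for the
# authoritative names before attaching a policy.
OPERATOR_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {   # read-only view of every instance in the account
            "Effect": "Allow",
            "Action": ["amqp:ListInstances", "amqp:GetInstance"],
            "Resource": "acs:amqp:*:*:/instances/*",
        },
        {   # write access to exactly one instance
            "Effect": "Allow",
            "Action": ["amqp:CreateVirtualHost", "amqp:CreateQueue", "amqp:DeleteQueue"],
            "Resource": "acs:amqp:cn-hangzhou:123456789012:/instances/amqp-cn-example1",
        },
        {   # instance lifecycle stays with the admin group, whatever else is attached
            "Effect": "Deny",
            "Action": ["amqp:CreateInstance", "amqp:DeleteInstance"],
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, text: str) -> bool:
    """Match a policy pattern in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text) is not None


def is_allowed(policy_json: str, action: str, resource: str) -> bool:
    """Evaluate one (action, resource) pair against a single policy document.

    Evaluation order, as RAM documents it: an explicit Deny in any matching
    statement wins; otherwise any matching Allow grants; otherwise the request
    is denied by default. Condition blocks are not modelled here.
    """
    policy = json.loads(policy_json)
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(p, resource) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit Deny always wins
        allowed = True            # keep scanning: a later Deny can still revoke
    return allowed


def audit_policy(policy_json, required, forbidden):
    """Return (missing, excess): required (action, resource) pairs the policy
    does not grant, and forbidden pairs it grants. Both lists should be empty
    before the policy is attached to a RAM user or group."""
    missing = [pair for pair in required if not is_allowed(policy_json, *pair)]
    excess = [pair for pair in forbidden if is_allowed(policy_json, *pair)]
    return missing, excess


if __name__ == "__main__":
    prod = "acs:amqp:cn-hangzhou:123456789012:/instances/amqp-cn-example1"
    other = "acs:amqp:cn-hangzhou:123456789012:/instances/amqp-cn-example2"
    missing, excess = audit_policy(
        OPERATOR_POLICY,
        required=[("amqp:ListInstances", other), ("amqp:CreateQueue", prod)],
        forbidden=[("amqp:CreateQueue", other), ("amqp:DeleteInstance", prod)],
    )
    print("missing:", missing)
    print("excess:", excess)
```

Running the audit with a forbidden list that names the actions an identity must never have (instance deletion, access to other teams' instances) turns least privilege into a repeatable check rather than a one-off review: re-run it whenever a group policy changes or a user is moved between groups.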
RAM roles
A RAM role is a virtual identity with no permanent credentials -- no password and no AccessKey pair. You attach policies to the role, but the role can only be used after a trusted entity assumes it. The trusted entity then receives a temporary STS token to access Alibaba Cloud resources as that role.
How role assumption works
1. A trusted entity calls the AssumeRole API operation, passing the ARN of the RAM role, a session name, and optionally a DurationSeconds value for the session length it wants.
2. STS returns a temporary token (an AccessKey ID, an AccessKey secret, and a security token) carrying the permissions attached to the RAM role.
3. The trusted entity uses the token to access Alibaba Cloud resources until the token expires; after that it must call AssumeRole again.
The validity period requested in DurationSeconds cannot exceed the maximum session duration configured for the RAM role, so that setting caps the lifetime of every STS token issued for the role.
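The following added example (not code from the page or from the Alibaba Cloud SDK) shows the sequence above as an application would implement it, and is also the concrete alternative to embedding an AccessKey pair in code that the security practices for RAM users call for. It validates the requested session length against the role's maximum session duration, calls AssumeRole, parses the Credentials block of the response, and re-assumes the role shortly before the token expires so that the application never holds a long-lived credential. The AssumeRole call is injected as a callable so the logic runs offline against a constructed stand-in; in production, pass a wrapper around the SDK or CLI call. The 3600-second role maximum, the role ARN, and all credential values are assumptions.

```python
from datetime import datetime, timedelta, timezone

MIN_DURATION_SECONDS = 900              # shortest session STS issues
# The role's Maximum Session Duration as configured in RAM. 3600 s is the
# default and is an assumption for this example.
ROLE_MAX_SESSION_SECONDS = 3600
REFRESH_MARGIN = timedelta(minutes=5)   # renew this long before expiry
STS_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # Expiration format in AssumeRole responses


def validate_duration(requested_seconds: int, role_max_seconds: int) -> int:
    """Refuse a DurationSeconds value that STS would reject for this role."""
    if not MIN_DURATION_SECONDS <= requested_seconds <= role_max_seconds:
        raise ValueError(f"DurationSeconds {requested_seconds} outside "
                         f"[{MIN_DURATION_SECONDS}, {role_max_seconds}] for this role")
    return requested_seconds


class TemporaryCredentials:
    """The Credentials block of an AssumeRole response, plus an expiry check."""

    def __init__(self, access_key_id, access_key_secret, security_token, expiration):
        self.access_key_id = access_key_id
        self.access_key_secret = access_key_secret
        self.security_token = security_token
        self.expiration = expiration

    @classmethod
    def from_response(cls, response: dict) -> "TemporaryCredentials":
        c = response["Credentials"]
        expiration = datetime.strptime(c["Expiration"], STS_TIME_FORMAT).replace(tzinfo=timezone.utc)
        return cls(c["AccessKeyId"], c["AccessKeySecret"], c["SecurityToken"], expiration)

    def needs_refresh(self, now: datetime) -> bool:
        return now >= self.expiration - REFRESH_MARGIN


class RoleCredentialProvider:
    """Hands out STS credentials for a role, re-assuming it before they expire.

    `assume_role` is any callable taking the AssumeRole parameter names
    (RoleArn, RoleSessionName, DurationSeconds) and returning the response
    as a dict. Wrap the SDK or CLI call in production; a fake is injected here.
    """

    def __init__(self, role_arn, session_name, duration_seconds, assume_role,
                 role_max_seconds=ROLE_MAX_SESSION_SECONDS, clock=None):
        self.role_arn = role_arn
        self.session_name = session_name
        self.duration_seconds = validate_duration(duration_seconds, role_max_seconds)
        self._assume_role = assume_role
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._creds = None
        self.assume_calls = 0

    def get(self) -> TemporaryCredentials:
        now = self._clock()
        if self._creds is None or self._creds.needs_refresh(now):
            response = self._assume_role(RoleArn=self.role_arn,
                                         RoleSessionName=self.session_name,
                                         DurationSeconds=self.duration_seconds)
            self._creds = TemporaryCredentials.from_response(response)
            self.assume_calls += 1
        return self._creds


class FakeClock:
    """Controllable clock so the refresh logic can be exercised offline."""

    def __init__(self, now_utc: str):
        self.now = datetime.strptime(now_utc, STS_TIME_FORMAT).replace(tzinfo=timezone.utc)

    def __call__(self):
        return self.now

    def advance(self, **delta):
        self.now += timedelta(**delta)


def make_fake_sts(clock, role_max_seconds=ROLE_MAX_SESSION_SECONDS):
    """Constructed stand-in for the AssumeRole API (not Alibaba Cloud code).

    It reproduces the response layout and STS's rejection of sessions longer
    than the role allows; the credential values are placeholders."""
    def assume_role(RoleArn, RoleSessionName, DurationSeconds):
        if not MIN_DURATION_SECONDS <= DurationSeconds <= role_max_seconds:
            raise ValueError("STS: DurationSeconds exceeds the role's MaxSessionDuration")
        expiration = clock() + timedelta(seconds=DurationSeconds)
        return {
            "RequestId": "constructed-request-id",
            "AssumedRoleUser": {"Arn": f"{RoleArn}/{RoleSessionName}",
                                "AssumedRoleId": "constructed-assumed-role-id"},
            "Credentials": {
                "AccessKeyId": "STS.constructedAccessKeyId",
                "AccessKeySecret": "constructed-access-key-secret",
                "SecurityToken": "constructed-security-token",
                "Expiration": expiration.strftime(STS_TIME_FORMAT),
            },
        }
    return assume_role


if __name__ == "__main__":
    clock = FakeClock("2024-01-01T00:00:00Z")
    provider = RoleCredentialProvider("acs:ram::123456789012:role/rabbitmq-app", "app-1",
                                      3600, make_fake_sts(clock), clock=clock)
    first = provider.get()
    clock.advance(minutes=56)            # inside the 5-minute refresh margin
    second = provider.get()
    print(first is second, provider.assume_calls)
```

Two details matter in practice: the refresh margin must be longer than the slowest request the token will be used for, or a call can start with a valid token and fail mid-flight; and a shorter DurationSeconds than the role maximum is a cheap way to shrink the exposure window for a specific workload without lowering the limit for every user of the role.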
Security practices
Lock down trusted entities after creation. Avoid changing the trusted entity of a RAM role after the role is created. Removing a trusted entity breaks every workload that assumes the role through it; adding one extends the role's permissions to a new principal and can amount to privilege escalation. Test any change in a non-production account before applying it to a RAM role that is in use.
Set appropriate session durations. Set the maximum session duration for a RAM role to an appropriate value to reduce security risks. Shorter STS token lifetimes reduce the window of exposure if a token is compromised.
Enable SSO for role-based access. If your organization uses an enterprise identity provider, enable SSO so federated users can assume roles directly from your identity management system.