
ApsaraMQ for RocketMQ:Identity management

Last Updated:Mar 11, 2026

To ensure the security of your Alibaba Cloud account and cloud resources, do not use your Alibaba Cloud account to access ApsaraMQ for RocketMQ unless otherwise required. In most cases, we recommend that you use RAM users and RAM roles to access ApsaraMQ for RocketMQ. RAM users and RAM roles provide fine-grained access control without exposing your primary account credentials.

RAM users

A RAM user is an identity within an Alibaba Cloud account. Alibaba Cloud accounts, RAM users, and RAM roles with administrative rights can create RAM users. After a RAM user is granted the required permissions, the RAM user can use the Alibaba Cloud Management Console or call API operations to access resources within the Alibaba Cloud account.

Access modes

When you create a RAM user, set the Access Mode parameter to one of the following options:

Access mode                           Description
Console Access                        The RAM user logs on to the Alibaba Cloud Management Console with a username and password.
Using permanent AccessKey to access   The RAM user makes API calls with a permanent AccessKey pair.
Both                                  The RAM user has both console access and AccessKey pair-based API access.

Security best practices

  • Use a dedicated admin RAM user. Create a RAM user with administrative rights, and then use that RAM user to create and manage other RAM users rather than using your Alibaba Cloud account directly.

  • Separate human and programmatic identities. Create distinct RAM users for individuals and for applications. This prevents unintended operations and simplifies auditing.

  • Enable multi-factor authentication (MFA) for all RAM users with console access.

  • Apply the principle of least privilege. Grant only the minimum permissions required for each task. This limits the impact of credential compromise and prevents permission abuse.

  • Never embed an AccessKey ID or AccessKey secret in code. A leaked AccessKey pair exposes all resources in your account. Use Security Token Service (STS) tokens or environment variables instead.

  • Enable single sign-on (SSO) when your organization has an existing identity management system, so RAM users can access Alibaba Cloud resources through federated authentication.

RAM user groups

Group multiple RAM users to manage permissions in bulk. You can grant the same permissions to all RAM users in a group, which simplifies permission management.

Security best practices

  • Apply the principle of least privilege at the group level, not just the individual level.

  • Remove RAM users from a group when their responsibilities change.

  • Revoke group permissions as soon as they are no longer needed.

RAM roles

A RAM role is a virtual identity to which policies can be attached. Unlike a RAM user, a RAM role has no permanent identity credentials: no logon password and no AccessKey pair. A RAM role can be used only after a trusted entity assumes it and receives a temporary STS token.

To assume a RAM role:

  1. A trusted entity calls the AssumeRole operation.

  2. STS returns a temporary token with a limited validity period.

  3. The trusted entity uses the token to access Alibaba Cloud resources as the RAM role.

Security best practices

  • Keep the trusted entity stable. Changing the trusted entity of a RAM role after creation can cause permission loss. Adding a new trusted entity may lead to privilege escalation. Test all changes thoroughly before applying them.

  • Set an appropriate token validity period. STS tokens are valid for a limited time. Shorter validity periods reduce the window of exposure if a token is compromised.

    Note

    The maximum validity period of an STS token equals the maximum session duration configured for the RAM role. Set the maximum session duration to an appropriate value.

  • Enable SSO for RAM roles when your organization uses an external identity provider, so users can assume roles through federated authentication.
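The three-step AssumeRole flow and the session-duration cap from the Note above, modeled as an added Python example that is not part of this documentation and does not call the real STS API. The RamRole and StsToken classes, the trusted-entity check, the 900-second floor and the placeholder ARNs are constructed simplifications for illustration.

```python
# Added example: an offline model of AssumeRole. Field names (trusted_entities,
# max_session_duration) are simplifications, not the real STS request schema.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class RamRole:
    arn: str
    trusted_entities: set              # principals allowed to assume this role
    max_session_duration: int = 3600   # seconds; caps the validity of every token


@dataclass
class StsToken:
    role_arn: str
    session_name: str
    expiration: datetime
    security_token: str = field(default_factory=lambda: secrets.token_hex(16))

    def is_valid(self, now: datetime) -> bool:
        return now < self.expiration


def assume_role(role: RamRole, caller: str, session_name: str,
                duration_seconds: int, now: datetime) -> StsToken:
    """Step 1: a caller asks to assume `role`. Step 2: a time-limited token is
    issued, but only to a trusted entity and never beyond the role's maximum
    session duration. Step 3 (using the token) is left to the caller."""
    if caller not in role.trusted_entities:
        raise PermissionError(f"{caller} is not a trusted entity of {role.arn}")
    if duration_seconds < 900:   # assumption: a 15-minute floor as a sanity check
        raise ValueError("requested duration is too short")
    effective = min(duration_seconds, role.max_session_duration)
    return StsToken(role.arn, session_name, now + timedelta(seconds=effective))


def demo():
    # Constructed sample data; <ACCOUNT_ID> is a placeholder, not a real account.
    producer = "acs:ram::<ACCOUNT_ID>:user/app-producer"
    role = RamRole("acs:ram::<ACCOUNT_ID>:role/mq-producer",
                   trusted_entities={producer}, max_session_duration=3600)
    t0 = datetime(2026, 3, 11, tzinfo=timezone.utc)
    tok = assume_role(role, producer, "deploy-1", 7200, t0)  # asks for 2 h
    lifetime = int((tok.expiration - t0).total_seconds())    # capped to 3600
    still_valid = tok.is_valid(t0 + timedelta(minutes=30))
    expired = not tok.is_valid(t0 + timedelta(hours=2))
    try:
        assume_role(role, "acs:ram::<ACCOUNT_ID>:user/intern", "x", 900, t0)
        denied = False
    except PermissionError:
        denied = True
    return lifetime, still_valid, expired, denied
```

Requesting 7200 seconds yields a token that lives only 3600 seconds because the role's maximum session duration wins, and an untrusted principal is refused before any token is issued.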
