ApsaraMQ for RocketMQ provides two mechanisms to secure your messaging resources: Resource Access Management (RAM) for account-level permissions over console and API operations, and access control lists (ACLs) for instance-level restrictions on network access and client authentication. Use these mechanisms independently or together to build layered security for your messaging infrastructure.
Choose an access control mechanism
Use the following table to determine which mechanism fits your requirements. You can combine multiple mechanisms for layered security.
| Requirement | Mechanism | What it controls |
|---|---|---|
| Control who can manage ApsaraMQ for RocketMQ resources through the console or API | RAM | API operations and console access |
| Avoid sharing your Alibaba Cloud account's AccessKey pair | RAM | Account-level delegation to RAM users |
| Restrict instance access to specific IP addresses | ACL -- IP address whitelist | Network-level access to an instance |
| Control which topics or groups a client can publish to or subscribe to | ACL -- user authentication | Client-level publish and subscribe permissions |
RAM
RAM provides account-level permission control. Instead of sharing the AccessKey pair of your Alibaba Cloud account, create RAM users with only the permissions they need.
With RAM, grant a RAM user or user group permissions to perform specific operations in the ApsaraMQ for RocketMQ console or through API operations -- for example, creating topics or deleting groups.
What RAM controls: API operations and the ApsaraMQ for RocketMQ console.
Default permissions:
Alibaba Cloud account -- All permissions are granted by default. No additional authorization is required.
RAM user -- No permissions by default. A RAM user can access resources only after you explicitly grant the required permissions.
For setup instructions, see Use RAM for access control.
ACL
ACLs provide instance-level access control through two independent mechanisms: IP address whitelists and user authentication. Use either or both together for layered security.
IP address whitelists
IP address whitelists restrict which client IP addresses can connect to an ApsaraMQ for RocketMQ instance.
The IP address whitelist applies to all connections, whether the client connects over the internet or through a VPC.
Default behavior: All client IP addresses can access the instance.
With a whitelist configured: Only IP addresses in the whitelist can access the instance.
User authentication
User authentication controls whether a client can access an ApsaraMQ for RocketMQ instance and whether the client can publish messages to or subscribe to messages from specific topics or groups. ApsaraMQ for RocketMQ supports two authentication methods:
| Method | How it works | Scope |
|---|---|---|
| Intelligent authentication (default) | The system authenticates the client using the username and password assigned to the instance. After authentication, the client can publish and subscribe to all topics and groups on the instance. | All topics and groups |
| ACL-based authentication | Create an ACL user and grant permissions to publish or subscribe to specific topics or groups. The client authenticates using the ACL user's username and password. | Specified topics and groups only |
Use intelligent authentication when all clients on an instance need the same level of access. Switch to ACL-based authentication when different clients need different permissions on the same instance.
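To make the layering concrete, the following Python model (an added illustration, not Alibaba Cloud's code or the broker's actual implementation) evaluates a client request in the order the two ACL mechanisms apply: the IP address whitelist first, then user authentication in either intelligent or ACL-based mode. Names such as `Instance`, `AclUser`, `authorize`, the `PUB`/`SUB` action labels, the sample addresses and the credentials are all constructed for the example; treating whitelist entries as CIDR blocks is also an assumption of this model.

```python
"""Model of instance-level ACL checks for a message broker (added example,
not product code): IP whitelist, then intelligent or ACL-based user auth."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import hmac


@dataclass
class AclUser:
    username: str
    password: str
    # Hypothetical permission map: resource (topic or group name) -> set of
    # actions, e.g. {"orders": {"PUB"}, "GID_audit": {"SUB"}}.
    permissions: dict = field(default_factory=dict)


@dataclass
class Instance:
    # Empty whitelist models the default: every client IP address may connect.
    # Entries are assumed to be single addresses or CIDR blocks (constructed).
    ip_whitelist: list = field(default_factory=list)
    # "intelligent": one instance-wide credential, full publish/subscribe rights.
    # "acl": per-user credentials with per-topic/group permissions.
    auth_mode: str = "intelligent"
    instance_username: str = ""
    instance_password: str = ""
    acl_users: dict = field(default_factory=dict)


def ip_allowed(instance, client_ip):
    """Whitelist check: no whitelist -> allow all, otherwise require a match."""
    if not instance.ip_whitelist:
        return True
    addr = ip_address(client_ip)
    return any(addr in ip_network(entry, strict=False)
               for entry in instance.ip_whitelist)


def _password_matches(expected, given):
    # Constant-time comparison so a wrong password does not leak by timing.
    return hmac.compare_digest(expected.encode(), given.encode())


def authorize(instance, client_ip, username, password, action, resource):
    """Return (allowed, reason). action is 'PUB' or 'SUB'; resource is a
    topic or group name. The whitelist is evaluated before any credential."""
    if not ip_allowed(instance, client_ip):
        return False, "client IP address not in whitelist"

    if instance.auth_mode == "intelligent":
        # One credential for the whole instance; success grants all resources.
        if (username == instance.instance_username
                and _password_matches(instance.instance_password, password)):
            return True, "intelligent auth: all topics and groups allowed"
        return False, "instance credentials rejected"

    if instance.auth_mode == "acl":
        user = instance.acl_users.get(username)
        if user is None or not _password_matches(user.password, password):
            return False, "ACL user credentials rejected"
        if action in user.permissions.get(resource, set()):
            return True, f"ACL user {username} may {action} on {resource}"
        return False, f"ACL user {username} lacks {action} on {resource}"

    return False, "unknown authentication mode"


def demo():
    """Constructed scenario: whitelisted subnet plus one ACL producer user."""
    inst = Instance(
        ip_whitelist=["10.0.0.0/24"],
        auth_mode="acl",
        acl_users={"producer": AclUser("producer", "s3cret", {"orders": {"PUB"}})},
    )
    return {
        "in_subnet_pub": authorize(inst, "10.0.0.7", "producer", "s3cret", "PUB", "orders"),
        "outside_subnet": authorize(inst, "192.0.2.1", "producer", "s3cret", "PUB", "orders"),
        "no_sub_right": authorize(inst, "10.0.0.7", "producer", "s3cret", "SUB", "orders"),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The order of checks is the point: a client outside the whitelist is rejected before its credentials are even examined, and under ACL-based mode a valid login still yields nothing unless the specific topic or group permission was granted, which is what lets different clients on one instance hold different rights.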
The user authentication feature is not enabled on every ApsaraMQ for RocketMQ instance by default. If your instance does not have user authentication enabled, submit a ticket to request activation. The access control entry point in the console appears only after your application is approved.
For setup instructions, see Use ACL for access control.