With the RAM user feature of Resource Access Management (RAM), you can separate permissions, grant each RAM user only the permissions it needs, and avoid the security risk of exposing the AccessKey pair of your Alibaba Cloud account.
The following examples describe how to use RAM to implement access control:
Use RAM users to manage permissions
Enterprise A has purchased a variety of Alibaba Cloud products for a project (Project-X), such as ECS instances, RDS instances, SLB instances, and OSS buckets. Multiple employees need to perform operations on these cloud resources. Different employees require different permissions to fulfill their duties. Enterprise A has the following requirements:
- For security or trust reasons, A does not want to share the AccessKey pair of its Alibaba Cloud account with employees, and instead wants each employee to have an independent identity.
- A RAM user can perform operations on resources only after it is granted the corresponding permissions. A can revoke the permissions of a RAM user, or delete the RAM user it created, at any time.
- No separate metering or billing is required for RAM users; all expenses are borne by A.
To meet these requirements, A can use the authorization management feature of RAM to give each employee a separate RAM user with its own permissions, while all resources remain owned and managed under A's Alibaba Cloud account.
Use RAM roles to access resources across accounts
Alibaba Cloud accounts A and B belong to different enterprises. A has purchased a variety of cloud resources for its business, such as ECS instances, RDS instances, SLB instances, and OSS buckets.
- Enterprise A wants to focus on its business systems and outsource tasks such as cloud resource O&M, monitoring, and management to Enterprise B.
- Enterprise B can further delegate the access it has been granted to one or more of its own employees, and B retains fine-grained control over which operations each employee can perform on A's resources.
- If the O&M relationship between A and B ends, A can revoke B's authorization at any time.
To meet these requirements, A can use RAM roles for cross-account authorization and access control: A creates a RAM role whose trust policy allows account B to assume it and attaches permission policies to the role, B's employees access A's resources through the role instead of through A's credentials, and A revokes the delegation by changing the role's trust policy or deleting the role.
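The two scenarios above can be tried offline with the following Python model of how RAM decides a request. This is an added example, not code from the Alibaba Cloud page and not the RAM service's own implementation: the account IDs, user names, role name, resource ARNs and the `PROJECT_X_ECS_READ` policy are made up for illustration, and the policy documents are hand-written in the RAM JSON shape (`Version`, `Statement` with `Effect`/`Action`/`Resource`, and `Principal.RAM` for a trust policy). It shows that a RAM user has no permissions until a policy is attached and loses them when it is detached (scenario 1), and that a cross-account AssumeRole succeeds only when both the role's trust policy in A and the caller's own policy in B agree (scenario 2).

```python
"""Added example (not from the Alibaba Cloud docs): a small model of RAM
policy evaluation for the two scenarios above. All identifiers below are
hypothetical; policy documents are hand-written in the RAM JSON shape."""
from fnmatch import fnmatchcase

ACCOUNT_A = "111111111111"   # hypothetical Enterprise A (resource owner)
ACCOUNT_B = "222222222222"   # hypothetical Enterprise B (O&M provider)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(patterns, value):
    """Wildcard match for Action/Resource fields ('*' and '?').
    This toy matcher is case-sensitive; consult the RAM policy
    language reference for the exact matching rules."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Permission-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise the request is implicitly denied."""
    allowed = False
    for doc in policies:
        for st in doc["Statement"]:
            if not (_match(st["Action"], action)
                    and _match(st.get("Resource", "*"), resource)):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = allowed or st["Effect"] == "Allow"
    return allowed


class RamUser:
    """Scenario 1: a RAM user has no permissions until policies are
    attached, and loses them the moment they are detached."""

    def __init__(self, account_id, name):
        self.account_id, self.name = account_id, name
        self.policies = {}              # policy name -> policy document

    def attach(self, name, doc):
        self.policies[name] = doc

    def detach(self, name):
        self.policies.pop(name, None)

    def can(self, action, resource):
        return is_allowed(self.policies.values(), action, resource)


# Hypothetical custom policy for Project-X: ECS read access limited to
# instances whose (made-up) IDs start with i-projx-, plus an explicit
# Deny on instance deletion that no Allow can override.
PROJECT_X_ECS_READ = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:Describe*"],
         "Resource": f"acs:ecs:*:{ACCOUNT_A}:instance/i-projx-*"},
        {"Effect": "Deny", "Action": "ecs:DeleteInstance", "Resource": "*"},
    ],
}


def trust_policy(*trusted_principals):
    """Scenario 2: trust policy of a role in account A. Only the RAM
    principals listed here may call sts:AssumeRole on the role."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"RAM": list(trusted_principals)}}]}


def trusts(trust_doc, caller_account, caller_name):
    """'acs:ram::<id>:root' trusts every identity of that account;
    'acs:ram::<id>:user/<name>' trusts exactly that RAM user."""
    for st in trust_doc["Statement"]:
        if st["Effect"] != "Allow" or not _match(st["Action"], "sts:AssumeRole"):
            continue
        for arn in st["Principal"].get("RAM", []):
            if arn in (f"acs:ram::{caller_account}:root",
                       f"acs:ram::{caller_account}:user/{caller_name}"):
                return True
    return False


def assume_role(caller, role_arn, trust_doc):
    """AssumeRole succeeds only when BOTH sides agree: the caller's own
    account (B) granted it sts:AssumeRole on this role ARN, and the
    role owner (A) listed the caller's account or user in the trust policy."""
    return caller.can("sts:AssumeRole", role_arn) and \
        trusts(trust_doc, caller.account_id, caller.name)


def demo():
    """Walk through grant -> use -> revoke for both scenarios."""
    inst = f"acs:ecs:cn-hangzhou:{ACCOUNT_A}:instance/i-projx-01"
    alice = RamUser(ACCOUNT_A, "alice")
    r1 = alice.can("ecs:DescribeInstances", inst)   # nothing attached yet
    alice.attach("ProjectXEcsRead", PROJECT_X_ECS_READ)
    r2 = alice.can("ecs:DescribeInstances", inst)   # granted
    r3 = alice.can("ecs:DeleteInstance", inst)      # explicit Deny
    alice.detach("ProjectXEcsRead")
    r4 = alice.can("ecs:DescribeInstances", inst)   # revoked by A

    role_arn = f"acs:ram::{ACCOUNT_A}:role/ops-for-b"
    trust = trust_policy(f"acs:ram::{ACCOUNT_B}:root")  # A trusts account B
    bob = RamUser(ACCOUNT_B, "bob")
    r5 = assume_role(bob, role_arn, trust)          # B has not delegated to bob
    bob.attach("AssumeOpsRole", {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]})
    r6 = assume_role(bob, role_arn, trust)          # both sides agree
    trust = trust_policy()                          # A ends the relationship
    r7 = assume_role(bob, role_arn, trust)          # revoked by A alone
    return (r1, r2, r3, r4, r5, r6, r7)
```

Note that in scenario 2 either party can cut the access on its own: A by editing the role's trust policy (or deleting the role), B by detaching the `sts:AssumeRole` grant from its employee. The permissions the assumed session actually gets are those of the policies attached to the role, which is the same `is_allowed` evaluation as in scenario 1.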
The following table lists the system policies supported by ARMS.
Policy | Description
AliyunARMSFullAccess | Full access permissions on all ARMS features
AliyunARMSReadOnlyAccess | Read-only permissions on all ARMS features
To grant a RAM user read-only permissions on all ARMS features within a specific resource group, attach the AliyunARMSReadOnlyAccess policy to the RAM user with that resource group as the authorization scope, and also grant the ReadTraceApp permission on the resource group. Otherwise, ARMS cannot display the list of applications that belong to the authorized resource group.