Configure the account baseline in the account factory before creating accounts. Baseline items cover identity, permissions, networking, and security settings, improving account creation efficiency.
Procedure
- Log on to the Agentic Cloud Governance Center console.
- In the left-side navigation pane, choose .
- On the Account Factory page, click Settings in the Orchestration for Account Baseline section.
- In the Orchestration for Account Baseline dialog box, select the account baseline that you want to configure and click Confirm.
  If the default baseline no longer meets your requirements, click Create Baseline to create baselines for different account purposes. This example uses the default baseline.
  To delete a baseline, click the icon next to it. A baseline can only be deleted if no account uses it.
- Change the name of a baseline.
  - Click the icon next to a baseline.
  - In the Edit Baseline Property dialog box, enter a name and a description.
  - Click OK.
- Add baseline items.
  The built-in baseline items Billing Method, Bind CloudSSO Permissions, and Guardrails cannot be deleted. You can add more baseline items on top of these defaults.
  - Click Add Baseline Items.
  - In the Add Baseline Item dialog box, select the baseline items that you want to add and click Add.
    Dependent baseline items are automatically selected. For example, selecting Security Group automatically selects VPC.
- Configure the parameters of the baseline items.
  Click the corresponding icon next to a baseline item to configure its parameters.
- Click Save.
Baseline items
Supported baseline items
| Baseline item | Description | Dependent baseline item | References |
| --- | --- | --- | --- |
| Billing Method (default baseline item) | Specify a billing account for resource directory members to centrally manage enterprise fees. | Not supported | No |
| Bind CloudSSO Permissions (default baseline item) | Configure identities and permissions for resource directory members to reduce identity and permission management risks and improve multi-account management efficiency. | None | |
| Guardrails (default baseline item) | Configure and enable Cloud Config protection rules for all resource directory members from the Agentic Cloud Governance Center console. This ensures that Agentic Cloud Governance Center configurations and resource structures are not modified, securing multi-account environments. | None | |
| RAM Password Policy | Specify password complexity requirements for RAM users, such as password length, supported characters, and password validity period. | None | |
| VPC | A VPC is a private network in the cloud, consisting of CIDR blocks, vSwitches, and access control lists (ACLs). | None | |
| Security group | A security group acts as a virtual firewall for ECS instances to control inbound and outbound traffic. | VPC | |
| Account Contact | Configure account contacts to receive notifications. Alibaba Cloud does not share contact information with third parties. | None | What do I do if the contact does not receive finance and cloud product notifications? |
| Message | Configure recipients for each message type. We recommend that you set up recipients for account, service, and exception notifications to prevent business losses from missed alerts. | Account Contact | What do I do if the contact does not receive finance and cloud product notifications? |
| Activate Service | Only accounts with administrative permissions can activate certain Alibaba Cloud services. Use this baseline item to auto-activate selected services when an account is created, avoiding activation failures for RAM users without administrative permissions. Note: Some Alibaba Cloud services require service-linked roles. Agentic Cloud Governance Center automatically creates these roles during service activation. See the "Service-linked roles that are automatically created when you activate specific Alibaba Cloud services" section of this topic. | None | |
| RAM Role | Create RAM roles for an Alibaba Cloud account with administrative permissions on the resource directory. The account, as a trusted entity, can assume a RAM role to perform O&M, reducing risks. | None | |
| ECS Key Pair | Push a key pair to a specific account. Specify a key pair when you create an instance, or bind one after creation. Then use the key pair to connect to the instance. | None | |
| ECS Shared Image | Share an image with other Alibaba Cloud accounts for deployment on their ECS instances. | None | |
| Predefined Tag | A predefined tag is created in advance and available across all Alibaba Cloud regions. Create predefined tags during tag planning and apply them to cloud resources during implementation. | None | |
| RAM User Security Settings | Manage global security settings for RAM users, including whether to allow password changes, whether to enable MFA devices, and logon session validity. | None | |
| Configure RAM role-based SSO | Implement role-based SSO using a SAML identity provider (IdP). Employees log on to Alibaba Cloud through RAM roles, and user management stays in the local IdP without synchronizing users to Alibaba Cloud. | None | |
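The dependency and deletion rules from the procedure and the table above, modelled as an added example (not Agentic Cloud Governance Center code): selecting an item pulls in its dependent item, the three built-in items cannot be removed, and a baseline in use cannot be deleted. Item names come from the table; the data structures and function names are this example's own, and the refusal to remove an item that another selected item still depends on is an assumption, not a rule stated on the page.

```python
"""Added example: a model of the account-baseline rules on this page."""

# Dependent baseline item per item, taken from the "Supported baseline items" table.
DEPENDENCIES = {
    "Security Group": {"VPC"},
    "Message": {"Account Contact"},
}

# Built-in items that every baseline carries and that cannot be deleted.
BUILT_IN = frozenset({"Billing Method", "Bind CloudSSO Permissions", "Guardrails"})

KNOWN_ITEMS = BUILT_IN | {
    "RAM Password Policy", "VPC", "Security Group", "Account Contact", "Message",
    "Activate Service", "RAM Role", "ECS Key Pair", "ECS Shared Image",
    "Predefined Tag", "RAM User Security Settings", "Configure RAM role-based SSO",
}


def resolve_items(selected):
    """Return the full item set: built-ins, the selection, and its dependencies."""
    unknown = set(selected) - KNOWN_ITEMS
    if unknown:
        raise ValueError(f"unknown baseline item(s): {sorted(unknown)}")
    result = set(BUILT_IN)
    stack = list(selected)
    while stack:  # walk the dependency chain (Security Group -> VPC, Message -> Account Contact)
        item = stack.pop()
        if item in result:
            continue
        result.add(item)
        stack.extend(DEPENDENCIES.get(item, ()))
    return result


def remove_item(items, item):
    """Remove an item from a baseline. Built-ins are refused (page rule); removing an
    item that a remaining item depends on is also refused (assumption of this example)."""
    if item in BUILT_IN:
        raise ValueError(f"{item} is a built-in baseline item and cannot be deleted")
    dependents = {i for i in items if item in DEPENDENCIES.get(i, ())}
    if dependents:
        raise ValueError(f"{item} is required by {sorted(dependents)}")
    return set(items) - {item}


def can_delete_baseline(baseline_name, accounts_using):
    """A baseline can only be deleted if no account uses it.
    accounts_using maps account id -> baseline name (constructed sample data)."""
    return baseline_name not in set(accounts_using.values())
```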
Service-linked roles that are automatically created when you activate specific Alibaba Cloud services
| Cloud service | Service identifier | Service-linked role | Permission Policy |
| --- | --- | --- | --- |
| ARMS | arms.aliyuncs.com | AliyunServiceRoleForARMS | AliyunServiceRolePolicyForARMS |
| NAT Gateway (NAT) | nat.aliyuncs.com | AliyunServiceRoleForNatgw | AliyunServiceRolePolicyForNatgw |
| EventBridge | source-cms.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSourceCMS | AliyunServiceRolePolicyForEventBridgeSourceCMS |
| EventBridge | connect-vpc.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeConnectVPC | AliyunServiceRolePolicyForEventBridgeConnectVPC |
| EventBridge | source-actiontrail.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSourceActionTrail | AliyunServiceRolePolicyForEventBridgeSourceActionTrail |
| Data Management (DMS) | dms.aliyuncs.com | AliyunDMSDefaultRole | AliyunDMSRolePolicy |
| Data Management (DMS) | dms.aliyuncs.com | AliyunServiceRoleForDMS | AliyunServiceRolePolicyForDMS |
| Data Transmission Service (DTS) | dts.aliyuncs.com | AliyunDTSDefaultRole | AliyunDTSRolePolicy |
| Data Transmission Service (DTS) | dms.aliyuncs.com | AliyunServiceRoleForDMS | AliyunServiceRolePolicyForDMS |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSDefaultRole | AliyunCSDefaultRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSKubernetesAuditRole | AliyunCSKubernetesAuditRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedArmsRole | AliyunCSManagedArmsRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedCmsRole | AliyunCSManagedCmsRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedCsiRole | AliyunCSManagedCsiRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedKubernetesRole | AliyunCSManagedKubernetesRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedLogRole | AliyunCSManagedLogRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedNetworkRole | AliyunCSManagedNetworkRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedVKRole | AliyunCSManagedVKRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSServerlessKubernetesRole | AliyunCSServerlessKubernetesRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedNlcRole | AliyunCSManagedNlcRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedAutoScalerRole | AliyunCSManagedAutoScalerRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedCsiProvisionerRole | AliyunCSManagedCsiProvisionerRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedCsiPluginRole | AliyunCSManagedCsiPluginRolePolicy |
| Container Service for Kubernetes (ACK) | oos.aliyuncs.com | AliyunOOSLifecycleHook4CSRole | AliyunOOSLifecycleHook4CSRolePolicy |
| Function Compute | fc.aliyuncs.com | AliyunFCDefaultRole | AliyunFCDefaultRolePolicy |
| Simple Log Service (SLS) | log.aliyuncs.com | AliyunLogArchiveRole | AliyunLogArchiveRolePolicy |
| Classic Load Balancer (CLB) | slb.aliyuncs.com | SLBLogDefaultRole | AliyunSLBRolePolicy |
| Classic Load Balancer (CLB) | slb.aliyuncs.com | AliyunSLBHealthDiagnoseRole | AliyunSLBHealthDiagnoseRolePolicy |
| Microservices Engine (MSE) | mse.aliyuncs.com | AliyunServiceRoleForMSE | AliyunServiceRolePolicyForMSE |
| VPN Gateway | vpn.aliyuncs.com | AliyunServiceRoleForVpn | AliyunServiceRolePolicyForVpn |
| Platform for AI (PAI) | pai.aliyuncs.com | AliyunPaiCustomerClusterManagementRole | AliyunPaiCustomerClusterManagementRolePolicy |
| Platform for AI (PAI) | pai.aliyuncs.com | AliyunPAIDatasetAccDefaultRole | AliyunPAIDatasetAccDefaultRolePolicy |
| Platform for AI (PAI) | pai.aliyuncs.com | AliyunPAIDLCAccessingOSSRole | AliyunPAIDLCAccessingOSSRolePolicy |
| Platform for AI (PAI) | pai.aliyuncs.com | AliyunPAIAccessingOSSRole | AliyunPAIAccessingOSSRolePolicy |
| Platform for AI (PAI) | pai.aliyuncs.com | AliyunPAIDLCDefaultRole | AliyunPAIDLCDefaultRolePolicy |
| Platform for AI (PAI) | pai.aliyuncs.com | AliyunPAIDSWDefaultRole | AliyunPAIDSWDefaultRolePolicy |
| Platform for AI (PAI) | langstudio.pai.aliyuncs.com | AliyunPAILangStudioDefaultRole | AliyunPAILangStudioDefaultRolePolicy |
| Platform for AI (PAI) | odps.aliyuncs.com | AliyunODPSPAIDefaultRole | AliyunODPSPAIRolePolicy |
Related operations
After you configure the account baseline, create accounts from it. See Create an account from the account baseline.