Agentic Cloud Governance Center: Configure the account baseline

Last Updated: Jun 24, 2026

Configure the account baseline in the account factory before creating accounts. Baseline items cover identity, permissions, networking, and security settings, improving account creation efficiency.

Procedure

  1. Log on to the Agentic Cloud Governance Center console.

  2. In the left-side navigation pane, choose Landing Zone > Account Factory.

  3. On the Account Factory page, click Settings in the Orchestration for Account Baseline section.

  4. In the Orchestration for Account Baseline dialog box, select the account baseline that you want to configure and click Confirm.

    If the default baseline no longer meets your requirements, click Create Baseline to create baselines for different account purposes. This example uses the default baseline.

    To delete a baseline, click the Delete icon next to it. A baseline can only be deleted if no account uses it.

  5. Change the name of a baseline.

    1. Click the Edit baseline name icon next to a baseline.

    2. In the Edit Baseline Property dialog box, enter a name and a description.

    3. Click OK.

  6. Add baseline items.

    The built-in baseline items Billing Method, Bind CloudSSO Permissions, and Guardrails cannot be deleted. You can add more baseline items on top of these defaults.

    1. Click Add Baseline Items.

    2. In the Add Baseline Item dialog box, select the baseline items that you want to add and click Add.

      Dependent baseline items are automatically selected. For example, selecting Security Group automatically selects VPC.

  7. Configure the parameters of the baseline items.

    Click the Edit or Configure icon next to a baseline item to configure its parameters.

  8. Click Save.

Baseline items

Supported baseline items

| Baseline item | Description | Dependent baseline item | References |
| --- | --- | --- | --- |
| Billing Method (default baseline item) | Specify a billing account for resource directory members to centrally manage enterprise fees. | Not supported | No |
| Bind CloudSSO Permissions (default baseline item) | Configure identities and permissions for resource directory members to reduce identity and permission management risks and improve multi-account management efficiency. | None | Configure identities and permissions |
| Guardrails (default baseline item) | Configure and enable Cloud Config protection rules for all resource directory members from the Agentic Cloud Governance Center console. This ensures that Agentic Cloud Governance Center configurations and resource structures are not modified, securing multi-account environments. | None | Configure protection rules centrally |
| RAM Password Policy | Specify password complexity requirements for RAM users, such as password length, supported characters, and password validity period. | None | Configure a password policy for RAM users |
| VPC | A VPC is a private network in the cloud, consisting of CIDR blocks, vSwitches, and access control lists (ACLs). | None | What is a VPC? |
| Security group | A security group acts as a virtual firewall for ECS instances to control inbound and outbound traffic. | VPC | Overview |
| Account Contact | Configure account contacts to receive notifications. Alibaba Cloud does not share contact information with third parties. | None | What do I do if the contact does not receive finance and cloud product notifications? |
| Message | Configure recipients for each message type. We recommend that you set up recipients for account, service, and exception notifications to prevent business losses from missed alerts. | Account Contact | What do I do if the contact does not receive finance and cloud product notifications? |
| Activate Service | Only accounts with administrative permissions can activate certain Alibaba Cloud services. Use this baseline item to auto-activate selected services when an account is created, avoiding activation failures for RAM users without administrative permissions. Note: Some Alibaba Cloud services require service-linked roles. Agentic Cloud Governance Center automatically creates these roles during service activation. See the "Service-linked roles that are automatically created when you activate specific Alibaba Cloud services" section of this topic. | None | |
| RAM Role | Create RAM roles for an Alibaba Cloud account with administrative permissions on the resource directory. The account, as a trusted entity, can assume a RAM role to perform O&M, reducing risks. | None | Overview |
| ECS Key Pair | Push a key pair to a specific account. Specify a key pair when you create an instance, or bind one after creation. Then use the key pair to connect to the instance. | None | Introduction of SSH key pairs |
| ECS Shared Image | Share an image with other Alibaba Cloud accounts for deployment on their ECS instances. | None | Share a custom image |
| Predefined Tag | A predefined tag is created in advance and available across all Alibaba Cloud regions. Create predefined tags during tag planning and apply them to cloud resources during implementation. | None | Add tags to ApsaraDB RDS instances |
| RAM User Security Settings | Manage global security settings for RAM users, including whether to allow password changes, whether to enable MFA devices, and logon session validity. | None | Manage RAM user security settings |
| Configure RAM role-based SSO | Implement role-based SSO using a SAML identity provider (IdP). Employees log on to Alibaba Cloud through RAM roles, and user management stays in the local IdP without synchronizing users to Alibaba Cloud. | None | Manage SAML identity providers |

Service-linked roles that are automatically created when you activate specific Alibaba Cloud services

Blank cells continue the value from the row above (merged cells in the original table).

| Cloud service | Service identifier | Service-linked role | Permission Policy |
| --- | --- | --- | --- |
| ARMS | arms.aliyuncs.com | AliyunServiceRoleForARMS | AliyunServiceRolePolicyForARMS |
| NAT Gateway (NAT) | nat.aliyuncs.com | AliyunServiceRoleForNatgw | AliyunServiceRolePolicyForNatgw |
| EventBridge | source-cms.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSourceCMS | AliyunServiceRolePolicyForEventBridgeSourceCMS |
| | connect-vpc.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeConnectVPC | AliyunServiceRolePolicyForEventBridgeConnectVPC |
| | source-actiontrail.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSourceActionTrail | AliyunServiceRolePolicyForEventBridgeSourceActionTrail |
| Data Management (DMS) | dms.aliyuncs.com | AliyunDMSDefaultRole | AliyunDMSRolePolicy |
| | dms.aliyuncs.com | AliyunServiceRoleForDMS | AliyunServiceRolePolicyForDMS |
| Data Transmission Service (DTS) | dts.aliyuncs.com | AliyunDTSDefaultRole | AliyunDTSRolePolicy |
| | dms.aliyuncs.com | AliyunServiceRoleForDMS | AliyunServiceRolePolicyForDMS |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSDefaultRole | AliyunCSDefaultRolePolicy |
| | | AliyunCSKubernetesAuditRole | AliyunCSKubernetesAuditRolePolicy |
| | | AliyunCSManagedArmsRole | AliyunCSManagedArmsRolePolicy |
| | | AliyunCSManagedCmsRole | AliyunCSManagedCmsRolePolicy |
| | | AliyunCSManagedCsiRole | AliyunCSManagedCsiRolePolicy |
| | | AliyunCSManagedKubernetesRole | AliyunCSManagedKubernetesRolePolicy |
| | | AliyunCSManagedLogRole | AliyunCSManagedLogRolePolicy |
| | | AliyunCSManagedNetworkRole | AliyunCSManagedNetworkRolePolicy |
| | | AliyunCSManagedVKRole | AliyunCSManagedVKRolePolicy |
| | | AliyunCSServerlessKubernetesRole | AliyunCSServerlessKubernetesRolePolicy |
| | | AliyunCSManagedNlcRole | AliyunCSManagedNlcRolePolicy |
| | | AliyunCSManagedAutoScalerRole | AliyunCSManagedAutoScalerRolePolicy |
| | | AliyunCSManagedCsiProvisionerRole | AliyunCSManagedCsiProvisionerRolePolicy |
| | | AliyunCSManagedCsiPluginRole | AliyunCSManagedCsiPluginRolePolicy |
| | oos.aliyuncs.com | AliyunOOSLifecycleHook4CSRole | AliyunOOSLifecycleHook4CSRolePolicy |
| Function Compute | fc.aliyuncs.com | AliyunFCDefaultRole | AliyunFCDefaultRolePolicy |
| Simple Log Service (SLS) | log.aliyuncs.com | AliyunLogArchiveRole | AliyunLogArchiveRolePolicy |
| Classic Load Balancer (CLB) | slb.aliyuncs.com | SLBLogDefaultRole | AliyunSLBRolePolicy |
| | slb.aliyuncs.com | AliyunSLBHealthDiagnoseRole | AliyunSLBHealthDiagnoseRolePolicy |
| Microservices Engine (MSE) | mse.aliyuncs.com | AliyunServiceRoleForMSE | AliyunServiceRolePolicyForMSE |
| VPN Gateway | vpn.aliyuncs.com | AliyunServiceRoleForVpn | AliyunServiceRolePolicyForVpn |
| Platform for AI (PAI) | pai.aliyuncs.com | AliyunPaiCustomerClusterManagementRole | AliyunPaiCustomerClusterManagementRolePolicy |
| | | AliyunPAIDatasetAccDefaultRole | AliyunPAIDatasetAccDefaultRolePolicy |
| | | AliyunPAIDLCAccessingOSSRole | AliyunPAIDLCAccessingOSSRolePolicy |
| | | AliyunPAIAccessingOSSRole | AliyunPAIAccessingOSSRolePolicy |
| | | AliyunPAIDLCDefaultRole | AliyunPAIDLCDefaultRolePolicy |
| | | AliyunPAIDSWDefaultRole | AliyunPAIDSWDefaultRolePolicy |
| | langstudio.pai.aliyuncs.com | AliyunPAILangStudioDefaultRole | AliyunPAILangStudioDefaultRolePolicy |
| | odps.aliyuncs.com | AliyunODPSPAIDefaultRole | AliyunODPSPAIRolePolicy |
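
Because Activate Service creates roles without anyone requesting them individually, a post-creation check of which roles an account actually holds is useful. The following is an added example, not code from this documentation or from Alibaba Cloud: it compares an account's role list with a subset of the table above. The sample role list is constructed, its layout (`Roles.Role[].RoleName`) is assumed to match the RAM ListRoles response, and `OpsAdminRole` and the function name are hypothetical.

```python
import json

# Subset of the page's table: service -> roles created when it is activated.
# The page lists AliyunServiceRoleForDMS under both DMS and DTS.
ROLES_BY_SERVICE = {
    "ARMS": {"AliyunServiceRoleForARMS"},
    "NAT Gateway": {"AliyunServiceRoleForNatgw"},
    "DMS": {"AliyunDMSDefaultRole", "AliyunServiceRoleForDMS"},
    "DTS": {"AliyunDTSDefaultRole", "AliyunServiceRoleForDMS"},
    "Function Compute": {"AliyunFCDefaultRole"},
    "SLS": {"AliyunLogArchiveRole"},
    "VPN Gateway": {"AliyunServiceRoleForVpn"},
}

# Constructed sample, assumed to follow the RAM ListRoles response layout.
# OpsAdminRole is a hypothetical customer-created role.
SAMPLE_LIST_ROLES = json.dumps({"Roles": {"Role": [
    {"RoleName": "AliyunDTSDefaultRole"},
    {"RoleName": "AliyunServiceRoleForDMS"},
    {"RoleName": "AliyunFCDefaultRole"},
    {"RoleName": "OpsAdminRole"},
]}})


def audit_roles(activated, list_roles_json):
    """Classify an account's roles against the services its baseline activates."""
    unknown = [s for s in activated if s not in ROLES_BY_SERVICE]
    if unknown:
        raise ValueError(f"no role mapping for services: {unknown}")
    expected = set().union(*(ROLES_BY_SERVICE[s] for s in activated))
    in_table = set().union(*ROLES_BY_SERVICE.values())
    present = {r["RoleName"] for r in json.loads(list_roles_json)["Roles"]["Role"]}
    return {
        # Baseline should have created these: activation did not complete.
        "missing": sorted(expected - present),
        # Role from the table whose service the baseline did not activate.
        "not_requested": sorted((present & in_table) - expected),
        # Not a role in this subset: customer-created or unlisted, review by hand.
        "unmapped": sorted(present - in_table),
    }


if __name__ == "__main__":
    print(json.dumps(audit_roles(["DTS", "SLS"], SAMPLE_LIST_ROLES), indent=2))
```

With DTS activated, `AliyunServiceRoleForDMS` is treated as expected rather than flagged, which matches the table's DTS rows.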

Related operations

After you configure the account baseline, create accounts using the baseline. For details, see Create an account from the account baseline.