Before you create accounts in the account factory, you must configure the account baseline, including common baseline items related to identities, permissions, networking, and security. This improves the efficiency of creating an account.
Log on to the Cloud Governance Center console.
In the left-side navigation pane, click Account Factory.
On the Account Factory page, click Settings in the Orchestration for Account Baseline section.
In the Orchestration for Account Baseline dialog box, select the account baseline that you want to configure and click Confirm.
If the default baseline no longer meets your requirements, click Create Baseline to create multiple baselines for orchestration. You can create baseline templates for accounts that are used for different purposes. This way, you can create an account that is used for a specific purpose based on a baseline template that you created. In this example, the default baseline is used.
If you no longer use a baseline, click the icon to the right of the baseline to delete it. The system first checks whether any account still uses the baseline: a baseline that is in use cannot be deleted, and one that no account uses is deleted.
Change the name of a baseline.
Click the icon to the right of a baseline.
In the Edit Baseline Property dialog box, enter a name and a description.
Add baseline items.
The following built-in baseline items are part of every baseline and cannot be deleted: Billing Method, Bind CloudSSO Permissions, and Guardrails. You can add other baseline items on top of them.
Click Add Baseline Items.
In the Add Baseline Item dialog box, select the baseline items that you want to add and click Add.
If Baseline Item A depends on Baseline Item B, Baseline Item B is automatically selected after you select Baseline Item A. For example, after you select Security Group, VPC is automatically selected.
Configure the parameters of the baseline items.
Click the icon to the right of a baseline item to configure its parameters.
Supported baseline items
The following items can be included in a baseline. Items marked as default are part of every baseline and cannot be removed. Where an item depends on another item, the dependency is noted with the item.
Billing Method (default baseline item)
You can specify a billing account for the member accounts in your resource directory, so that the fees generated across your enterprise are paid and managed centrally.
Bind CloudSSO Permissions (default baseline item)
You can assign CloudSSO identities and permissions to multiple member accounts in the resource directory from one place. This reduces the risk that comes with managing identities and permissions account by account and makes multi-account management more efficient.
Guardrails (default baseline item)
You can configure and enable Cloud Config protection rules for all member accounts in your resource directory and manage those rules centrally in the Cloud Governance Center console. The rules ensure that the basic configuration of Cloud Governance Center and the resource structure that it creates are not modified, which protects the multi-account environment.
RAM Password Policy
You can specify password complexity requirements to improve the security of Resource Access Management (RAM) users. Common rules include the minimum password length, the character classes that are required, and the password validity period.
VPC
A virtual private cloud (VPC) is an isolated private network in the cloud. Each VPC consists of CIDR blocks, vSwitches, and access control lists (ACLs).
Security Group (depends on VPC)
A security group acts as a virtual firewall that controls the inbound and outbound traffic of Elastic Compute Service (ECS) instances. Selecting this item automatically selects VPC.
Contacts
You can configure the contacts of an account that receive notifications. Alibaba Cloud does not disclose or provide your contact information to third parties.
Message Recipients
You can configure recipients for each type of message. We recommend that you configure recipients for important notifications about accounts, services, and exceptions, so that a missed notification does not cause business loss.
Activate Service
Only an account that has administrative permissions can activate specific Alibaba Cloud services. If you log on as a RAM user without administrative permissions, activation may fail. The Activate Service baseline item lets you specify the Alibaba Cloud services that are automatically activated when an account is created. Service-linked roles are required to activate some of these services; Cloud Governance Center creates the required service-linked roles automatically when it activates the services. For more information, see the Service-linked roles that are automatically created when you activate specific Alibaba Cloud services section of this topic.
RAM Role
You can create RAM roles whose trusted entity is the Alibaba Cloud account that has administrative permissions on the resource directory. That account assumes the role to perform O&M in the member account instead of logging on with the member account's own credentials, which reduces risk.
ECS Key Pair
Push a key pair to the specified account. You can specify the key pair when you create an ECS instance or bind it after the instance is created, and then use the private key to connect to the instance.
ECS Shared Image
A shared image can be deployed on ECS instances that belong to different accounts. You can share an image with other Alibaba Cloud accounts.
Preset Tag
A preset tag is a tag that you create in advance and that is available to resources in all Alibaba Cloud regions. You create preset tags during tag planning and attach them to specific cloud resources during tag implementation.
RAM User Security Settings
You can manage the global security settings of RAM users: whether RAM users can change their own passwords, whether MFA devices are enabled, and how long a logon session remains valid.
Configure RAM role-based SSO
You can implement role-based single sign-on (SSO) with a Security Assertion Markup Language (SAML) identity provider (IdP). Role-based SSO lets the enterprise keep managing users in its own IdP without synchronizing them to Alibaba Cloud, and employees log on to Alibaba Cloud as a specific RAM role.
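The identity-related items above (RAM Password Policy, RAM User Security Settings, and role-based SSO) are what Cloud Governance Center applies to each new account through the console. The following Terraform configuration, added here as an illustration and not taken from the page or from Cloud Governance Center itself, shows the same controls expressed for a single account with the aliyun/alicloud provider, with the weak value shown in a comment beside each hardened value. The account ID, the IdP metadata file path, the network mask, and the role and provider names are assumptions; the numeric settings are this example's recommendations, not Cloud Governance Center defaults.

```hcl
terraform {
  required_providers {
    alicloud = { source = "aliyun/alicloud" }
  }
}

variable "account_id" {
  description = "Assumed: the Alibaba Cloud account ID of the member account"
  type        = string
}

# RAM Password Policy item: account-wide rules for all RAM users.
resource "alicloud_ram_account_password_policy" "baseline" {
  minimum_password_length      = 14    # weak: 8
  require_lowercase_characters = true
  require_uppercase_characters = true
  require_numbers              = true
  require_symbols              = true   # weak: false (letters and digits only)
  max_password_age             = 90    # days; weak: 0 (passwords never expire)
  password_reuse_prevention    = 5     # last 5 passwords cannot be reused; weak: 0
  max_login_attempts           = 5     # lock after 5 failures; weak: 0 (no lockout)
  hard_expiry                  = false # users may still change an expired password
}

# RAM User Security Settings item: global behaviour for RAM user logons.
resource "alicloud_ram_security_preference" "baseline" {
  allow_user_to_change_password    = true
  allow_user_to_manage_mfa_devices = true
  allow_user_to_manage_access_keys = false # keys are issued by administrators; weak: true
  enable_save_mfa_ticket           = false # prompt for MFA on every console logon; weak: true
  login_session_duration           = 6     # hours; weak: 24
  login_network_masks              = ["203.0.113.0/24"] # constructed corporate egress range
}

# Configure RAM role-based SSO item: register the corporate SAML IdP and a role
# that only that IdP may assume. The metadata file is an assumed local path.
resource "alicloud_ram_saml_provider" "corp" {
  saml_provider_name            = "corp-idp"
  encodedsaml_metadata_document = filebase64("${path.module}/idp-metadata.xml")
  description                   = "Corporate SAML IdP for role-based SSO"
}

resource "alicloud_ram_role" "sso_readonly" {
  name        = "SSO-ReadOnly"
  description = "Assumed through SAML by the corporate IdP"
  # Trust policy: only federated principals from the registered IdP, and only
  # via the Alibaba Cloud role-based SSO endpoint, may assume this role.
  document = jsonencode({
    Version = "1"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Federated = ["acs:ram::${var.account_id}:saml-provider/${alicloud_ram_saml_provider.corp.saml_provider_name}"]
      }
      Condition = {
        StringEquals = { "saml:recipient" = "https://signin.aliyun.com/saml-role/sso" }
      }
    }]
  })
}
```

Run `terraform plan` against a member account to see the difference between the account's current settings and this baseline; a non-empty plan on a freshly created account is the check that the console baseline did not carry the values you expected. Attach permission policies to the role separately, so that the trust policy above stays limited to who may assume the role rather than what it may do.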
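The VPC and Security Group items above are pushed to each new account as a starting network layout. The following Terraform configuration is an added example, not the page's or Cloud Governance Center's own code, that shows the equivalent for one account with the aliyun/alicloud provider: a VPC, one vSwitch, and a security group whose only inbound rule admits SSH from a constructed management range. The zone ID, the CIDR blocks, and the resource names are assumptions; the security group itself denies inbound traffic that no rule accepts.

```hcl
terraform {
  required_providers {
    alicloud = { source = "aliyun/alicloud" }
  }
}

# VPC item: one private network; the CIDR is a constructed example.
resource "alicloud_vpc" "baseline" {
  vpc_name   = "baseline-vpc"
  cidr_block = "10.10.0.0/16"
}

# A vSwitch carves a subnet out of the VPC in one zone (assumed zone ID).
resource "alicloud_vswitch" "app" {
  vpc_id       = alicloud_vpc.baseline.id
  vswitch_name = "baseline-app-a"
  cidr_block   = "10.10.1.0/24"
  zone_id      = "cn-hangzhou-h"
}

# Security Group item: created inside the VPC above (the dependency the console
# enforces when it auto-selects VPC after Security Group).
resource "alicloud_security_group" "app" {
  name        = "baseline-app-sg"
  description = "Inbound is denied unless a rule below accepts it"
  vpc_id      = alicloud_vpc.baseline.id
}

# Weak rule, kept commented out for comparison: SSH open to the whole Internet.
# resource "alicloud_security_group_rule" "ssh_anywhere" {
#   type              = "ingress"
#   ip_protocol       = "tcp"
#   nic_type          = "intranet"
#   policy            = "accept"
#   port_range        = "22/22"
#   priority          = 1
#   security_group_id = alicloud_security_group.app.id
#   cidr_ip           = "0.0.0.0/0"
# }

# Hardened rule: SSH only from the constructed management range.
resource "alicloud_security_group_rule" "ssh_from_mgmt" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "22/22"
  priority          = 1
  security_group_id = alicloud_security_group.app.id
  cidr_ip           = "203.0.113.0/24"
}

# Egress stays explicit too: allow HTTPS out, nothing else by rule.
resource "alicloud_security_group_rule" "https_out" {
  type              = "egress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "443/443"
  priority          = 1
  security_group_id = alicloud_security_group.app.id
  cidr_ip           = "0.0.0.0/0"
}
```

Instances created later should reference `alicloud_security_group.app.id` rather than the account's default security group, since the baseline only helps if workloads actually land behind the group it created.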
Service-linked roles that are automatically created when you activate specific Alibaba Cloud services
Application Real-Time Monitoring Service (ARMS)
Data Management (DMS)
Data Transmission Service (DTS)
Container Service for Kubernetes (ACK)
Simple Log Service
Classic Load Balancer (CLB)
What to do next
After you configure the account baseline, you can create an account by using the account baseline. For more information, see Create an account.