All Products
Search
Document Center

Elastic Compute Service:Avoid using your Alibaba Cloud account and grant role-based permissions to RAM users

Last Updated:May 15, 2026

Protect your Alibaba Cloud account by enabling MFA, disabling its AccessKey, and delegating daily operations to RAM users or CloudSSO.

Security risks

Your Alibaba Cloud account has full permissions over all resources. Using it for daily operations poses these risks:

  • Malicious damage: If the credentials (password or AccessKey) of your Alibaba Cloud account are leaked, an attacker gains full control over your cloud environment. The attacker can delete servers, steal or ransom core data, install backdoors, or exploit your resources for malicious activities such as mining. This can cause irreversible business loss and data breaches.

  • Violation of least privilege: Using your Alibaba Cloud account for daily operations violates the principle of least privilege, which requires granting only the minimum permissions needed to complete a task. An Alibaba Cloud account has unlimited permissions that far exceed daily O&M or developer needs.

  • Difficult audits: When all operations are performed by the Alibaba Cloud account, tracing which employee or application performed a sensitive operation becomes difficult, which hinders security audits and event response.

  • Classified protection compliance: Separating user and role permissions, following the principle of least privilege, and avoiding a single all-powerful account are basic requirements of security compliance standards such as ISO/IEC 27001 and China's Classified Protection of Cybersecurity.

Best practices

Protect your Alibaba Cloud account

  1. Enable MFA: Attach a virtual MFA device to your Alibaba Cloud account. This adds a dynamic verification code (mobile token or hardware-protected key) on top of password authentication to prevent unauthorized access if your password is leaked.

  2. Manage logon behavior:

  3. Disable the AccessKey of your Alibaba Cloud account: Instead, create a RAM user and grant permissions based on the principle of least privilege.

  4. Audit and monitor regularly: Use ActionTrail to monitor logon events of your Alibaba Cloud account and check for abnormal behavior.

  5. Use RAM users for daily operations: Create a RAM user as an account administrator. Create separate RAM users for different roles and grant permissions as needed.

Plan RAM users and access control

Create accounts, roles, and permissions based on job responsibilities. The following example shows role assignments in a typical enterprise:

  1. Account administrator

    Used only to create RAM users, roles, and access permissions. Grant AliyunRAMFullAccess to this account. Although it cannot directly manage resources of other Alibaba Cloud services, it can create privileged accounts. This is a highly sensitive account; protect it as follows:

    • Do not create an AccessKey for the account.

    • Do not create RAM roles with the same permissions.

    • Enable MFA and restrict the source IP addresses for logon.

  2. Resource administrator

    Used to create and manage resources such as ECS instances, VPCs, vSwitches, network interface cards, disks, security groups, snapshots, and images. Grant the AliyunECSFullAccess, AliyunVPCFullAccess, and AliyunEIPFullAccess policies. To attach a RAM role to an ECS instance, also grant the sts:AssumeRole permission.

    Suggestion: For many cloud resources, use resource groups to isolate resources. Create a separate ECS resource administrator account for each resource group to separate permissions horizontally.
  3. O&M engineer

    Assigned to users who log on to and operate ECS instances (for example, start and stop). Not granted permissions to modify resources, network interface cards, or disks. Customize RAM permissions:

    {
      "Version": "1",
      "Statement": [
        // 1. Read-only permissions to view resource status
        {
          "Effect": "Allow",
          "Action": [
            // View ECS resources
            "ecs:DescribeInstances",        // View instance status
            "ecs:DescribeInstanceStatus",   // Query instance status information
            "ecs:DescribeNetworkInterfaces", // View network interface card status
            "ecs:DescribeDisks",            // View disk status (inferred from the document context)
            "ecs:DescribeSecurityGroups",   // View security group status
            "ecs:DescribeSecurityGroupReferences", // Query authorized security groups
            // View VPCs and vSwitches
            "vpc:DescribeVpcs",             // Query VPC status
            "vpc:DescribeVSwitches",        // Query vSwitch status
            "vpc:DescribeVSwitchAttributes" // Query detailed vSwitch configurations
          ],
          "Resource": "*"  // Allows access to all resources
        },
        // 2. Workbench permissions (logon and read)
        {
          "Effect": "Allow",
          "Action": [
            "ecs-workbench:LoginInstance",  // Permission to log on to an instance using Workbench
            "ecs:DescribeTerminalSessions"  // View Workbench session records
          ],
          "Resource": "*"
        },
        // 3. Cloud Assistant permissions (read, log on, and execute commands)
        {
          "Effect": "Allow",
          "Action": [
            // Read permissions for Cloud Assistant
            "ecs:DescribeCommands",         // View the list of commands
            "ecs:DescribeInvocations",       // View command execution records
            "ecs:DescribeInvocationResults", // View command execution results
            "ecs:DescribeCloudAssistantStatus", // Query the status of Cloud Assistant
            // Permissions to execute commands using Cloud Assistant
            "ecs:InvokeCommand",             // Execute a command
            "ecs:RunCommand"                 // Immediately execute a command
          ],
          "Resource": "*",
          // Restricts command execution to regular users (security best practice)
          "Condition": {
            "StringNotEqualsIgnoreCase": {
              "ecs:CommandRunAs": ["system", "root"]  // Prohibits the use of the root or system account
            }
          }
        }
      ]
    }

    Note: In this policy, "Resource": "*" allows managing all instances. To reduce risks:

    Consider the following:

    • Use resource groups or tags to limit the scope of operations.

    • Use fine-grained resource ARNs instead of wildcard characters to grant permissions as needed.

  4. Application role

    Applications may also need to access Alibaba Cloud services such as OSS and Simple Log Service (SLS). Create a dedicated account or role for each application. Do not share accounts between users and applications, or between different applications:

    • Prohibit the application account from logging on to the console.

    • If your application is deployed on ECS (including container service), do not use an AccessKey. Attach a RAM role to the instance instead.

Use CloudSSO for centralized identity management

Use CloudSSO if any of the following applies:

  • Multiple employees need RAM accounts with the same permissions.

  • Multiple employees share one RAM account.

  • Employees may leak cloud platform credentials such as AccessKeys or logon passwords.

CloudSSO is a multi-account unified identity management and access control service based on a resource directory (RD). Users log on once with a single set of credentials and access multiple cloud applications without re-entering passwords. Use CloudSSO to centrally manage enterprise users on Alibaba Cloud. After configuring SSO between your enterprise identity management system and Alibaba Cloud, you can centrally assign access permissions across all RD accounts.

  • No cloud credentials required: Employees no longer need Alibaba Cloud logon passwords or AccessKeys, reducing credential leakage risk.

  • Unified identity authentication: Users log on with internal enterprise accounts (such as company mailboxes or Active Directory accounts) for a seamless experience.

  • Centralized permission management: Use access configurations to centrally assign role permissions to users or user groups with fine-grained control.

  • Standard protocol support: Integrates with enterprise IdPs based on the SAML 2.0 protocol.

See Get started with CloudSSO.

Compliance

Check operations performed by your Alibaba Cloud account

ECS Insight

  1. Go to ECS Insight.

  2. Click the Security tab, then click Use of RAM Users and RAM Roles for Functional Operations. View instances where the Alibaba Cloud account was used to log on and manage cloud resources, and view its high-frequency operations.

ActionTrail

Prerequisites: Create a single-account trail or multi-account trail and deliver events to SLS.

Procedure:

  1. Go to the ActionTrail console. In the navigation pane on the left, choose Event > Advanced Event Query.

  2. In the Query Range section, set Trail to the trail that you created.

  3. In the Query Range section, on the Template Library tab, choose System Template > Account/AccessKey Pair Events. Select Events of Console Logons by Using Cloud Account or Events of Access by Using AccessKey Pair of Cloud Account.

  4. Set a time range for the query and click Run.

    • ActionTrail queries events from the last 7 days by default.

    • Click Alert Events on the right to set an alert for the current event. See Create a custom alert rule.

    • Modify the default SQL statement of the system template and click Save to save it as a custom template.

  5. View the query results.

    • Raw Logs: On the Raw Log tab, click View Details in the Operation column to view the event details and JSON format.

    • Histogram: On the Query Histogram tab, view the event occurrence histogram.