
Elastic Compute Service:Use resource groups for horizontal permission management

Last Updated: Nov 01, 2025

If administrators from different departments need to manage Elastic Compute Service (ECS) resources, you can use resource groups to group ECS instances with their related resources, such as disks, images, security groups, keys, and vSwitches. This prevents administrators from viewing or operating on each other's resources and implements horizontal permission management.

Security risks

In the default permission model, a Resource Access Management (RAM) user who is granted ECS management permissions, such as AliyunECSFullAccess, has full operational permissions on all ECS instances and their related resources within the account. This flat authorization pattern poses critical security risks as your business scales and teams grow:

  • Risk of permission abuse and operational errors: An administrator from Department A can easily view, modify, or even delete core production servers that belong to Department B. The consequences can be disastrous, whether the action is malicious or accidental.

  • Lack of least privilege: The RAM user holds permissions that far exceed what the job requires, which directly violates the principle of least privilege. That principle is a core component of a defense-in-depth strategy: any user, program, or process receives only the minimum permissions needed to perform its task.

  • Audit and compliance challenges: When all operations are mixed together, it is difficult to clearly track and audit which department or project made changes to resources. This creates significant challenges for meeting compliance requirements.

Best practices

You can use resource groups and identity-based RAM policies to build logical management boundaries within your Alibaba Cloud account. The following scenario involves two departments, DepartmentA and DepartmentB, and shows how to build a secure horizontal permission management system.

Scenario: Create separate ECS administrators for Department A and Department B who can only manage the resources of their own department.

  1. Create resource groups

    1. Log on using an Alibaba Cloud account or a RAM identity (a RAM user or RAM role) that has resource group management permissions.

    2. Go to the Resource Group console. Click Create Resource Group, fill in the required information, and then click OK.

      • Resource Group Identifier: Enter DepartmentA.

      • Resource Group Name: Enter Department A Resource Group.

    3. Repeat the steps to create a resource group with the ID DepartmentB.

  2. Create RAM users

    1. Go to the RAM console. In the navigation pane on the left, choose Identities > Users.

    2. Click Create User and fill in the information as prompted.

      1. Logon Name/Display Name: Enter AdminA.

      2. Access Mode: Select Console Access and configure the password policy.

    3. Click OK and complete the security authentication.

    4. Repeat the steps to create the user AdminB.

  3. Grant permissions to the resource groups

    1. Return to the Resource Group console page.

    2. Find the DepartmentA resource group and click Manage Permission in the Actions column.

    3. Click Grant Permission.

      1. Resource Scope: The default is the current resource group, DepartmentA.

      2. Principal: Select RAM User and select the AdminA user that you just created from the list.

      3. Policy: In the search box, enter ecs. Select the AliyunECSFullAccess and AliyunBSSFullAccess system policies.

      4. Click OK.

    4. Repeat the steps to grant permissions to the AdminB user for the DepartmentB resource group.

  4. Verify the isolation

    • Log out of your current account. Then, log on to the Alibaba Cloud Management Console using the credentials for AdminA and AdminB separately.

    • After you log on as AdminA: Create a custom instance. For the resource group, select Department A Resource Group.

      Go to the Instances page in the ECS console. You can see only the ECS instances that were created in the DepartmentA resource group.

    • After you log on as AdminB: You will observe similar but completely isolated behavior. All operations are restricted to the DepartmentB resource group.
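As an added example (not part of this page and not Alibaya Cloud's own tooling), the following Python audit applies the isolation check from step 4 to policy attachment records instead of the console: it flags any AliyunECSFullAccess or AliyunBSSFullAccess grant at account scope, any grant that lands on the other department's resource group, and any department admin left without a scoped grant. The record fields and the rg-* ids are assumptions modelled on the shape of Resource Manager's ListPolicyAttachments output; replace the constructed list with real attachments to audit an account.

```python
"""Audit RAM policy attachments for departmental resource-group isolation."""
from typing import Dict, List

# Broad system policies from the scenario; an account-wide grant of either
# one recreates the flat authorization pattern described earlier.
BROAD_POLICIES = {"AliyunECSFullAccess", "AliyunBSSFullAccess"}

# Resource group each departmental admin may manage. The rg-* ids are
# placeholders for the real DepartmentA / DepartmentB resource group ids.
EXPECTED_SCOPE = {"AdminA": "rg-departmenta-placeholder",
                  "AdminB": "rg-departmentb-placeholder"}

# Constructed records in the shape of Resource Manager ListPolicyAttachments
# entries (assumption: an account-scoped attachment carries an empty
# ResourceGroupId, and PrincipalName is the RAM user's full logon name).
SAMPLE_ATTACHMENTS = [
    {"PrincipalType": "IMSUser", "PrincipalName": "AdminA@123456.onaliyun.com",
     "PolicyName": "AliyunECSFullAccess", "ResourceGroupId": "rg-departmenta-placeholder"},
    {"PrincipalType": "IMSUser", "PrincipalName": "AdminB@123456.onaliyun.com",
     "PolicyName": "AliyunECSFullAccess", "ResourceGroupId": ""},  # account-wide grant
    {"PrincipalType": "IMSUser", "PrincipalName": "AdminA@123456.onaliyun.com",
     "PolicyName": "AliyunBSSFullAccess", "ResourceGroupId": "rg-departmentb-placeholder"},
]


def audit(attachments: List[Dict[str, str]], expected: Dict[str, str]) -> List[str]:
    """Return findings that break horizontal isolation; an empty list passes."""
    findings, covered = [], set()
    for att in attachments:
        user = att["PrincipalName"].split("@", 1)[0]  # logon name -> RAM user name
        policy, rg = att["PolicyName"], att.get("ResourceGroupId") or ""
        if policy not in BROAD_POLICIES:
            continue  # narrow policies are outside this audit's scope
        if not rg:
            findings.append(f"{user}: {policy} granted at account scope")
        elif user in expected and rg != expected[user]:
            findings.append(f"{user}: {policy} granted on foreign group {rg}")
        elif user in expected:
            covered.add(user)
    for user, rg in expected.items():
        if user not in covered:
            findings.append(f"{user}: no broad policy scoped to {rg}")
    return findings
```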