Group ECS instances and related resources by department to isolate access between teams.
Security risks
By default, a RAM user granted ECS management permissions such as AliyunECSFullAccess can operate on all ECS instances and related resources in the account. This flat authorization poses security risks as teams grow:
-
Permission abuse and operational errors: An administrator from Department A can view, modify, or delete production servers belonging to Department B—whether intentionally or by accident.
-
Violation of least privilege: The RAM user holds permissions far exceeding job requirements, violating the principle of least privilege—a core tenet of defense in depth that limits every user, program, or process to the minimum access needed.
-
Audit and compliance challenges: When all operations are mixed together, tracking which department changed which resource becomes difficult, making compliance harder to achieve.
Best practices
Use resource groups and identity-based RAM policies to build logical management borders within your Alibaba Cloud account. The following scenario uses two departments, DepartmentA and DepartmentB, to demonstrate horizontal permission isolation.
Scenario: Create separate ECS administrators for Department A and Department B, each restricted to their own department's resources.
-
Create resource groups
-
Log on with an Alibaba Cloud account or a RAM identity that has resource group management permissions.
-
Go to the Resource Group console. Click Create Resource Group, fill in the required information, and click OK.
-
Resource Group Identifier: Enter
DepartmentA. -
Resource Group Name: Enter
Department A Resource Group.
-
-
Repeat to create a resource group with ID
DepartmentB.
-
-
Create RAM users
-
Go to the RAM console. In the left-side navigation pane, choose .
-
Click Create User and fill in the information as prompted.
-
Logon Name/Display Name: Enter
AdminA. -
Access Mode: Select Console Access and configure the password policy.
-
-
Click OK and complete security authentication.
-
Repeat to create user
AdminB.
-
-
Grant permissions to resource groups
-
Return to the Resource Group console.
-
Find the
DepartmentAresource group and click Manage Permission in the Actions column. -
Click Grant Permission.
-
Resource Scope: Defaults to the current resource group,
DepartmentA. -
Principal: Select RAM User and select
AdminA. -
Policy: Search for
ecs. SelectAliyunECSFullAccessandAliyunBSSFullAccess. -
Click OK.
-
-
Repeat to grant permissions to
AdminBfor theDepartmentBresource group.
-
-
Verify the isolation
-
Log out. Then log on to the Alibaba Cloud console as
AdminAandAdminBseparately. -
After you log on as
AdminA: Create a custom instance. For resource group, select Department A Resource Group.Go to the ECS console - Instances page. Only ECS instances in the
DepartmentAresource group are visible. -
After you log on as
AdminB: You see similar but completely isolated behavior. All operations are restricted to theDepartmentBresource group.
-