
Elastic Compute Service: RAM overview

Last Updated: Mar 29, 2024

Resource Access Management (RAM) is a service provided by Alibaba Cloud that allows you to manage user identities and resource access permissions. You can use RAM to assign user identities and cloud service-specific roles and grant access permissions on Alibaba Cloud resources.

Identities

Identities in RAM include physical identities (RAM users and user groups) and virtual identities (RAM roles):

  • RAM users have separate logon passwords and AccessKey pairs. RAM user groups are used to centrally manage RAM users with similar responsibilities. You can attach policies to RAM users and user groups. This eliminates the need to share the password of your Alibaba Cloud account when multiple RAM users in the account simultaneously access resources and reduces the risk of sensitive information leakage. Follow the principle of least privilege when you grant permissions to RAM users or user groups. This way, the security of all resources in your account is not compromised even if information leakage occurs.

  • A RAM role is a virtual identity to which policies can be attached. Unlike a RAM user, a RAM role has no separate logon password or AccessKey pair. Before a RAM role is granted permissions, the RAM role must be assumed by a trusted entity. When cloud services communicate, after you attach a RAM role to a trusted entity such as an Elastic Compute Service (ECS) instance, the trusted entity assumes the RAM role, obtains temporary Security Token Service (STS) credentials, and uses those credentials to call API operations of other cloud services. This avoids high-risk practices, such as writing a long-lived AccessKey pair to a configuration file, and improves the security of AccessKey pairs.

Permissions

A policy defines permissions and consists of a few basic elements. For more information, see Policy elements. You can attach policies to an identity (a RAM user, user group, or role) to control which actions the identity can perform, on which resources, and under which conditions.

Policies are categorized into system policies and custom policies.

  • System policies are the common policies predefined by Alibaba Cloud. System policies cannot be modified. The following table describes specific ECS-related system policies.

    System policy name: Description

    AliyunECSFullAccess: Grants permissions to perform all operations on all ECS resources, including the permissions to create, view, and delete ECS resources.

    AliyunECSReadOnlyAccess: Grants read-only permissions on ECS resources.

    AliyunECSNetworkInterfaceManagementAccess: Grants permissions to manage elastic network interfaces (ENIs), including the permissions to create, view, and delete ENIs.

    AliyunECSAssistantFullAccess: Grants permissions to manage Cloud Assistant commands, including the permissions to create, run, view, and delete Cloud Assistant commands.

    AliyunECSAssistantReadonlyAccess: Grants read-only permissions on Cloud Assistant commands.

    AliyunECSImageExportRolePolicy: Grants permissions required to export images, including the read permissions on Object Storage Service (OSS) buckets and the read and write permissions on OSS objects.

    AliyunECSImageImportRolePolicy: Grants permissions required to import images, including the write permissions on OSS buckets and the read and write permissions on OSS objects.

    AliyunECSInstanceForYundunSysTrustRolePolicy: Grants permissions required for security-enhanced ECS instances to use the Alibaba Cloud trusted system.

    AliyunECSDiskEncryptRolePolicy: Grants permissions required to encrypt disks.

    For more information about system policies, see Example system policies.

  • Custom policies: You can create and maintain custom policies as needed. For information about how to create custom policies and sample custom policies, see Create custom policies and Overview of sample policies.

Usage examples

Perform the following operations to control resource access for employees inside an enterprise:

  1. Create a SysAdmins user group for employees who need to create and manage resources, and attach to the user group policies that grant permissions to perform all operations on all resources.

  2. Create a Developers user group for employees who only need to use resources, and attach to the user group policies that grant permissions to call the StartInstance, StopInstance, and DescribeInstances operations.

  3. Create RAM users for employees and add the users to the user groups that match their responsibilities.

  4. To enhance network security, attach policies that deny RAM users access to resources when the request originates from an IP address outside the enterprise network.

  5. If an employee changes from a developer to an administrator, move the corresponding RAM user from the Developers user group to the SysAdmins user group.

  6. If RAM users in the Developers user group require more permissions, modify the policies of the user group so that the required permissions are granted to all RAM users in the group.
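As an added example (not from this page or from Alibaba Cloud's own code), the following Python models steps 2 and 4 above: the custom policy for the Developers user group, the explicit Deny policy conditioned on the request's source IP, and a simplified evaluator that applies RAM's rule that an explicit Deny overrides any Allow and anything unmatched is denied by default. The enterprise range 203.0.113.0/24 and the evaluator itself are assumptions for illustration; the condition key acs:SourceIp and the NotIpAddress operator are the RAM names for this check.

```python
import ipaddress

# Constructed enterprise IP range for this example (assumption, not from the page).
ENTERPRISE_CIDR = "203.0.113.0/24"

# Step 2: custom policy for the Developers user group, limited to the three operations
# it needs (Resource is required in a RAM statement; the model below does not match on it).
DEVELOPERS_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["ecs:StartInstance", "ecs:StopInstance", "ecs:DescribeInstances"],
    "Resource": "*",
}]}

# Step 4: explicit Deny for any request whose source IP is outside the enterprise
# range, using the RAM condition key acs:SourceIp with the NotIpAddress operator.
DENY_OUTSIDE_IP_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"NotIpAddress": {"acs:SourceIp": [ENTERPRISE_CIDR]}},
}]}


def _condition_holds(condition, source_ip):
    """Evaluate the IpAddress / NotIpAddress operators on acs:SourceIp only."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        in_range = any(ip in ipaddress.ip_network(cidr)
                       for cidr in keys.get("acs:SourceIp", []))
        # IpAddress requires the IP to be in range; NotIpAddress requires it not to be.
        if (operator == "IpAddress") != in_range:
            return False
    return True


def evaluate(policies, action, source_ip):
    """Simplified RAM evaluation: explicit Deny wins, then Allow, else default Deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if not any(a in ("*", action) for a in actions):
                continue
            if not _condition_holds(stmt.get("Condition", {}), source_ip):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"
```

With both policies attached, a developer calling StartInstance from inside the range is allowed, the same call from outside is denied by the explicit Deny, and DeleteInstance is denied from anywhere because no statement allows it.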

Attach one of the following RAM roles to an ECS instance to allow the instance to use temporary credentials to access other Alibaba Cloud services:

  • AliyunECSImageExportDefaultRole: The AliyunECSImageExportRolePolicy system policy is attached to this role. After this role is attached to an ECS instance, the instance has the permissions required to export images.

  • AliyunECSImageImportDefaultRole: The AliyunECSImageImportRolePolicy system policy is attached to this role. After this role is attached to an ECS instance, the instance has the permissions required to import images.

  • AliyunECSInstanceForYundunSysTrustRole: The AliyunECSInstanceForYundunSysTrustRolePolicy system policy is attached to this role. After this role is attached to an ECS instance, the instance has the permissions required to use the Alibaba Cloud trusted system.

  • AliyunECSDiskEncryptDefaultRole: The AliyunECSDiskEncryptRolePolicy system policy is attached to this role. After this role is attached to an ECS instance, the instance has the permissions required to encrypt disks.