To ensure the security of your Alibaba Cloud account and cloud resources, do not use your Alibaba Cloud account to access Network Intelligence Service (NIS) unless it is necessary. We recommend that you use the identities provided by Resource Access Management (RAM), including RAM users and RAM roles, to access NIS.
RAM users
RAM users are created by Alibaba Cloud accounts, or by RAM users or RAM roles that have administrator permissions. A RAM user can log on to the console or access Alibaba Cloud resources within the Alibaba Cloud account only after it is granted the required permissions. We recommend that you take the following precautions:
Use your Alibaba Cloud account to create a RAM user and grant administrator permissions to that RAM user. Then, use the RAM user to create and manage other RAM users.
Separate RAM users for individuals from RAM users for programs.
You can use the RAM console or OpenAPI Explorer to create RAM users. If you use the RAM console, you must provide the username and password of your Alibaba Cloud account. If you use OpenAPI Explorer, you must provide your AccessKey pair. Use only one of these methods for a given type of scenario to reduce the risk of human error. If you use the RAM console, we recommend that you enable multi-factor authentication (MFA) to reinforce security.
Grant permissions to RAM users based on the principle of least privilege.
Least-privilege permissions are the minimum permissions required to perform an operation and no others. Granting least-privilege permissions improves data security and prevents permission abuse.
Do not embed your AccessKey ID or AccessKey secret in code. Otherwise, your AccessKey pair may be leaked, which puts all resources within your account at risk.
Enable single sign-on (SSO) for RAM users to allow the RAM users to log on to and access Alibaba Cloud resources from the identity management systems of their enterprises.
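The two precautions above about least privilege and about not embedding AccessKey pairs can both be checked mechanically. The following Python is an added example, not code from Alibaba Cloud or from this page: it lints a RAM permission policy for wildcard actions and checks that it grants only read-style actions, scans source text for AccessKey IDs (Alibaba Cloud AccessKey IDs begin with "LTAI"), and loads credentials from the environment variables used by the Alibaba Cloud credentials library. The "nis:" action names and the sample policies are assumptions constructed for illustration.

```python
import os
import re

# Constructed example: a least-privilege policy that grants only read access to
# NIS, in Alibaba Cloud RAM policy format. The "nis:" action names are an
# assumption for illustration; check the service's documented action list.
READ_ONLY_NIS_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["nis:Describe*", "nis:Get*", "nis:List*"],
            "Resource": "*",
        }
    ],
}

# Constructed example of an over-broad policy that violates least privilege.
ADMIN_LIKE_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Action prefixes a read-only NIS identity may hold (assumed names, see above).
READ_ONLY_PREFIXES = ("nis:Describe", "nis:Get", "nis:List")


def _as_list(value):
    """RAM policies allow a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Report Allow statements whose Action is a bare wildcard ("*") or a
    whole-service wildcard ("svc:*"); such statements cannot be least privilege."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {index}: wildcard action '{action}'")
    return findings


def grants_only(policy, allowed_prefixes):
    """True if every action granted by an Allow statement falls under one of
    allowed_prefixes. A trailing '*' is stripped first, so 'nis:Describe*' is
    accepted for prefix 'nis:Describe' while '*' and 'nis:*' are rejected."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            base = action.rstrip("*")
            if not base or not base.startswith(allowed_prefixes):
                return False
    return True


# Alibaba Cloud AccessKey IDs begin with "LTAI"; this pattern finds them in source text.
ACCESS_KEY_ID_PATTERN = re.compile(r"\bLTAI[A-Za-z0-9]{12,}\b")

# Constructed source snippet with an embedded (fake) AccessKey pair.
SAMPLE_SOURCE = '''
client = NisClient(
    access_key_id="LTAIEXAMPLE0000000000",      # embedded credential: bad practice
    access_key_secret="EXAMPLE_SECRET_DO_NOT_USE",
)
'''


def find_embedded_access_keys(source_text):
    """Return AccessKey IDs found in source text, for use in a pre-commit or CI check."""
    return ACCESS_KEY_ID_PATTERN.findall(source_text)


def load_credentials_from_env(env=None):
    """Read the AccessKey pair (and optional STS token) from environment variables
    instead of code. The variable names are those used by the Alibaba Cloud
    credentials library; a RAM role's STS token is passed the same way."""
    env = os.environ if env is None else env
    key_id = env.get("ALIBABA_CLOUD_ACCESS_KEY_ID")
    secret = env.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
    if not key_id or not secret:
        raise RuntimeError("AccessKey pair not provided in the environment")
    return {
        "access_key_id": key_id,
        "access_key_secret": secret,
        "security_token": env.get("ALIBABA_CLOUD_SECURITY_TOKEN"),
    }
```

Run `find_overbroad_statements` and `grants_only` against every policy before it is attached to a RAM user, and `find_embedded_access_keys` over the code base in CI; `load_credentials_from_env` is the replacement for the embedded pair that the scan flags.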
RAM user groups
If you use your Alibaba Cloud account to create multiple RAM users, you can classify them into different groups to facilitate permission management. For example, you can grant the same permissions to RAM users in the same RAM user group. We recommend that you take the following precautions:
Grant permissions to RAM user groups based on the principle of least privilege.
Remove a RAM user from the RAM user group if the work duties of the RAM user change.
Remove a RAM user from the RAM user group if the RAM user no longer needs the permissions of the RAM user group.
RAM roles
A RAM role is a virtual identity to which policies can be attached. Different from a RAM user, a RAM role does not have permanent identity credentials, such as a logon password or an AccessKey pair. A RAM role can be used only after the role is assumed by a trusted entity. After the trusted entity assumes the RAM role, the trusted entity can obtain a temporary identity credential. The credential is the Security Token Service (STS) token of the RAM role and is used to access the resources on which the RAM role has permissions.
We recommend that you comply with the following rules when you use RAM roles:
Do not frequently change the trusted entity of a RAM role after the role is created. Changing the trusted entity of a RAM role may cause permission loss, which affects operations on your service. If you add a trusted entity, security risks may arise due to privilege escalation. Make sure that the modifications are fully tested before you apply them to a RAM role.
Enable SSO for RAM roles to allow the RAM roles to log on to and access Alibaba Cloud resources from the identity management systems of their enterprises.
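Both risks named above for trusted-entity changes (permission loss when a principal is removed, privilege escalation when one is added) can be surfaced before the change is applied by diffing the role's current and proposed trust policies. The following Python is an added example, not Alibaba Cloud's code or tooling: it extracts the principals that each trust policy allows to call sts:AssumeRole and reports what a change adds and removes. The trust policies and the account ID are constructed placeholders.

```python
import json

# Constructed trust policies in Alibaba Cloud RAM format; the account ID is a placeholder.
CURRENT_TRUST_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"RAM": ["acs:ram::ACCOUNT_ID_PLACEHOLDER:user/nis-operator"]},
    }],
})

# Proposed change: trusts the whole account and an ECS service principal, and
# drops the single RAM user that workloads use today.
PROPOSED_TRUST_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
            "RAM": ["acs:ram::ACCOUNT_ID_PLACEHOLDER:root"],
            "Service": ["ecs.aliyuncs.com"],
        },
    }],
})


def _as_list(value):
    """Trust policies allow a string or a list for Action and for each principal type."""
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy_json):
    """Return the set of (principal_type, principal) pairs that the trust policy
    allows to call sts:AssumeRole on the role."""
    doc = json.loads(trust_policy_json)
    principals = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for ptype, names in stmt.get("Principal", {}).items():
            for name in _as_list(names):
                principals.add((ptype, name))
    return principals


def diff_trust_policies(current_json, proposed_json):
    """Principals gained and lost by moving from the current to the proposed policy."""
    before = trusted_principals(current_json)
    after = trusted_principals(proposed_json)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def review_trust_change(current_json, proposed_json):
    """Turn the diff into review findings. Added principals widen who can obtain the
    role's STS token (privilege escalation); removed principals lose the role's
    permissions (operational breakage). A ':root' principal is rated HIGH because
    it trusts every identity in that account that holds sts:AssumeRole permission."""
    diff = diff_trust_policies(current_json, proposed_json)
    findings = []
    for ptype, name in diff["added"]:
        severity = "HIGH" if name.endswith(":root") else "MEDIUM"
        findings.append(f"{severity}: {ptype} principal {name} gains the ability to assume the role")
    for ptype, name in diff["removed"]:
        findings.append(f"WARN: {ptype} principal {name} loses the ability to assume the role; "
                        "workloads that rely on it lose the role's permissions")
    return findings
```

Running `review_trust_change` in the change-review step gives the tester a concrete list of who gains and who loses the role, which is the information needed to test the modification before it is applied.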