To ensure the security of your Alibaba Cloud account and cloud resources, do not use your Alibaba Cloud account to access Alibaba Cloud services unless otherwise required. We recommend that you access Alibaba Cloud services as a Resource Access Management (RAM) user or by assuming a RAM role.
RAM user
RAM users are created by Alibaba Cloud accounts, RAM users that have the administrator permissions, or RAM roles that have the administrator permissions. After a RAM user is granted the required permissions, the RAM user can log on to the Alibaba Cloud Management Console or call API operations to access resources within the Alibaba Cloud account to which the RAM user belongs.
We recommend that you take note of the following items:
Use your Alibaba Cloud account to create a RAM user and grant the administrator permissions to the RAM user. Then, you can create and manage other RAM users as the RAM user.
Separate RAM users for individuals from RAM users for programs.
You can create RAM users in the RAM console or by calling an API operation. If you use the RAM console, you must provide the username and password of your Alibaba Cloud account. If you call an API operation, you must specify your AccessKey pair. We recommend that you keep RAM users for individuals separate from RAM users for programs, so that a person working in the console cannot accidentally operate with a program's credentials and vice versa. If you use the RAM console, we recommend that you enable multi-factor authentication (MFA) to increase security.
Grant permissions to RAM users based on the principle of least privilege.
Least-privilege permissions are the minimum permissions required to perform an operation. Granting only these permissions improves data security and limits the damage that a leaked credential or a misused permission can cause.
Do not embed your AccessKey ID or AccessKey secret in code. Otherwise, your AccessKey pair may be leaked, which raises security risks for all resources within your account. We recommend that you use Security Token Service (STS) or configure environment variables to obtain access permissions.
Enable single sign-on (SSO) for RAM users to allow the RAM users to log on to the Alibaba Cloud Management Console and access Alibaba Cloud resources from the identity management systems of their enterprises.
RAM user group
If you use your Alibaba Cloud account to create multiple RAM users, you can group the RAM users to facilitate permission management. For example, you can grant the same permissions to RAM users in the same RAM user group. We recommend that you take note of the following items:
Grant permissions to RAM user groups based on the principle of least privilege.
Remove a RAM user from a RAM user group if the work duties of the RAM user change.
Revoke the permissions that are granted to a RAM user group if the permissions are no longer required.
RAM role
A RAM role is a virtual identity to which policies can be attached. A RAM role does not have permanent identity credentials, such as a logon password or an AccessKey pair. A RAM role can be used only after the role is assumed by a trusted entity. After a RAM role is assumed by a trusted entity, the trusted entity can obtain a Security Token Service (STS) token. Then, the trusted entity can use the STS token to access Alibaba Cloud resources as the RAM role.
We recommend that you take note of the following items:
Do not frequently change the trusted entity of a RAM role after the RAM role is created. If you change the trusted entity of a RAM role, permission loss may occur, which affects your business. If you add a trusted entity, security risks may arise due to privilege escalation. Make sure that the modifications are fully tested before you apply them to a RAM role.
After the RAM user of a trusted entity is granted the required permissions, the trusted entity can call the AssumeRole operation to obtain an STS token, which can be used to assume a RAM role. For more information, see AssumeRole. An STS token is valid only for a limited period of time. We recommend that you set the validity period to an appropriate value to reduce security risks.
Note: The maximum validity period of an STS token is the maximum session duration specified for the RAM role. We recommend that you specify an appropriate maximum session duration for a RAM role to reduce security risks.
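The least-privilege, no-embedded-AccessKey and STS-validity recommendations above, as an added Python example that is not part of this page or of any Alibaba Cloud SDK: it flags wildcard grants in a constructed RAM policy document, reads the AccessKey pair from environment variables (variable names assumed to match the Alibaba Cloud SDK credential chain), and caps the AssumeRole DurationSeconds at the role's maximum session duration (the 900-second floor is an assumed value).

```python
import json
import os

# Constructed sample RAM policies (Alibaba Cloud policy format, Version "1").
BROAD_POLICY = '{"Version":"1","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'
SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:ListObjects"],
        "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
    }],
})

STS_MIN_DURATION = 900  # lowest DurationSeconds AssumeRole accepts (assumed value)

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def policy_findings(policy_json):
    """Flag Allow statements that grant wildcard actions or wildcard resources."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {idx}: wildcard resource *")
    return findings

def credentials_from_env(env=None):
    """Read the AccessKey pair, and an STS token if one is set, from environment
    variables instead of source code (variable names are an assumption)."""
    env = os.environ if env is None else env
    key_id = env.get("ALIBABA_CLOUD_ACCESS_KEY_ID")
    secret = env.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
    if not key_id or not secret:
        raise RuntimeError("AccessKey pair missing from environment; no hard-coded fallback")
    return {"access_key_id": key_id, "access_key_secret": secret,
            "security_token": env.get("ALIBABA_CLOUD_SECURITY_TOKEN")}

def session_duration(requested_seconds, role_max_seconds):
    """DurationSeconds to pass to AssumeRole: never longer than the role's maximum."""
    if requested_seconds < STS_MIN_DURATION:
        raise ValueError(f"DurationSeconds must be at least {STS_MIN_DURATION}")
    return min(requested_seconds, role_max_seconds)
```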
Enable SSO for RAM roles to allow the RAM roles to log on to the Alibaba Cloud Management Console and access Alibaba Cloud resources from the identity management systems of their enterprises.