Configure uniform security policies for all Resource Access Management (RAM) users in your Alibaba Cloud account to establish a standard security baseline and improve overall account security. Policies include global security settings, multi-factor authentication (MFA), and network access control.
Procedure
-
Log on to the RAM console by using your Alibaba Cloud account or a RAM user that has administrative permissions, such as the
AliyunRAMFullAccesspolicy. -
In the left-side navigation pane, choose Settings. You can configure policies in the Security, MFA, and Network Access Control sections.
NoteAll settings apply to all RAM users in your account. Carefully evaluate the risks of high-risk settings, such as Allow users to manage AccessKey.
Global security settings
Centrally manage permissions for RAM users to modify their own credentials (passwords, MFA devices, and AccessKeys) and set lifecycles for logon sessions and idle credentials.
In the Security section, click Modify, configure the parameters as described in the following table, and then click OK.
|
Parameter |
Description |
Recommendation |
|
Allow users to manage password |
If you select Enable, RAM users can manage their own logon passwords. This setting is Enable by default. |
|
|
Allow users to manage MFA devices |
If you select Enable, RAM users can bind or unbind their own MFA devices. This setting is Enable by default. |
|
|
Allow users to manage AccessKey |
If you select Enable, all RAM users can manage their own AccessKeys, including creating, disabling, and deleting them. This setting is disabled by default. |
In production environments, we recommend disabling this setting to let RAM administrators centrally manage and rotate AccessKeys. |
|
Login session duration |
The duration of a RAM user's console logon session. Unit: hours. Valid values: 1–24. Default value: 6. Note
When a user logs on to the console by assuming a RAM role or by using role-based SSO, the session duration is also limited by the Login session duration setting. The resulting session duration will not exceed this value. For more information, see Assume a RAM role and SAML response for role-based SSO. |
To balance convenience and security, we recommend setting this to a standard workday length, such as 8 hours. |
|
Allow to keep login session for a long time |
If you select Enable, RAM users can remain logged on in the Alibaba Cloud app and Alibaba Cloud ECS client for up to 90 days. This setting is disabled by default. Note
If Alibaba Cloud Security detects an anomalous logon, the session is immediately invalidated, and the user must log on again. |
This setting is suitable for users who require long-term access to manage resources from mobile devices or clients. |
|
Allow users to login with passkey |
If you select Enable, RAM users can log on to Alibaba Cloud with a bound passkey. For more information about passkeys, see What is a passkey? This setting is Enable by default. |
We recommend Enable this setting to improve logon security and convenience. |
|
User maximum idle time |
The maximum number of days a RAM user can be idle before their console logon access (excluding single sign-on) is automatically disabled. Valid values: 730, 365, 180, or 90 days. Default value: 365 days. Effective time: The setting takes effect the next day (UTC+8). Note
A RAM user cannot log on to the console if both of the following conditions are met:
|
We recommend a value of 90 or 180 days to promptly clean up idle accounts and reduce security risks. |
|
AccessKey maximum idle time |
The maximum number of days that an AccessKey of an Alibaba Cloud account or RAM user can be idle before it is automatically disabled. Valid values: 730, 365, 180, or 90 days. Default value: 730 days. Effective time: The setting takes effect the next day (UTC+8). Note
An AccessKey is disabled if both of the following conditions are met:
|
We recommend a value of 90 days to promptly disable idle AccessKeys and prevent misuse if they are compromised. |
Multi-factor authentication (MFA) settings
Multi-factor authentication (MFA) adds a second layer of security for user logons and sensitive operations. Configure a global MFA policy to enforce consistent authentication requirements.
In the MFA section, click Modify, configure the parameters as described in the following table, and then click OK.
|
Parameter |
Description |
|
Allowed MFA devices |
The secondary authentication methods available to RAM users when they log on to the console or perform sensitive operations:
All options are selected by default. |
|
MFA for RAM user sign-in |
Whether to enforce MFA for all RAM users when they log on with a username and password:
The default selection is Force all users. |
|
Allow to remember MFA validation for 7 days |
If you select Enable, users will not be prompted for MFA again for 7 days when logging on from the same device. This remembered status is invalidated if a different RAM user logs on to the same device. This setting is disabled by default. |
Network access control settings
Network Access Control lets you restrict access to your Alibaba Cloud account to specific source IP addresses, creating an important security boundary.
-
Before you configure Network Access Control, you must add a stable, controllable IP address (such as your office network egress IP) to the allowlist. This serves as an emergency access point in case a misconfiguration prevents all users, including yourself, from logging on.
-
If a RAM user cannot log on due to an IP restriction, contact an administrator to log on with the Alibaba Cloud account and modify the logon mask.
In the Network Access Control section, configure the parameters as described in the following table, and then click OK.
Click Modify next to the target parameter to open the configuration page.
|
Parameter |
Description |
|
Allowed network address while sign-in |
The source IP addresses from which users are allowed to log on to the console by using a password or SSO. Leave this blank to allow access from any IP address. Format: Only IPv4 addresses are supported. Separate multiple addresses with a space, comma, or semicolon. Limit: You can add up to 200 IP addresses. |
|
Allowed network address while calling APIs by AccessKey |
|