All Products
Search
Document Center

Resource Access Management:Manage RAM user security settings

Last Updated:Jul 03, 2026

Configure uniform security policies for all Resource Access Management (RAM) users in your Alibaba Cloud account to establish a standard security baseline and improve overall account security. Policies include global security settings, multi-factor authentication (MFA), and network access control.

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user that has administrative permissions, such as the AliyunRAMFullAccess policy.

  2. In the left-side navigation pane, choose Settings. You can configure policies in the Security, MFA, and Network Access Control sections.

    Note

    All settings apply to all RAM users in your account. Carefully evaluate the risks of high-risk settings, such as Allow users to manage AccessKey.

Global security settings

Centrally manage permissions for RAM users to modify their own credentials (passwords, MFA devices, and AccessKeys) and set lifecycles for logon sessions and idle credentials.

In the Security section, click Modify, configure the parameters as described in the following table, and then click OK.

Parameter

Description

Recommendation

Allow users to manage password

If you select Enable, RAM users can manage their own logon passwords.

This setting is Enable by default.

  • For high-security environments: We recommend disabling this setting to let administrators centrally manage password lifecycles.

  • For agile development environments: We recommend Enable this setting to allow users to manage their own passwords.

Allow users to manage MFA devices

If you select Enable, RAM users can bind or unbind their own MFA devices.

This setting is Enable by default.

  • For high-security environments: We recommend disabling this setting to require users to use MFA devices bound by an administrator.

  • For agile development environments: We recommend Enable this setting to allow users to manage their own MFA devices.

Allow users to manage AccessKey

If you select Enable, all RAM users can manage their own AccessKeys, including creating, disabling, and deleting them.

This setting is disabled by default.

In production environments, we recommend disabling this setting to let RAM administrators centrally manage and rotate AccessKeys.

Login session duration

The duration of a RAM user's console logon session. Unit: hours. Valid values: 1–24.

Default value: 6.

Note

When a user logs on to the console by assuming a RAM role or by using role-based SSO, the session duration is also limited by the Login session duration setting. The resulting session duration will not exceed this value. For more information, see Assume a RAM role and SAML response for role-based SSO.

To balance convenience and security, we recommend setting this to a standard workday length, such as 8 hours.

Allow to keep login session for a long time

If you select Enable, RAM users can remain logged on in the Alibaba Cloud app and Alibaba Cloud ECS client for up to 90 days.

This setting is disabled by default.

Note

If Alibaba Cloud Security detects an anomalous logon, the session is immediately invalidated, and the user must log on again.

This setting is suitable for users who require long-term access to manage resources from mobile devices or clients.

Allow users to login with passkey

If you select Enable, RAM users can log on to Alibaba Cloud with a bound passkey. For more information about passkeys, see What is a passkey?

This setting is Enable by default.

We recommend Enable this setting to improve logon security and convenience.

User maximum idle time

The maximum number of days a RAM user can be idle before their console logon access (excluding single sign-on) is automatically disabled.

Valid values: 730, 365, 180, or 90 days. Default value: 365 days.

Effective time: The setting takes effect the next day (UTC+8).

Note

A RAM user cannot log on to the console if both of the following conditions are met:

  • The time since the user's last logon exceeds the specified idle period, or the user has never logged on since being created more than the idle period ago.

  • The RAM user's logon configuration has not been updated in the last 7 days.

We recommend a value of 90 or 180 days to promptly clean up idle accounts and reduce security risks.

AccessKey maximum idle time

The maximum number of days that an AccessKey of an Alibaba Cloud account or RAM user can be idle before it is automatically disabled.

Valid values: 730, 365, 180, or 90 days. Default value: 730 days.

Effective time: The setting takes effect the next day (UTC+8).

Note

An AccessKey is disabled if both of the following conditions are met:

  • The time since the AccessKey was last used exceeds the maximum idle period.

  • The AccessKey's status has not been updated in the last 7 days.

We recommend a value of 90 days to promptly disable idle AccessKeys and prevent misuse if they are compromised.

Multi-factor authentication (MFA) settings

Multi-factor authentication (MFA) adds a second layer of security for user logons and sensitive operations. Configure a global MFA policy to enforce consistent authentication requirements.

In the MFA section, click Modify, configure the parameters as described in the following table, and then click OK.

Parameter

Description

Allowed MFA devices

The secondary authentication methods available to RAM users when they log on to the console or perform sensitive operations:

  • MFA Devices: Uses a virtual MFA device for secondary authentication. This option is enabled by default and cannot be modified.

  • Passkey: Uses a passkey for secondary authentication. This option is enabled by default and cannot be modified.

  • Secure Email: Uses a security email for secondary authentication. You must bind a security email for the RAM user for this method to take effect.

    Note

    Secure Email is supported only for secondary authentication during sensitive operations.

All options are selected by default.

MFA for RAM user sign-in

Whether to enforce MFA for all RAM users when they log on with a username and password:

  • Force all users: Enforces MFA for all RAM users at logon.

    Note

    If you select Force all users, the secondary authentication for sensitive operations feature is enabled for all RAM users. This means RAM users must re-authenticate with MFA when they perform sensitive operations on the console.

  • Depend on each user: Uses the MFA setting specified for each RAM user. For more information, see Manage RAM user logon settings.

  • Required Only for Unusual Logon: Enforces MFA only in cases of untrusted logons, such as from a new logon location or device.

    Note

    If you use the specific condition key acs:MFAPresent in a permission policy, such as in the scenario described in Use RAM to restrict access to cloud resources for only MFA-enabled RAM users, setting this option to Required Only for Unusual Logon causes the policy condition to evaluate to false during normal logons. To ensure the condition works as expected, we recommend that you select Depend on each user.

The default selection is Force all users.

Allow to remember MFA validation for 7 days

If you select Enable, users will not be prompted for MFA again for 7 days when logging on from the same device. This remembered status is invalidated if a different RAM user logs on to the same device.

This setting is disabled by default.

Network access control settings

Network Access Control lets you restrict access to your Alibaba Cloud account to specific source IP addresses, creating an important security boundary.

Important
  • Before you configure Network Access Control, you must add a stable, controllable IP address (such as your office network egress IP) to the allowlist. This serves as an emergency access point in case a misconfiguration prevents all users, including yourself, from logging on.

  • If a RAM user cannot log on due to an IP restriction, contact an administrator to log on with the Alibaba Cloud account and modify the logon mask.

In the Network Access Control section, configure the parameters as described in the following table, and then click OK.

Click Modify next to the target parameter to open the configuration page.

Parameter

Description

Allowed network address while sign-in

The source IP addresses from which users are allowed to log on to the console by using a password or SSO. Leave this blank to allow access from any IP address.

Format: Only IPv4 addresses are supported. Separate multiple addresses with a space, comma, or semicolon.

Limit: You can add up to 200 IP addresses.

Allowed network address while calling APIs by AccessKey

  • The source IP addresses from which API calls can be made. This is an account-level policy that applies to all AccessKeys. Leave this blank to allow access from any IP address.

  • You can also set a more specific network restriction for an individual AccessKey, which takes precedence over this account-level policy. For more information, see AccessKey network access restriction policy.