
Resource Access Management: Manage the security settings of RAM users

Last Updated: Dec 15, 2025

You can configure unified security settings for all Resource Access Management (RAM) users under your Alibaba Cloud account to establish a standard security baseline and enhance overall account security. This topic describes how to configure these settings, including global security settings, multi-factor authentication (MFA), and network access control.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative permissions (for example, a user with the AliyunRAMFullAccess policy attached).

  2. In the left-side navigation pane, click Settings. On the Settings page, configure the Security, MFA, and Network Access Control settings in their respective sections.

    Note

    All settings apply to all RAM users under the account. Carefully assess the risks before you enable high-risk settings, such as Allow RAM users to manage their own AccessKey pairs.

Global security settings

Global security settings are used to uniformly manage RAM users' permissions to modify their own credentials (such as passwords, MFA devices, and AccessKey pairs) and to set the lifecycle for logon sessions and idle credentials.

In the Security section, click Modify, set the parameters as described in the following table, and click OK.


Each parameter is listed below with its description and configuration suggestions.

Allow users to manage password

  Description: Allows RAM users to change their own logon passwords. This setting is enabled by default.

  Configuration suggestions:

    • For security-sensitive scenarios: Disable this setting and let RAM administrators manage password lifecycles.

    • For agile development scenarios: Enable this setting for user convenience.

Allow users to manage MFA devices

  Description: Allows RAM users to bind or unbind their own MFA devices. This setting is enabled by default.

  Configuration suggestions:

    • For security-sensitive scenarios: Disable this setting to enforce the use of administrator-bound MFA devices.

    • For agile development scenarios: Enable this setting for user convenience.

Allow users to manage AccessKey

  Description: Allows RAM users to manage their own AccessKey pairs, including creating, disabling, and deleting them. This setting is disabled by default.

  Configuration suggestions: We recommend that you disable this setting in production environments. Instead, have RAM administrators centrally assign and rotate AccessKeys.

Login session duration

  Description: Specifies the validity period of a RAM user's console logon session. Unit: hours. Valid values: 1 to 24. The default value is 6.

  Note: When a user logs on by assuming a role or through single sign-on (SSO), the session duration cannot exceed the value of this parameter. For more information, see Assume a RAM role and SAML response for role-based SSO.

  Configuration suggestions: For a balance between convenience and security, we recommend setting this to your typical workday length, such as 8 hours.

Allow to keep login session for a long time

  Description: Allows RAM users to stay logged on to the Alibaba Cloud mobile app and the ECS client for an extended period (up to 90 days). This setting is disabled by default.

  Note: If an anomalous logon is detected, the session is immediately invalidated, and the user must log on again.

  Configuration suggestions: This setting is suitable for users who need long-term access to manage resources from a mobile device or client.

Allow users to login with passkey

  Description: Allows RAM users to log on to the Alibaba Cloud Management Console by using a passkey. For more information, see What is a passkey? This setting is enabled by default.

  Configuration suggestions: We recommend that you enable this setting to improve both the security and convenience of the logon process.

Max idle days for users

  Description: Specifies the maximum number of days a RAM user can be inactive before their console access (excluding SSO) is automatically disabled. Valid values: 730 days, 365 days, 180 days, and 90 days. The default value is 365 days. Effective time: The setting takes effect the next day (UTC+8).

  Note: A RAM user's console access is disabled if both of the following conditions are met:

    • The user's last logon was longer ago than the specified period, or the user was created longer ago than the period and has never logged on.

    • The user's logon configuration has not been updated in the last 7 days. For more information, see Manage console logon settings for a RAM user.

  Configuration suggestions: We recommend setting this to 90 or 180 days to regularly clean up inactive accounts and reduce security risks.

Max idle days for AccessKey

  Description: Specifies the maximum number of days an AccessKey pair can be inactive before it is automatically disabled. This applies to the AccessKey pairs of both the Alibaba Cloud account and RAM users. Valid values: 730 days, 365 days, 180 days, and 90 days. The default value is 730 days. Effective time: The setting takes effect the next day (UTC+8).

  Note: An AccessKey pair is disabled if both of the following conditions are met:

    • The AccessKey pair was last used longer ago than the specified period.

    • The status of the AccessKey pair has not been updated in the last 7 days.

  Configuration suggestions: We recommend setting this to 90 days to promptly disable idle AccessKey pairs and prevent them from being exploited if compromised.
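The two idle-credential rules above (inactive users and inactive AccessKey pairs, each with the 7-day update grace condition), simulated over constructed records as an added example that is not Alibaba Cloud's own code; the dict field names, the midnight UTC+8 evaluation time, and the treatment of never-used AccessKey pairs are assumptions:

```python
from datetime import datetime, timedelta, timezone

# Added example (not Alibaba Cloud code): simulates the two idle-credential rules above.
# Assumptions: records are plain dicts with tz-aware datetimes; the check runs once a
# day at 00:00 UTC+8; a never-used AccessKey is judged by its creation time (the page
# states this only for users, so treat it as an assumption for keys).
UTC8 = timezone(timedelta(hours=8))
UPDATE_GRACE_DAYS = 7   # credentials whose config/status changed in the last 7 days are spared

def _stale(last_activity, created, cutoff):
    """True when the last activity (or creation, if never active) predates the cutoff."""
    return (last_activity if last_activity is not None else created) < cutoff

def _evaluate(records, max_idle_days, now, activity_field, update_field):
    cutoff = now - timedelta(days=max_idle_days)
    grace = now - timedelta(days=UPDATE_GRACE_DAYS)
    return [r["id"] for r in records
            if _stale(r.get(activity_field), r["created"], cutoff)
            and r[update_field] < grace]          # both conditions must hold

def users_to_disable(users, max_idle_days, now):
    """IDs whose console access 'Max idle days for users' would disable at `now`."""
    return _evaluate(users, max_idle_days, now, "last_logon", "logon_config_updated")

def accesskeys_to_disable(keys, max_idle_days, now):
    """IDs that 'Max idle days for AccessKey' would disable at `now`."""
    return _evaluate(keys, max_idle_days, now, "last_used", "status_updated")

def _d(y, m, d):
    return datetime(y, m, d, tzinfo=UTC8)

# Constructed sample data: the check is run at midnight UTC+8 on 2025-12-15.
NOW = _d(2025, 12, 15)
SAMPLE_USERS = [
    {"id": "alice", "created": _d(2024, 6, 1), "last_logon": _d(2025, 1, 1),
     "logon_config_updated": _d(2025, 1, 1)},        # idle for 348 days
    {"id": "bob", "created": _d(2024, 6, 1), "last_logon": _d(2025, 12, 10),
     "logon_config_updated": _d(2025, 1, 1)},        # active
    {"id": "carol", "created": _d(2025, 3, 1), "last_logon": None,
     "logon_config_updated": _d(2025, 12, 12)},      # never logged on, settings changed 3 days ago
]
SAMPLE_KEYS = [
    {"id": "key-A", "created": _d(2025, 1, 1), "last_used": _d(2025, 6, 1),
     "status_updated": _d(2025, 6, 1)},              # unused for 197 days
    {"id": "key-B", "created": _d(2025, 1, 1), "last_used": _d(2025, 11, 1),
     "status_updated": _d(2025, 1, 1)},              # used 44 days ago
]
```

With a 180-day threshold alice is disabled while carol is spared by the 7-day grace condition; at the 365-day default nothing is disabled.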

MFA settings

MFA adds a second layer of security for user logons and sensitive operations. You can configure a global MFA policy here.

In the MFA section, click Modify, set the parameters as described in the following table, and click OK.


Each parameter is listed below with its description.

Allowed MFA devices

  Description: Specifies the MFA methods that RAM users can use for secondary authentication during console logon or sensitive operations.

    • MFA Devices: Uses a virtual MFA device for secondary authentication. This option is enabled by default and cannot be modified.

    • Passkey: Uses a passkey for secondary authentication. This option is enabled by default and cannot be modified.

    • Secure Email: Uses a security email for secondary authentication. This method works only if an email address is bound to the RAM user.

      Note: The Security Email method can only be used for secondary authentication during sensitive operations.

  All options are enabled by default.

MFA for RAM user sign-in

  Description: Specifies whether to enforce MFA for all RAM users when they log on to the console with a username and password.

    • Force all users: Requires MFA for all RAM users at logon.

      Note: If you select Force for all users, secondary authentication for sensitive operations is automatically enabled for all RAM users.

    • Depend on each user: Adheres to the MFA configuration of each individual RAM user. For more information, see Manage console logon settings for a RAM user.

    • Only when sign-in abnormally: Requires MFA only when a logon is considered anomalous, such as a logon from a new location or device. For all other cases, MFA is not required.

      Note: If you use the acs:MFAPresent condition key in a RAM policy, setting this parameter to Only when sign-in abnormally will cause the condition to fail validation during normal logons. To ensure your policy works as expected, set this parameter to Depend on each user instead.

  The default setting is Force for all users.

Allow to remember MFA validation for 7 days

  Description: If enabled, users can choose to have their MFA status remembered on a specific device for 7 days. This remembered status is invalidated if the user logs off or logs on as a different RAM user on the same device. This setting is disabled by default.

Network access control settings

Network access control allows you to restrict access to your Alibaba Cloud account to a specific list of source IP addresses, serving as an important security boundary.

Important

  • Before you configure Network Access Control, add a stable IP address that you control (such as your office network's egress IP) to the allowlist. This guarantees a way back in if a misconfiguration would otherwise lock out all users, including yourself.

  • If a RAM user is blocked by an IP restriction, an administrator can log on with the Alibaba Cloud account and modify the logon mask (the IP allowlist) to restore access.

In the Network Access Control section, configure the parameters as described in the following table, and click OK.


Each parameter is listed below with its description.

Allowed network address while sign-in

  Description: Specifies an allowlist of IPv4 addresses from which users can log on to the console by using a password or SSO. If left blank, logons are allowed from any IP address.

  Format: Separate multiple IP addresses with spaces, commas (,), or semicolons (;).

  Limit: You can specify up to 200 IP addresses.

Allowed source network address while calling APIs by AccessKey

  Description:

    • Specifies an allowlist of IP addresses from which API calls can be made. This is an account-level policy that applies to all AccessKey pairs. If left blank, API calls are allowed from any IP address.

    • You can also set a more specific access control policy for an individual AccessKey pair, which takes precedence over this account-level policy. For more information, see Configure AccessKey pair-based policies for network access control.
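An added example, not Alibaba Cloud's own code, that parses a logon allowlist in the format described above (space, comma or semicolon separated, IPv4 only, at most 200 entries) and, following the Important note, confirms that a controlled break-glass address is still on the list before it is applied; the function names and sample addresses are constructed.

```python
import ipaddress
import re

# Added example (not Alibaba Cloud code): parses the "Allowed network address while
# sign-in" allowlist in the format described above and checks that a break-glass
# address is present before the list is applied. Assumption: entries are plain IPv4
# addresses, as the page states; CIDR ranges and IPv6 are rejected here.
MAX_ENTRIES = 200                       # limit stated on the page
SEPARATORS = re.compile(r"[\s,;]+")     # spaces, commas and semicolons all separate entries

def parse_login_masks(text):
    """Return the unique, validated IPv4 entries of an allowlist string, in input order."""
    entries = []
    for token in SEPARATORS.split(text.strip()):
        if not token:                   # empty string from leading/trailing separators
            continue
        try:
            addr = str(ipaddress.IPv4Address(token))   # rejects IPv6, CIDR and typos
        except ValueError as exc:
            raise ValueError(f"invalid IPv4 entry {token!r}") from exc
        if addr not in entries:
            entries.append(addr)
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    return entries

def missing_break_glass(entries, break_glass_ips):
    """Break-glass IPs absent from the allowlist; an empty result means it is safe to apply.
    An empty allowlist admits every address, so it cannot lock anyone out."""
    if not entries:
        return []
    return [ip for ip in break_glass_ips if ip not in entries]

# Constructed sample: a mixed-separator list with a duplicate, plus the office egress
# address (RFC 5737 documentation ranges) that must always remain on the list.
SAMPLE_INPUT = "203.0.113.10, 198.51.100.7; 203.0.113.10 192.0.2.1"
OFFICE_EGRESS = ["203.0.113.10"]
```

Run the lockout check against the parsed list before saving it in the console; a non-empty result names the addresses that would lock administrators out.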