Resource Access Management: Best practices for identity and permissions

Last Updated: Nov 19, 2025

In a cloud environment, an identity is an entity that performs operations, and permissions are the cornerstone of security boundaries. Following the Alibaba Cloud Well-Architected Framework and using the features of Resource Access Management (RAM) is essential for building a secure, compliant, and scalable cloud system. This guide provides best practices for three key areas: human identities, programmatic identities, and permission management.

Best practices for human identities

A human identity represents an employee or member of your organization, such as a security administrator, operations and maintenance (O&M) staff, or developer. The core principles for managing human identities are centralization, fine-grained control, and multilayered protection.

1. Avoid using your Alibaba Cloud account for daily O&M

  • Best practice: An Alibaba Cloud account is like the root user in Linux. It has full permissions and is not suitable for daily use. Follow these best practices:

    1. Create a RAM user with administrator privileges specifically for daily management and technical operations.

    2. Use your Alibaba Cloud account only when absolutely necessary. Securely store its password and related credentials, such as multi-factor authentication (MFA) credentials.

    3. Perform all daily operations using the RAM administrator user. This prevents exposing your Alibaba Cloud account in daily work environments.

  • Recommended actions:

    • Create individual RAM users: First, create a RAM user with administrator permissions. For more information, see Create a RAM user as an administrator. Then, create an individual RAM user for each member of your organization. For more information, see Create and authorize a RAM user.

    • Enable MFA for your Alibaba Cloud account: Complete the security hardening for your Alibaba Cloud account by following the instructions in Configure MFA for an account. Use the account only when necessary and securely store its password and MFA credentials.

2. Establish a more secure logon mechanism

  • Best practice: For human identities, it is critical to protect usernames and passwords. You can improve logon security in several ways. Complex passwords, regular rotation, and MFA significantly increase the difficulty of cracking password credentials.

  • Operations guide for RAM features:

    • Increase password complexity: Set a password policy for RAM users to increase the security of their passwords. You can configure the minimum length, complexity requirements, expiration period (such as a maximum of 90 days), and the number of logon retries.

    • Enforce MFA for RAM users: MFA provides a strong, second layer of defense in addition to a password. It can effectively block unauthorized logons even if a password is leaked. You can require all RAM users under your account to Use MFA For Logon. For more information, see Manage security settings for a RAM user.

3. Implement unified identity authentication (SSO)

  • Best practice: Use single sign-on (SSO) to delegate identity authentication to a unified corporate identity provider (IdP). This avoids maintaining a separate password system in the cloud. Additionally, employee onboarding, offboarding, and permission changes can all be managed in the IdP. This centralizes identity lifecycle management.

  • Recommended action: Use the SSO management feature of RAM to federate your corporate IdP, such as Active Directory or Okta, with Alibaba Cloud's identity system based on the Security Assertion Markup Language (SAML) 2.0 or OpenID Connect (OIDC) protocol. Based on your environment and logon needs, configure user-based SSO or role-based SSO.

    Note

    If your organization uses a resource directory (RD) to manage multiple Alibaba Cloud accounts, you can use CloudSSO to implement unified identity and access management across accounts.

Best practices for programmatic identities

A programmatic identity represents an application or service that accesses cloud resources and data non-interactively through an API. Programmatic identities are suitable for scenarios such as automated scripts, application development, and service integration. The core management principle is to stop using permanent credentials and use only temporary credentials with a limited validity period.

1. Prioritize using temporary credentials (STS tokens)

  • Best practice: A permanent AccessKey is valid forever until it is manually deleted. If an AccessKey is leaked, the threat is persistent. In contrast, a temporary Security Token Service (STS) token obtained by assuming a RAM Role automatically expires after the role's maximum session duration (measured in hours). Even if an STS token is accidentally leaked, the time window for exploitation is extremely small.

  • Recommended action: Use an AccessKey-free solution, such as ECS instance role assumption, container instance role assumption, or Function Compute role assumption, to obtain an STS token. This approach completely avoids exposing AccessKeys. For more information, see Best practices for using access credentials to access Alibaba Cloud OpenAPI.
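The expiry handling described above, as an added example that is not Alibaba Cloud SDK code: a small credential provider that caches an STS token and re-fetches it shortly before the role's session ends. It assumes a fetch function returning a credential document in the shape an instance-role metadata endpoint serves (AccessKeyId, AccessKeySecret, SecurityToken and an RFC 3339 UTC Expiration); the fetch used here is a constructed stub with a fake clock so the example runs offline and shows why a leaked token is only usable for the length of one session.

```python
"""Caching provider for temporary STS credentials (added example, not Alibaba
Cloud SDK code). It assumes a fetch function that returns a credential
document in the shape an instance-role metadata endpoint serves:
AccessKeyId, AccessKeySecret, SecurityToken and an RFC 3339 UTC Expiration.
The fetch used here is a constructed stub so the example runs offline."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Refresh well before expiry so a request is never signed with a token that
# expires while it is in flight.
REFRESH_MARGIN = timedelta(minutes=10)
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class StsCredential:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime  # timezone-aware UTC

    def expires_within(self, margin: timedelta, now: datetime) -> bool:
        return self.expiration - now <= margin


def parse_credential(raw: Dict[str, str]) -> StsCredential:
    """Parse the metadata-style document; Expiration looks like 2025-11-19T10:00:00Z."""
    expiration = datetime.strptime(raw["Expiration"], TIME_FORMAT).replace(tzinfo=timezone.utc)
    return StsCredential(raw["AccessKeyId"], raw["AccessKeySecret"],
                         raw["SecurityToken"], expiration)


class StsCredentialProvider:
    """Hands out a cached STS credential and re-fetches it near expiry."""

    def __init__(self, fetch: Callable[[], Dict[str, str]],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._fetch = fetch
        self._clock = clock
        self._cached: Optional[StsCredential] = None
        self.fetch_count = 0

    def get(self) -> StsCredential:
        now = self._clock()
        if self._cached is None or self._cached.expires_within(REFRESH_MARGIN, now):
            fresh = parse_credential(self._fetch())
            if fresh.expiration <= now:
                raise RuntimeError("endpoint returned an already-expired credential")
            self._cached = fresh
            self.fetch_count += 1
        return self._cached


class FakeClock:
    """Constructed clock so the scenario below is deterministic."""
    def __init__(self, start: datetime):
        self.now = start
    def __call__(self) -> datetime:
        return self.now
    def advance(self, minutes: int) -> None:
        self.now += timedelta(minutes=minutes)


def make_stub_fetch(clock: Callable[[], datetime], session_minutes: int = 60):
    """Constructed stand-in for the metadata endpoint: every call issues a new
    token that expires session_minutes after the clock's current time."""
    issued = {"n": 0}
    def fetch() -> Dict[str, str]:
        issued["n"] += 1
        expiration = clock() + timedelta(minutes=session_minutes)
        return {
            "AccessKeyId": f"STS.constructed{issued['n']}",  # constructed value
            "AccessKeySecret": "constructed-secret",
            "SecurityToken": f"constructed-token-{issued['n']}",
            "Expiration": expiration.strftime(TIME_FORMAT),
        }
    return fetch


def demo() -> Dict[str, object]:
    """Walk a one-hour session: the first call fetches, a call at 30 min reuses
    the cache, a call at 55 min is inside the margin and rotates the token."""
    start = datetime(2025, 11, 19, 9, 0, tzinfo=timezone.utc)
    clock = FakeClock(start)
    provider = StsCredentialProvider(make_stub_fetch(clock), clock)
    first = provider.get()
    clock.advance(30)
    second = provider.get()
    clock.advance(25)
    third = provider.get()
    return {
        "fetches": provider.fetch_count,
        "reused_at_30min": first is second,
        "rotated_at_55min": third.security_token != first.security_token,
        # Even a leaked token is only usable for this long.
        "exposure_window_minutes": int((first.expiration - start).total_seconds() // 60),
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the stub fetch is replaced by the SDK's instance-role credential chain; the point of the provider is that callers never hold a long-lived secret, and that the refresh margin keeps in-flight requests from failing on an expiring token.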

2. Securely store and use AccessKeys when they are unavoidable

  • Best practice: In scenarios where you cannot use an STS token, such as for local development and debugging, you may have to use a permanent AccessKey. In this case, avoid using the AccessKey of your Alibaba Cloud account. Ensure that each AccessKey is used for only one application in one environment, and rotate it regularly.

  • Recommended actions:

    • Avoid using the AccessKey of an Alibaba Cloud account: In scenarios where you must use an AccessKey, we recommend that you use the AccessKey of a RAM user with appropriate permissions instead.

    • Avoid sharing AccessKeys: Create separate RAM Users and dedicated AccessKeys for each application and environment (development, testing, and production). For more information, see Create an AccessKey.

    • Grant least privilege: Grant a least privilege policy to the AccessKey associated with the RAM User for the specific scenario. Periodically detect over-privileged permissions and manage policy grants as needed.

    • Do not hard-code credentials: Never write an AccessKey in plaintext in a code repository. Instead, manage the AccessKey by configuring system environment variables or using KMS credential management.

    • Access restriction: Configure a network access policy to restrict access for the AccessKey to specific IP addresses. For more information, see AccessKey Network Access Restriction Policy.

    • Promptly disable and revoke idle AccessKeys: Set the maximum idle period for an AccessKey to a value less than 365 days. A period of 90 days is recommended. For more information, see Manage RAM user security settings.

    • Monitor and audit: Use ActionTrail to monitor AccessKey usage and promptly detect abnormal behavior.
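Three of the actions above (no hard-coded credentials, an idle limit of 90 days, and periodic review) lend themselves to automation; the following is an added example and not Alibaba Cloud's own tooling. It assumes credentials are read from the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET, that the key inventory has the shape of ListAccessKeys output joined with the LastUsedDate from GetAccessKeyLastUsed, and that AccessKey IDs start with the prefix LTAI (which the repository scan relies on); the inventory, key IDs and dates are constructed.

```python
"""AccessKey hygiene checks (added example, not Alibaba Cloud's code).
Assumptions: credentials are read from the environment variables
ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET; the key
inventory is a constructed list in the shape of ListAccessKeys output joined
with GetAccessKeyLastUsed (LastUsedDate); AccessKey IDs begin with the prefix
"LTAI", which the secret-scanning regex relies on."""
import os
import re
from datetime import datetime, timezone
from typing import Dict, List, Mapping, Optional, Tuple

MAX_IDLE_DAYS = 90  # the recommended idle limit from the guide
DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed AccessKey ID shape; adjust the length to what your scanner sees.
ACCESS_KEY_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,24}\b")


def load_credentials(env: Mapping[str, str] = os.environ) -> Tuple[str, str]:
    """Read the AccessKey from the environment; never fall back to a literal."""
    key_id = env.get("ALIBABA_CLOUD_ACCESS_KEY_ID")
    secret = env.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
    if not key_id or not secret:
        raise RuntimeError("AccessKey not present in environment; refusing to run")
    return key_id, secret


def find_hardcoded_key_ids(source: str) -> List[Tuple[int, str]]:
    """Return (line number, match) for anything that looks like an AccessKey ID,
    for use as a pre-commit or CI check on a repository."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            hits.append((number, match.group(0)))
    return hits


def _parse(ts: Optional[str]) -> Optional[datetime]:
    return None if not ts else datetime.strptime(ts, DATE_FORMAT).replace(tzinfo=timezone.utc)


def audit_access_keys(inventory: List[Dict[str, Optional[str]]], now: datetime,
                      max_idle_days: int = MAX_IDLE_DAYS) -> List[Dict[str, str]]:
    """Flag keys to disable or delete. A key that was never used counts as idle
    since its creation date; a key that is already inactive is a deletion candidate."""
    findings = []
    for rec in inventory:
        if rec["Status"] != "Active":
            findings.append({"user": rec["UserName"], "key": rec["AccessKeyId"],
                             "action": "delete", "reason": "already inactive"})
            continue
        last = _parse(rec.get("LastUsedDate")) or _parse(rec["CreateDate"])
        idle_days = (now - last).days
        if idle_days > max_idle_days:
            findings.append({"user": rec["UserName"], "key": rec["AccessKeyId"],
                             "action": "disable",
                             "reason": f"idle for {idle_days} days (limit {max_idle_days})"})
    return findings


# Constructed inventory; user names, key IDs and dates are made up.
SAMPLE_INVENTORY = [
    {"UserName": "app-prod", "AccessKeyId": "LTAIconstructed000000001", "Status": "Active",
     "CreateDate": "2025-01-10T08:00:00Z", "LastUsedDate": "2025-11-18T07:30:00Z"},
    {"UserName": "app-staging", "AccessKeyId": "LTAIconstructed000000002", "Status": "Active",
     "CreateDate": "2025-03-01T08:00:00Z", "LastUsedDate": "2025-06-01T09:00:00Z"},
    {"UserName": "ci-legacy", "AccessKeyId": "LTAIconstructed000000003", "Status": "Active",
     "CreateDate": "2025-02-01T08:00:00Z", "LastUsedDate": None},
    {"UserName": "ci-legacy", "AccessKeyId": "LTAIconstructed000000004", "Status": "Inactive",
     "CreateDate": "2024-06-01T08:00:00Z", "LastUsedDate": "2024-12-01T08:00:00Z"},
]

NOW = datetime(2025, 11, 19, 0, 0, tzinfo=timezone.utc)  # constructed "today"

if __name__ == "__main__":
    for finding in audit_access_keys(SAMPLE_INVENTORY, NOW):
        print(finding)
```

Run against the sample inventory, the audit leaves the actively used production key alone, flags the staging key and the never-used CI key for disabling, and lists the already-inactive key for deletion; the scanner function is the kind of check that belongs in a pre-commit hook so a literal key never reaches the repository in the first place.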

Best practices for permission management

Permissions are the core of security. They define "who" can perform "what" operations on "which" resources. The core management principles are "least privilege" and "separation of duties".

1. Grant least privilege access

  • Best practice: Grant an identity only the minimum permissions required to complete its intended tasks. This minimizes the potential impact if credentials are stolen.

  • Recommended actions:

    • Use custom policies: In non-administrator scenarios, avoid using broad system policies, such as Administrator. Instead, create custom permission policies for fine-grained authorization. In the policy, clearly specify the resources (Resource), operations (Action/NotAction), and conditions (Condition).

    • Review permissions regularly: Periodically detect over-privileged permissions and manage policy grants as needed.
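A broad policy beside a scoped one, and a linter for the periodic review, as an added example that is not Alibaba Cloud tooling. The policy document structure (Version, Statement, Effect, Action, Resource, Condition) and the acs:SourceIp condition key are RAM's own; the bucket name, CIDR and the linter's rules are constructed for the example.

```python
"""Least-privilege linter for RAM permission policies (added example, not
Alibaba Cloud tooling). BROAD_POLICY mirrors an Administrator-style grant;
SCOPED_POLICY limits one application to read access on one OSS bucket from
one network. Bucket name and CIDR are made up; the document structure and the
acs:SourceIp condition key are RAM's own."""
import json
from typing import Any, Dict, List

BROAD_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

SCOPED_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:GetObject", "oss:ListObjects"],
      "Resource": ["acs:oss:*:*:example-app-logs", "acs:oss:*:*:example-app-logs/*"],
      "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}
    }
  ]
}
""")


def _as_list(value: Any) -> List[str]:
    # RAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per over-broad Allow statement; an empty list means clean."""
    findings: List[str] = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        tag = f"statement {index}"
        if "NotAction" in stmt:
            findings.append(f"{tag}: NotAction allows every action except those listed; "
                            "prefer an explicit Action list")
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "*:*"):
                findings.append(f"{tag}: Action {action!r} allows every operation of every service")
            elif action.endswith(":*"):
                findings.append(f"{tag}: Action {action!r} allows every operation of that service")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{tag}: Resource '*' applies to every resource in the account")
        if "Condition" not in stmt:
            findings.append(f"{tag}: no Condition; consider restricting by source IP, MFA or time")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy) or "clean")
```

The linter is deliberately strict about a missing Condition; teams that do not use conditions for read-only statements can drop that rule, but wildcard actions and resources in an Allow statement should always be treated as findings during review.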

2. Simplify permission management with RAM user groups

  • Best practice: Attach permissions to user groups based on job responsibilities. To change what a single RAM user may do, move the user between RAM user groups instead of editing the policies attached to that user. This approach improves management efficiency and keeps permissions consistent for everyone in the same role.

  • Recommended actions:

    1. Create RAM user groups: Create RAM user groups based on job roles within your organization, such as groups for network administrators or application developers.

    2. Configure permission policies: Grant permissions to RAM user groups based on job responsibilities, instead of attaching policies directly to RAM Users.

3. Set permission boundaries in a multi-account environment

  • Best practice: For organizations with multiple Alibaba Cloud accounts, use control policies in a Resource Directory to limit the permission scope of RAM identities within member accounts.

  • Recommended action: When Resource Directory is enabled, a request from a RAM user or RAM role in a member account is first checked against the control policies that apply to that account and only then against the RAM permissions within the account, so a control policy caps what any identity in the account can do. For more information, see Control Policy. Before you attach a control policy broadly, run a small-scale test to verify that the policy takes effect and works as expected. Then attach the policy to all target nodes, such as folders or member accounts.
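The two-layer check described above, as an added example that is not Alibaba Cloud's evaluation engine: a request must pass the control policies attached to the member account before its RAM policies are consulted, and at each layer an explicit Deny wins, an Allow is needed, and anything unmatched is denied by default. The control policies, the RAM policies and the resource identifiers are constructed (the control layer here allows everything but forbids disabling audit logging); the ActionTrail action names are assumptions, and Condition and NotAction evaluation are omitted.

```python
"""Two-layer permission check for a member account in a Resource Directory
(added example, not Alibaba Cloud's evaluation engine). Control policies are
evaluated before the identity's RAM policies and both must allow the request.
Explicit Deny wins over Allow at each layer; unmatched requests are denied by
default; Condition and NotAction are not modelled. Policies and resource
identifiers below are constructed; the ActionTrail action names are assumed."""
import fnmatch
from typing import Any, Dict, List

# Control-policy layer (constructed): allow everything, but forbid every
# identity in the member account from disabling audit logging.
CONTROL_POLICIES = [
    {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Version": "1", "Statement": [
        {"Effect": "Deny",
         "Action": ["actiontrail:DeleteTrail", "actiontrail:StopLogging"],  # assumed names
         "Resource": "*"}
    ]},
]

# RAM layer (constructed): an administrator and a read-only ECS operator.
ADMIN_RAM_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
]}
READONLY_RAM_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:Describe*"], "Resource": "*"}
]}


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # RAM wildcards: '*' matches any run of characters, '?' a single one.
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies: List[Dict[str, Any]], action: str, resource: str) -> str:
    """Evaluate one layer: 'Deny' if any matching statement denies, 'Allow' if
    one allows and none denies, otherwise 'DefaultDeny'."""
    decision = "DefaultDeny"
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_permitted(control_policies: List[Dict[str, Any]], ram_policies: List[Dict[str, Any]],
                 action: str, resource: str) -> Dict[str, Any]:
    """Control policies first; RAM policies are consulted only if that layer allows."""
    control = evaluate(control_policies, action, resource)
    if control != "Allow":
        return {"permitted": False, "decided_by": "control policy", "decision": control}
    ram = evaluate(ram_policies, action, resource)
    return {"permitted": ram == "Allow", "decided_by": "RAM policy", "decision": ram}


def demo() -> Dict[str, Dict[str, Any]]:
    # Constructed resource identifiers; the account ID is a placeholder.
    trail = "acs:actiontrail:cn-hangzhou:1234567890123456:trail/constructed-trail"
    instance = "acs:ecs:cn-hangzhou:1234567890123456:instance/i-constructed"
    return {
        # Administrator in the member account, still blocked by the guardrail.
        "admin_delete_trail": is_permitted(CONTROL_POLICIES, [ADMIN_RAM_POLICY],
                                           "actiontrail:DeleteTrail", trail),
        "admin_describe_instances": is_permitted(CONTROL_POLICIES, [ADMIN_RAM_POLICY],
                                                 "ecs:DescribeInstances", instance),
        # Control layer allows, but the read-only RAM policy does not.
        "readonly_delete_instance": is_permitted(CONTROL_POLICIES, [READONLY_RAM_POLICY],
                                                 "ecs:DeleteInstance", instance),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The first case is the one the guide is about: the administrator's own RAM policy allows everything, yet the request never reaches that layer because the control policy denies it first. Testing a candidate control policy against a table of such requests before attaching it to a folder is the small-scale check the guide recommends.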

References

  1. For information about the basic concepts of RAM, see What is Resource Access Management?

  2. Well-Architected: / Identity management