All Products
Search
Document Center

Resource Access Management:Require MFA for accessing cloud resources

Last Updated:May 20, 2026

This topic describes how to use RAM to require multi-factor authentication (MFA) when RAM users access cloud resources, such as ECS.

Prerequisites

  • Before you create a custom policy, make sure you understand the basic elements and syntax of the permission policy language. For more information, see Basic elements of a permission policy and Policy structure and syntax.

  • Download and install the Google Authenticator app on your mobile device. Download the app as follows:

    • For iOS: Search for Google Authenticator in the App Store.

    • For Android: Search for Google Authenticator in your preferred app store.

      Note

      The Google Authenticator app for Android requires a separate barcode scanner to scan QR codes. You must also install a barcode scanner app from your app store.

Step 1: Create a custom policy

  1. Sign in to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

    image

  4. On the Create Policy page, click the JSON Editor tab.

    image

  5. Enter the policy document.

    Example policy: Only RAM users with MFA enabled can access ECS resources in the console. You can implement this by using the Condition element to set the value of acs:MFAPresent to true.

    {
        "Statement": [
            {
                "Action": "ecs:*",
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "acs:MFAPresent": "true"
                    }
                }
            }
        ],
        "Version": "1"
    }
    Note

    The Condition element applies only to the actions specified in this permission policy. You can modify the policy document to restrict access to other cloud resources as needed.

  6. At the top of the page, click Optimize, and then click Perform to perform advanced optimization on the policy.

    This feature performs the following tasks:

    • Splits resources or conditions for incompatible actions.

    • Reduces the resource scope for greater precision.

    • Removes duplicate statements or merges statements.

  7. On the Create Policy page, click OK.

  8. In the Create Policy dialog box, enter a policy name and Description, then click OK.

Step 2: Create a RAM user

  1. Sign in to the RAM console using your Alibaba Cloud account or as a RAM user with administrative permissions (a user to which the AliyunRAMFullAccess policy is attached).

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. On the Create User page, in the User Account Information section, configure the user's basic information.

    • Logon Name (required): The name can contain letters, digits, periods (.), hyphens (-), and underscores (_), and be up to 64 characters long.

    • Display Name (optional): The name can be up to 128 characters long.

    • Tag (optional): Click edit, and then enter a tag key and tag value. Tags help you categorize and manage users.

    Note

    Click Add User to create multiple RAM users in bulk.

  5. In the Access Mode section, select an access mode based on the user type.

    Important
    • As a security best practice, select only one access mode per user. This creates a clear separation between human users who require console access and applications that require programmatic access.

    • If an AccessKey pair is leaked, your account's security is compromised. Prioritize using Security Token Service (STS) tokens, which are temporary credentials, to reduce the risk of leaks. For more information, see Best practices for using access credentials to call Alibaba Cloud APIs.

    Console access

    Select Console Access.

    • Set Logon Password: You can choose to automatically generate a password or set a custom one. A custom password must meet the configured password complexity requirements. For more information, see Set a password policy for RAM users.

    • Password Reset: Select whether the RAM user must reset their password at the next sign-in.

    • Enable MFA: By default, multi-factor authentication (MFA) is required for all users to sign in. To change this setting, see Manage security settings for RAM users. RAM users must bind an MFA device when they first sign in. For more information, see Bind an MFA device.

    Programmatic access

    Select Using permanent AccessKey to access.

    After enabling this option, the system automatically creates an AccessKey ID and an AccessKey secret for the RAM user.

    Important

    A RAM user's AccessKey secret is displayed only during creation and cannot be retrieved later. You must immediately download or copy and save the AccessKey secret. A leaked AccessKey pair severely compromises the security of all resources under your account. For more information, see Create an AccessKey pair.

Step 3: Grant permissions

Grant the custom policy that you created in Step 1 to the RAM user that you created in Step 2.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the target RAM user and click Actions column > Attach Policy.

    You can also select multiple RAM users and click Attach Policy below the user list for batch authorization.

  4. In the Grant Permission panel, configure the following settings:

    • Resource scope:

      • Account level: Permissions apply to all resources in your Alibaba Cloud account.

      • Resource group level: Permissions apply only within the specified resource group. The RAM user must switch to the authorized resource group in the top navigation bar after logging on to the console.

        Note
        1. The system marks high-risk system policies (such as AdministratorAccess and AliyunRAMFullAccess) with a warning indicator. These policies typically grant full control over all cloud resources or full management of RAM. Grant these policies with caution.

        2. For resource group authorization examples, see Control access to ECS instances with resource groups.

    • Principal:

      The principal is the RAM user to receive permissions. When initiated from the Users page, the system auto-selects the current RAM user. When initiated from the Grants page, you must manually select the RAM user. Batch selection is supported.

    • Permission policy:

      • System policy: Search and select directly. Use the search box to filter by product name (e.g., ECS, OSS), access level (e.g., ReadOnly, FullAccess), or full policy name.

      • Custom policy: You must Create a custom policy before you can grant it.

    • (Optional) Description: Enter the authorization reason or scenario for audit purposes.

    • Click Confirm.

  5. Review the authorization result and click Close.

Step 4: Enable MFA

Enable MFA for the RAM user you created in Step 2. For more information, see Bind an MFA device for a RAM user.