You can modify the security settings of Resource Access Management (RAM) users, including the settings for global security, multi-factor authentication (MFA), and network access control, to improve the account security of RAM users. The security settings of RAM users take effect on all RAM users.
Global security settings
Log on to the RAM console as a RAM user who has administrative rights.
In the Security section of the Settings page, click Modify. In the panel that appears, configure the global security parameters. The following table describes the parameters.
Parameter
Description
Allow users to manage password
Specifies whether to allow RAM users to manage their passwords. If you select Enable, RAM users are allowed to manage their passwords.
Allow users to manage MFA devices
Specifies whether to allow RAM users to bind MFA devices to or unbind MFA devices from their accounts. If you select Enable, RAM users are allowed to bind MFA devices to or unbind MFA devices from their accounts.
Allow users to manage AccessKey
Specifies whether to allow RAM users to manage their AccessKey pairs. If you select Enable, RAM users are allowed to manage their AccessKey pairs.
Login session duration
Specifies the validity period of logon sessions of RAM users. Unit: hours. Valid values: 1 to 24. Default value: 6.
NoteIf you assume a RAM role or use single sign-on (SSO) to log on to the Alibaba Cloud Management Console, the validity period of your session is no greater than the value of the Login session duration parameter. For more information, see Assume a RAM role and SAML response for role-based SSO.
Allow to keep login session for a long time
Specifies whether to allow RAM users to keep logged on to the Alibaba Cloud app and Alibaba Cloud Client for up to 90 days. If you select Enable, RAM users are allowed to keep logged on to the Alibaba Cloud app and Alibaba Cloud Client for up to 90 days.
NoteIf the Alibaba Cloud security platform identifies an unusual logon, the logon status becomes invalid and the RAM users are required to log on again.
Allow users to login with passkey
Specifies whether RAM users can use passkeys to log on to the Alibaba Cloud Management Console. If you select Enable, RAM users can use passkeys for logon. For more information, see What is a passkey?
Click OK.
MFA settings
Log on to the RAM console as a RAM user who has administrative rights.
In the MFA section of the Settings page, click Modify. In the panel that appears, configure the MFA parameters. The following table describes the parameters.
Parameter
Description
Allowed MFA devices
Specifies the MFA methods for RAM users to implement two-step authentication when RAM users perform console logon and sensitive operations. Valid values:
MFA Devices: A virtual MFA device is used for MFA. This option is selected by default, and you cannot clear the option.
Passkey: A passkey is used for MFA. This option is selected by default, and you cannot clear the option.
MFA for RAM user sign-in
Specifies whether MFA is required for all RAM users when they log on to the Alibaba Cloud Management Console by using usernames and passwords. Valid values:
Force all users: specifies that MFA is required for all RAM users.
NoteIf you select Force all users for the MFA for RAM user sign-in parameter, MFA for sensitive operations is enabled for all RAM users. If a RAM user wants to perform a sensitive operation in the Alibaba Cloud Management Console, risk control is triggered and the RAM user is required to pass MFA. For more information, see MFA for sensitive operations.
Depend on each user: specifies that user-specific settings are applied. For more information, see Manage console logon settings for a RAM user.
Only when sign-in abnormally: specifies that MFA is required only in scenarios in which a logon is initiated from a different location or device other than the usual logon locations or devices.
NoteIf you set the MFA for RAM user sign-in parameter to Only when sign-in abnormally and you use the condition key
acs:MFAPresentin a policy, MFA is not required for RAM users who initiate usual logons. The verification result for the condition key is failed. If you want the condition key to take effect, we recommend that you set the MFA for RAM user sign-in parameter to Depend on each user.
Allow to remember MFA validation for 7 days
Specifies whether to allow the current logged-on device to remember the MFA status of a RAM user for seven days. If you select Enable, the current logged-on device is allowed to remember the MFA status of a RAM user for seven days. Within seven days after logon, MFA is not required for the RAM user. However, if the RAM user logs out of the current device, MFA is required for the next logon.
Click OK.
Settings for network access control
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, click Settings. In the Network Access Control section, configure the Allowed network address while sign-in and Allowed source network address while calling APIs by AccessKey parameters.
Parameter
Description
Allowed network address while sign-in
Specifies the IP addresses that can be used to log on to the Alibaba Cloud Management Console by using usernames and passwords or SSO. If you set the parameter to Disabled, all IP addresses can be used to log on to the Alibaba Cloud Management Console. You can specify up to 40 IP addresses.
Allowed source network address while calling APIs by AccessKey
Specifies the IP addresses that can be used to call Alibaba Cloud API operations by using AccessKey pairs.
This parameter is used to configure account-level AccessKey pair-based policies for network access control. Account-level AccessKey pair-based policies for network access control take effect on all AccessKey pairs of an Alibaba Cloud account, including the AccessKey pairs of the Alibaba Cloud account and the AccessKey pairs of the RAM users that belong to the Alibaba Cloud account. If you set the parameter to Disabled, no network access control is implemented over all AccessKey pairs. You can also configure an AccessKey pair-level policy for network access control for a single AccessKey pair. An AccessKey pair-level policy for network access control has a higher priority than an account-level AccessKey pair-based policy.
For more information, see Configure AccessKey pair-based policies for network access control.
Click OK.