Resource Access Management: Manage security settings of RAM users

Last Updated: Aug 30, 2023

An Alibaba Cloud account or a Resource Access Management (RAM) user that has administrative rights can manage security settings of RAM users to improve the security of the RAM users. Security settings are global settings, which take effect on all RAM users.

Procedure

  1. Log on to the RAM console with your Alibaba Cloud account or as a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Settings.

  3. In the RAM User Security section of the Security Settings tab, click Modify RAM User Security Settings.

  4. In the Modify RAM User Security Settings panel, configure the parameters.

    • Remember MFA for Seven Days: specifies whether to allow RAM users to remember the multi-factor authentication (MFA) devices for seven days.

    • Manage Passwords: specifies whether to allow RAM users to change their passwords.

    • Manage AccessKey Pairs: specifies whether to allow RAM users to manage their AccessKey pairs.

    • Manage MFA Devices: specifies whether to allow RAM users to enable and disable MFA devices.

    • MFA for RAM User Logons: specifies whether MFA is required for all RAM users when the RAM users use usernames and passwords to log on to the Alibaba Cloud Management Console.

      • Enable for All Users: specifies that MFA is required for all RAM users.

        Note

        If you select Enable for All Users for the MFA for RAM User Logons parameter, MFA for sensitive operations is enabled for all RAM users. If a RAM user wants to perform a sensitive operation in the Alibaba Cloud Management Console, risk control is triggered and the RAM user is required to pass MFA again. For more information, see MFA for sensitive operations.

      • Apply User-specific Configuration: specifies that user-specific settings are applied. For more information, see Manage console logon settings for a RAM user.

    • Keep Logged On to Alibaba Cloud App: specifies whether to allow RAM users to stay logged on to the Alibaba Cloud app for a long period of time.

    • Logon Session Validity Period: specifies the validity period of a logon session. The validity period is measured in hours. Valid values: 1 to 24. Default value: 6.

      Note

      If you assume a RAM role or use single sign-on (SSO) to log on to the Alibaba Cloud Management Console, the validity period of your session is no greater than the value of the Logon Session Validity Period parameter. For more information, see Assume a RAM role and SAML response for role-based SSO.

    • Logon Address Mask: specifies the IP addresses from which you can log on to the Alibaba Cloud Management Console by using a password or SSO. By default, this parameter is left empty, which indicates that logon from all IP addresses is allowed. If you enter IP addresses in this field, console logons, including password-based and SSO-based logons, are limited to these IP addresses. However, API calls that are initiated by using AccessKey pairs are not limited by this parameter. You can click Add to enter up to 40 IP addresses.

  5. Click OK.
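
Before clicking OK, a planned change can be checked against the limits in step 4. The following is an added example, not Alibaba Cloud code: the dict keyed by console parameter names is a hypothetical record rather than an API payload, acceptance of CIDR blocks in the mask is an assumption, and the sample addresses are constructed documentation ranges.

```python
import ipaddress

SESSION_HOURS = (1, 24)   # valid range stated on this page (default 6)
MAX_MASK_ENTRIES = 40     # limit stated on this page

def review_settings(settings, admin_ip=None):
    """Return findings for a planned change; `settings` is a hypothetical
    dict keyed by console parameter names, not an API payload."""
    findings = []
    hours = settings.get("Logon Session Validity Period", 6)
    if not SESSION_HOURS[0] <= hours <= SESSION_HOURS[1]:
        findings.append(f"invalid: session validity {hours}h is outside 1-24")
    if settings.get("MFA for RAM User Logons") != "Enable for All Users":
        findings.append("review: MFA is not enforced for all RAM users")
    if settings.get("Remember MFA for Seven Days", False):
        findings.append("review: MFA can be remembered for seven days")
    masks = settings.get("Logon Address Mask", [])
    if not masks:
        findings.append("review: empty mask allows console logon from all IP addresses")
    if len(masks) > MAX_MASK_ENTRIES:
        findings.append(f"invalid: {len(masks)} mask entries exceeds {MAX_MASK_ENTRIES}")
    networks = []
    for entry in masks:
        try:
            # Assumption: single addresses and CIDR blocks are both accepted.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            findings.append(f"invalid: {entry!r} is not an IP address or CIDR block")
    # Guard against locking the administrator out of the console.
    if admin_ip and networks:
        addr = ipaddress.ip_address(admin_ip)
        if not any(addr in net for net in networks):
            findings.append(f"lockout: {admin_ip} is not covered by the mask")
    if masks:
        findings.append("note: the mask does not limit API calls made with AccessKey pairs")
    return findings

if __name__ == "__main__":
    planned = {  # constructed sample values
        "Logon Session Validity Period": 48,
        "MFA for RAM User Logons": "Apply User-specific Configuration",
        "Remember MFA for Seven Days": True,
        "Logon Address Mask": ["203.0.113.0/24", "198.51.100.7", "10.0.0.300"],
    }
    for line in review_settings(planned, admin_ip="192.0.2.10"):
        print(line)
```
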