This topic describes how to use your Alibaba Cloud account to configure security policies for RAM users.


  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Settings.
  3. On the Security Settings tab, click Modify RAM User Security Settings.
  4. In the Modify RAM User Security Settings panel, configure the parameters.
    • Remember MFA for Seven Days: specifies whether to allow RAM users to remember the multi-factor authentication (MFA) devices for seven days.
    • Manage Passwords: specifies whether to allow RAM users to change their passwords.
    • Manage AccessKey Pairs: specifies whether to allow RAM users to manage their AccessKey pairs.
    • Manage MFA Devices: specifies whether to allow RAM users to enable and disable MFA devices.
    • MFA for RAM User Logons: specifies whether MFA is required for all RAM users when the RAM users use usernames and passwords to log on to the Alibaba Cloud Management Console.
      • Enable for All Users: specifies that MFA is required for all RAM users.
        Note: If you select Enable for All Users for the MFA for RAM User Logons parameter, MFA for sensitive operations is enabled for all RAM users. If a RAM user wants to perform a sensitive operation in the Alibaba Cloud Management Console, risk control is triggered and the RAM user is required to pass MFA again. For more information, see MFA for sensitive operations.
      • Apply User-specific Configuration: specifies that user-specific settings are applied. For more information, see Manage console logon settings for a RAM user.
    • Logon Session Validity Period: specifies the validity period of a logon session. The validity period is measured in hours. Valid values: 1 to 24. Default value: 6.
      Note: If you assume a RAM role or use single sign-on (SSO) to log on to the Alibaba Cloud Management Console, the validity period of your session is no greater than the value of the Logon Session Validity Period parameter. For more information, see Assume a RAM role and SAML response for role-based SSO.
    • Logon Address Mask: specifies the IP addresses from which you can log on to the Alibaba Cloud Management Console by using a password or SSO. By default, this parameter is left empty, which indicates that logon from all IP addresses is allowed. If you enter IP addresses in this field, console logons, including password-based and SSO-based logons, are allowed only from these IP addresses. However, API calls that are initiated by using AccessKey pairs are not limited by this setting. You can click Add to enter up to 25 IP addresses.
  5. Click OK.
    Note: The settings take effect on all the RAM users of your Alibaba Cloud account.
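
The following added example, which is not Alibaba Cloud code, reviews a planned set of values for the parameters above before they are entered in the console and evaluates whether a source address would pass the Logon Address Mask. The dictionary key names and setting values are hypothetical, and accepting CIDR blocks as mask entries in addition to single addresses is an assumption.

```python
import ipaddress

MAX_MASK_ENTRIES = 25         # page: up to 25 IP addresses
SESSION_HOURS = range(1, 25)  # page: valid values 1 to 24

def parse_mask(entries):
    """Parse mask entries; ValueError on a malformed entry or more than 25."""
    if len(entries) > MAX_MASK_ENTRIES:
        raise ValueError(f"{len(entries)} entries, limit is {MAX_MASK_ENTRIES}")
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def console_logon_allowed(source_ip, entries):
    """Console logon decision only; AccessKey API calls are not covered by the mask."""
    nets = parse_mask(entries)
    if not nets:              # empty mask: logon from all IP addresses is allowed
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in nets)

def review(settings):
    """Return findings for a settings dict whose key names are hypothetical."""
    findings = []
    hours = settings.get("session_validity_hours", 6)   # page default: 6
    if hours not in SESSION_HOURS:
        findings.append(f"session validity {hours}h is outside 1-24")
    try:
        if not parse_mask(settings.get("logon_address_mask", [])):
            findings.append("mask is empty: console logon allowed from all IP addresses")
    except ValueError as exc:
        findings.append(f"mask rejected: {exc}")
    if settings.get("mfa_for_logons") != "enable_for_all_users":
        findings.append("MFA is not required for all RAM users")
    if settings.get("remember_mfa_seven_days", False):
        findings.append("RAM users may remember MFA devices for seven days")
    return findings

# Constructed sample values (documentation address ranges), not from a real account.
WEAK = {"session_validity_hours": 48, "logon_address_mask": [],
        "mfa_for_logons": "apply_user_specific_configuration",
        "remember_mfa_seven_days": True}
STRICT = {"session_validity_hours": 6,
          "logon_address_mask": ["203.0.113.0/24", "192.0.2.5"],
          "mfa_for_logons": "enable_for_all_users",
          "remember_mfa_seven_days": False}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(name, review(cfg) or "no findings")
    print(console_logon_allowed("198.51.100.7", STRICT["logon_address_mask"]))
```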