This topic describes how to use your Alibaba Cloud account to configure security policies for Resource Access Management (RAM) users.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Settings.
  3. On the Security Settings tab, click Modify RAM User Security Settings.
  4. In the Modify RAM User Security Settings panel, configure the parameters.
    • Remember MFA for Seven Days: specifies whether to allow RAM users to remember the multi-factor authentication (MFA) devices for seven days.
    • Manage Passwords: specifies whether to allow RAM users to change their passwords.
    • Manage AccessKey Pairs: specifies whether to allow RAM users to manage their AccessKey pairs.
    • Manage MFA Devices: specifies whether to allow RAM users to enable and disable MFA devices.
    • MFA for RAM User Logons: specifies whether MFA is required for all RAM users when the RAM users use usernames and passwords to log on to the Alibaba Cloud Management Console. If you set this parameter to Apply User-specific Configuration, user-specific settings are applied.
      Note: If you select Enable for All Users for the MFA for RAM User Logons parameter, MFA for sensitive operations is enabled for all RAM users. If a RAM user wants to perform a sensitive operation in the Alibaba Cloud Management Console, risk control is triggered and the RAM user is required to pass MFA again. For more information, see MFA for sensitive operations.
    • Manage DingTalk: specifies whether RAM users can bind or unbind their DingTalk accounts.
    • Logon Session Validity Period: specifies the validity period of a logon session. The validity period is measured in hours. Valid values: 1 to 24. Default value: 6.
      Note: If you assume a RAM role or use single sign-on (SSO) to log on to the Alibaba Cloud Management Console, the validity period of your session is no greater than the value of the Logon Session Validity Period parameter. For more information, see Assume a RAM role and SAML response for role-based SSO.
    • Logon Address Mask: specifies the IP addresses from which you can log on to the Alibaba Cloud Management Console by using a password or SSO. By default, this parameter is left empty, which indicates that logon from all IP addresses is allowed. If you enter IP addresses in this field, console logons, including password-based and SSO-based logons, are allowed only from these IP addresses. However, API calls that are initiated by using AccessKey pairs are not restricted by this setting. You can enter up to 25 IP addresses. If you enter more than one IP address, separate the IP addresses with semicolons (;). The total length of the IP addresses can be a maximum of 512 characters.
  5. Click OK.
    Note: The settings take effect on all the RAM users of your Alibaba Cloud account.
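
The following pre-flight check for the Logon Address Mask and Logon Session Validity Period values is an added example, not part of the original topic or Alibaba Cloud's own tooling. It assumes that each mask entry is a single address or a CIDR block and that the 512-character limit counts the semicolons; the function names and sample values are constructed for illustration.

```python
import ipaddress

MAX_ENTRIES = 25              # page: up to 25 IP addresses
MAX_LENGTH = 512              # page: at most 512 characters in total
SESSION_HOURS = range(1, 25)  # page: valid values 1 to 24


def parse_mask(mask):
    """Split a Logon Address Mask value; return (networks, errors)."""
    if mask == "":
        return [], []  # empty: logon from all IP addresses is allowed
    errors = []
    # Assumption: the 512-character limit counts the separators too.
    if len(mask) > MAX_LENGTH:
        errors.append(f"{len(mask)} characters, limit is {MAX_LENGTH}")
    entries = mask.split(";")
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries, limit is {MAX_ENTRIES}")
    networks = []
    for entry in entries:
        try:
            # Assumption: an entry is one address or a CIDR block.
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            errors.append(f"not an IP address: {entry!r}")
    return networks, errors


def console_logon_allowed(mask, source_ip):
    """True if a console logon (password or SSO) from source_ip passes the mask."""
    networks, errors = parse_mask(mask)
    if errors:
        raise ValueError("; ".join(errors))
    addr = ipaddress.ip_address(source_ip)
    return not networks or any(addr in net for net in networks)


def review_settings(mask, session_hours):
    """Return findings for a proposed mask and Logon Session Validity Period."""
    _, findings = parse_mask(mask)
    if session_hours not in SESSION_HOURS:
        findings.append(f"session validity {session_hours}h is outside 1 to 24")
    if mask == "":
        findings.append("mask is empty: console logon allowed from all IP addresses")
    return findings


# Constructed sample values (documentation address ranges).
SAMPLE_MASK = "203.0.113.10;198.51.100.0/24"
if __name__ == "__main__":
    print(console_logon_allowed(SAMPLE_MASK, "198.51.100.7"))
    print(review_settings("", 48))
```

The check covers console logons only; as the parameter description states, API calls made with AccessKey pairs are not limited by the mask.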