Trusted services refer to the Alibaba Cloud services that are integrated with the Resource Directory service. After an Alibaba Cloud service is integrated with Resource Directory, the service can access the information of the related resource directory, such as the members and folders in the resource directory. You can use the management account of your resource directory or a delegated administrator account of a trusted service to manage your business in the trusted service based on your resource directory. This simplifies the unified management of cloud services activated by your enterprise. For example, after Cloud Config is integrated with Resource Directory, you can use the management account of your resource directory to view related information in Cloud Config. The information includes the resources of all members in the resource directory, as well as the configuration history and compliance statuses of the resources. You can also monitor the compliance of resource configurations in Cloud Config.

Use a trusted service

Trusted services can be used by calling API operations or by using their consoles. This section describes how to use a trusted service in its console.

  1. Log on to the Resource Management console by using an Alibaba Cloud account and enable a resource directory. This Alibaba Cloud account is the management account of the resource directory.

    For more information, see Enable a resource directory.

  2. In the Resource Management console, build an organizational structure for your enterprise. You can create members in the resource directory or invite existing Alibaba Cloud accounts to join the resource directory.

    For more information, see Create a folder, Create a member, and Invite an Alibaba Cloud account to join a resource directory.

  3. Optional. In the Resource Management console, specify a member as a delegated administrator account of the trusted service.

    If you do not specify a delegated administrator account for the trusted service, you can use only the management account to manage your business in the trusted service.

    For more information about how to specify a delegated administrator account for a trusted service, see Add a delegated administrator account.

    Note: This step applies only to trusted services that support delegated administrator accounts.

  4. In the console of the trusted service, use the management account or delegated administrator account to enable the multi-account management feature. Then, select the members that you want to manage in a unified manner based on the organizational structure of your resource directory, and manage the operations on the selected members.

    This step varies based on the specific trusted service. For more information, see the References column in the Supported trusted services section.

Supported trusted services

| Trusted service | Description | Support for delegated administrator accounts | References |
|---|---|---|---|
| Cloud Config | After Cloud Config is integrated with Resource Directory, you can use the management account of your resource directory to view related information in Cloud Config. The information includes the resources of all the members in the resource directory, as well as the configuration history and compliance statuses of the resources. You can also monitor the compliance of resource configurations in Cloud Config. | Yes | Account group overview |
| ActionTrail | After ActionTrail is integrated with Resource Directory, you can use the management account of your resource directory to create multi-account trails in ActionTrail. A multi-account trail delivers the events of all members in a resource directory to an Object Storage Service (OSS) bucket or a Log Service Logstore. | Yes | Multi-account trail overview |
| Security Center | After Security Center is integrated with Resource Directory, Security Center provides an interface that displays security risks detected for all the members in your resource directory. | Yes | Use the multi-account control feature |
| Cloud Firewall | After Cloud Firewall is integrated with Resource Directory, you can use Cloud Firewall to centrally manage the public IP addresses of the resources within multiple accounts. You can also configure defense policies for the public IP addresses and view log analysis results in a unified manner. This implements centralized security control. | Yes | Use centralized account management |
| Dynamic Route for CDN (DCDN) | After DCDN is integrated with Resource Directory, DCDN can provide the multi-account management feature and unify the management of domain names that belong to different accounts and products. | No | None |
| CloudMonitor | After CloudMonitor is integrated with Resource Directory, CloudMonitor can monitor the resources within multiple Alibaba Cloud accounts used by your enterprise in a centralized manner. | Yes | Overview of Hybrid Cloud Monitoring |
| CloudSSO | After CloudSSO is integrated with Resource Directory, you can use the management account of your resource directory to centrally manage the accounts of users who use Alibaba Cloud services in your enterprise in CloudSSO. You can configure single sign-on (SSO) between your enterprise identity management system and Alibaba Cloud. In addition, you can configure access permissions for users on the members of your resource directory in a centralized manner. | No | Overview |
| Log Audit Service | After Log Audit Service is integrated with Resource Directory, Log Audit Service can automatically collect the logs of Alibaba Cloud services from multiple accounts, and store, audit, and analyze the logs in a centralized manner. | Yes | Configure multi-account collection |
| Resource Orchestration Service (ROS) | After ROS is integrated with Resource Directory, you can use the management account of your resource directory to deploy the resources that are required by your system within the members of the resource directory. This achieves centralized resource management in a multi-account environment. | Yes | Stack group overview |
| Resource Sharing | After resource sharing is enabled, you can use the management account of your resource directory to share your resources with all members in your resource directory, all members in a specific folder in your resource directory, or a specific member in your resource directory. For members that are newly added to your resource directory, the system automatically grants access permissions on shared resources to the members based on your resource sharing settings. For members that are removed from your resource directory, the system automatically revokes access permissions on shared resources from the members if the members have such permissions. | No | Resource Sharing overview |
| Cloud Governance Center | After Cloud Governance Center is integrated with Resource Directory, you can view the distribution and change status of the resources within the members of your resource directory in the Cloud Governance Center console. You can also configure protection rules for the compliance audit and deliver audit logs for the members in a unified manner. | No | |
| Tag | You can use the management account of your resource directory to enable the Tag Policy feature that is in multi-account mode. Then, you can use tag policies to manage the tag-related operations performed by using a member within the resource directory. | No | Enable the Tag Policy feature that is in multi-account mode |

Enable or disable a trusted service

You can enable or disable a trusted service by using the console or API of the service. For more information, see the documentation of the service.

You can choose Resource Directory > Trusted Services in the left-side navigation pane of the Resource Management console to view the statuses of trusted services. You cannot enable or disable trusted services in the Resource Management console.

When you use some trusted services to perform specific operations, Resource Directory automatically updates the states of the trusted services to Enabled. For example, if you create a multi-account trail in ActionTrail or use a trusted service to view the resources related to Resource Directory for the first time, Resource Directory automatically updates the state of ActionTrail or the trusted service to Enabled.

When you use some trusted services to perform specific operations, Resource Directory automatically updates the states of the trusted services to Disabled. For example, if you disable a feature provided by a trusted service, Resource Directory automatically updates the state of the trusted service to Disabled. If a trusted service is disabled, the service cannot access the members or resources in your resource directory. In addition, the resources that are related to integration with Resource Directory are deleted from the trusted service.
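
Because the Enabled and Disabled states described above change as side effects of operations in the trusted services, comparing a periodic snapshot against an approved baseline helps catch drift. The following Python example is added here and is not Alibaba Cloud code: the snapshot layout, account IDs, and severity labels are constructed for illustration, and the delegated administrator support map is copied from the Supported trusted services table.

```python
# Added example. Snapshot layout, account IDs and severities are constructed.
# Values copied from the "Support for delegated administrator accounts" column.
SUPPORTS_DELEGATED_ADMIN = {
    "Cloud Config": True, "ActionTrail": True, "Security Center": True,
    "Cloud Firewall": True, "DCDN": False, "CloudMonitor": True,
    "CloudSSO": False, "Log Audit Service": True, "ROS": True,
    "Resource Sharing": False, "Cloud Governance Center": False, "Tag": False,
}
EMPTY = {"enabled": False, "delegated_admins": set()}

def audit(baseline, observed):
    """Compare an observed snapshot with the approved baseline.

    Both arguments map service name -> {"enabled": bool, "delegated_admins": set}.
    Returns a list of (severity, service, message), ordered by service name.
    """
    findings = []
    for svc in sorted(set(baseline) | set(observed)):
        want, have = baseline.get(svc, EMPTY), observed.get(svc, EMPTY)
        if have["enabled"] and not want["enabled"]:
            # The state can flip to Enabled as a side effect of first use.
            findings.append(("HIGH", svc, "enabled but not approved"))
        if want["enabled"] and not have["enabled"]:
            # A disabled service loses access to members and its integration resources.
            findings.append(("HIGH", svc, "approved service is disabled"))
        for acct in sorted(have["delegated_admins"] - want["delegated_admins"]):
            findings.append(("HIGH", svc, f"unapproved delegated admin {acct}"))
        if (have["enabled"] and SUPPORTS_DELEGATED_ADMIN.get(svc)
                and not have["delegated_admins"]):
            # Without a delegated administrator, only the management account can manage it.
            findings.append(("INFO", svc, "managed only by the management account"))
    return findings

# Constructed sample data (placeholder account IDs).
BASELINE = {
    "ActionTrail": {"enabled": True, "delegated_admins": {"1000000000000001"}},
    "Cloud Config": {"enabled": True, "delegated_admins": {"1000000000000001"}},
}
OBSERVED = {
    "ActionTrail": {"enabled": False, "delegated_admins": set()},
    "Cloud Config": {"enabled": True,
                     "delegated_admins": {"1000000000000001", "1000000000000002"}},
    "Security Center": {"enabled": True, "delegated_admins": set()},
}

if __name__ == "__main__":
    for finding in audit(BASELINE, OBSERVED):
        print(*finding, sep=" | ")
```
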

Service-linked roles for trusted services

Resource Directory creates its service-linked role AliyunServiceRoleForResourceDirectory for each member. This role enables Resource Directory to create the roles required by trusted services. Only Resource Directory can assume this role. For more information, see Service-linked role for Resource Directory.

Trusted services create their own service-linked roles, such as the AliyunServiceRoleForConfig role of Cloud Config, only for the members that are used to perform administrative operations. These roles define the permissions required by trusted services to perform specific tasks. Only trusted services can assume their own service-linked roles.

The policy that is attached to a service-linked role is defined and used by the linked service. You are not allowed to modify or delete the policy. In addition, you are not allowed to attach policies to or detach policies from a service-linked role. For more information, see Service-linked roles.