Resource Management: Why is the root user of an account unable to use multiple features of Resource Directory?

Last Updated: Nov 23, 2023

In the best practices of Alibaba Cloud, the principle of least privilege is implemented to ensure security. A root user is an Alibaba Cloud account identity. By default, a root user has all administrative permissions on resources within the related Alibaba Cloud account. Performing operations as the root user of an account therefore carries extremely high security risk and does not conform to security requirements. In a resource directory, only cloud accounts have root users. To ensure security, we recommend that you disable the root users of all cloud accounts in your resource directory and use RAM users to perform the related operations instead. You can grant permissions to RAM users based on your business requirements.

Causes

Only RAM users that have the required permissions can be used to perform key operations in a resource directory, for the following reasons:

  • RAM users can be granted permissions based on the principle of least privilege.

  • Security risks caused by misuse of the root user of an account can be prevented.

  • The operations performed by using RAM users can be recorded by the system, which facilitates auditing and tracking.

Problem descriptions and solutions

Description: The root user of the management account of a resource directory does not have permissions to assume the RAM role of a member in the resource directory to log on to the Alibaba Cloud Management Console.

Solution: You can create a RAM user for the management account and attach the AliyunResourceDirectoryFullAccess policy to the RAM user, or grant the RAM user the minimum operation permissions that are required. In addition, you must attach the AliyunSTSAssumeRoleAccess policy to the RAM user to authorize the RAM user to assume a RAM role. Then, you can assume the RAM role of the member as the RAM user to log on to the Alibaba Cloud Management Console. For more information, see Use a RAM role to log on to the Alibaba Cloud Management Console.

Note: The AliyunResourceDirectoryFullAccess policy defines the highest permissions on resource directories. If you want to perform only specific operations as the RAM user, we recommend that you grant the RAM user only the permissions that are required to perform the operations. For information about the permissions, see Resource Directory.

Description: The root user of the management account of a resource directory does not have permissions to delete a resource account from the resource directory.

Solution: You can create a RAM user for the management account and attach the AliyunResourceDirectoryFullAccess policy to the RAM user, or grant the RAM user the minimum operation permissions that are required. In addition, you must enable the member deletion feature for the resource directory. For more information, see Enable or disable the member deletion feature and Delete a member of the resource account type.

Note: The AliyunResourceDirectoryFullAccess policy defines the highest permissions on resource directories. If you want to perform only specific operations as the RAM user, we recommend that you grant the RAM user only the permissions that are required to perform the operations. For information about the permissions, see Resource Directory.

Description: The root user of the management account of a resource directory does not have permissions to switch the account type of a member or bind a mobile phone number to a member for security purposes.

Solution: You can create a RAM user for the management account and attach the AliyunResourceDirectoryFullAccess policy to the RAM user, or grant the RAM user the minimum operation permissions that are required. You can then switch the account type of the member or bind a mobile phone number to the member for security purposes as the RAM user.

Note: The AliyunResourceDirectoryFullAccess policy defines the highest permissions on resource directories. If you want to perform only specific operations as the RAM user, we recommend that you grant the RAM user only the permissions that are required to perform the operations. For information about the permissions, see Resource Directory.

Description: Logon to the Alibaba Cloud Management Console by using the username and password of an Alibaba Cloud account is not supported for a resource account.

Solution: Members that are created in a resource directory are resource accounts. Resource accounts do not have root users, so logon to the Alibaba Cloud Management Console by using the username and password of an Alibaba Cloud account is not supported for a resource account. You can use only a RAM user or RAM role created for the resource account to log on to the Alibaba Cloud Management Console. For more information, see Use a RAM role to log on to the Alibaba Cloud Management Console or Log on to the Alibaba Cloud Management Console as a RAM user.

Note: In special scenarios, if you need to use the username and password of an Alibaba Cloud account to log on to the Alibaba Cloud Management Console for a resource account, you can first switch the resource account to a cloud account. For more information, see How do I use the root user of a member to log on to the Alibaba Cloud Management Console?
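The first solution above attaches AliyunSTSAssumeRoleAccess, which allows sts:AssumeRole on any role, while the notes recommend granting only the permissions that are actually required. The following added example (not from the Alibaba Cloud documentation) places a policy scoped to one member role beside the broad form and includes a small audit function that flags Allow statements granting sts:AssumeRole on anything other than explicitly named role ARNs; the account ID and role name are constructed placeholders.

```python
import json
import re

# Constructed RAM policy documents (Alibaba Cloud RAM policy language, Version "1").
# BROAD_POLICY has the same shape as the AliyunSTSAssumeRoleAccess system policy:
# the principal may assume any RAM role in any account it is trusted by.
BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}
    ],
})

# Least-privilege alternative for a RAM user of the management account:
# it may assume exactly one named role in one member account.
# "1234567890123456" and "MemberConsoleRole" are placeholders, not values
# taken from the page or from any real account.
SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": "acs:ram::1234567890123456:role/MemberConsoleRole",
        }
    ],
})

# A fully specified RAM role ARN: 16-digit account ID and a concrete role name.
ROLE_ARN = re.compile(r"^acs:ram::\d{16}:role/[\w.-]+$")


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_broad_assume_role(policy_json):
    """Return (statement index, resource) pairs for Allow statements that grant
    sts:AssumeRole on a wildcard or otherwise non-specific resource."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if not ROLE_ARN.match(res):
                findings.append((idx, res))
    return findings
```

Run the audit over the custom policies attached to RAM users in the management account; any finding means the user can assume more roles than the resource directory workflow requires.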