
Resource Management: Overview

Last Updated: Sep 05, 2024

Trusted services refer to the Alibaba Cloud services that are integrated with the Resource Directory service. After an Alibaba Cloud service is integrated with Resource Directory, the service can access the information of the related resource directory, such as the members and folders in the resource directory. You can use the management account of your resource directory or a delegated administrator account of a trusted service to manage your business in the trusted service based on your resource directory. This simplifies the unified management of cloud services activated by your enterprise. For example, after Cloud Config is integrated with Resource Directory, you can use the management account of your resource directory to view related information in Cloud Config. The information includes the resources of all members in the resource directory and the configuration history and compliance statuses of the resources. You can also monitor the compliance of resource configurations in Cloud Config.

Use a trusted service

Trusted services can be used by calling API operations or by using their consoles. This section describes how to use a trusted service in its console.

  1. Log on to the Resource Management console by using an Alibaba Cloud account and enable a resource directory. This Alibaba Cloud account is the management account of the resource directory.

    For more information, see Enable a resource directory.

  2. In the Resource Management console, build an organizational structure for your enterprise. You can create members in the resource directory or invite existing Alibaba Cloud accounts to join the resource directory.

    For more information, see Create a folder, Create a member, and Invite an Alibaba Cloud account to join a resource directory.

  3. (Optional) In the Resource Management console, specify a member as a delegated administrator account of the trusted service.

    If you do not specify a delegated administrator account for the trusted service, you can use only the management account to manage your business in the trusted service.

    For more information about how to specify a delegated administrator account for a trusted service, see Add a delegated administrator account.

    Note: This step applies only to trusted services that support delegated administrator accounts.

  4. In the console of the trusted service, use the management account or delegated administrator account to enable the multi-account management feature. Then, select the members that you want to manage in a unified manner based on the organizational structure of your resource directory, and manage the operations on the selected members.

    This step varies based on the specific trusted service. For more information, see the References column in the Supported trusted services section.

Supported trusted services

| Trusted service | Trusted service identifier | Description | Support for delegated administrator accounts | References |
| --- | --- | --- | --- | --- |
| Cloud Config | config.aliyuncs.com | After Cloud Config is integrated with Resource Directory, you can use the management account of your resource directory to view related information in Cloud Config. The information includes the resources of all the members in the resource directory and the configuration history and compliance statuses of the resources. You can also monitor the compliance of resource configurations in Cloud Config. | Yes | Account group overview |
| ActionTrail | actiontrail.aliyuncs.com | After ActionTrail is integrated with Resource Directory, you can use the management account of your resource directory to create multi-account trails in ActionTrail. A multi-account trail delivers the events of all members in a resource directory to an Object Storage Service (OSS) bucket or a Simple Log Service Logstore. | Yes | Multi-account trail overview |
| Security Center | sas.aliyuncs.com | After Security Center is integrated with Resource Directory, Security Center provides an interface that displays security risks detected for all the members in your resource directory. | Yes | Use the multi-account management feature |
| Cloud Firewall | cloudfw.aliyuncs.com | After Cloud Firewall is integrated with Resource Directory, you can use Cloud Firewall to centrally manage the public IP addresses of the resources within multiple accounts. You can also configure defense policies for the public IP addresses and view log analysis results in a unified manner. This implements centralized security control. | Yes | Use centralized account management |
| Dynamic Content Delivery Network (DCDN) | multiaccount.dcdn.aliyuncs.com | After DCDN is integrated with Resource Directory, DCDN can provide the multi-account management feature and unify the management of domain names that belong to different accounts and products. | No | None |
| Hybrid Cloud Monitoring | cloudmonitor.aliyuncs.com | After Hybrid Cloud Monitoring is integrated with Resource Directory, Hybrid Cloud Monitoring can monitor the resources within multiple Alibaba Cloud accounts used by your enterprise in a centralized manner. | Yes | Overview of Hybrid Cloud Monitoring |
| CloudSSO | cloudsso.aliyuncs.com | After CloudSSO is integrated with Resource Directory, you can use the management account of your resource directory to centrally manage the accounts of users who use Alibaba Cloud services in your enterprise in CloudSSO. You can configure single sign-on (SSO) between your enterprise identity management system and Alibaba Cloud. In addition, you can configure access permissions for users on the members of your resource directory in a centralized manner. | Yes | Overview of multi-account permission assignment |
| Log Audit Service | audit.log.aliyuncs.com | After Log Audit Service is integrated with Resource Directory, Log Audit Service can automatically collect the logs of Alibaba Cloud services from multiple accounts, and store, audit, and analyze the logs in a centralized manner. | Yes | Configure multi-account collection |
| Resource Orchestration Service (ROS) | ros.aliyuncs.com | After ROS is integrated with Resource Directory, you can use the management account of your resource directory to deploy the resources that are required by your system within the members of the resource directory. This achieves centralized resource management in a multi-account environment. | Yes | Stack group overview |
| Resource Sharing | resourcesharing.aliyuncs.com | After resource sharing is enabled, you can use the management account of your resource directory to share your resources with all members in your resource directory, all members in a specific folder in your resource directory, or a specific member in your resource directory. For members that are newly added to your resource directory, the system automatically grants access permissions on shared resources to the members based on your resource sharing settings. For members that are removed from your resource directory, the system automatically revokes access permissions on shared resources from the members if the members have such permissions. | No | Resource Sharing overview |
| Cloud Governance Center | governance.aliyuncs.com | After Cloud Governance Center is integrated with Resource Directory, you can view the distribution and change status of the resources within the members of your resource directory in the Cloud Governance Center console. You can also configure protection rules for the compliance audit and deliver audit logs for the members in a unified manner. | No | |
| Tag | tag.aliyuncs.com | You can use the management account of your resource directory to enable the Tag Policy feature that is in resource directory mode. Then, you can use tag policies to manage the tag-related operations performed by using a member in the resource directory. | Yes | Enable the Tag Policy feature that is in resource directory mode |
| Service Catalog | servicecatalog.aliyuncs.com | You can share product portfolios in Service Catalog with members in your resource directory. If the configurations of the product portfolios are modified, the modifications are synchronized to the members in real time. This significantly improves management efficiency. | Yes | Share or unshare the configurations of a product portfolio |
| Quota Center | quotas.aliyuncs.com | If a member is added to your resource directory after you create a quota template, the quota template automatically submits a quota increase request for the member. | No | Add a quota to a quota template |
| Resource Center | resourcecenter.aliyuncs.com | After Resource Center is activated, you can view and search for resources across accounts, services, or regions. | Yes | Enable cross-account resource search |
| Message Center | messagecenter.aliyuncs.com | After Message Center is integrated with Resource Directory, you can manage the message contacts of all accounts used by your enterprise in a centralized manner. | No | Manage contacts for a member |
| Managed Service for Prometheus | prometheus.aliyuncs.com | After Managed Service for Prometheus is integrated with Resource Directory, the Prometheus instances within multiple accounts of your enterprise can be monitored in a centralized manner. | Yes | Manage a Prometheus instance |
| Carbon Footprint | energy.aliyuncs.com | After Carbon Footprint is integrated with Resource Directory, you can use the management account of your resource directory to view greenhouse gas emission data of cloud resources within all Alibaba Cloud accounts of your enterprise in a centralized manner. | Yes | Cloud Product Carbon Footprint |
| Web Application Firewall (WAF) 3.0 | waf.aliyuncs.com | After WAF 3.0 is integrated with Resource Directory, you can access cloud resources within members in a centralized manner and configure security policies for the resources in a unified manner. | Yes | Use the multi-account management feature |
| Anti-DDoS Origin | ddosbgp.aliyuncs.com | You can share Anti-DDoS instances among multiple accounts. | Yes | Use the multi-account management feature |
| Bastionhost | bastionhost.aliyuncs.com | You can use a single bastion host to manage assets within multiple accounts in a centralized manner. This helps implement unified asset O&M and management. | Yes | Use the multi-account management feature |
| Data Security Center (DSC) | sddp.aliyuncs.com | You can manage data assets within multiple accounts and aggregate, view, and manage classification results, data asset risks, and threat events. This helps improve the efficiency of security operations. | Yes | Use the multi-account management feature |

Enable or disable a trusted service

You can enable or disable a trusted service by using the console or API of the service. For more information, see the documentation of the service.

You can choose Resource Directory > Trusted Services in the left-side navigation pane of the Resource Management console to view the statuses of trusted services. You cannot enable or disable trusted services in the Resource Management console.

When you use some trusted services to perform specific operations, Resource Directory automatically updates the states of the trusted services to Enabled. For example, if you create a multi-account trail in ActionTrail or use a trusted service to view the resources related to Resource Directory for the first time, Resource Directory automatically updates the state of ActionTrail or the trusted service to Enabled.

When you use some trusted services to perform specific operations, Resource Directory automatically updates the states of the trusted services to Disabled. For example, if you disable a feature provided by a trusted service, Resource Directory automatically updates the state of the trusted service to Disabled. If a trusted service is disabled, the service cannot access the members or resources in your resource directory. In addition, the resources that are related to integration with Resource Directory are deleted from the trusted service.
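Because a trusted service can move to Enabled or Disabled as a side effect of operations performed in that service, it helps to compare the observed state with a reviewed baseline. The following is an added example, not Alibaba Cloud code, that does this using the identifiers and delegated-administrator support listed in the table on this page. How the observed state is collected is left out; the function name, finding codes, sample state and account IDs are constructed for illustration.

```python
# Added example: baseline audit of trusted-service state (identifiers from this page's table).
DELEGATION_OK = set("""
config.aliyuncs.com actiontrail.aliyuncs.com sas.aliyuncs.com cloudfw.aliyuncs.com
cloudmonitor.aliyuncs.com cloudsso.aliyuncs.com audit.log.aliyuncs.com ros.aliyuncs.com
tag.aliyuncs.com servicecatalog.aliyuncs.com resourcecenter.aliyuncs.com
prometheus.aliyuncs.com energy.aliyuncs.com waf.aliyuncs.com ddosbgp.aliyuncs.com
bastionhost.aliyuncs.com sddp.aliyuncs.com
""".split())
NO_DELEGATION = set("""
multiaccount.dcdn.aliyuncs.com resourcesharing.aliyuncs.com governance.aliyuncs.com
quotas.aliyuncs.com messagecenter.aliyuncs.com
""".split())
KNOWN = DELEGATION_OK | NO_DELEGATION


def audit(enabled, delegated, approved, approved_admins):
    """Compare observed state with a reviewed baseline; return (code, detail) tuples.

    enabled/approved: sets of identifiers; delegated: (account_id, identifier) pairs;
    approved_admins: dict of identifier -> set of approved member account IDs.
    """
    findings = []
    for sp in sorted(enabled):
        if sp not in KNOWN:
            findings.append(("unknown-identifier", sp))
        elif sp not in approved:
            # Covers services switched to Enabled as a side effect of an operation.
            findings.append(("enabled-not-approved", sp))
    for sp in sorted(approved - enabled):
        # A Disabled service can no longer access members or resources in the directory.
        findings.append(("approved-not-enabled", sp))
    for account, sp in sorted(delegated):
        if sp in NO_DELEGATION:
            findings.append(("delegation-unsupported", f"{account} -> {sp}"))
        if account not in approved_admins.get(sp, set()):
            findings.append(("unapproved-delegated-admin", f"{account} -> {sp}"))
    return findings


# Constructed sample state (account IDs are placeholders, not real accounts).
SAMPLE_ENABLED = {"config.aliyuncs.com", "actiontrail.aliyuncs.com", "ros.aliyuncs.com"}
SAMPLE_DELEGATED = [("1111111111111111", "config.aliyuncs.com"),
                    ("2222222222222222", "resourcesharing.aliyuncs.com")]
APPROVED = {"config.aliyuncs.com", "actiontrail.aliyuncs.com", "sas.aliyuncs.com"}
APPROVED_ADMINS = {"config.aliyuncs.com": {"1111111111111111"}}

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_ENABLED, SAMPLE_DELEGATED, APPROVED, APPROVED_ADMINS):
        print(f"{code}: {detail}")
```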

Service-linked roles for trusted services

Resource Directory creates its service-linked role AliyunServiceRoleForResourceDirectory for each member. This role enables Resource Directory to create the roles required by trusted services. Only Resource Directory can assume this role. For more information, see RAM roles in a resource directory.

Trusted services create their own service-linked roles, such as the AliyunServiceRoleForConfig role of Cloud Config, only for the members that are used to perform administrative operations. These roles define the permissions required by trusted services to perform specific tasks. Only trusted services can assume their own service-linked roles.

The policy that is attached to a service-linked role is defined and used by the linked service. You are not allowed to modify or delete the policy. In addition, you are not allowed to attach policies to or detach policies from a service-linked role. For more information, see Service-linked roles.