All Products
Document Center

Server Load Balancer:Identity management

Last Updated:Aug 02, 2023

To ensure data security for your resources, you need to regulate access from users to your Server Load Balancer (SLB) resources so that only trusted users can access or manage your resources. SLB is integrated with Resource Access Management (RAM), which can manage access permissions on resources.

RAM classifies identities into physical identities and virtual identities. RAM uses different types of identity to help you manage permissions of different users.

Alibaba Cloud accounts

By default, resources are accessible only by Alibaba Cloud accounts. Other types of account must acquire the required permissions before they can access resources.

We recommend that you take note of the following items that can help protect your Alibaba Cloud account:

  • Do not use your Alibaba Cloud account to call APIs or perform routine O&M unless necessary. We recommend that you use a RAM user. Do not create an AccessKey pair for your Alibaba Cloud account. Alibaba Cloud does not store your AccessKey pair as plaintext but as a salted SHA-256 hash value.

  • We recommend that you use your Alibaba Cloud account to create a RAM user and grant permissions to the RAM user as needed, and use the RAM user to perform other operations.

    For more information, see Create a RAM user.

  • Keep your AccessKey pair strictly confidential. Do not disclose your AccessKey pair in any possible form, such as embedding it in code.

    If your AccessKey pair remains in use for more than 90 days, we recommend that you rotate the AccessKey pair in case of leakage.

    For more information, see Rotate AccessKey pairs of RAM users.

    If you want to check whether your AccessKey pair is uploaded to GitHub, use the AccessKey pair leakage detection feature of Security Center. The AccessKey pair leakage detection feature is free of charge.

  • Set a valid logon time for your Alibaba Cloud account. The specified time must be between 1 hour and 24 hours. Your Alibaba Cloud account will be automatically logged off if the logon time reaches the specified value.

    For more information, see Overview of security settings.

  • Set a logon mask for your Alibaba Cloud account. You can specify the IP addresses that can access Alibaba Cloud resources.

  • Enable multi-factor authentication for your Alibaba Cloud account and RAM users. Secondary authentication is mandatory for console logons and risk-sensitive operations.

  • The AccessKey pair of a RAM user is displayed only when you create the AccessKey pair. You can create at most two AccessKey pairs for each RAM user. Each Alibaba Cloud account can create at most five AccessKey pairs.

  • You can specify a valid period for the password of a RAM user and specify whether the RAM user is logged off when the password expires.

RAM users

RAM users are created by Alibaba Cloud accounts, RAM users, or RAM roles that have administrator permissions. RAM users are allowed to log on to consoles or access Alibaba Cloud resources within the Alibaba Cloud accounts only if the RAM users acquire the required permissions.

  • If multiple users need to access your resources, you can create RAM users to manage permissions and regulate access by granting minimum permissions to the RAM users. You do not need to share the password or AccessKey pair of your Alibaba Cloud account with the RAM users. This enhances account security.

  • Each RAM user can be assigned a separate password or AccessKey pair to minimize security risks. You can also grant minimum permissions to RAM users based on their work duties.

  • When you create a RAM user, you can specify multiple logon methods. We recommend that you specify only one logon method for each RAM user to ensure account security.

    For example, if a RAM user is used to manage applications and needs to access resources by calling API operations, you can create an AccessKey pair for the RAM user. If a RAM user is used by an employee who needs to access resources by using the console, you can create a logon password for the RAM user.

  • You can also enable single sign-on (SSO) for a RAM user to allow the RAM user to log on to and access Alibaba Cloud resources from the identity management system of the enterprise.

  • You cannot create more RAM roles if the RAM role quota is exhausted. For more information, see Limits.

RAM user groups

If you have multiple RAM users, you can add them to different groups based on their work duties. This allows you to efficiently manage RAM users and permissions.

  • If you need to grant the same permission to multiple RAM users, you can add the RAM users to the same group and create a policy for the group. After the policy is attached to the group, all the RAM users in the group can use the policy.

  • If the work duties of a RAM user change, you only need to move the RAM user to a RAM user group with the required permissions. This does not affect other RAM users.

  • If a RAM user group no longer needs a permission, you can revoke the permission from the group. After the permission is revoked, all the RAM users in the group are not allowed to access the resources that require the permission. For more information, see Revoke permissions from a user group.

RAM roles

RAM roles are a type of RAM identity recognizable by Alibaba Cloud. RAM roles are virtual identities that do not have AccessKey pairs, and must be assumed by entity users. After an entity user assumes a RAM role, the user obtains the Security Token Service (STS) token of the RAM role. The STS token can be used to access the corresponding resources.

  • By default, a RAM role does not have permissions after it is created. The RAM role must acquire the required permissions before it can be used to log on to consoles or call APIs. For more information, see Authorize RAM users.

  • You can specify a validity period for the STS token of a RAM role to implement access control.

    For more information, see What is STS?

  • You can specify a session duration for each RAM role to control the duration that a RAM role can remain logged on to a session. When the specified duration elapses, the RAM role is logged off the session and cannot perform operations.

    You can modify the session duration of a RAM role. For more information, see Specify the maximum session duration for a RAM role.