
Well-Architected Framework: Identity management

Last Updated: Jun 02, 2026

Apply the principle of least privilege to human and programmatic identities on Alibaba Cloud by minimizing credential exposure duration and surface.

Cloud identities fall into two categories: human identities and programmatic identities.

A human identity represents an individual—such as a security administrator, operations engineer, or developer—who manages cloud resources through the Alibaba Cloud console, CLI, or specialized clients.

A programmatic identity represents an application or service that accesses cloud resources and data through Alibaba Cloud APIs.

Identity management on Alibaba Cloud follows two core least-privilege principles: minimize exposure duration and minimize exposure surface.

Minimize exposure duration by using temporary identities or temporary credentials instead of static ones, and rotate static credentials regularly.

Minimize exposure surface by storing keys and credentials securely and never sharing or reusing them across applications or identity types.

The following sections cover best practices for each identity type.

Human identities

Avoid using the root identity

The root identity (the Alibaba Cloud account itself) has full permissions over every resource in the account, and those permissions cannot be restricted by policy. If its password leaks, the impact is total. Sharing the root identity among several people both increases the likelihood of compromise and makes it impossible to trace an action in the operation logs back to a person. Except for the few operations that only the account itself can perform, use Resource Access Management (RAM) identities to access cloud resources. To protect the root identity itself, follow the practices in the "Establish a more secure sign-in mechanism" section below.

Implement unified authentication for human identities

A centralized Identity Provider (IdP) simplifies identity management and keeps on-premises and cloud identities consistent. Personnel changes require updates in one location only, eliminating separate RAM user credentials. Some organizations further restrict IdP access to the corporate intranet.

Alibaba Cloud supports SAML 2.0-based SSO. Integrate your IdP through RAM SSO for unified human identity authentication. For organizations with multiple Alibaba Cloud accounts, use CloudSSO to centralize SSO configuration across accounts.

Establish a more secure sign-in mechanism

Leaked credentials allow attackers to sign in and cause irreparable damage. Protect all human identity credentials with the following practices:

  1. Increase password strength. Require longer passwords with a mix of numbers, uppercase and lowercase letters, and special characters. For RAM users, administrators can set password strength rules to enforce complexity requirements.

  2. Avoid password reuse. Sharing passwords across services or users expands the exposure surface. If one credential is compromised, attackers can access all services using the same password. Assign unique passwords to each service and user.

  3. Rotate passwords regularly. The longer a password exists, the higher the leak risk. For RAM users, administrators can set a password expiration policy in the password strength rules to enforce periodic rotation.

  4. Use multi-factor authentication (MFA). MFA adds a second verification layer when signing in or performing sensitive operations. Alibaba Cloud supports multiple verification methods, including virtual MFA devices and U2F security keys. Enable MFA for all human identities. Organizations using an on-premises IdP should also enable MFA on the IdP side.

Use role assumption instead of static identities

Temporary identities minimize exposure duration: the credentials of a role session expire on their own, so a leaked session is useful to an attacker only until it expires, whereas a RAM user's password or AccessKey stays valid until someone revokes it. Role-based access also lets you model permissions by job function (one role per function rather than per person), which standardizes access control.

Manage human identities through role-based SSO: the IdP user assumes a RAM role at sign-in and receives a temporary session instead of holding a permanent RAM user account.

Programmatic identities

Do not use Alibaba Cloud account AccessKeys

An Alibaba Cloud account AccessKey grants unrestricted full administrative control equivalent to the root identity. It cannot be scoped by conditions such as source IP or access time, and its permissions cannot be narrowed. Always use RAM user AccessKeys for programmatic access.

Avoid sharing AccessKeys

Shared AccessKeys require overly broad permissions and amplify the blast radius of any leak. Sharing keys between environments is especially risky—a leak in a less-secured test environment can directly compromise production.

Create a unique AccessKey for each application, module, and environment. Grant each key only the permissions required for its specific use case.
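As an added example (not from this page or from Alibaba Cloud), the following Python simulates how RAM evaluates a scoped policy of the kind a per-application RAM user key should carry: read-only actions on one bucket prefix, a source-IP condition, a time cut-off, and an explicit Deny that wins over Allow. It illustrates both points above, that a RAM user key can be narrowed by conditions while an account AccessKey cannot, and that each key should carry only what its use case needs. The policy document, bucket name, CIDR and requests are constructed; the evaluator models only the operators it uses and is not the RAM engine.

```python
"""Evaluate a request against an Alibaba Cloud RAM policy document.

Added example, not Alibaba Cloud's evaluator: a small simulator for the subset
of the RAM policy language used here (Allow/Deny, wildcard Action and Resource,
IpAddress / DateLessThan / StringEquals conditions). Policy and requests are
constructed for illustration.
"""
import fnmatch
import ipaddress
from datetime import datetime

# Constructed policy for one application's RAM user AccessKey: read-only on one
# bucket prefix, only from the application's VPC CIDR, only until a cut-off date.
# An Alibaba Cloud account AccessKey cannot be narrowed like this; a RAM user key can.
APP_READ_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:ListObjects"],
            "Resource": ["acs:oss:*:*:app-assets", "acs:oss:*:*:app-assets/prod/*"],
            "Condition": {
                "IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]},
                "DateLessThan": {"acs:CurrentTime": "2026-12-31T00:00:00Z"},
            },
        },
        {
            # Explicit Deny always wins over Allow, even inside the allowed prefix.
            "Effect": "Deny",
            "Action": "oss:GetObject",
            "Resource": "acs:oss:*:*:app-assets/prod/secrets/*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    # RAM uses ISO 8601 UTC timestamps with a trailing "Z".
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _matches(patterns, value):
    # RAM wildcards: "*" matches any sequence, "?" one character (same as fnmatch).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # missing context key: the condition fails closed
            wanted = _as_list(wanted)
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c, strict=False) for c in wanted):
                    return False
            elif operator == "DateLessThan":
                if not _parse_time(actual) < _parse_time(wanted[0]):
                    return False
            elif operator == "StringEquals":
                if actual not in wanted:
                    return False
            else:
                raise ValueError(f"condition operator not modelled here: {operator}")
    return True


def evaluate(policy, action, resource, ctx):
    """Return "Allow" or "Deny" for (action, resource) under the request context.

    Precedence, as in RAM: explicit Deny > explicit Allow > implicit Deny.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "acs:oss:cn-hangzhou:123456789012:app-assets/prod/index.html"
    inside = {"acs:SourceIp": "10.1.2.3", "acs:CurrentTime": "2026-06-01T00:00:00Z"}
    outside = {"acs:SourceIp": "203.0.113.5", "acs:CurrentTime": "2026-06-01T00:00:00Z"}
    print(evaluate(APP_READ_POLICY, "oss:GetObject", obj, inside))   # Allow
    print(evaluate(APP_READ_POLICY, "oss:GetObject", obj, outside))  # Deny
    print(evaluate(APP_READ_POLICY, "oss:PutObject", obj, inside))   # Deny
```

The same request that is allowed from inside the VPC is denied from any other source address, after the cut-off date, for any write action, and for the explicitly denied secrets prefix; a key carrying this policy is worth far less to whoever finds it in a repository than an account AccessKey would be.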

Rotate AccessKeys regularly

The longer an AccessKey exists, the higher the leak risk. Periodically create a new key, switch the application to it, confirm that the new key is actually being used, then disable the old key and, after a quiet period in which nothing breaks, delete it. A RAM user can hold at most two AccessKeys, so an unfinished rotation blocks the next one. KMS Secrets Manager can host a RAM user's AccessKey as a managed secret and rotate it on a schedule, so applications fetch the current key at runtime instead of storing it.

Rotate all other programmatic credentials regularly as well.
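The two-phase rotation described above, as an added example written for this page rather than taken from Alibaba Cloud tooling. It runs offline against a constructed in-memory stand-in whose methods mirror the RAM API operations CreateAccessKey, ListAccessKeys, UpdateAccessKey, DeleteAccessKey and GetAccessKeyLastUsed; a real RAM client exposing the same methods could be substituted. The user name, the redeploy callback and the seven-day quiet period are assumptions.

```python
"""Two-phase AccessKey rotation for a RAM user (added example, not Alibaba Cloud tooling).

Runs against a constructed in-memory stand-in whose methods mirror the RAM API
operations CreateAccessKey, ListAccessKeys, UpdateAccessKey, DeleteAccessKey and
GetAccessKeyLastUsed. User name, redeploy callback and quiet period are assumptions.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class AccessKey:
    access_key_id: str
    status: str = "Active"              # RAM key statuses: "Active" or "Inactive"
    last_used: Optional[datetime] = None


class FakeRamClient:
    """In-memory stand-in for the RAM AccessKey operations (constructed for this example)."""
    MAX_KEYS_PER_USER = 2               # RAM allows at most two AccessKeys per user

    def __init__(self) -> None:
        self._keys: Dict[str, List[AccessKey]] = {}

    def create_access_key(self, user: str) -> AccessKey:
        keys = self._keys.setdefault(user, [])
        if len(keys) >= self.MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: user already has two AccessKeys")
        key = AccessKey("LTAI" + secrets.token_hex(8))   # constructed ID, not a real key
        keys.append(key)
        return key

    def list_access_keys(self, user: str) -> List[AccessKey]:
        return list(self._keys.get(user, []))

    def update_access_key(self, user: str, key_id: str, status: str) -> None:
        self._get(user, key_id).status = status

    def delete_access_key(self, user: str, key_id: str) -> None:
        self._keys[user] = [k for k in self._keys[user] if k.access_key_id != key_id]

    def get_access_key_last_used(self, user: str, key_id: str) -> Optional[datetime]:
        return self._get(user, key_id).last_used

    def record_use(self, user: str, key_id: str, when: datetime) -> None:
        """Simulate a successful API call signed with the key (test hook, not a RAM operation)."""
        key = self._get(user, key_id)
        if key.status != "Active":
            raise PermissionError("InvalidAccessKeyId.Inactive")
        key.last_used = when

    def _get(self, user: str, key_id: str) -> AccessKey:
        for key in self._keys.get(user, []):
            if key.access_key_id == key_id:
                return key
        raise KeyError(f"EntityNotExist.User.AccessKey: {key_id}")


def start_rotation(client, user: str, redeploy: Callable[[str], None]) -> Tuple[AccessKey, AccessKey]:
    """Phase 1: create the new key, roll it out, and disable (not delete) the old key
    only once the new key has been observed in use. Returns (new_key, old_key)."""
    keys = client.list_access_keys(user)
    if len(keys) != 1:
        raise RuntimeError("expected exactly one key; finish the previous rotation first")
    old, new = keys[0], client.create_access_key(user)
    redeploy(new.access_key_id)
    if client.get_access_key_last_used(user, new.access_key_id) is None:
        raise RuntimeError("new key not yet observed in use; leaving the old key active")
    client.update_access_key(user, old.access_key_id, "Inactive")
    return new, old


def finish_rotation(client, user: str, old_key_id: str, disabled_at: datetime,
                    now: datetime, quiet_period: timedelta = timedelta(days=7)) -> bool:
    """Phase 2: delete the old key once it has been Inactive for the quiet period.
    Returns True if the key is gone, False if it is still too early to delete."""
    old = next((k for k in client.list_access_keys(user) if k.access_key_id == old_key_id), None)
    if old is None:
        return True                     # already deleted by an earlier run
    if old.status != "Inactive":
        raise RuntimeError("old key is still Active; run start_rotation first")
    if now - disabled_at < quiet_period:
        return False                    # a forgotten consumer may still surface; keep it recoverable
    client.delete_access_key(user, old_key_id)
    return True


def demo() -> dict:
    """Walk one full rotation on the stand-in and report what happened."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    client, user = FakeRamClient(), "app-orders-prod"   # assumed user name
    client.record_use(user, client.create_access_key(user).access_key_id, t0)

    def redeploy(new_id: str) -> None:  # assumed callback: push the new key, then prove it works
        client.record_use(user, new_id, t0 + timedelta(minutes=5))

    new, old = start_rotation(client, user, redeploy)
    disabled_at = t0 + timedelta(minutes=10)
    statuses = {k.access_key_id: k.status for k in client.list_access_keys(user)}
    try:                                # a second rotation must not start while two keys exist
        start_rotation(client, user, redeploy)
        blocked = False
    except RuntimeError:
        blocked = True
    early = finish_rotation(client, user, old.access_key_id, disabled_at, now=t0 + timedelta(days=1))
    done = finish_rotation(client, user, old.access_key_id, disabled_at, now=t0 + timedelta(days=8))
    return {"old_status": statuses[old.access_key_id], "new_status": statuses[new.access_key_id],
            "second_rotation_blocked": blocked, "deleted_after_1_day": early,
            "deleted_after_8_days": done, "keys_left": len(client.list_access_keys(user))}
```

Disabling before deleting is the important step: an Inactive key can be re-enabled in seconds if a forgotten consumer starts failing, while a deleted key cannot be recovered.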

Use temporary credentials instead of static credentials

A static AccessKey consists of a fixed AccessKey ID and Secret that persist until deleted. Static credentials carry significant risks—for example, a developer might hardcode a key and push it to a public repository, causing a leak.

Use role assumption to obtain a temporary Security Token Service (STS) token instead of a static AccessKey. An STS token expires after the session duration requested when the role is assumed, which is capped by the role's maximum session duration (hours, not days); a leaked token is useful only until then, and nothing has to be revoked.

Alibaba Cloud integrates STS tokens with the following deployment methods:

  1. For Elastic Compute Service (ECS) instances, attach an instance RAM role. Your application reads the role's temporary credentials from the instance metadata service (100.100.100.200). Enable the metadata service's hardened mode so that credentials can only be read after first obtaining a short-lived metadata token, which removes the easiest SSRF path to instance credentials.

  2. For Container Service for Kubernetes (ACK), use RAM Roles for Service Accounts (RRSA) to bind a RAM role to a specific Kubernetes ServiceAccount. Pods running under that ServiceAccount exchange their projected OIDC token for an STS token of that role, so each workload gets its own identity instead of sharing the node's.

  3. For Function Compute, attach a RAM role to the service the function belongs to. Function Compute assumes that role for each invocation and passes the resulting STS token to the function in its invocation context.

Regardless of deployment method, use the official Alibaba Cloud SDKs. Configure the credential provider that matches your deployment type (the instance RAM role name on ECS; the ALIBABA_CLOUD_ROLE_ARN, ALIBABA_CLOUD_OIDC_PROVIDER_ARN and ALIBABA_CLOUD_OIDC_TOKEN_FILE environment variables that RRSA injects on ACK; the invocation context in Function Compute), and the SDK caches the STS token and refreshes it before it expires.
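As an added example, not the SDK's own code, the following Python shows what an ECS credential provider does underneath the SDK for the ECS case described above: fetch a metadata token (hardened mode), read the instance RAM role's credential document, cache it, and refresh it a margin before Expiration rather than after. The endpoint paths and header names follow the ECS metadata service; the role name, the ten-minute margin and the offline responses in demo() are constructed assumptions.

```python
"""Instance RAM role credentials from the ECS metadata service, cached and refreshed early.

Added example showing what the official SDK's ECS credential provider does for you;
it is not the SDK's code. Endpoint paths and header names follow the ECS instance
metadata service (hardened mode); the role name, refresh margin and the offline
responses in demo() are constructed assumptions.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple

METADATA_BASE = "http://100.100.100.200"
METADATA_TOKEN_TTL = 21600                  # seconds; the maximum the service accepts


def fetch_metadata_token(timeout: float = 1.0) -> str:
    """Hardened mode: a PUT for a metadata token must precede any metadata read."""
    req = urllib.request.Request(
        METADATA_BASE + "/latest/api/token", method="PUT",
        headers={"X-aliyun-ecs-metadata-token-ttl-seconds": str(METADATA_TOKEN_TTL)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def fetch_role_credentials(role_name: str, timeout: float = 1.0) -> str:
    """Read the instance RAM role's JSON credential document (only works on an ECS instance)."""
    req = urllib.request.Request(
        METADATA_BASE + "/latest/meta-data/ram/security-credentials/" + role_name,
        headers={"X-aliyun-ecs-metadata-token": fetch_metadata_token(timeout)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


class InstanceRoleCredentials:
    """Caches the STS credentials and refreshes them a margin before Expiration."""

    def __init__(self, role_name: str, fetch: Optional[Callable[[], str]] = None,
                 clock: Optional[Callable[[], datetime]] = None,
                 refresh_margin: timedelta = timedelta(minutes=10)):  # margin is an assumption
        self._fetch = fetch or (lambda: fetch_role_credentials(role_name))
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._margin = refresh_margin
        self._cached: Optional[Tuple[str, str, str]] = None
        self._expires: Optional[datetime] = None
        self.refresh_count = 0

    def get(self) -> Tuple[str, str, str]:
        """Return (AccessKeyId, AccessKeySecret, SecurityToken), refreshing if near expiry."""
        now = self._clock()
        if self._cached is None or now >= self._expires - self._margin:
            doc = json.loads(self._fetch())
            if doc.get("Code") != "Success":
                raise RuntimeError(f"metadata service returned Code={doc.get('Code')}")
            self._cached = (doc["AccessKeyId"], doc["AccessKeySecret"], doc["SecurityToken"])
            # Expiration is ISO 8601 UTC with a trailing "Z", e.g. "2026-01-01T06:00:00Z"
            self._expires = datetime.fromisoformat(doc["Expiration"].replace("Z", "+00:00"))
            self.refresh_count += 1
        return self._cached


def demo() -> Tuple[int, int, int, str]:
    """Offline walk-through with constructed metadata responses and a fake clock."""
    clock = [datetime(2026, 1, 1, tzinfo=timezone.utc)]

    def fake_fetch() -> str:                # constructed response in the metadata service's shape
        expiry = clock[0] + timedelta(hours=6)
        return json.dumps({
            "Code": "Success",
            "AccessKeyId": "STS.exampleKeyId",     # constructed, not a real credential
            "AccessKeySecret": "exampleSecret",
            "SecurityToken": "exampleToken",
            "Expiration": expiry.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "LastUpdated": clock[0].strftime("%Y-%m-%dT%H:%M:%SZ"),
        })

    creds = InstanceRoleCredentials("app-role", fetch=fake_fetch, clock=lambda: clock[0])
    creds.get()                                  # first call: fetch
    n0 = creds.refresh_count
    clock[0] += timedelta(hours=3)
    creds.get()                                  # still fresh: served from cache
    n1 = creds.refresh_count
    clock[0] += timedelta(hours=2, minutes=55)   # 5 minutes before expiry: inside the margin
    key_id = creds.get()[0]
    n2 = creds.refresh_count
    return n0, n1, n2, key_id


if __name__ == "__main__":
    print(demo())
```

On a real instance, InstanceRoleCredentials("<role-name>").get() talks to the live metadata service; demo() swaps in a fake fetch and clock so the refresh behaviour can be checked without network access. Refreshing before expiry, rather than on the first failed request, is what keeps a busy service from emitting a burst of authentication errors at every token boundary.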