Alibaba Cloud Resource Access Management (RAM) is an identity and access control service that lets you centrally manage your users (including employees, systems or applications) and securely control their access to your resources through permission levels. RAM allows you to grant access permissions for Alibaba Cloud resources only to your selected high-privileged users, enterprise personnel and partners. This helps ensure secure and appropriate usage of your cloud resources and protects your account against unsolicited access.
Create, manage, rename and delete RAM users, groups and roles; grant necessary permissions
Utilize unified management of access permissions and identity credentials for Alibaba Cloud resources
Revoke permissions from one or multiple resources or user accounts based on business requirements
Fine-grained Authorization: Allows you to grant permission for one or multiple operations on a single resource
For example, a resource owner can grant permission to create, perform operations or delete resources
Multi-dimensional Authorization: Restricts access permissions by IP, time and other dimensions
Version Management Mechanism: Retains multiple versions of each authorization policy to eliminate the risk of unwanted policy deletion
Multiple Authorization Scenario Support
Allows you to define and control various authorization policies for specific Alibaba Cloud resources meeting certain business conditions
Lets you grant read-only, full, or customized permissions to users, partners and enterprise employee accounts
Enables you to define user or service specific roles
Supports Multi-Factor Authentication (MFA) to protect your account
Allows you to access and configure RAM using the web-based Alibaba Cloud Management Console or APIs
Complimentary Service with Alibaba Cloud Subscription
Enables centralized management without paying extra charges; pay only for other services used by your RAM users
Provides one consolidated bill for all expenses incurred by resource operations performed by all users present in multiple accounts falling under one enterprise account
Alibaba Cloud Resource Access Management (RAM) is a cloud-based management service designed to centrally control resource access and collectively manage users. With RAM you can create, manage and keep track of different users or groups accessing your cloud resources and grant various levels of access permissions.
User Identity Management: Create and manage user identities and grant permissions using the primary account
Multi-factor Authentication: Supports MFA devices that comply with TOTP protocol standard (RFC 6238) to keep user passwords secure and assign special permissions like shutting down virtual hosts
Independent Password Policy Management: Create custom password strength policies for users and set the number of allowed login attempts, password validity periods, and other password policies
User Groups: Create and manage user groups for assigning same set of permissions to multiple users
Access Keys: Set access keys for users wanting to perform operations using the console. You can also set API access keys if users want to call APIs
Execution Permission: Set permissions for allowing or denying execution of certain operations on specific resources under certain conditions
Custom Authorization: Use custom authorization policies to manage user permissions effectively
Group Permission: The grouped authorization mechanism allows for scenario-specific authorization to reduce burden of permission management
User Authorization: Grant user or user group authorization to users under your or other Alibaba Cloud account
Authorization Policy Management
Custom Policy: Create, modify, and delete custom authorization policies for detailed requirements, such as controlling operation permissions for a certain ECS instance or requiring that a resource operator's request come from a specified IP address
Resource Access: Users can access resources and perform operations on them using console, APIs, or client tools like aliyuncli
Alibaba Security Token Service
Access Permission: Security Token Service grants specific cloud resource access permissions to mobile clients, giving your mobile customers direct access to cloud resources
Custom Validity: Supports custom token validity periods for enhanced security
User Resource Access Methods: Provides users with security channels (such as SSL) to request access to specific cloud resources at the designated time and from the specified source IP
Role and External Account Identity Federation Management: Associate RAM roles with external identity systems (such as your local enterprise domain accounts or app accounts) and directly use an external identity to log on to a RAM role to access Alibaba Cloud console or API
Cloud Resources: Control data instances created by RAM users in a centralized manner, so that you have full control over these instances and data after a user has left your organization
Usage and Billing
Free of Charge: RAM is offered at no additional cost. You are charged only for other Alibaba products/services used by RAM users
Consolidated Bill: Your account receives a consolidated bill for all expenses incurred from resource operations performed by all RAM users/accounts
Listed below are a few common RAM scenarios:
1. Enterprise User Account Management and Permission Allocation
An enterprise has a project for which it has purchased multiple cloud resources like ECS/RDS/SLB instances and OSS buckets. Employees with different responsibilities and permissions need to perform various operations. They can be allocated independent user or operator accounts to perform only those resource operations to which they have permissions. This way the enterprise does not compromise on security and can also grant/revoke permissions for any user account at any time. Also, charges for resource operations are billed collectively to the enterprise that is the primary account.
Recommended configuration for this scenario:
RAM-user accounts and authorization management function
Bind the primary account to an MFA device and configure MFA for the primary account to prevent risks caused by disclosure of primary account password
Create user accounts and RAM user accounts for different employees (or application systems) and set login passwords or create access keys as needed
Create a group for multiple employees with same responsibilities and add users to the group
Create custom authorization policies and grant permissions by binding one or more policies to groups/users
2. Temporary Authorization Management for Mobile Apps
An enterprise does not want to allow all apps to use the AppServer to transmit data. However, mobile apps run on mobile devices and controlling these devices is not possible. The enterprise also wants to minimize security risks by giving each app an access token with minimal permissions and reducing the access duration.
Recommended configuration for this scenario:
To complete the authorization process, the enterprise creates a role and grants permissions to the role by binding it to an authorization policy
The enterprise creates a RAM user for AppServer and authorizes this user to assume the role it created
AppServer issues STS-tokens for resource access
3. Resource Operations and Authorization Management Between Enterprises
Enterprise A has purchased multiple cloud resources and granted cloud resource O&M, monitoring management, and other tasks to Enterprise B. Enterprise B can allocate access permissions for A’s resources to one or more of its employees. B needs to precisely control the operations its employees can perform on A’s resources. A should be able to revoke B’s permissions at will if the O&M entrustment contract is revoked.
Suggested configuration for this scenario:
RAM roles for cross-account authorization
A role is created and permissions are granted for cross-account authorization
Cross-account resources can be accessed through the console by creating sub-users and authorizing them to assume the role
Use RAM to control users' access permissions to your Alibaba Cloud resources and set up authorization policies using the Alibaba Cloud Management Console, APIs, and documentation
Using Alibaba Cloud RAM through Management Console
The Alibaba Cloud Management Console provides a simple web-based user interface that allows you to access and configure RAM access rules, authorization policies, permissions and roles for different users.
With this console, you can also create, modify, manage and delete your users. Refer to the Quick Start Guide for step-by-step instructions on how to configure RAM through the management console.
Alibaba Cloud RAM API Reference
Use Alibaba Cloud RAM APIs to create and configure access permissions for users and groups programmatically.
Alibaba Cloud Documentation
To understand how Alibaba Cloud RAM operates, refer to the User Guide.
Using RAM, you can create and manage multiple user identities that perform various operations on Alibaba Cloud resources and allocate different authorization policies/resource access permissions to different identities or identity groups.
The following resources offer detailed information on Alibaba Cloud Resource Access Management.
1. How do I get started with Alibaba Cloud RAM?
Once you have signed up for Alibaba Cloud, you can either use web-based Alibaba Cloud Management Console or RAM APIs (for programmatic access) to create users and groups as well as assign them permissions to access different resources.
2. How does a sub-user sign into the Alibaba Cloud Management Console?
3. Which Alibaba Cloud products and services support RAM integration?
|Elastic Compute Service|√|√|ECS Permission|
|ApsaraDB for RDS|√|√|RDS Permission|
|Server Load Balancer|√|√|SLB Permission|
|Virtual Private Cloud|√|√|VPC Permission|
|Object Storage Service|√|√|OSS Permission|
|Table Store|√|√|TableStore Permission|
|Message Service|√|√|MessageService Permission|
|Alibaba Cloud CDN|√|√|CDN Permission|
|ApsaraDB for Redis|√|√||
|ApsaraDB for Memcache|√|√||
4. What is a RAM-role?
A RAM-Role is a virtual user (shadow account) or a type of RAM user. This user has a fixed identity and can be granted policies. However, a RAM-Role must be assumed by an authorized real user.
5. Which operation permissions are granted to a new RAM-user?
By default, a new RAM user has no operation permissions. A RAM user represents an operator and must be explicitly authorized to perform any operation. The user can perform resource operations through the RAM console or APIs only after being authorized.
6. What are authorization policies?
An authorization policy is a group of permissions described using Authorization Policy Language. It can precisely define the authorized resource set and operation set, as well as the authorization conditions.
7. How do I view all system authorization policies supported by Alibaba Cloud?
To view all the system authorization policies supported by Alibaba Cloud, log on to the RAM console and go to the Authorization Policy Management page to view a list of all system authorization policies.
8. What is a RoleARN?
A RoleARN is the global resource descriptor that specifies a role. RoleARNs follow Alibaba Cloud’s ARN naming rules.
For example, the RoleARN for the “devops” role of an Alibaba Cloud account: acs:ram::1234567890123456:role/devops.
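The following Python sketch is an added example, not Alibaba Cloud code or part of the original page. It lints a RAM authorization policy for the properties described in questions 6 and 8: a bounded operation set, a bounded resource set, an authorization condition, and a well-formed RoleARN as the target of role assumption. The element names (Version, Statement, Effect, Action, Resource, Condition, IpAddress, acs:SourceIp) are those of the RAM policy language; the sample policy, the instance ID i-EXAMPLE and the lint rules themselves are constructed for illustration.

```python
import json
import re

# RoleARN layout as shown on this page: acs:ram::<account-id>:role/<role-name>
ROLE_ARN_RE = re.compile(r"^acs:ram::(\d+):role/([\w.\-]+)$")

# Constructed sample policy; only the devops RoleARN is taken from the page.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "acs:ram::1234567890123456:role/devops"},
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ecs:StopInstance"],
     "Resource": "acs:ecs:*:*:instance/i-EXAMPLE",
     "Condition": {"IpAddress": {"acs:SourceIp": "203.0.113.0/24"}}}
  ]
}
""")

def as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def parse_role_arn(arn):
    """Return the account ID and role name, or None if arn is not a RoleARN."""
    m = ROLE_ARN_RE.match(arn)
    return {"account": m.group(1), "role": m.group(2)} if m else None

def lint_policy(policy):
    """Return (statement index, finding) pairs for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard action"))
        if "*" in resources:
            findings.append((i, "wildcard resource"))
        if "sts:AssumeRole" in actions:
            # Role assumption should name one specific role.
            if any(parse_role_arn(r) is None for r in resources):
                findings.append((i, "AssumeRole target is not a single RoleARN"))
        elif "Condition" not in stmt:
            findings.append((i, "no condition"))
    return findings
```

Run `lint_policy` over each custom policy before attaching it; an empty result means every Allow statement names specific operations and resources and, apart from role assumption, carries a condition such as a source IP range.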
9. How do I delete an authorization policy with multiple versions?
First, keep the default version and remove all other versions. The authorization policy can be deleted only when the default version is the sole remaining version.
10. How do I assign commonly used permissions?
Alibaba Cloud provides System Authorization Policies, a set of commonly used permissions that you can attach to RAM users, groups, and roles. These policies are a group of comprehensive permission sets created and managed by Alibaba Cloud, such as read-only permission for ECS or full permissions for ECS. You can use these policies but not modify them.
11. How do I create a custom authorization policy?
1. Access the RAM console, select Policy Management and then Custom Policies.
2. Click “New Authorization Policy.”
3. Select a template from the list (for example, AliyunOSSReadOnlyAccess).
4. Edit the name, remarks, and content of the authorization policy as needed.
5. After making necessary changes, click “Add Policy” to create the custom authorization policy.
12. How do I attach an authorization policy to a group?
1. Log in to the RAM console and go to Group Management.
2. Select a group, and click “Authorize” to go to the Edit Authorization Policy page.
3. Select the name of the relevant authorization policy to grant permissions to the group.
13. How do I assign the same set of permissions to multiple RAM users?
You can attach an authorization policy to RAM groups. Then all users in the group can have the same set of access permissions specified in the authorization policy.
14. What kinds of security credentials can RAM users have?
RAM users can access cloud services through APIs or by logging into the Alibaba Cloud Management console with the help of access keys. You can also enable Multi-Factor Authentication (MFA) which requires another verification code (second security factor provided by the user’s MFA device) after entering username and password. This provides another layer of security for your account.