By Shantanu Kaushik
Cloud computing has made way for multi-tier processing and access systems. Different environments allow for different SDLC models, and the information delivery mechanism has also evolved to support wider system implementation. Every deployment needs to keep a close eye on security, compliance, and access authorization.
Alibaba Cloud Resource Access Management (RAM) allows a system administrator to create and manage RAM users for employees, systems, applications, customers, and any other required identities. With Alibaba Cloud RAM, these identities are easily managed, and each user can be assigned the permissions it needs to access Alibaba Cloud resources.
In a scenario where multiple users collaborate and manage cloud resources within an organization, Alibaba Cloud RAM allows the administrator to keep the Alibaba Cloud account and password confidential. Alibaba Cloud RAM also allows the administrator to grant users the minimum required permissions to ensure high security.
In this article, we will list all of the usage scenarios and product scope associated with Alibaba Cloud RAM.
An enterprise may decide to migrate from on-premises infrastructure to the cloud, deploying on Alibaba Cloud products and services such as Elastic Compute Service (ECS), Object Storage Service (OSS), Server Load Balancer (SLB), and a database system of its choice. The administrator needs to assign different tasks to different teams (user groups) or individual users.
These users will be assigned different tasks and will need various permissions to complete the tasks. Alibaba Cloud RAM will facilitate every need related to authorization and permission management in this scenario. Let's take a look at the information flow architecture for this scenario on the chart below:
You can see how multiple users and teams are assigned to a particular project. Alibaba Cloud RAM is the gateway through which they access any cloud resource the enterprise has deployed. This controlled access brings a number of benefits, including central resource management and access scoped to what each task requires. The exact task requirements and resource usage reports can be compared to analyze employee or team performance, leading to a better-managed system with optimal usage and better team collaboration.
In this scenario, you can:
In many situations, an enterprise outsources tasks to other enterprises. These tasks could be operations and maintenance (O&M), monitoring, or many other things. The parent enterprise has to grant certain permissions to the enterprise they are outsourcing to for that enterprise to access its resources.
Let's start by looking at the information flow architecture for this scenario on the chart below:
Here, the resource access has been provided by the parent or master enterprise to the other enterprise for O&M and monitoring. The Account I is used for granting or revoking access. The second enterprise can allow one or more of its employees/users to perform operations and maintenance on allocated resources and generate reports to be sent to the master organization.
The role that is created and the permissions granted to it exist for cross-account access management. Alibaba Cloud RAM allows these cross-account resources to be accessed through the console by creating sub-users and granting them the authorization their roles require.
There are scenarios where an enterprise needs to grant limited or temporary access to certain applications. Mobile applications running on many devices are a typical case: their access to cloud resources needs to be controlled to allow proper resource access management.
The solution in Alibaba Cloud RAM is STS tokens. The enterprise minimizes its exposure by giving each mobile application an access token that carries only the permissions assigned to it and a fixed validity period. STS tokens are security credentials with a limited validity period. Authorizing a mobile app to access Alibaba Cloud resources is a textbook example of using the Security Token Service (STS) together with Resource Access Management (RAM).
Let's take a look at the architecture for this scenario on the chart below:
Here, the enterprise creates a RAM user to access the AppServer and grants this user the authorization for the assigned role. This role was pre-defined centrally by the enterprise using the Alibaba Cloud RAM console. To grant different levels of permissions, a policy was created and bound to the defined role. All of the steps are listed below:
Let's take a look at the chart below:
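As an added illustration (not code from this article or from Alibaba Cloud), the following Python sketches the policy-bound role behind a mobile app's STS token: a constructed RAM policy that confines the app to its own user's prefix in an assumed bucket `app-bucket`, a minimal evaluator applying RAM's deny-overrides-allow rule, and the parameters of the STS `AssumeRole` call that issues the time-limited token. The bucket, prefix, account ID and role ARN are assumptions.

```python
import fnmatch
import json

# Constructed policy for the role a mobile app assumes through STS: the app
# may read and write only its own user's prefix in one OSS bucket and may
# never delete. Bucket, prefix and account values are assumptions.
MOBILE_APP_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:GetObject", "oss:PutObject"],
         "Resource": "acs:oss:*:*:app-bucket/user-1001/*"},
        {"Effect": "Deny",
         "Action": "oss:DeleteObject",
         "Resource": "acs:oss:*:*:app-bucket/*"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, target):
    # The '*' wildcard of RAM policy strings behaves like a shell glob.
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))

def is_allowed(policy_json, action, resource):
    """RAM evaluation: an explicit Deny beats any Allow; no match means denied."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def assume_role_request(role_arn, session_name, policy_json, duration_seconds):
    """Parameters of the STS AssumeRole call that mints the app's token.

    The inline Policy can only narrow what the role itself allows, and
    DurationSeconds (at least 900) bounds how long the token stays valid.
    """
    if duration_seconds < 900:
        raise ValueError("STS tokens must be valid for at least 900 seconds")
    return {"RoleArn": role_arn, "RoleSessionName": session_name,
            "Policy": policy_json, "DurationSeconds": duration_seconds}
```

The request dictionary maps directly onto the AssumeRole parameters; the evaluator is only a model of the RAM rules for checking a policy before it is attached.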
An enterprise is set up to deploy applications on Alibaba Cloud Elastic Compute Service (ECS) instances and needs to implement proper authentication and access control. Let's see what the system administrator needs to do in this usage scenario.
This scenario uses the Alibaba Cloud API Gateway to call other Alibaba Cloud services. Alibaba Cloud RAM can provide an STS token to your application so that it can perform the API operation. At the same time, an administrator can define resource access for a user or a group to allow seamless access.
AccessKey pairs can be embedded in the application code or saved in a separate configuration file for the application. However, storing an AccessKey in plain text inside an ECS instance is not advisable: if an image of that instance is shared, the AccessKey is disclosed with it.
Storing AccessKey pairs inside ECS instances brings a further complication: whenever the AccessKey pairs are changed during O&M, every ECS instance has to be updated and redeployed.
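One way to avoid the plain-text AccessKey problem described above is to let the application read the short-lived credentials of the RAM role attached to the ECS instance from the instance metadata service and refresh them shortly before they expire. The example below is added here and is not the article's or Alibaba Cloud's code; the role name `EcsAppRole` and the offline `FakeMetadataService` are constructed for illustration, and the real fetch assumes the metadata service is reachable in its default mode from inside the instance.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.request import urlopen

# ECS metadata endpoint serving the temporary credentials of the RAM role
# attached to the instance; it is reachable only from inside the instance.
METADATA_URL = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def fetch_from_metadata(role_name):
    with urlopen(METADATA_URL + role_name, timeout=2) as resp:
        return json.loads(resp.read().decode())

class InstanceRoleCredentials:
    """Holds STS credentials in memory only and refreshes them before they expire."""
    def __init__(self, role_name, fetch=fetch_from_metadata, now=None, margin=300):
        self.role_name, self._fetch, self._creds, self._expires = role_name, fetch, None, None
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._margin = timedelta(seconds=margin)  # refresh this long before expiry

    def get(self):
        if self._creds is None or self._now() + self._margin >= self._expires:
            creds = self._fetch(self.role_name)
            if creds.get("Code") != "Success":
                raise RuntimeError("metadata service returned %r" % creds.get("Code"))
            self._creds = creds
            self._expires = datetime.strptime(creds["Expiration"], TIME_FMT).replace(tzinfo=timezone.utc)
        return {k: self._creds[k] for k in ("AccessKeyId", "AccessKeySecret", "SecurityToken")}

class FakeMetadataService:
    """Constructed offline stand-in: each call issues a fresh one-hour credential."""
    def __init__(self):
        self.clock, self.issued = datetime(2021, 1, 1, tzinfo=timezone.utc), 0

    def fetch(self, role_name):
        self.issued += 1
        return {"Code": "Success", "AccessKeyId": "STS.fake%d" % self.issued,
                "AccessKeySecret": "fake-secret", "SecurityToken": "fake-token",
                "Expiration": (self.clock + timedelta(hours=1)).strftime(TIME_FMT)}

def simulate(minutes_between_calls):
    # Advance the fake clock before each call and record which AccessKeyId was used.
    svc = FakeMetadataService()
    provider = InstanceRoleCredentials("EcsAppRole", fetch=svc.fetch, now=lambda: svc.clock)
    used = []
    for minutes in minutes_between_calls:
        svc.clock += timedelta(minutes=minutes)
        used.append(provider.get()["AccessKeyId"])
    return used
```

Because the credential is fetched at run time and rotated automatically, a shared image carries no secret and a key change during O&M needs no redeployment.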
Alibaba Cloud RAM provides a unified interface and a centralized management approach for a seamless user experience. It is available free of charge with most Alibaba Cloud products. It is deeply integrated throughout the products and solutions offered by Alibaba Cloud, including elastic compute resources such as Elastic Compute Service (ECS), databases, storage products, security products such as Anti-DDoS, and middleware products such as EDAS, IoT, and machine learning. This default integration gives an enterprise the confidence to deploy its services on Alibaba Cloud.