Alibaba Cloud Resource Access Management (RAM) is an identity and access control service which enables you to centrally manage your users (including employees, systems or applications) and securely control their access to your resources through permission levels. RAM thereby allows you to securely grant access permissions for Alibaba Cloud resources to only your selected high-privileged users, enterprise personnel and partners. This helps to ensure secure and appropriate usage of your cloud resources and protects from any unsolicited access to your account.
Benefits
-
Enhanced Security
Follows Multi-Factor Authentication (MFA) technique to ensure protection for your account
-
Usability
Allows you to simply access and configure RAM using web-based Alibaba Cloud Management Console or APIs
-
Complimentary Service with Alibaba Cloud Subscription
Enables centralized management without paying extra charges; pay only for other services used by your RAM users
Provides one consolidated bill for all expenses incurred by resource operations performed by all users present in multiple accounts falling under one enterprise account
-
Centralized management
Create, manage, rename and delete RAM users, groups and roles; grant necessary permissions
Use unified management of access permissions and identity credentials for Alibaba Cloud resources
Revoke permissions from multiple resources or user accounts in accordance with your needs
Feature
-
Identity Management
User Identity Management
Create and manage user identities and grant permissions using the primary account
Multi-factor Authentication
Supports MFA devices that comply with TOTP protocol standard (RFC 6238) to keep user passwords secure and assign special permissions like shutting down virtual hosts
Independent Password Policy Management
Create custom password strength policies for users and set the number of allowed logon attempts, password validity periods, and other password policies
User Groups
Create and manage user groups for assigning the same set of permissions to multiple users
Access Keys
Set access keys for users wanting to perform operations using the console. You can also set up API access keys for users who require programmatic access
-
SSO (Identity Federation)
User-based SSO
You can configure your IdP to specify a RAM user in the SAML assertion and use the RAM user to access Alibaba Cloud.
Role-based SSO
You can configure your IdP to specify a RAM role in the SAML assertion and use the RAM role to access Alibaba Cloud.
-
Access Management
Execution Permission
Set permissions for allowing or denying execution of certain operations on specific resources under certain conditions
Custom Access Management
Use custom policies to manage user permissions effectively
Group Permission
The group permission mechanism allows for scenario-specific access management to reduce the burdens associated with permission management
User Access Management
Grant user or user group access to users under your account, or even other Alibaba Cloud accounts
-
Security Token Service
Access Permission
Security Token Service grants specific cloud resource access permissions to mobile clients, giving your mobile customers direct access to cloud resources
Custom Validity
Supports custom token validity periods for enhanced security
-
High Flexibility
Fine-grained Access Management
Allows you to grant permission for one or multiple operations on a single resource. For example, a resource owner can grant permission to create, perform operations or delete resources
Multi-dimensional Access Management
Restricts access permissions by IP, time, and other factors
Version Management Mechanism
Retain multiple versions of each authorization policy to eliminate risk of unwanted policy deletion
-
Usage and Billing
Free of Charge
RAM is offered at no additional cost. You are charged only for other Alibaba products/services used by RAM users/roles
Consolidated Bill
Your account receives a consolidated bill for all expenses incurred from resource operations performed by all RAM users/roles
How it works
Enterprise User Account Management and Permission Allocation
An enterprise has a project for which it has purchased multiple cloud resources like ECS/RDS/SLB instances and OSS buckets. Employees with different responsibilities and permissions need to perform various operations. They can be allocated independent user or operator accounts to perform only those resource operations to which they have permissions. This way the enterprise does not compromise on security and can also grant/revoke permissions for any user account at any time. Also, charges for resource operations are billed collectively to the enterprise that is the primary account.
Advantages
-
- Bind the primary account to an MFA device and configure MFA for the primary account to prevent risks caused by disclosure of primary account password
-
- Activate RAM
-
- Create user accounts and RAM user accounts for different employees (or application systems) and set logon passwords or create access keys as needed
-
- Create a group for multiple employees with same responsibilities and add users to the group
-
- Create custom policies and grant permissions by binding one or more policies to groups/users
Temporary Access Management for Mobile Apps
An enterprise does not want to allow all apps to use the AppServer to transmit data. However, mobile apps run on mobile devices and controlling these devices is not possible. The enterprise also wants to minimize security risks by giving each app an access token with minimal permissions and reducing the access duration.
Resource Operations and Access Management Between Enterprises
Enterprise A has purchased multiple cloud resources and granted cloud resource O&M, monitoring management, and other tasks to Enterprise B. Enterprise B can allocate access permissions for A’s resources to one or more of its employees. B needs to precisely control the operations its employees can perform on A’s resources. A needs to revoke B’s permissions at will if the O&M entrustment contract is revoked.
FAQs
1. How do I get started with Alibaba Cloud RAM?
Once you have signed up for Alibaba Cloud, you can either use web-based Alibaba Cloud Management Console or RAM APIs (for programmatic access) to create users and groups as well as assign them permissions to access different resources.
2. How does a sub-user sign into the Alibaba Cloud Management Console?
Visit the logon page or refer to the links on the Management Console dashboard.
3. Which Alibaba Cloud products and services support RAM integration?
Please refer to documentation Alibaba Cloud services that support RAM.
4. What is a RAM-role?
A RAM-Role is a virtual user (shadow account) or a type of RAM user. This user has a fixed identity and can be granted policies. However, a RAM-Role must be assumed by an authorized real user.
5. Which operation permissions are granted to a new RAM-user?
By default, a new RAM user has no operation permissions. A RAM user represents an operator and must be explicitly authorized to perform any operation. The user can perform resource operations through the RAM console or APIs, only after being authorized.
6. What are policies?
A policy is a group of permissions described using Policy Language. It can precisely define the authorized resource set and operation set, as well as the authorization conditions.
7. How do I view all system policies supported by Alibaba Cloud?
To view all the system policies supported by Alibaba Cloud, log on to the RAM console and go to the Policies page to view a list of all system policies.
8. What is a RoleARN?
A RoleARN is the global resource descriptor that specifies a role. RoleARNs follow Alibaba Cloud’s ARN naming rules.
For example, the RoleARN for the “devops” role of an Alibaba Cloud account: acs:ram::1234567890123456:role/devops.
9. How do I delete a policy with multiple versions?
Policies which have been edited and saved multiple times will have several attached "versions". Once these have been deleted from the RAM console, the remaining "default" policy can be deleted, which will completely remove the policy from your Alibaba Cloud account.
10. How do I assign commonly used permissions?
Alibaba Cloud provides System Policies, a set of commonly used permissions that you can attach to RAM users, groups, and roles. These policies are a group of comprehensive permission sets created and managed by Alibaba Cloud, such as read-only permission for ECS or full permissions for ECS. You can use these policies but not modify them.
11. How do I create a custom policy?
1. Access the RAM console, select Policies.
2. Click “Create Policy.”
3. Select a template from the list (for example, AliyunOSSReadOnlyAccess).
4. Edit the name, remarks, and content of the policy as needed.
5. After making necessary changes, click “OK” to create the custom policy.
12. How do I attach a policy to a group?
1. Log on to the RAM console and choose Identities > Groups.
2. Select a group, and click “Add Permissions” to go to the Add Permissions page.
3. Select the name of the relevant policy to grant permissions to the group.
13. How do I assign the same set of permissions to multiple RAM users?
You can attach policies to RAM groups. All users in the group will be granted the permissions associated with the group.
14. What kinds of security credentials can RAM users have?
RAM users can access cloud services through APIs or by logging into the Alibaba Cloud Management console with the help of access keys. You can also enable Multi-Factor Authentication (MFA) which requires another verification code (second security factor provided by the user’s MFA device) after entering username and password. This provides another layer of security for your account.
Upgraded Support For You
1 on 1 Presale Consultation, 24/7 Technical Support, Faster Response, and More Free Tickets.