
Well-Architected Framework:Permission Management

Last Updated:Jul 15, 2025

Permission management in the cloud controls which operations an identity can perform on which resources, and under what conditions. Alibaba Cloud provides the following authorization methods:

  1. Identity-based authorization: Permissions are attached to the identity that makes the request, that is, to RAM users, RAM user groups, or RAM roles.

  2. Resource-based authorization: Some cloud products allow a policy to be attached directly to a specific resource. For example, an OSS bucket policy lets the bucket owner grant access to RAM users in other Alibaba Cloud accounts, or to anonymous users, subject to conditions such as source IP address restrictions.

  3. Control Policy: Control policies are access control mechanisms based on resource structure (resource folders or members) for multi-account organizations that have enabled Resource Directory (RD). They set permission boundaries for resource access at each level of the resource directory, so an organization can enforce company-wide access control rules as well as rules that apply only to one folder or member. Control policies only define permission boundaries; they never grant permissions by themselves.

  4. Session Policy: When assuming a role, you can pass a session policy that defines the permissions available in that session, further narrowing the role's permissions. The effective permissions of the session are the intersection of the role's own policies and the session policy. Like control policies, session policies only limit permissions and do not grant them.

Regardless of the authorization method, appropriate permission settings prevent unauthorized access and protect cloud assets and data. The core principle of permission management in the cloud is least privilege: grant each identity only the permissions it needs, so that permissions are minimal but sufficient.

Based on this principle, Alibaba Cloud offers the following best practices for authorizing different identity types.

Permission management for human identities

Function-based authorization

In an organization, people with different responsibilities need to access different types of cloud resources. Security administrators usually need security products such as Security Center and Cloud Firewall, while database administrators typically only need database products such as ApsaraDB RDS. Conversely, people who share a responsibility, especially a basic function such as finance, database administration, security administration, or auditing, usually need to access and manage the same set of resources. It is therefore recommended to abstract permissions by job function, which simplifies authorization and reduces management cost.

After defining function-level permissions, organize personnel identities by adding them to the corresponding functional user groups, so that permissions are attached to the group once rather than to each user individually.

Resource scope-based authorization

Although the core principle of permission management is least privilege, customizing permissions for every personnel identity in a large organization would greatly reduce management efficiency. Authorizing by the resource scope that corresponds to the business applications a person manages simplifies the authorization logic, increases policy reuse, and strikes a balance between least privilege and management efficiency.

In the cloud, it is recommended to separate the resources of different business applications by Alibaba Cloud account or by resource group. If an enterprise manages cloud resources across multiple Alibaba Cloud accounts, use Resource Directory to build the enterprise organizational structure and manage accounts and resources centrally; business applications are then separated at the account level, and the entire account is selected as the scope when authorizing. If an enterprise manages all cloud resources in a single Alibaba Cloud account, project teams can use resource groups as containers for resource isolation and permission management, and select the specific resource group as the scope when authorizing.

Through reasonable resource planning and authorizing by resource scope during cloud usage, you can improve overall permission management efficiency.

Permission management for program identities

Fine-grained authorization

In all but a few business scenarios, the operations an application needs to perform on Alibaba Cloud resources are predictable. Use custom permission policies to define the minimum permissions a program identity requires. For example, if a community site needs to display user profile pictures and accept uploads, the program only needs GetObject and PutObject permissions on the specific OSS bucket that stores them. If instead you attach the system policy AliyunOSSFullAccess to the program, then as soon as the program's credentials leak, an attacker holds every OSS permission on every bucket in the account, which is an extremely high risk.
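To make the difference concrete, here is a small evaluator that replays a handful of requests against the two policies from the paragraph above. This is an added example, not code from the Alibaba Cloud page; the policy documents follow the RAM policy grammar (Version "1", Statement with Effect, Action and Resource), the AliyunOSSFullAccess statement is reproduced from its published shape (oss:* on *), and the bucket names community-avatars and finance-backups, the account ID, and the request list are constructed. Condition keys are not evaluated.

```python
"""Least privilege vs. AliyunOSSFullAccess: replay requests against RAM policies.

Added example for the Alibaba Cloud permission-management page, not the page's own
code. Bucket names, account ID and requests are constructed; Condition keys are ignored.
"""
import json
from fnmatch import fnmatchcase

# Custom policy for the avatar service: two actions on one (constructed) bucket.
MINIMAL_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:GetObject", "oss:PutObject"],
      "Resource": ["acs:oss:*:*:community-avatars/*"]
    }
  ]
}
""")

# Shape of the system policy AliyunOSSFullAccess: every OSS action on every resource.
FULL_ACCESS_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}],
}


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Evaluate one request: default deny, any matching Deny wins, '*' is a glob."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed requests: what the avatar service legitimately does, followed by what an
# attacker holding the service's leaked AccessKey would try next.
ACCOUNT = "1234567890123456"
REQUESTS = [
    ("oss:GetObject", f"acs:oss:*:{ACCOUNT}:community-avatars/u123.png"),
    ("oss:PutObject", f"acs:oss:*:{ACCOUNT}:community-avatars/u123.png"),
    ("oss:DeleteObject", f"acs:oss:*:{ACCOUNT}:community-avatars/u123.png"),
    ("oss:GetObject", f"acs:oss:*:{ACCOUNT}:finance-backups/ledger.csv"),
    ("oss:DeleteBucket", f"acs:oss:*:{ACCOUNT}:finance-backups"),
]


def blast_radius(policy):
    """Return the subset of REQUESTS that the policy permits."""
    return [(a, r) for a, r in REQUESTS if is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, policy in (("minimal", MINIMAL_POLICY), ("AliyunOSSFullAccess", FULL_ACCESS_POLICY)):
        print(f"{name}:")
        for action, resource in blast_radius(policy):
            print(f"  allows {action} on {resource}")
```

With the minimal policy, only the first two requests succeed; the leaked key cannot delete avatars, read the finance bucket, or delete it. With AliyunOSSFullAccess all five succeed, which is exactly the exposure the paragraph warns about.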

General best practices

Regular permission reviews

After authorization is complete, audit the granted permissions regularly to ensure that each identity's permissions still satisfy the principle of least privilege. Focus on the following scenarios:

  1. Privileged identities: Administrators with permissions over all products, and identities with full permissions on management and governance products such as RAM, are the primary audit targets. Confirm that each of these identities still has a legitimate reason to hold those privileges.

  2. Idle permissions: For all other identities, use the operation audit logs of the cloud (ActionTrail) to determine which granted permissions on other products have not been exercised during the review window, and remove them.

Setting permission boundaries

For organizations with multiple Alibaba Cloud accounts, use Resource Directory control policies to limit the permission scope of RAM identities in member accounts and to disable a small set of high-risk operations, which reduces the damage a leaked identity can do. For example, you can prohibit members from deleting domain names or modifying DNS resolution records, or prohibit members from deleting log data.

Before attaching a control policy broadly, first attach it to a small test scope and confirm that its effect matches expectations, and only then attach it to all target nodes (resource folders and members).
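The idle-permission review in the previous section and the small-scale test recommended here can both be driven from the same audit-log data. The following script, an added example rather than code from the Alibaba Cloud page, takes a constructed batch of ActionTrail-style events and a constructed view of what each RAM identity has been granted, then (a) reports explicit grants that were never used and, for wildcard grants, the actions actually exercised so the wildcard can be replaced by an explicit list, and (b) dry-runs a Deny-only control policy against the same events to show which recent operations it would have blocked. The event field names (eventTime, serviceName, eventName, userIdentity.userName), the serviceName-to-RAM-prefix mapping, and the action names in the control policy (alidns:DeleteDomain, alidns:UpdateDomainRecord, alidns:DeleteDomainRecord, log:DeleteLogStore, log:DeleteProject) are assumptions that should be verified against the ActionTrail and product documentation before use.

```python
"""Audit-log-driven permission review: idle grants and a control-policy dry run.

Added example for the Alibaba Cloud permission-management page, not the page's code.
Events, user names and grants are constructed; field names, the serviceName-to-prefix
mapping and the control-policy action names are assumptions to verify against the docs.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed ActionTrail-style events from one member account over the review window.
EVENTS = [
    {"eventTime": "2025-06-02T08:12:41Z", "serviceName": "Oss", "eventName": "GetObject",
     "userIdentity": {"userName": "avatar-svc"}},
    {"eventTime": "2025-06-02T08:13:05Z", "serviceName": "Oss", "eventName": "PutObject",
     "userIdentity": {"userName": "avatar-svc"}},
    {"eventTime": "2025-06-03T10:01:17Z", "serviceName": "Rds", "eventName": "DescribeDBInstances",
     "userIdentity": {"userName": "dba-wang"}},
    {"eventTime": "2025-06-10T14:40:09Z", "serviceName": "Alidns", "eventName": "UpdateDomainRecord",
     "userIdentity": {"userName": "ops-li"}},
    {"eventTime": "2025-06-21T09:05:55Z", "serviceName": "Sls", "eventName": "DeleteLogStore",
     "userIdentity": {"userName": "ops-li"}},
]

# Constructed view of what each RAM identity is granted (policies already expanded).
GRANTED = {
    "avatar-svc": ["oss:GetObject", "oss:PutObject", "oss:DeleteObject"],
    "dba-wang": ["rds:*"],
    "ops-li": ["alidns:UpdateDomainRecord", "alidns:DeleteDomain", "log:DeleteLogStore"],
}

# Assumed mapping from ActionTrail serviceName to the RAM action prefix.
SERVICE_PREFIX = {"Oss": "oss", "Rds": "rds", "Alidns": "alidns", "Sls": "log"}


def action_of(event):
    """RAM-style action string ("prefix:Operation") for one audit event."""
    return f"{SERVICE_PREFIX[event['serviceName']]}:{event['eventName']}"


def used_actions():
    """Set of actions each identity actually exercised in the window."""
    used = defaultdict(set)
    for ev in EVENTS:
        used[ev["userIdentity"]["userName"]].add(action_of(ev))
    return used


def idle_permissions():
    """Explicit grants never exercised, plus what each wildcard grant was really used for."""
    used = used_actions()
    report = {}
    for user, grants in GRANTED.items():
        idle = sorted(g for g in grants if "*" not in g and g not in used[user])
        wildcards = {g: sorted(a for a in used[user] if fnmatchcase(a, g))
                     for g in grants if "*" in g}
        report[user] = {"idle": idle, "wildcards": wildcards}
    return report


# Deny-only control policy matching the page's examples: deleting domain names,
# modifying DNS records, deleting log data. Action names are assumptions.
CONTROL_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["alidns:DeleteDomain", "alidns:UpdateDomainRecord",
                   "alidns:DeleteDomainRecord", "log:DeleteLogStore", "log:DeleteProject"],
        "Resource": "*",
    }],
}


def control_policy_dry_run(policy=CONTROL_POLICY):
    """Events in the window the control policy would have blocked, grouped by identity.
    Run this over a test folder's logs before attaching the policy directory-wide."""
    denied = [p for s in policy["Statement"] if s["Effect"] == "Deny"
              for p in (s["Action"] if isinstance(s["Action"], list) else [s["Action"]])]
    blocked = defaultdict(list)
    for ev in EVENTS:
        action = action_of(ev)
        if any(fnmatchcase(action, p) for p in denied):
            blocked[ev["userIdentity"]["userName"]].append((ev["eventTime"], action))
    return dict(blocked)


if __name__ == "__main__":
    for user, r in idle_permissions().items():
        print(f"{user}: idle={r['idle']} wildcards={r['wildcards']}")
    for user, hits in control_policy_dry_run().items():
        print(f"{user}: would be blocked on {hits}")
```

Two caveats a practitioner should keep in mind: an action that is absent from the window is not necessarily unneeded (quarterly or disaster-recovery operations may simply not have happened yet), so the review window must be long enough to cover such cycles; and in the dry run the blocked list for ops-li shows that the draft control policy would have stopped a DNS record change this person legitimately makes, which is exactly the finding a small-scale test is meant to surface before the policy is attached to every member.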