Before you build a landing zone, the system automatically checks whether the current Alibaba Cloud account meets the requirements for a management account. You can specify a management account based on the check result.
Background information
A management account is used to create a resource directory and is the super administrator of the resource directory. The management account has full permissions on its member accounts and the resource directory. You can use only an enterprise account to enable a resource directory. Each resource directory has only one management account. You can use a management account to perform the following operations:
- Manage compliance policies for all members.
- Configure cloud services such as Security Center and Cloud Config for all member accounts.
- Manage bills and payment-related information for all member accounts.
Check item
When you go to the LandingZone Setup page, the system automatically checks the qualification of the current account and provides the check results. The following table describes the check results.
Check item | Description | Check result |
---|---|---|
Resource Check | Checks whether other cloud resources exist within the current logon account. A management account is responsible for governing and managing member accounts. We recommend that you do not deploy other cloud resources within this account. | |
Access Key Check | Checks whether an AccessKey pair of the Alibaba Cloud account has been created within the current logon account. To ensure the security of your business, we recommend that you do not create an AccessKey pair for an Alibaba Cloud account. A leaked AccessKey pair may expose the resources of the Alibaba Cloud account to high security risks. If an Alibaba Cloud account is used as a management account, the account can be used to manage more resources and its AccessKey pair is exposed to higher security risks. Note: The check is performed only if you log on to the Cloud Governance Center console by using an Alibaba Cloud account. | |
RAM User Check | Checks the number of RAM users within the current logon account. A larger number of RAM users indicates that more individuals can use the current logon account. If the logon account is used as a management account, permission management may be out of control. | |
Overdue Payment Check | Checks whether the current logon account has overdue payments. Overdue payments within an account affect the activation and use of cloud services. | |
Suggestions
You can specify a management account based on the check results and the suggestions that are provided in the following table.
Check result | Suggestion |
---|---|
All check items passed the check. | Use the current logon account as a management account. |
Some or all check items failed the check. | The system automatically displays the Details dialog box that shows the failed check items. You can fix the failed check items based on the following suggestions: Note: You can still perform subsequent operations if you do not fix the failed check items, but specific security risks may exist. We recommend that you fix the failed check items. |