Before you create accounts in the account factory, you must configure the account baseline, including common baseline items related to identities, permissions, networking, and security. This improves the efficiency of creating an account.
Procedure
1. Log on to the Cloud Governance Center console.
2. In the left-side navigation pane, choose Landing Zone > Account Factory.
3. On the Account Factory page, click Settings in the Orchestration for Account Baseline section.
4. In the Orchestration for Account Baseline dialog box, select the account baseline that you want to configure and click Confirm.
   - If the default baseline no longer meets your requirements, click Create Baseline to create additional baselines for orchestration. You can create a baseline template for each purpose that an account serves, and then create an account for a specific purpose from the matching template. In this example, the default baseline is used.
   - If you no longer use a baseline, click the icon to the right of the baseline to delete it. The system automatically checks whether any account uses the baseline; the baseline can be deleted only if no account uses it.
5. Change the name of a baseline.
   a. Click the icon to the right of the baseline.
   b. In the Edit Baseline Property dialog box, enter a name and a description.
   c. Click OK.
6. Add baseline items.
   Note: The built-in default baseline items Billing Method, Bind CloudSSO Permissions, and Guardrails cannot be deleted. You can add further baseline items on top of the default items.
   a. Click Add Baseline Items.
   b. In the Add Baseline Item dialog box, select the baseline items that you want to add and click Add.
   Note: If Baseline Item A depends on Baseline Item B, Baseline Item B is automatically selected when you select Baseline Item A. For example, selecting Security Group automatically selects VPC.
7. Configure the parameters of the baseline items.
   Click the icon to the right of a baseline item to configure its parameters.
8. Click Save.
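The procedure above states three rules that the console enforces: a selected item pulls in the item it depends on (Security Group pulls in VPC, Message pulls in Account Contact), the three default items cannot be removed, and a baseline that is still used by an account cannot be deleted. The following added example (not Cloud Governance Center code) models those rules in Python, using the dependencies from the "Supported baseline items" table below, so that a planned baseline can be sanity-checked before it is clicked through in the console. The baseline and account names in the `__main__` section are constructed.

```python
"""Constructed model of the account-baseline rules described in this topic.

This is not Cloud Governance Center code; it mirrors the dependency,
default-item and in-use rules so they can be checked offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Dependencies from the "Supported baseline items" table: item -> item it requires.
DEPENDENCIES: dict[str, str | None] = {
    "Billing Method": None,
    "Bind CloudSSO Permissions": None,
    "Guardrails": None,
    "RAM Password Policy": None,
    "VPC": None,
    "Security Group": "VPC",
    "Account Contact": None,
    "Message": "Account Contact",
    "Activate Service": None,
    "RAM Role": None,
    "ECS Key Pair": None,
    "ECS Shared Image": None,
    "Predefined Tag": None,
    "RAM User Security Settings": None,
    "Configure RAM role-based SSO": None,
}

# Built-in items that every baseline keeps; the console does not let you delete them.
DEFAULT_ITEMS: tuple[str, ...] = ("Billing Method", "Bind CloudSSO Permissions", "Guardrails")


class BaselineError(ValueError):
    """Raised when an operation would violate one of the baseline rules."""


def dependency_chain(item: str) -> list[str]:
    """Return the item preceded by everything it depends on, dependencies first."""
    if item not in DEPENDENCIES:
        raise BaselineError(f"unknown baseline item: {item}")
    chain: list[str] = []
    current: str | None = item
    while current is not None:
        chain.append(current)
        current = DEPENDENCIES[current]
    chain.reverse()
    return chain


@dataclass
class Baseline:
    name: str
    items: list[str] = field(default_factory=lambda: list(DEFAULT_ITEMS))

    def add_items(self, wanted: list[str]) -> list[str]:
        """Add the wanted items and auto-select their dependencies; returns what was newly added."""
        added: list[str] = []
        for item in wanted:
            for needed in dependency_chain(item):
                if needed not in self.items:
                    self.items.append(needed)
                    added.append(needed)
        return added

    def remove_item(self, item: str) -> None:
        """Refuse to drop a default item, or one that another selected item still depends on."""
        if item in DEFAULT_ITEMS:
            raise BaselineError(f"{item} is a built-in default item and cannot be deleted")
        dependents = [i for i in self.items if DEPENDENCIES.get(i) == item]
        if dependents:
            raise BaselineError(f"{item} is required by {', '.join(dependents)}")
        self.items.remove(item)


class AccountFactory:
    """Tracks which accounts were created from which baseline."""

    def __init__(self) -> None:
        self.baselines: dict[str, Baseline] = {"default": Baseline("default")}
        self.accounts: dict[str, str] = {}  # account name -> baseline name

    def create_account(self, account: str, baseline: str) -> None:
        if baseline not in self.baselines:
            raise BaselineError(f"no such baseline: {baseline}")
        self.accounts[account] = baseline

    def delete_baseline(self, baseline: str) -> None:
        """Mirror the console check: a baseline used by any account cannot be deleted."""
        users = sorted(a for a, b in self.accounts.items() if b == baseline)
        if users:
            raise BaselineError(f"baseline {baseline} is used by: {', '.join(users)}")
        del self.baselines[baseline]


if __name__ == "__main__":
    factory = AccountFactory()
    factory.baselines["prod"] = Baseline("prod")  # constructed baseline name
    print(factory.baselines["prod"].add_items(["Security Group", "Message"]))
    factory.create_account("prod-app-01", "prod")  # constructed account name
    try:
        factory.delete_baseline("prod")
    except BaselineError as exc:
        print("blocked:", exc)
```

Selecting `Security Group` on an otherwise default baseline adds `VPC` first and then `Security Group`, which is the order the console's automatic selection produces; the `remove_item` guard is the mirror image, refusing to remove `VPC` while `Security Group` is still selected.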
Baseline items
Supported baseline items
| Baseline item | Description | Dependent baseline item | References |
| --- | --- | --- | --- |
| Billing Method (default baseline item) | You can specify a billing account for the members in your resource directory. This way, you can manage the fees that are generated for your enterprise in a centralized manner. | None | None |
| Bind CloudSSO Permissions (default baseline item) | You can configure identities and permissions for multiple members in the resource directory. This helps reduce the risks that are related to identity management and permissions management, and improves the efficiency of multi-account management. | None | |
| Guardrails (default baseline item) | You can configure and enable the protection rules of Cloud Config for all members in your resource directory in the Cloud Governance Center console. You can manage the protection rules in a centralized manner in the Cloud Governance Center console. This ensures that the basic configurations of Cloud Governance Center and the resource structure that is created in Cloud Governance Center are not modified. This also ensures the security of multi-account environments. | None | |
| RAM Password Policy | You can specify password complexity requirements to improve the account security of Resource Access Management (RAM) users. Common password rules include the password length, supported characters, and password validity period. | None | |
| VPC | A virtual private cloud (VPC) is a private network in the cloud. Each VPC consists of CIDR blocks, vSwitches, and access control lists (ACLs). | None | |
| Security Group | A security group acts as a virtual firewall to control the inbound and outbound traffic of Elastic Compute Service (ECS) instances to improve security. | VPC | |
| Account Contact | You can configure contacts for an account to receive notifications. Alibaba Cloud does not disclose or provide the contact information to third parties. | None | |
| Message | You can configure recipients for each type of message. We recommend that you configure recipients to receive important notifications that are related to accounts, services, and exceptions. This prevents business loss caused by missed notifications. | Account Contact | |
| Activate Service | Only an account that has administrative permissions can be used to activate specific Alibaba Cloud services. If you log on as a RAM user that does not have administrative permissions, you may fail to activate services. To prevent this issue, you can configure the Activate Service baseline item to specify the Alibaba Cloud services that are automatically activated when you create an account. Note: Service-linked roles are required to activate specific Alibaba Cloud services. Cloud Governance Center automatically creates the required service-linked roles when you activate the Alibaba Cloud services. For more information, see the "Service-linked roles that are automatically created when you activate specific Alibaba Cloud services" section of this topic. | None | |
| RAM Role | You can create RAM roles for an Alibaba Cloud account that has administrative permissions on the resource directory. The account, as a trusted entity, can assume a RAM role to perform O&M, which reduces risks. | None | |
| ECS Key Pair | Push a key pair to a specific account. You can specify a key pair when you create an instance or bind a key pair after you create an instance. Then, you can use the key to connect to the instance. | None | |
| ECS Shared Image | A shared image can be deployed on ECS instances that belong to different accounts. You can share an image with other Alibaba Cloud accounts. | None | |
| Predefined Tag | A predefined tag is a tag that you create in advance and that is available for resources in all Alibaba Cloud regions. You can create predefined tags in the tag planning stage and add them to specific cloud resources in the tag implementation stage. | None | |
| RAM User Security Settings | You can manage global security settings of RAM users to improve the security of the RAM users. You can specify whether to allow RAM users to change their passwords and whether to enable multi-factor authentication (MFA) devices, and specify the validity period of a logon session. | None | |
| Configure RAM role-based SSO | You can implement role-based single sign-on (SSO) based on a Security Assertion Markup Language (SAML) identity provider (IdP). Role-based SSO allows an enterprise to manage users in the local IdP without the need to synchronize users from the IdP to Alibaba Cloud. In addition, employees of the enterprise can log on to Alibaba Cloud by using a specific RAM role. | None | |
Service-linked roles that are automatically created when you activate specific Alibaba Cloud services
| Alibaba Cloud service | Service identifier | Service-linked role | Policy |
| --- | --- | --- | --- |
| Application Real-Time Monitoring Service (ARMS) | arms.aliyuncs.com | AliyunServiceRoleForARMS | AliyunServiceRolePolicyForARMS |
| NAT Gateway | nat.aliyuncs.com | AliyunServiceRoleForNatgw | AliyunServiceRolePolicyForNatgw |
| EventBridge | source-cms.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSourceCMS | AliyunServiceRolePolicyForEventBridgeSourceCMS |
| EventBridge | connect-vpc.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeConnectVPC | AliyunServiceRolePolicyForEventBridgeConnectVPC |
| EventBridge | source-actiontrail.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSourceActionTrail | AliyunServiceRolePolicyForEventBridgeSourceActionTrail |
| Data Management (DMS) | dms.aliyuncs.com | AliyunDMSDefaultRole | AliyunDMSRolePolicy |
| Data Management (DMS) | dms.aliyuncs.com | AliyunServiceRoleForDMS | AliyunServiceRolePolicyForDMS |
| Data Transmission Service (DTS) | dts.aliyuncs.com | AliyunDTSDefaultRole | AliyunDTSRolePolicy |
| Data Transmission Service (DTS) | dms.aliyuncs.com | AliyunServiceRoleForDMS | AliyunServiceRolePolicyForDMS |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSDefaultRole | AliyunCSDefaultRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSKubernetesAuditRole | AliyunCSKubernetesAuditRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedArmsRole | AliyunCSManagedArmsRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedCmsRole | AliyunCSManagedCmsRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedCsiRole | AliyunCSManagedCsiRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedKubernetesRole | AliyunCSManagedKubernetesRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedLogRole | AliyunCSManagedLogRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedNetworkRole | AliyunCSManagedNetworkRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedVKRole | AliyunCSManagedVKRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSServerlessKubernetesRole | AliyunCSServerlessKubernetesRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedNlcRole | AliyunCSManagedNlcRolePolicy |
| Container Service for Kubernetes (ACK) | cs.aliyuncs.com | AliyunCSManagedAutoScalerRole | AliyunCSManagedAutoScalerRolePolicy |
| Container Service for Kubernetes (ACK) | oos.aliyuncs.com | AliyunOOSLifecycleHook4CSRole | AliyunOOSLifecycleHook4CSRolePolicy |
| Function Compute | fc.aliyuncs.com | AliyunFCDefaultRole | AliyunFCDefaultRolePolicy |
| Simple Log Service | log.aliyuncs.com | AliyunLogArchiveRole | AliyunLogArchiveRolePolicy |
| Classic Load Balancer (CLB) | slb.aliyuncs.com | SLBLogDefaultRole | AliyunSLBRolePolicy |
| Classic Load Balancer (CLB) | slb.aliyuncs.com | AliyunSLBHealthDiagnoseRole | AliyunSLBHealthDiagnoseRolePolicy |
| Microservices Engine (MSE) | mse.aliyuncs.com | AliyunServiceRoleForMSE | AliyunServiceRolePolicyForMSE |
| VPN Gateway | vpn.aliyuncs.com | AliyunServiceRoleForVpn | AliyunServiceRolePolicyForVpn |
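Because these service-linked roles are created automatically when a service is activated through the baseline, a missing or policy-stripped role in a new member account is a sign that the baseline did not apply as expected. The following added example (not Alibaba Cloud's own code) turns the table above into data and checks a role inventory against it. The inventory is constructed here; in practice you would populate it from the RAM `GetRole` and `ListPoliciesForRole` operations for the member account, which is an assumption about the wiring rather than something this topic describes.

```python
"""Constructed drift check: compare an account's RAM roles against the
service-linked role table in this topic. Not Alibaba Cloud's own code."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ExpectedRole:
    service: str
    identifier: str
    role: str
    policy: str


# The rows of the table above, copied as data.
EXPECTED_ROLES: list[ExpectedRole] = [
    ExpectedRole("Application Real-Time Monitoring Service (ARMS)", "arms.aliyuncs.com", "AliyunServiceRoleForARMS", "AliyunServiceRolePolicyForARMS"),
    ExpectedRole("NAT Gateway", "nat.aliyuncs.com", "AliyunServiceRoleForNatgw", "AliyunServiceRolePolicyForNatgw"),
    ExpectedRole("EventBridge", "source-cms.eventbridge.aliyuncs.com", "AliyunServiceRoleForEventBridgeSourceCMS", "AliyunServiceRolePolicyForEventBridgeSourceCMS"),
    ExpectedRole("EventBridge", "connect-vpc.eventbridge.aliyuncs.com", "AliyunServiceRoleForEventBridgeConnectVPC", "AliyunServiceRolePolicyForEventBridgeConnectVPC"),
    ExpectedRole("EventBridge", "source-actiontrail.eventbridge.aliyuncs.com", "AliyunServiceRoleForEventBridgeSourceActionTrail", "AliyunServiceRolePolicyForEventBridgeSourceActionTrail"),
    ExpectedRole("Data Management (DMS)", "dms.aliyuncs.com", "AliyunDMSDefaultRole", "AliyunDMSRolePolicy"),
    ExpectedRole("Data Management (DMS)", "dms.aliyuncs.com", "AliyunServiceRoleForDMS", "AliyunServiceRolePolicyForDMS"),
    ExpectedRole("Data Transmission Service (DTS)", "dts.aliyuncs.com", "AliyunDTSDefaultRole", "AliyunDTSRolePolicy"),
    ExpectedRole("Data Transmission Service (DTS)", "dms.aliyuncs.com", "AliyunServiceRoleForDMS", "AliyunServiceRolePolicyForDMS"),
    ExpectedRole("Container Service for Kubernetes (ACK)", "cs.aliyuncs.com", "AliyunCSDefaultRole", "AliyunCSDefaultRolePolicy"),
    ExpectedRole("Container Service for Kubernetes (ACK)", "cs.aliyuncs.com", "AliyunCSKubernetesAuditRole", "AliyunCSKubernetesAuditRolePolicy"),
    ExpectedRole("Container Service for Kubernetes (ACK)", "cs.aliyuncs.com", "AliyunCSManagedArmsRole", "AliyunCSManagedArmsRolePolicy"),
    ExpectedRole("Container Service for Kubernetes (ACK)", "cs.aliyuncs.com", "AliyunCSManagedCmsRole", "AliyunCSManagedCmsRolePolicy"),
    ExpectedRole("Container Service for Kubernetes (ACK)", "cs.aliyuncs.com", "AliyunCSManagedCsiRole", "AliyunCSManagedCsiRolePolicy"),
    ExpectedRole("Container Service for Kubernetes (ACK)", "cs.aliyuncs.com", "AliyunCSManagedKubernetesRole", "AliyunCSManagedKubernetesRolePolicy"),
    ExpectedRole("Container Service for Kubernetes (ACK)", "cs.aliyuncs.com", "AliyunCSManagedLogRole", "AliyunCSManagedLogRolePolicy"),
    ExpectedRole("Container Service for Kubernetes (ACK)", "cs.aliyuncs.com", "AliyunCSManagedNetworkRole", "AliyunCSManagedNetworkRolePolicy"),
    ExpectedRole("Container Service for Kubernetes (ACK)", "cs.aliyuncs.com", "AliyunCSManagedVKRole", "AliyunCSManagedVKRolePolicy"),
    ExpectedRole("Container Service for Kubernetes (ACK)", "cs.aliyuncs.com", "AliyunCSServerlessKubernetesRole", "AliyunCSServerlessKubernetesRolePolicy"),
    ExpectedRole("Container Service for Kubernetes (ACK)", "cs.aliyuncs.com", "AliyunCSManagedNlcRole", "AliyunCSManagedNlcRolePolicy"),
    ExpectedRole("Container Service for Kubernetes (ACK)", "cs.aliyuncs.com", "AliyunCSManagedAutoScalerRole", "AliyunCSManagedAutoScalerRolePolicy"),
    ExpectedRole("Container Service for Kubernetes (ACK)", "oos.aliyuncs.com", "AliyunOOSLifecycleHook4CSRole", "AliyunOOSLifecycleHook4CSRolePolicy"),
    ExpectedRole("Function Compute", "fc.aliyuncs.com", "AliyunFCDefaultRole", "AliyunFCDefaultRolePolicy"),
    ExpectedRole("Simple Log Service", "log.aliyuncs.com", "AliyunLogArchiveRole", "AliyunLogArchiveRolePolicy"),
    ExpectedRole("Classic Load Balancer (CLB)", "slb.aliyuncs.com", "SLBLogDefaultRole", "AliyunSLBRolePolicy"),
    ExpectedRole("Classic Load Balancer (CLB)", "slb.aliyuncs.com", "AliyunSLBHealthDiagnoseRole", "AliyunSLBHealthDiagnoseRolePolicy"),
    ExpectedRole("Microservices Engine (MSE)", "mse.aliyuncs.com", "AliyunServiceRoleForMSE", "AliyunServiceRolePolicyForMSE"),
    ExpectedRole("VPN Gateway", "vpn.aliyuncs.com", "AliyunServiceRoleForVpn", "AliyunServiceRolePolicyForVpn"),
]


def roles_for_service(expected: list[ExpectedRole], service: str) -> list[ExpectedRole]:
    """Select the rows for one service, e.g. only the services the baseline activates."""
    return [e for e in expected if e.service == service]


def audit_service_linked_roles(expected: list[ExpectedRole], inventory: dict[str, set[str]]) -> list[str]:
    """Compare expected roles with an inventory of role name -> attached policy names.

    Returns one finding per expected role that is absent or lacks its policy;
    an empty list means the account matches the table for those services.
    """
    findings: list[str] = []
    for exp in expected:
        attached = inventory.get(exp.role)
        if attached is None:
            findings.append(f"MISSING role {exp.role} for {exp.service} ({exp.identifier})")
        elif exp.policy not in attached:
            findings.append(f"POLICY {exp.policy} not attached to {exp.role} for {exp.service}")
    return findings


# Constructed inventory for a hypothetical member account: the DMS default role
# has lost its policy and the VPN Gateway role was never created.
SAMPLE_INVENTORY: dict[str, set[str]] = {
    "AliyunDMSDefaultRole": set(),
    "AliyunServiceRoleForDMS": {"AliyunServiceRolePolicyForDMS"},
}

if __name__ == "__main__":
    checked = roles_for_service(EXPECTED_ROLES, "Data Management (DMS)") + roles_for_service(EXPECTED_ROLES, "VPN Gateway")
    for finding in audit_service_linked_roles(checked, SAMPLE_INVENTORY):
        print(finding)
```

Run the audit only for the services your baseline's Activate Service item actually selects; a role for a service that was never activated is expected to be absent and should not be reported as drift.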
What to do next
After you configure the account baseline, you can create an account by using the account baseline. For more information, see Use the account baseline to create an account.