
Cloud Backup: Create a RAM user and authorize the RAM user to access Cloud Backup

Last Updated: Oct 31, 2024

To reduce the security risks for your Alibaba Cloud account, you can manage Cloud Backup resources as a Resource Access Management (RAM) user. This topic describes how to create a RAM user and authorize the RAM user to access Cloud Backup and perform operations.

Background information

In actual scenarios, you may need to perform O&M operations on Cloud Backup or access Cloud Backup resources as a RAM user. In the preceding scenarios, you can create a RAM user and grant the RAM user the permissions to access or manage Cloud Backup resources. To ensure data security, we recommend that you follow the principle of least privilege (PoLP) when you grant permissions on Cloud Backup to the RAM user. For more information about RAM users, see Introduction.

Step 1: Create a RAM user

To manage user permissions by using RAM, you must create RAM users and then grant different permissions to each RAM user.

To create a RAM user, perform the following steps:

Step 2: Grant permissions to the RAM user

By default, a new RAM user has no permissions. Before you can use the RAM user to perform operations in the Cloud Backup console or call API operations, you must grant the required permissions to the RAM user.

Cloud Backup provides two system policies:

  • AliyunHBRFullAccess: grants a RAM user full access permissions on Cloud Backup. Because this policy grants broad permissions, it poses a high risk. Proceed with caution.

  • AliyunHBRReadOnlyAccess: grants a RAM user read-only permissions on Cloud Backup.

You can also attach custom policies to the RAM user in the RAM console to achieve fine-grained access control. For more information, see Create custom policies.

In this example, the AliyunHBRReadOnlyAccess policy is attached to a RAM user.

  1. Log on to the RAM console as a RAM administrator.

  2. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.


    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

  3. In the Grant Permission panel, search for and select AliyunHBRReadOnlyAccess in Policy. The selected policy appears in the Selected Policy section on the right.

    Note

    In the Selected Policy section on the right, you can click the cross sign (×) next to a policy to remove the policy.

  4. Confirm the authorization result. Then, click Grant permissions.

Step 3: Use the RAM user to perform backup operations

Log on to the Cloud Backup console as the RAM user and perform backup and restore operations.

  1. Log on to the Cloud Backup console.

  2. In the left-side navigation pane, select the backup feature that you need and perform backup and restore operations.

    When you back up a resource for the first time, Cloud Backup automatically creates a service-linked role to obtain the permissions to access the resource. Follow the steps in the wizard to create the service-linked role. For more information, see Service-linked roles for Cloud Backup.

More policy references

You can grant the permissions on a backup vault to a RAM user. For example, you can authorize the RAM user only to back up or restore data by using the backup vault.

You can grant permissions by using the following sample policies. To create a custom policy, copy one of the scripts and paste the script in the RAM console. Then, attach the custom policy to the RAM user. For more information, see Isolate backup permissions and recovery permissions.

  • To prevent a RAM user from restoring data from a backup vault, use the following sample policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "hbr:CreateRestore",
                    "hbr:CreateRestoreJob",
                    "hbr:CreateHanaRestore",
                    "hbr:CreateUniRestorePlan",
                    "hbr:CreateSqlServerRestore"
                ],
                "Resource": [
                    "acs:hbr:*:1178******531:vault/v-000******blx06",
                    "acs:hbr:*:1178******531:vault/v-000******blx06/client/*"
                ]
            }
        ]
    }

  • To prevent a RAM user from backing up data to a backup vault, use the following sample policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "hbr:CreateUniBackupPlan",
                    "hbr:UpdateUniBackupPlan",
                    "hbr:DeleteUniBackupPlan",
                    "hbr:CreateHanaInstance",
                    "hbr:UpdateHanaInstance",
                    "hbr:DeleteHanaInstance",
                    "hbr:CreateHanaBackupPlan",
                    "hbr:UpdateHanaBackupPlan",
                    "hbr:DeleteHanaBackupPlan",
                    "hbr:CreateClient",
                    "hbr:CreateClients",
                    "hbr:UpdateClient",
                    "hbr:UpdateClientSettings",
                    "hbr:UpdateClientAlertConfig",
                    "hbr:DeleteClient",
                    "hbr:DeleteClients",
                    "hbr:CreateJob",
                    "hbr:UpdateJob",
                    "hbr:CreateBackupPlan",
                    "hbr:UpdateBackupPlan",
                    "hbr:ExecuteBackupPlan",
                    "hbr:DeleteBackupPlan",
                    "hbr:CreateBackupJob",
                    "hbr:CreatePlan",
                    "hbr:UpdatePlan",
                    "hbr:CreateTrialBackupPlan",
                    "hbr:ConvertToPostPaidInstance",
                    "hbr:KeepAfterTrialExpiration"
                ],
                "Resource": [
                    "acs:hbr:*:1178******9531:vault/v-000******blx06",
                    "acs:hbr:*:1178******9531:vault/v-000******blx06/client/*"
                ]
            }
        ]
    }
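The two Deny policies above only make sense in combination with an Allow policy such as AliyunHBRFullAccess: a Deny on its own grants nothing, and an explicit Deny overrides any Allow that also matches the request. The following Python is an added example, not Alibaba Cloud code and not the RAM service's own evaluation logic. It models RAM-style policy evaluation as this editor understands it (wildcards in Action and Resource, explicit Deny winning over Allow; these are assumptions, noted in the code) and uses constructed placeholder account and vault IDs, so that you can check what a custom policy actually blocks before attaching it. It also includes a small least-privilege check that flags Allow statements that wildcard both action and resource.

```python
"""RAM-style policy evaluator (added example, not Alibaba Cloud code).

Assumptions: "*" is the only wildcard in Action and Resource values, and an
explicit Deny overrides any Allow. Account and vault IDs are constructed
placeholders, not real identifiers.
"""
import json
import re

# Constructed stand-in for the AliyunHBRFullAccess system policy.
FULL_ACCESS = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "hbr:*", "Resource": "*"}],
}

# Constructed custom policy modelled on the "prevent restore" sample above,
# with placeholder account ID 123456789012 and vault ID v-EXAMPLE.
DENY_RESTORE_ON_VAULT = json.loads("""
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "hbr:CreateRestore",
                "hbr:CreateRestoreJob",
                "hbr:CreateHanaRestore",
                "hbr:CreateUniRestorePlan",
                "hbr:CreateSqlServerRestore"
            ],
            "Resource": [
                "acs:hbr:*:123456789012:vault/v-EXAMPLE",
                "acs:hbr:*:123456789012:vault/v-EXAMPLE/client/*"
            ]
        }
    ]
}
""")

VAULT = "acs:hbr:cn-hangzhou:123456789012:vault/v-EXAMPLE"
OTHER_VAULT = "acs:hbr:cn-hangzhou:123456789012:vault/v-OTHER"


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Turn a "*" wildcard pattern into a regex; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate(policies, action, resource):
    """Return "Deny", "Allow" or "ImplicitDeny" for one action on one resource."""
    decision = "ImplicitDeny"  # nothing matched yet: no permission
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
            resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # assumption: explicit Deny wins immediately
            decision = "Allow"
    return decision


def overly_broad_statements(policy):
    """Least-privilege check: Allow statements that wildcard both action and resource."""
    return [
        s for s in policy["Statement"]
        if s["Effect"] == "Allow"
        and any(a in ("*", "hbr:*") for a in _as_list(s["Action"]))
        and "*" in _as_list(s["Resource"])
    ]


if __name__ == "__main__":
    attached = [FULL_ACCESS, DENY_RESTORE_ON_VAULT]
    for act, res in [("hbr:CreateRestoreJob", VAULT),
                     ("hbr:CreateRestoreJob", OTHER_VAULT),
                     ("hbr:CreateBackupJob", VAULT),
                     ("hbr:CreateRestore", VAULT + "/client/c-1")]:
        print(f"{act:24} {res:60} -> {evaluate(attached, act, res)}")
    print("broad Allow statements in FULL_ACCESS:", len(overly_broad_statements(FULL_ACCESS)))
```

Running the block shows that restore actions on v-EXAMPLE (and on its clients) are denied while the same actions on any other vault, and all backup actions on v-EXAMPLE, remain allowed by the full-access policy; a RAM user holding only the Deny policy gets ImplicitDeny for everything, which is why the custom policy has to be attached alongside an Allow policy.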

What to do next

Log on to the Alibaba Cloud Management Console as a RAM user