You can use Resource Access Management (RAM) to grant different permissions to different RAM users. This way, you can prevent security risks caused by the exposure of the AccessKey pair of your Alibaba Cloud account.
Scenarios
The following examples describe how to use RAM to implement access control:
Use RAM users to manage permissions
Enterprise A wants to migrate a project to the cloud. The enterprise has purchased several types of Alibaba Cloud services, such as Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. Multiple employees need to manage these cloud resources, and different employees require different permissions to fulfill their duties. Enterprise A has the following requirements:
For security reasons, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, Enterprise A wants to create RAM users for the employees and grant different permissions to these RAM users.
Employees can perform operations on the resources as the RAM users only after the RAM users are granted the corresponding permissions. Enterprise A can revoke the permissions granted to the RAM users and delete the RAM users at any time.
No bills are generated for a RAM user. The resources used by a RAM user are metered and billed as part of the resources used by the Alibaba Cloud account of Enterprise A.
In this case, the authorization management feature of RAM can be used to grant different permissions to RAM users and manage resources in a centralized manner.
Use a RAM role to access resources that belong to another Alibaba Cloud account
Enterprise A and Enterprise B have different Alibaba Cloud accounts. Enterprise A has purchased various Alibaba Cloud resources, such as ECS instances, ApsaraDB RDS instances, SLB instances, and OSS buckets, and has the following requirements:
Enterprise A wants to entrust tasks such as the O&M, monitoring, and management of cloud resources to Enterprise B.
Enterprise B is allowed to grant access permissions on the cloud resources owned by Enterprise A to one or more employees. Enterprise B can implement fine-grained access control on the cloud resources of Enterprise A.
If either party terminates the entrustment agreement, Enterprise A can revoke the permissions granted to Enterprise B at any time.
In this case, Enterprise A can create a RAM role that RAM users of Enterprise B assume, which grants the permissions and implements access control across Alibaba Cloud accounts.
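The cross-account setup above, as an added example that is not taken from the Alibaba Cloud documentation: Python that builds the two policy documents Enterprise A needs for the RAM role (a trust policy naming Enterprise B's account, and a permission policy limited to read-only O&M and monitoring actions), models the trust check STS performs, and shows revocation by removing Enterprise B from the trust policy. The account IDs, role action list and helper names are constructed placeholders.

```python
import json

# Constructed placeholder account IDs; not real Alibaba Cloud accounts.
ENTERPRISE_A_ACCOUNT = "111111111111"
ENTERPRISE_B_ACCOUNT = "222222222222"

def trust_policy(trusted_account_ids):
    """Trust policy of a RAM role in Enterprise A's account: only RAM
    principals of the listed accounts may call sts:AssumeRole on it."""
    principals = [f"acs:ram::{aid}:root" for aid in trusted_account_ids]
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"RAM": principals}}]}

def ops_permission_policy():
    """Permission policy attached to the role: read-only O&M and monitoring
    actions on the resource types the scenario names, nothing else."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:Describe*", "rds:Describe*", "slb:Describe*",
                   "oss:Get*", "oss:List*"],
        "Resource": "*"}]}

def account_of(arn):
    """Account ID field of a RAM principal ARN: acs:ram::<account-id>:root."""
    return arn.split(":")[3]

def can_assume(policy, caller_account_id):
    """Simplified model of the trust-policy check STS performs: the caller's
    account must appear as an allowed RAM principal for sts:AssumeRole."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if any(account_of(a) == caller_account_id
               for a in stmt["Principal"].get("RAM", [])):
            return True
    return False

def revoke_account(policy, account_id):
    """Revocation as Enterprise A performs it: remove the account from the
    role's trust policy, so the attached permission policy is unreachable."""
    revised = json.loads(json.dumps(policy))  # deep copy, original untouched
    for stmt in revised["Statement"]:
        ram = stmt.get("Principal", {}).get("RAM")
        if ram is not None:
            stmt["Principal"]["RAM"] = [a for a in ram if account_of(a) != account_id]
    return revised
```

Enterprise B's RAM users still need the sts:AssumeRole permission granted within Enterprise B's own account before they can call STS, which is where Enterprise B decides which of its employees may use the role.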