You can modify the security settings of Resource Access Management (RAM) users, including the settings for global security, multi-factor authentication (MFA), and network access control, to improve the account security of RAM users. The security settings of RAM users take effect on all RAM users.
Global security settings
Log on to the RAM console as a RAM user who has administrative rights.
In the Security section of the Settings page, click Modify. In the panel that appears, configure the global security parameters. The following table describes the parameters.
Parameter: Allow users to manage password
Description: Specifies whether RAM users are allowed to manage their own passwords. If you select Enable, RAM users can manage their passwords.

Parameter: Allow users to manage MFA devices
Description: Specifies whether RAM users are allowed to bind MFA devices to, or unbind MFA devices from, their accounts. If you select Enable, RAM users can bind and unbind their MFA devices.

Parameter: Allow users to manage AccessKey
Description: Specifies whether RAM users are allowed to manage their own AccessKey pairs. If you select Enable, RAM users can manage their AccessKey pairs.

Parameter: Login session duration
Description: Specifies the validity period of RAM user logon sessions. Unit: hours. Valid values: 1 to 24. Default value: 6.
Note: If you assume a RAM role or use single sign-on (SSO) to log on to the Alibaba Cloud Management Console, the validity period of your session is no greater than the value of the Login session duration parameter. For more information, see Assume a RAM role and SAML response for role-based SSO.

Parameter: Allow to keep login session for a long time
Description: Specifies whether RAM users are allowed to stay logged on to the Alibaba Cloud app and Alibaba Cloud Client for up to 90 days. If you select Enable, RAM users can stay logged on to the Alibaba Cloud app and Alibaba Cloud Client for up to 90 days.
Note: If the Alibaba Cloud security platform identifies an unusual logon, the logon state becomes invalid and the RAM user must log on again.
Click OK.
MFA settings
Log on to the RAM console as a RAM user who has administrative rights.
In the MFA section of the Settings page, click Modify. In the panel that appears, configure the MFA parameters. The following table describes the parameters.
Parameter: Allowed MFA devices
Description: Specifies the MFA methods that RAM users use for two-step authentication when they log on to the console and when they perform sensitive operations. Valid value:
MFA Devices: A virtual MFA device or a Universal 2nd Factor (U2F) security key is used for MFA. This option is selected by default and cannot be cleared.

Parameter: MFA for RAM user sign-in
Description: Specifies whether MFA is required for all RAM users when they log on to the Alibaba Cloud Management Console with a username and password. Valid values:
Force all users: MFA is required for all RAM users.
Note: If you select Force all users for the MFA for RAM user sign-in parameter, MFA for sensitive operations is enabled for all RAM users. When a RAM user performs a sensitive operation in the Alibaba Cloud Management Console, risk control is triggered and the RAM user must pass MFA. For more information, see MFA for sensitive operations.
Depend on each user: The settings configured for each individual RAM user apply. For more information, see Manage console logon settings for a RAM user.
Only when sign-in abnormally: MFA is required only when a logon is initiated from a location or device other than the user's usual logon locations or devices.
Note: If you set the MFA for RAM user sign-in parameter to Only when sign-in abnormally and you use the acs:MFAPresent condition key in a policy, MFA is not required for RAM users whose logons are usual, so the condition key evaluates to failed for those sessions. If you want the condition key to take effect, we recommend that you set the MFA for RAM user sign-in parameter to Depend on each user.

Parameter: Allow to remember MFA validation for 7 days
Description: Specifies whether the device from which a RAM user is currently logged on is allowed to remember the user's MFA status for seven days. If you select Enable, the device remembers the MFA status for seven days, and MFA is not required again for that RAM user during that period. However, if the RAM user logs out of the device, MFA is required at the next logon.
Click OK.
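The acs:MFAPresent condition key mentioned in the note above is used in a RAM policy like the following. This is an added example, not a policy from the original page: the statement grants its permissions only to sessions in which MFA was actually performed, which is why the note recommends Depend on each user rather than Only when sign-in abnormally (under the latter, a usual logon never satisfies the condition). The ecs:* action scope is an assumed placeholder.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "true"
        }
      }
    }
  ]
}
```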
Settings for network access control
Log on to the RAM console as a RAM user who has administrative rights.
In the Network Access Control section of the Settings page, click Modify. In the panel that appears, specify the IP addresses that can be used to log on to the Alibaba Cloud Management Console.
Only the specified IP addresses can be used to log on to the Alibaba Cloud Management Console by using usernames and passwords or SSO. If you specify no IP addresses, all IP addresses can be used to log on to the Alibaba Cloud Management Console. You can specify up to 40 IP addresses.
Note: This setting does not apply to API access by using an AccessKey pair.
Click OK.
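Because the network access control setting above does not cover API calls made with an AccessKey pair, source addresses for API access are restricted with the acs:SourceIp condition key in a RAM policy instead. This is an added example, not from the original page; the oss:* action scope and the CIDR blocks (RFC 5737 documentation ranges) are assumed placeholders.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "203.0.113.0/24",
            "198.51.100.10"
          ]
        }
      }
    }
  ]
}
```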