All Products
Search

This Product

    Resource Access Management:Use RAM to limit the period of time in which users are allowed to access Alibaba Cloud resources

    Document Center

    Resource Access Management:Use RAM to limit the period of time in which users are allowed to access Alibaba Cloud resources

    Last Updated:Dec 20, 2024

    This topic describes how to use Resource Access Management (RAM) to limit the period of time in which users are allowed to access Alibaba Cloud resources. This ensures a higher level of data security.

    Scenario

    An enterprise has purchased multiple types of Alibaba Cloud resources. The resources include Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. To ensure business and data security, the enterprise requires users to access Alibaba Cloud resources only during working hours.

    To allow a RAM user to access Alibaba Cloud resources only during a specific period of time, create a custom policy and attach the policy to the RAM user.

    Step 1: Create a custom policy

    1. Log on to the RAM console as a RAM user who has administrative rights.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. On the Policies page, click Create Policy.

      image

    4. On the Create Policy page, click the JSON tab.

      image

    5. Enter the policy document.

      The following policy indicates that the authorized RAM user can access Alibaba Cloud ECS only before 17:00 on August 12, 2019 (UTC+8). In this case, the acs:CurrentTime parameter in the Condition element is set to 2019-08-12T17:00:00+08:00. 

      {
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
          "DateLessThan": {
              "acs:CurrentTime": "2019-08-12T17:00:00+08:00"
          }
      }
    }
  ],
  "Version": "1"
}
      Note

      The Condition element applies only to the actions specified for the current policy. You can change the value 2019-08-12T17:00:00+08:00 based on your business requirements.

    6. Click Optional advanced optimize in the upper part. In the Optional advanced optimize message, click Perform to optimize the policy.

      The system performs the following operations during the advanced optimization:

      • Split resources or conditions that are incompatible with actions.

      • Narrow down resources.

      • Deduplicate or merge policy statements.

    7. On the Create Policy page, click OK.

    8. In the Create Policy dialog box, configure the Name and Description parameters and click OK.

    Step 2: Create a RAM user

    1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, click Create User. image

    4. In the User Account Information section of the Create User page, configure the following parameters:

      • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

      • Display Name: The display name can be up to 128 characters in length.

      • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

      Note

      You can click Add User to create multiple RAM users at a time.

    5. In the Access Mode section, select an access mode and configure the required parameters.

      To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

      • Console Access

        If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

        • Set Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.

        • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.

        • Enable MAF: specifies whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device to the RAM user. For more information, see Bind an MFA device to a RAM user.

      • Using permanent AccessKey to access

        If the RAM user represents a program, you can select Using permanent AccessKey to access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Obtain an AccessKey pair.

        Important

        • An AccessKey secret for a RAM user is displayed only when you create an AccessKey pair. You cannot query the AccessKey secret in subsequent operations. Therefore, you must back up your AccessKey secret.

        • An AccessKey pair is a permanent credential for application access. If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. To prevent credential leak risks, we recommend that you use Security Token Service (STS) tokens. For more information, see Best practices for using an access credential to call API operations.

    6. Click OK.

    7. Complete security verification as prompted.

    Step 3: Attach the policy to the RAM user

    Attach the policy that you created in Step 1 to the RAM user that you created in Step 2.

    1. Log on to the RAM console as a RAM administrator.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

      image

      You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

    4. In the Grant Permission panel, grant permissions to the RAM user.

      1. Configure the Resource Scope parameter.

      2. Configure the Principal parameter.

        The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.

      3. Configure the Policy parameter.

        A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.

        • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

          Note

          The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

        • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

      4. Click Grant permissions.

    5. Click Close.