This topic describes how an enterprise that has multiple cloud resources can use Resource Access Management (RAM) to manage user permissions to access the cloud resources.
Prerequisites
You have an Alibaba Cloud account. If you do not, create one before you proceed. To create an Alibaba Cloud account, click Create an Alibaba Cloud account.
Background information
Enterprise A has purchased various Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB for RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets, to migrate a project to the cloud. Certain employees need to manage these cloud resources, and different employees require different permissions to fulfill their duties.
Enterprise A has the following requirements:
To guarantee security, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees.
Enterprise A prefers to create different RAM user accounts for the employees and grant different permissions to these user accounts. The employees are granted only the permissions that are required to fulfill their duties.
RAM users can manage resources only after they are granted the corresponding permissions. All operations performed by RAM users can be audited.
Enterprise A can revoke the permissions granted to RAM users and delete RAM user accounts at any time.
Fees on resources incurred by RAM users are billed to the parent Alibaba Cloud account.
Solution
Enable multi-factor authentication (MFA) for the Alibaba Cloud account so that the account stays protected even if its password is accidentally disclosed. For more information, see Bind an MFA device to an Alibaba Cloud account.
Create RAM user accounts for different employees or apps, and specify logon passwords or create AccessKey pairs based on the business requirements. For more information, see Create a RAM user.
If multiple employees have the same responsibility, we recommend that you create a RAM user group and add the corresponding users to this group. For more information, see Create a RAM user group.
Attach one or more system policies to a RAM user or RAM user group. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM user group. For finer-grained permission management, you can create one or more custom policies and attach them to a RAM user or RAM user group. For more information, see Create custom policies.
Remove permissions from RAM user groups or RAM users when they no longer need the permissions. For more information, see Revoke permissions from a RAM user and Revoke permissions from a RAM user group.
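The following Python script is an added example and is not part of the original Alibaba Cloud document. It shows what the custom policies from the steps above look like for Enterprise A's scenario: a read-only ECS policy for an operations group, an OSS policy scoped to one constructed bucket name (project-a-bucket) that also requires the RAM user's session to be MFA-authenticated, and the kind of wildcard policy that would undo the point of not sharing the parent account's AccessKey pair. It also includes a small check that flags wildcard grants before a policy is attached. The policy grammar (Version "1", Statement, Effect, Action, Resource, Condition) follows the public RAM policy format; the acs:MFAPresent condition key is assumed here to be the one that enforces MFA on the calling session.

```python
"""
Least-privilege RAM custom policies for the Enterprise A scenario.

Added example, not code from the original Alibaba Cloud document. The policy
documents below are constructed for illustration; acs:MFAPresent is assumed to
be the condition key that requires an MFA-authenticated session.
"""
import json
from typing import Dict, List

# Constructed: read-only ECS access for the operations user group.
ECS_READONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:Describe*", "ecs:List*"],
            "Resource": "*",
        }
    ],
}

# Constructed: object access limited to one bucket, granted only when the
# RAM user's session was authenticated with MFA (acs:MFAPresent assumed).
OSS_BUCKET_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:PutObject", "oss:ListObjects"],
            "Resource": [
                "acs:oss:*:*:project-a-bucket",
                "acs:oss:*:*:project-a-bucket/*",
            ],
            "Condition": {"Bool": {"acs:MFAPresent": "true"}},
        }
    ],
}

# Constructed: the grant the scenario wants to avoid; attaching this to a RAM
# user is equivalent to handing out the parent account's AccessKey pair.
OVERLY_BROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value) -> List[str]:
    """RAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def find_broad_grants(policy: Dict) -> List[str]:
    """Describe every Allow statement that grants a service-wide or global
    wildcard action on all resources: the least-privilege anti-pattern."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        broad_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if broad_actions and "*" in resources:
            findings.append(f"statement {i}: {broad_actions} on all resources")
    return findings


def requires_mfa(policy: Dict) -> bool:
    """True if every Allow statement carries the acs:MFAPresent condition."""
    allows = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    return bool(allows) and all(
        s.get("Condition", {}).get("Bool", {}).get("acs:MFAPresent") == "true"
        for s in allows
    )


def policy_document(policy: Dict) -> str:
    """Serialize the policy as the JSON text pasted into the RAM console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, pol in [("ecs-readonly", ECS_READONLY_POLICY),
                      ("oss-project-a", OSS_BUCKET_POLICY),
                      ("admin-everything", OVERLY_BROAD_POLICY)]:
        print(name, "broad grants:", find_broad_grants(pol),
              "mfa required:", requires_mfa(pol))
```

Run the check as part of policy review before attaching a custom policy to a RAM user or user group: a non-empty result from find_broad_grants means the policy grants far more than the employee's duties require and should be narrowed to specific actions and resource names.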