Trusted services refer to the Alibaba Cloud services that are integrated with the Resource Directory service. After an Alibaba Cloud service is integrated with Resource Directory, the service can access the information of the related resource directory, such as the members and folders in the resource directory. You can use the management account of your resource directory or a delegated administrator account of a trusted service to manage your business in the trusted service based on your resource directory. This simplifies the unified management of cloud services activated by your enterprise. For example, after Cloud Config is integrated with Resource Directory, you can use the management account of your resource directory to view related information in Cloud Config. The information includes the resources of all members in the resource directory and the configuration history and compliance statuses of the resources. You can also monitor the compliance of resource configurations in Cloud Config.
Use a trusted service
Trusted services can be used by calling API operations or by using their consoles. This section describes how to use a trusted service in its console.
1. Log on to the Resource Management console by using an Alibaba Cloud account and enable a resource directory. This Alibaba Cloud account is the management account of the resource directory.
   For more information, see Enable a resource directory.
2. In the Resource Management console, build an organizational structure for your enterprise. You can create members in the resource directory or invite existing Alibaba Cloud accounts to join the resource directory.
   For more information, see Create a folder, Create a member, and Invite an Alibaba Cloud account to join a resource directory.
3. (Optional) In the Resource Management console, specify a member as a delegated administrator account of the trusted service.
   If you do not specify a delegated administrator account for the trusted service, you can use only the management account to manage your business in the trusted service.
   For more information about how to specify a delegated administrator account for a trusted service, see Add a delegated administrator account.
   Note: This step applies only to trusted services that support delegated administrator accounts.
4. In the console of the trusted service, use the management account or delegated administrator account to enable the multi-account management feature. Then, select the members that you want to manage in a unified manner based on the organizational structure of your resource directory, and manage the operations on the selected members.
   This step varies based on the specific trusted service. For more information, see the References column in the Supported trusted services section.
Supported trusted services
| Trusted service | Trusted service identifier | Description | Support for delegated administrator accounts | References |
| --- | --- | --- | --- | --- |
| Cloud Config | config.aliyuncs.com | After Cloud Config is integrated with Resource Directory, you can use the management account of your resource directory to view related information in Cloud Config. The information includes the resources of all the members in the resource directory and the configuration history and compliance statuses of the resources. You can also monitor the compliance of resource configurations in Cloud Config. | Yes | |
| ActionTrail | actiontrail.aliyuncs.com | After ActionTrail is integrated with Resource Directory, you can use the management account of your resource directory to create multi-account trails in ActionTrail. A multi-account trail delivers the events of all members in a resource directory to an Object Storage Service (OSS) bucket or a Simple Log Service Logstore. | Yes | |
| Security Center | sas.aliyuncs.com | After Security Center is integrated with Resource Directory, Security Center provides an interface that displays security risks detected for all the members in your resource directory. | Yes | |
| Cloud Firewall | cloudfw.aliyuncs.com | After Cloud Firewall is integrated with Resource Directory, you can use Cloud Firewall to centrally manage the public IP addresses of the resources within multiple accounts. You can also configure defense policies for the public IP addresses and view log analysis results in a unified manner. This implements centralized security control. | Yes | |
| Dynamic Content Delivery Network (DCDN) | multiaccount.dcdn.aliyuncs.com | After DCDN is integrated with Resource Directory, DCDN can provide the multi-account management feature and unify the management of domain names that belong to different accounts and products. | No | None |
| Hybrid Cloud Monitoring | cloudmonitor.aliyuncs.com | After Hybrid Cloud Monitoring is integrated with Resource Directory, Hybrid Cloud Monitoring can monitor the resources within multiple Alibaba Cloud accounts used by your enterprise in a centralized manner. | Yes | |
| CloudSSO | cloudsso.aliyuncs.com | After CloudSSO is integrated with Resource Directory, you can use the management account of your resource directory to centrally manage the accounts of users who use Alibaba Cloud services in your enterprise in CloudSSO. You can configure single sign-on (SSO) between your enterprise identity management system and Alibaba Cloud. In addition, you can configure access permissions for users on the members of your resource directory in a centralized manner. | Yes | |
| Log Audit Service | audit.log.aliyuncs.com | After Log Audit Service is integrated with Resource Directory, Log Audit Service can automatically collect the logs of Alibaba Cloud services from multiple accounts, and store, audit, and analyze the logs in a centralized manner. | Yes | |
| Resource Orchestration Service (ROS) | ros.aliyuncs.com | After ROS is integrated with Resource Directory, you can use the management account of your resource directory to deploy the resources that are required by your system within the members of the resource directory. This achieves centralized resource management in a multi-account environment. | Yes | |
| Resource Sharing | resourcesharing.aliyuncs.com | After resource sharing is enabled, you can use the management account of your resource directory to share your resources with all members in your resource directory, all members in a specific folder in your resource directory, or a specific member in your resource directory. For members that are newly added to your resource directory, the system automatically grants access permissions on shared resources to the members based on your resource sharing settings. For members that are removed from your resource directory, the system automatically revokes access permissions on shared resources from the members if the members have such permissions. | No | |
| Cloud Governance Center | governance.aliyuncs.com | After Cloud Governance Center is integrated with Resource Directory, you can view the distribution and change status of the resources within the members of your resource directory in the Cloud Governance Center console. You can also configure protection rules for the compliance audit and deliver audit logs for the members in a unified manner. | No | |
| Tag | tag.aliyuncs.com | You can use the management account of your resource directory to enable the Tag Policy feature that is in resource directory mode. Then, you can use tag policies to manage the tag-related operations performed by using a member in the resource directory. | Yes | Enable the Tag Policy feature that is in resource directory mode |
| Service Catalog | servicecatalog.aliyuncs.com | You can share product portfolios in Service Catalog with members in your resource directory. If the configurations of the product portfolios are modified, the modifications are synchronized to the members in real time. This significantly improves management efficiency. | Yes | |
| Quota Center | quotas.aliyuncs.com | If a member is added to your resource directory after you create a quota template, the quota template automatically submits a quota increase request for the member. | No | |
| Resource Center | resourcecenter.aliyuncs.com | After Resource Center is activated, you can view and search for resources across accounts, services, or regions. | Yes | |
| Message Center | messagecenter.aliyuncs.com | After Message Center is integrated with Resource Directory, you can manage the message contacts of all accounts used by your enterprise in a centralized manner. | No | |
| Managed Service for Prometheus | prometheus.aliyuncs.com | After Managed Service for Prometheus is integrated with Resource Directory, the Prometheus instances within multiple accounts of your enterprise can be monitored in a centralized manner. | Yes | |
| Carbon Footprint | energy.aliyuncs.com | After Carbon Footprint is integrated with Resource Directory, you can use the management account of your resource directory to view greenhouse gas emission data of cloud resources within all Alibaba Cloud accounts of your enterprise in a centralized manner. | Yes | |
| Web Application Firewall (WAF) 3.0 | waf.aliyuncs.com | After WAF 3.0 is integrated with Resource Directory, you can access cloud resources within members in a centralized manner and configure security policies for the resources in a unified manner. | Yes | |
| Anti-DDoS Origin | ddosbgp.aliyuncs.com | You can share Anti-DDoS instances among multiple accounts. | Yes | |
| Bastionhost | bastionhost.aliyuncs.com | You can use a single bastion host to manage assets within multiple accounts in a centralized manner. This helps implement unified asset O&M and management. | Yes | |
| Data Security Center (DSC) | sddp.aliyuncs.com | You can manage data assets within multiple accounts and aggregate, view, and manage classification results, data asset risks, and threat events. This helps improve the efficiency of security operations. | Yes | |
Enable or disable a trusted service
You can enable or disable a trusted service by using the console or API of the service. For more information, see the documentation of the service.
You can view the statuses of trusted services on the corresponding page in the left-side navigation pane of the Resource Management console. You cannot enable or disable trusted services in the Resource Management console.
When you use some trusted services to perform specific operations, Resource Directory automatically updates the states of the trusted services to Enabled. For example, if you create a multi-account trail in ActionTrail or use a trusted service to view the resources related to Resource Directory for the first time, Resource Directory automatically updates the state of ActionTrail or the trusted service to Enabled.
When you use some trusted services to perform specific operations, Resource Directory automatically updates the states of the trusted services to Disabled. For example, if you disable a feature provided by a trusted service, Resource Directory automatically updates the state of the trusted service to Disabled. If a trusted service is disabled, the service cannot access the members or resources in your resource directory. In addition, the resources that are related to integration with Resource Directory are deleted from the trusted service.
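Because a trusted service that drifts to Disabled silently loses visibility into the members, and a service without a delegated administrator can only be operated from the management account, a practitioner typically audits both conditions together. The following added example (not part of this documentation or of any Alibaba Cloud SDK) does that over constructed sample responses; the service identifiers and delegated-administrator support come from the table above, while the JSON field layout of the `ListTrustedServiceStatus` and `ListDelegatedAdministrators` responses, and the set of services treated as required, are assumptions.

```python
import json

# Trusted services from the table above: identifier -> (name, supports delegated administrator accounts).
TRUSTED_SERVICES = {
    "config.aliyuncs.com": ("Cloud Config", True),
    "actiontrail.aliyuncs.com": ("ActionTrail", True),
    "sas.aliyuncs.com": ("Security Center", True),
    "audit.log.aliyuncs.com": ("Log Audit Service", True),
    "resourcesharing.aliyuncs.com": ("Resource Sharing", False),
}

# Audit and visibility services this check expects to be Enabled (a policy choice assumed for the example).
REQUIRED_ENABLED = {"config.aliyuncs.com", "actiontrail.aliyuncs.com", "audit.log.aliyuncs.com"}

# Constructed sample responses. The field layout is an assumption about what
# ListTrustedServiceStatus and ListDelegatedAdministrators return; adapt it to the real output.
SAMPLE_STATUS = json.dumps({"EnabledServicePrincipals": {"EnabledServicePrincipal": [
    {"ServicePrincipal": "actiontrail.aliyuncs.com", "EnableTime": "2024-01-10T08:00:00Z"},
    {"ServicePrincipal": "sas.aliyuncs.com", "EnableTime": "2024-02-01T09:30:00Z"},
    {"ServicePrincipal": "resourcesharing.aliyuncs.com", "EnableTime": "2024-02-03T11:00:00Z"},
]}})
SAMPLE_DELEGATES = json.dumps({"Accounts": {"Account": [
    {"AccountId": "100000000000000001", "ServicePrincipal": "sas.aliyuncs.com"},
]}})


def enabled_services(status_json: str) -> set:
    """Identifiers whose state Resource Directory reports as Enabled."""
    data = json.loads(status_json)
    return {e["ServicePrincipal"] for e in data["EnabledServicePrincipals"]["EnabledServicePrincipal"]}


def delegated_admins(delegates_json: str) -> dict:
    """Identifier -> member account ID registered as its delegated administrator."""
    data = json.loads(delegates_json)
    return {a["ServicePrincipal"]: a["AccountId"] for a in data["Accounts"]["Account"]}


def audit_trusted_services(status_json: str, delegates_json: str, required=REQUIRED_ENABLED) -> dict:
    """Report required services that are Disabled, and Enabled services that support
    delegated administrators but have none (so only the management account can operate them)."""
    enabled = enabled_services(status_json)
    delegates = delegated_admins(delegates_json)
    findings = {"required_but_disabled": sorted(required - enabled), "management_account_only": []}
    for sp in sorted(enabled):
        supports_delegate = TRUSTED_SERVICES.get(sp, (sp, False))[1]
        if supports_delegate and sp not in delegates:
            findings["management_account_only"].append(sp)
    return findings


if __name__ == "__main__":
    for kind, ids in audit_trusted_services(SAMPLE_STATUS, SAMPLE_DELEGATES).items():
        print(kind, [TRUSTED_SERVICES.get(sp, (sp,))[0] for sp in ids])
```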
Service-linked roles for trusted services
Resource Directory creates its service-linked role AliyunServiceRoleForResourceDirectory for each member. This role enables Resource Directory to create the roles required by trusted services. Only Resource Directory can assume this role. For more information, see RAM roles in a resource directory.
Trusted services create their own service-linked roles, such as the AliyunServiceRoleForConfig role of Cloud Config, only for the members that are used to perform administrative operations. These roles define the permissions required by trusted services to perform specific tasks. Only trusted services can assume their own service-linked roles.
The policy that is attached to a service-linked role is defined and used by the linked service. You are not allowed to modify or delete the policy. In addition, you are not allowed to attach policies to or detach policies from a service-linked role. For more information, see Service-linked roles.