When you invite an external Alibaba Cloud account to join your Resource Directory, it becomes a member of the Alibaba Cloud account type. By default, the root user for an Alibaba Cloud account has full permissions. Compromised root user credentials can cause irreversible damage. To enhance security, convert the account to a resource account.
Prerequisites
Perform this operation as a RAM user in the management account with the AliyunResourceDirectoryFullAccess permission. This ensures that the system can trace all management operations to a specific user. For more information, see Create a RAM user.
You can convert an Alibaba Cloud account to a resource account only if the following conditions are met:
The member's real-name verification information matches that of the management account.
The member account must have a Security phone number or Security email address configured.
The root user of the member account does not have any active AccessKeys.
If an active AccessKey exists, you must disable it on the AccessKey Management page.
Procedure
Log on to the Resource Management console.
In the left-side navigation pane, choose .
On the Resource Organization View or Member List View tab, find the target Alibaba Cloud account and click Convert in the Actions column.

In the Convert to Resource Account dialog box, read the risk notice, select the acknowledgment checkbox, and then click OK.
In the Security verification dialog box, obtain and enter the verification code, and then click OK.
Results
After a successful conversion, the member account changes as follows:
The member type changes from Alibaba Cloud Account to Resource Account.
The member's root user is disabled.
With the root user disabled, you can centrally manage access to the member. To do this, create RAM users in the management account and grant them only the necessary permissions.