Identity management


Bastionhost integrates with Alibaba Cloud accounts. By default, an Alibaba Cloud account has the super administrator role. You can assign different access policies to Resource Access Management (RAM) users, such as administrator, auditor, read-only, and operations and maintenance (O&M) permissions. This lets you meet the requirements of different roles within your organization and implement the principle of least privilege to secure the Bastionhost system.

RAM users

RAM users can be created by an Alibaba Cloud account, or by RAM users or RAM roles that have administrative rights. After a RAM user is granted the required permissions, it can use the Alibaba Cloud Management Console or call API operations to access resources within the Alibaba Cloud account to which it belongs.

We recommend that you take note of the following items:

  • Use your Alibaba Cloud account to create a RAM user and grant the RAM user the administrative rights. Then, you can use the RAM user to create and manage other RAM users.

  • Separate RAM users for individuals from RAM users for programs.

    When you create a RAM user, you can select Console Access, Using permanent AccessKey to access, or both for the Access Mode parameter.

    To access resources, a RAM user designated for console access logs on to the Alibaba Cloud Management Console with its username and password, whereas a RAM user designated for AccessKey pair-based access makes API calls. Separate RAM users for individuals from RAM users for programs so that an unintended operation by one cannot affect the other. Enable multi-factor authentication (MFA) for every RAM user designated for console access.

  • Grant permissions to RAM users based on the principle of least privilege.

    Least-privilege permissions refer to the minimum permissions that are required to perform an operation. Least-privilege permissions improve data security and prevent permission abuse.

  • Do not embed your AccessKey ID or AccessKey secret in code. A leaked AccessKey pair puts every resource in your account at risk, because the pair authenticates as the RAM user with all of that user's permissions. Obtain credentials from Security Token Service (STS) tokens or from environment variables instead.

  • If applicable, enable single sign-on (SSO) for RAM users to allow the RAM users to log on to and access Alibaba Cloud resources from the identity management systems of their enterprises.
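The following script is an added example and is not code from the Bastionhost documentation or the Alibaba Cloud SDK. It shows the two halves of the AccessKey recommendation above: a loader that takes the AccessKey pair and optional STS token from environment variables and refuses to fall back to anything embedded in the program, and a small scanner that flags AccessKey IDs that have been hardcoded in source files. Assumptions are labelled in the code: the environment variable names follow the naming used by Alibaba Cloud SDK credential chains, and the scanner relies on Alibaba Cloud AccessKey IDs beginning with `LTAI`; the sample source files and the AccessKey ID in them are constructed placeholders, not real credentials.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Mapping, Optional, Tuple

# Environment variable names (assumption: these are the names read by the
# Alibaba Cloud SDK default credential chain; adjust if your SDK differs).
ENV_AK_ID = "ALIBABA_CLOUD_ACCESS_KEY_ID"
ENV_AK_SECRET = "ALIBABA_CLOUD_ACCESS_KEY_SECRET"
ENV_STS_TOKEN = "ALIBABA_CLOUD_SECURITY_TOKEN"


@dataclass(frozen=True)
class Credential:
    access_key_id: str
    access_key_secret: str
    # Present only for temporary STS credentials; None for a permanent pair.
    security_token: Optional[str] = None


def load_credential(env: Optional[Mapping[str, str]] = None) -> Credential:
    """Read credentials from the environment and fail closed if absent.

    There is deliberately no fallback to values embedded in the program:
    a missing variable is a configuration error, not a reason to ship a key.
    """
    env = os.environ if env is None else env
    ak_id = env.get(ENV_AK_ID)
    ak_secret = env.get(ENV_AK_SECRET)
    if not ak_id or not ak_secret:
        raise RuntimeError(
            f"{ENV_AK_ID}/{ENV_AK_SECRET} not set; refusing to use embedded secrets"
        )
    return Credential(ak_id, ak_secret, env.get(ENV_STS_TOKEN) or None)


# Assumption: Alibaba Cloud AccessKey IDs start with "LTAI" followed by an
# alphanumeric body (the pattern used by common secret-scanning rules).
AK_ID_PATTERN = re.compile(r"(?<![A-Za-z0-9])LTAI[A-Za-z0-9]{12,20}(?![A-Za-z0-9])")


def find_embedded_access_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, access_key_id) for every AccessKey ID found in source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in AK_ID_PATTERN.finditer(line):
            findings.append((lineno, match.group(0)))
    return findings


# Constructed sample: the weak pattern, with a made-up placeholder AccessKey ID.
BAD_SOURCE = """\
client = Client(
    access_key_id="LTAI5tExampleExampl1",
    access_key_secret="not-a-real-secret",
)
"""

# Constructed sample: the hardened pattern, credentials resolved at runtime.
GOOD_SOURCE = """\
cred = load_credential()
client = Client(cred.access_key_id, cred.access_key_secret, cred.security_token)
"""


if __name__ == "__main__":
    for name, src in (("bad.py", BAD_SOURCE), ("good.py", GOOD_SOURCE)):
        for lineno, ak in find_embedded_access_keys(src):
            print(f"{name}:{lineno}: embedded AccessKey ID {ak}")
    try:
        cred = load_credential()
        print("credential loaded; STS token present:", cred.security_token is not None)
    except RuntimeError as exc:
        print("no credential:", exc)
```

Run the scanner as a pre-commit hook or CI step over the repository; a hit on any file is a finding to rotate the key, not just to delete the line, since the pair is already in version history. The loader only distinguishes a permanent pair from an STS credential by the presence of the token variable; prefer injecting short-lived STS credentials into the environment of the program's RAM user so that a leak from that process expires on its own.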


RAM user groups

If you use your Alibaba Cloud account to create multiple RAM users, you can group the RAM users to facilitate permission management. For example, you can grant the same permissions to RAM users in the same RAM user group. We recommend that you take note of the following items:

  • Grant permissions to RAM user groups based on the principle of least privilege.

  • Remove a RAM user from the RAM user group if the work duties of the RAM user change.

  • Revoke permissions from RAM user groups if the RAM user groups no longer need the permissions.
