Resource Access Management (RAM) is an Alibaba Cloud service that lets you manage user identities and resource access permissions. RAM supports multiple identity authentication methods, such as AccessKeys. You can also use access policies to control access and permissions for cloud resources to ensure security.
Identity authentication
Identity authentication verifies the identity of a user or application that attempts to access cloud resources. This process includes authentication when a user logs on to perform operations and when an application calls an API operation. Identity authentication is a key measure for preventing unauthorized access to your cloud resources. Alibaba Cloud services provide the following common access authentication methods:
Type | Authentication method | Description | References |
Application authentication | AccessKey authentication | An AccessKey (AK) does not expire. The credentials for an AK are an AccessKey ID and an AccessKey secret. You must keep the AccessKey secret confidential. Otherwise, an attacker can use the leaked credential to access your cloud resources with a legitimate identity and steal your data. | |
AccessKey authentication with a derived key (required for OSS) | |||
STS authentication | The credential for Security Token Service (STS) is an STS token. It has a limited time-to-live (TTL). This reduces the threat of a key leak that can occur when you directly use the AccessKey of a resource access identity. To get an STS token, create a RAM user with specific permissions. Then, use the RAM user's AccessKey to call an API operation and get an STS token for a RAM role. This method can be used to grant temporary authorization to untrusted devices. | ||
Instance RAM role | An instance RAM role is a role that grants specific permissions directly to an ECS instance. This gives the instance permission to access authorized cloud resources. An application within the ECS instance first accesses the global meta service to get a temporary STS token for the role. Then, it uses the STS token to access Alibaba Cloud service APIs. This method avoids storing credentials in the instance and prevents credential leaks. | ||
User Authentication | SSO authentication | Single sign-on (SSO) lets users log on to Alibaba Cloud from your corporate identity system. It associates user identities in your company with Alibaba Cloud RAM users and roles to grant access to cloud resources. | |
OAuth authentication | OAuth lets you grant web, mobile, desktop, and server applications access to Alibaba Cloud resources. |
Preventing credential leaks
Leaked credentials can lead to unauthorized access to your cloud resources and data breaches. The following are security recommendations:
Enable multi-factor authentication (MFA) for your Alibaba Cloud account and RAM users. We recommend that you attach an MFA device to your Alibaba Cloud account and enforce MFA for every logon. If a RAM user has permissions for risky operations, such as stopping an ECS instance or deleting an OSS bucket, attach an MFA device to that RAM user.
Do not create an AccessKey (AK) for your Alibaba Cloud account. Because an Alibaba Cloud account has full control over its resources, a leak of these credentials can have serious consequences.
Use RAM users based on the Principle of Least Privilege (PoLP). To minimize security risks, create separate RAM users for different sets of permissions. Grant RAM users only the permissions that they need to perform specific operations on specific objects.
Separate user accounts from accounts for API access.
When you use a RAM user's AccessKey, restrict client access to a whitelist of IP addresses. This prevents the AK from being exploited if it is leaked. For more information, see Use RAM to control user access based on IP addresses.
To prevent AK leaks, use instance RAM roles for ECS applications to access cloud resources. For more information, see Instance RAM roles.
For untrusted devices, such as mobile devices and personal computers, use Security Token Service (STS) tokens, Single Sign-On (SSO), or OAuth to access cloud resources. Avoid using AKs.
Do not embed AKs in code. Rotate AKs regularly and revoke unnecessary AKs.
Enable log auditing. Deliver the logs to OSS and SLS for storage and analysis.
Security Center can check for AKs in configurations, send alerts about AKs leaked to Git, and detect abnormal API calls. We recommend that you use these features. For more information, see Best practices for preventing leaks of AccessKeys and passwords.
Monitor ActionTrail operation logs for your cloud resources. These logs can help you identify abnormal operations or source IPs. For more information, see ActionTrail management events.
Access authorization
Access authorization limits the permissions of authenticated identities. It restricts the access environment, the scope of authorized resources, and the allowed operations. In Alibaba Cloud, you can implement access authorization by creating RAM users and roles and attaching access policies to them. RAM access policies support granular access control for specific operations and resources. These policies also support various conditions, such as restricting source IP addresses and access time. For more information, see Overview of access policies.
Unlike public cloud services, you cannot grant other Alibaba Cloud accounts access to CloudBox services. Only the Alibaba Cloud account that is associated with the CloudBox can access its services.
An Alibaba Cloud account administrator must grant permissions to a RAM user before the user can access resources that belong to the account. To ensure data security, follow the Principle of Least Privilege. Grant only the necessary permissions to identities that need to access cloud resources. For detailed authorization operations, see:
Integrating with corporate identity management systems
If your company has an existing identity management system, you can use role-based SSO or user-based SSO. This integration helps you avoid the cost and effort of creating and managing separate users in the cloud. For more information, see the following documents: