Do not use your Alibaba Cloud account to access EventBridge unless absolutely necessary. Instead, create Resource Access Management (RAM) users or roles with only the permissions each person or application needs. This reduces the impact of compromised credentials and provides a clear audit trail.
RAM users
A RAM user is an identity within your Alibaba Cloud account that has its own credentials and permissions. An Alibaba Cloud account, or a RAM user or RAM role with administrative rights, can create RAM users. After you grant the required permissions to a RAM user, the RAM user can sign in to the Alibaba Cloud Management Console or call API operations to access resources within the account.
As a best practice, use your Alibaba Cloud account only to create an initial RAM user with administrative rights, then use that RAM user to create and manage all other RAM users.
Access modes
When creating a RAM user, select one or both access modes for the Access Mode parameter:
| Access mode | Credentials | Use case |
|---|---|---|
| Console Access | Username and password | Interactive operations in the console |
| Using permanent AccessKey to access | AccessKey pair | Programmatic API calls |
Separate human users from application identities. Create dedicated RAM users for people who sign in to the console, and separate RAM users for programs that make API calls. This prevents unintended operations and simplifies credential rotation.
Security best practices
Enable multi-factor authentication (MFA) for every RAM user that has console access.
Apply least-privilege permissions. Grant only the minimum permissions required for each task. Broad permissions increase the risk of accidental changes and security breaches.
Never embed AccessKey credentials in code. A leaked AccessKey pair exposes all resources in your account. Use Security Token Service (STS) tokens or environment variables instead.
Enable single sign-on (SSO) if your organization uses an enterprise identity provider. SSO lets RAM users authenticate through your existing identity system rather than managing separate passwords.
RAM user groups
When you create multiple RAM users that need the same access, use RAM user groups to simplify permission management. Attach policies to a group, then add users to that group instead of granting permissions to each user individually.
Managing group permissions
Apply least-privilege permissions at the group level, just as for individual users.
Remove users whose responsibilities change. When a team member moves to a different role, remove them from the group so they no longer inherit its permissions.
Revoke unused permissions. Periodically review group policies and remove any that no longer serve an active use case.
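The least-privilege and periodic-review advice above is easiest to apply when the review is mechanical. The following added example (not code from the page or from Alibaba Cloud) compares an over-broad policy with its narrowed replacement and flags wildcard grants. The policy layout, the action names (`eventbridge:PutEvents`, `eventbridge:DeleteEventBus`, `eventbridge:*`) and the resource identifier are assumptions used for illustration; verify them against the EventBridge RAM action list before use.

```python
"""Least-privilege review of RAM policy documents (added example).

The policy JSON layout (Version / Statement / Effect / Action / Resource),
the action names and the resource string below are assumptions for
illustration, not values taken from the page.
"""
import fnmatch
import json

# Constructed sample: an over-broad policy attached to an event-producer group.
BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "eventbridge:*", "Resource": "*"}
    ],
})

# Constructed sample: the narrowed replacement, scoped to one action on one bus.
NARROW_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["eventbridge:PutEvents"],
            # Constructed resource string; the real identifier format is not on the page.
            "Resource": ["acs:eventbridge:*:*:eventbus/default"],
        }
    ],
})


def _as_list(value):
    """RAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_broad(field, value):
    """A bare '*' grants everything; 'service:*' grants every action of a service."""
    if value == "*":
        return True
    return field == "Action" and value.endswith(":*")


def find_broad_statements(policy_json):
    """Return (statement_index, field, value) for every wildcard grant in Allow statements.

    An empty list means the document contains no wildcard grants.
    """
    findings = []
    doc = json.loads(policy_json)
    for idx, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not the concern here
        for field in ("Action", "Resource"):
            for value in _as_list(stmt.get(field, [])):
                if _is_broad(field, value):
                    findings.append((idx, field, value))
    return findings


def actions_granted(policy_json, candidate_actions):
    """Which of candidate_actions does an Allow statement in the policy match?

    Shell-style wildcard matching models how '*' in an Action field is read.
    Deny statements are ignored to keep the example short.
    """
    doc = json.loads(policy_json)
    patterns = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action", [])))
    return sorted(
        action for action in candidate_actions
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in patterns)
    )


if __name__ == "__main__":
    probe = ["eventbridge:PutEvents", "eventbridge:DeleteEventBus", "ram:CreateUser"]
    for name, policy in (("broad", BROAD_POLICY), ("narrow", NARROW_POLICY)):
        print(name, "wildcards:", find_broad_statements(policy))
        print(name, "grants:", actions_granted(policy, probe))
```

Running the script shows that the broad policy lets a producer delete event buses, which no producer needs, while the narrowed policy grants only the publish action. Run `find_broad_statements` over each group's policies during the periodic review the page recommends, and treat every finding as a policy to narrow or remove.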
RAM roles
A RAM role is a virtual identity that carries a set of policies but has no permanent credentials: no password and no AccessKey pair. To use a RAM role, a trusted entity assumes the role and receives a temporary Security Token Service (STS) token. This token grants the permissions attached to the role for a limited time.
How role assumption works
1. A trusted entity calls the AssumeRole API operation.
2. STS returns a temporary token with the role's permissions.
3. The trusted entity uses this token to access EventBridge and other Alibaba Cloud resources.
Because STS tokens are temporary, compromised tokens expire automatically, which reduces the window of exposure compared to permanent AccessKey pairs.
Security best practices
Keep trusted entities stable. Avoid frequent changes to a role's trusted entity after creation. Removing a trusted entity can cause permission loss that disrupts workloads. Adding a trusted entity may lead to privilege escalation. Test all changes thoroughly before applying them in production.
Set an appropriate session duration. STS tokens are valid only for the duration you specify, up to the maximum session duration configured on the role. A shorter duration limits exposure if a token is leaked, but a duration that is too short may cause unnecessary re-authentication. Balance security with operational convenience.
Note: The maximum validity period of an STS token equals the maximum session duration set on the RAM role. Adjust this value based on your security requirements.
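The role-assumption flow, the session-duration bound and the advice to keep AccessKeys out of code come together in how an application obtains credentials. The following added example (not code from the page, and not the Alibaba Cloud SDK) models that: a provider that assumes a role, clamps the requested duration to the role's maximum session duration, and re-assumes the role before the token expires, plus a loader that takes credentials from environment variables. The `assume_role` function is a hypothetical stand-in for the STS AssumeRole call, the role identifier is constructed, and the environment variable names are an assumption of this example.

```python
"""Temporary-credential handling for a RAM role (added example).

``assume_role`` is a hypothetical stand-in for the STS AssumeRole call: it
is not the Alibaba Cloud SDK and models only what the page describes, a
token that carries the role's permissions until it expires. The environment
variable names are an assumption of this example.
"""
import os
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class StsToken:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: Optional[float]  # Unix time when the token stops working; None if unknown


def clamp_session_duration(requested, role_max_session_duration, floor=900):
    """Choose a DurationSeconds the role will accept.

    STS rejects requests above the role's maximum session duration, so the
    request is clamped to it; the floor models the shortest sensible session
    (the 900 s value is an assumption of this example).
    """
    if requested < floor:
        return floor
    return min(requested, role_max_session_duration)


def assume_role(role_arn, session_name, duration_seconds, now=None):
    """Hypothetical AssumeRole: returns a constructed token valid for duration_seconds."""
    now = time.time() if now is None else now
    return StsToken(
        access_key_id=f"STS.constructed-{session_name}",
        access_key_secret="constructed-secret",
        security_token=f"constructed-token-for-{role_arn}",
        expiration=now + duration_seconds,
    )


class RoleCredentialProvider:
    """Caches an STS token and re-assumes the role shortly before it expires."""

    def __init__(self, role_arn, session_name, role_max_session_duration,
                 requested_duration=3600, refresh_margin=300, assume=assume_role):
        self.role_arn = role_arn
        self.session_name = session_name
        self.duration = clamp_session_duration(requested_duration, role_max_session_duration)
        self.refresh_margin = refresh_margin  # refresh this many seconds before expiry
        self._assume = assume
        self._token = None
        self.assume_calls = 0  # exposed so callers can see how often the role was assumed

    def get(self, now=None):
        """Return a token that is still valid for at least refresh_margin seconds."""
        now = time.time() if now is None else now
        if self._token is None or now >= self._token.expiration - self.refresh_margin:
            self._token = self._assume(self.role_arn, self.session_name, self.duration, now)
            self.assume_calls += 1
        return self._token


ENV_KEYS = (  # assumed variable names for this example
    "ALIBABA_CLOUD_ACCESS_KEY_ID",
    "ALIBABA_CLOUD_ACCESS_KEY_SECRET",
    "ALIBABA_CLOUD_SECURITY_TOKEN",
)


def credentials_from_environment(env=None):
    """Read an STS token from the environment instead of hard-coding keys.

    Returns None unless all three values are present, so the caller can fall
    back to assuming a role rather than running with a partial credential.
    """
    env = os.environ if env is None else env
    values = [env.get(key) for key in ENV_KEYS]
    if not all(values):
        return None
    return StsToken(values[0], values[1], values[2], expiration=None)


if __name__ == "__main__":
    # Constructed role identifier; not a real role.
    provider = RoleCredentialProvider("acs:ram::123456789012:role/eb-producer", "job-1",
                                      role_max_session_duration=3600, requested_duration=7200)
    print("session duration used:", provider.duration)
    print("token:", provider.get().security_token)
```

The provider refreshes the token before it lapses, so a leaked token is useful to an attacker only until the configured expiry, as the page notes, while the workload itself never sees an authentication failure at the boundary. The environment loader returns nothing rather than a partial credential, which keeps a misconfigured deployment from silently running with the wrong identity.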
Enable SSO for RAM roles if your organization uses an enterprise identity provider. Role-based SSO lets external identities assume RAM roles without creating individual RAM users.