Other security measures


This topic describes other data security measures that MaxCompute supports.

Disable downloading SELECT results from DataWorks

| Operation type | Description |
| --- | --- |
| Description | When developers analyze data in DataWorks, results are typically displayed in the IDE and can be downloaded. Even if you enable ProjectProtection for a project, users with read permissions on a table can still run a SELECT statement in DataWorks and download the results. |
| Required role | DataWorks administrator. |
| Check the current setting | On the DataWorks Workspace list page, find the target workspace and click Details in the Actions column. In the left-side navigation pane, click General Configurations. In the Security Settings section, check whether the Download SELECT Result option is enabled. |
| Disable the setting | On the DataWorks Workspace list page, find the target workspace and click Details in the Actions column. In the left-side navigation pane, click General Configurations. In the Security Settings section, turn off the Download SELECT Result switch. |
| Rollback | On the DataWorks Workspace list page, find the target workspace and click Details in the Actions column. In the left-side navigation pane, click General Configurations. In the Security Settings section, turn on the Download SELECT Result switch. |

Enhance security with other cloud services

MaxCompute interacts with other cloud services that you can use to enhance security. For example, when you use MaxCompute through DataWorks, you must add project members as RAM users. This section explains how to improve security for these RAM users.

MaxCompute supports authentication through both Alibaba Cloud accounts and RAM users. When authenticating a RAM user, MaxCompute verifies the user's identity but does not enforce permissions defined in RAM. This allows you to add any RAM user under your Alibaba Cloud account to a MaxCompute project. To secure access, control the logon and authentication process for these RAM users.

  • Set a strong password policy for RAM users

    If you allow RAM users to change their logon passwords, you should require them to create strong passwords and rotate them periodically.

    You can configure a password policy in the RAM console, which includes settings such as minimum length, required character types, and password rotation frequency.

    In the left-side navigation pane of the RAM console, click Settings. On the password policy tab, click Modify. In the dialog box that appears, configure parameters such as password length, required character types, Password cannot contain username, password expiration, Forbid logon after password expiration, Prevent password reuse, and Logon retry limit. Then, click OK.

  • Configure a logon address mask for RAM users

    By setting a logon address mask, you can restrict RAM user logons to specific IP addresses.

    In the left-side navigation pane of the RAM console, click Settings and select Network Access Control. In the Allowed IP Addresses for Logon (Logon Mask) section, click Modify. In the dialog box that appears, enter the allowed IPv4 addresses and then click OK.

  • Revoke unnecessary permissions promptly

    When a RAM user's job responsibilities change and they no longer require certain permissions, revoke those permissions immediately.
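
The password policy and logon mask settings described above can be reviewed offline once their values are written down. The following is an added example, not code from the MaxCompute or RAM documentation: the dictionary keys, the baseline thresholds, and the `;`-separated mask format are assumptions made for illustration, and the sample values are constructed.

```python
import ipaddress

# Baseline thresholds are assumptions for this example, not Alibaba Cloud defaults.
BASELINE = {"min_length": 12, "min_char_types": 3, "max_age_days": 90,
            "min_reuse_prevention": 5, "max_logon_retries": 5}

def audit_password_policy(policy):
    """Return findings for a policy dict (hypothetical keys; 0 means disabled)."""
    findings = []
    if policy.get("min_length", 0) < BASELINE["min_length"]:
        findings.append("minimum length below baseline")
    if len(policy.get("required_char_types", [])) < BASELINE["min_char_types"]:
        findings.append("too few required character types")
    if not policy.get("cannot_contain_username", False):
        findings.append("password may contain the username")
    age = policy.get("max_age_days", 0)
    if age == 0 or age > BASELINE["max_age_days"]:
        findings.append("password expiration disabled or too long")
    elif not policy.get("forbid_logon_after_expiration", False):
        findings.append("logon still allowed after password expiration")
    if policy.get("reuse_prevention", 0) < BASELINE["min_reuse_prevention"]:
        findings.append("password reuse prevention too weak")
    retries = policy.get("logon_retry_limit", 0)
    if retries == 0 or retries > BASELINE["max_logon_retries"]:
        findings.append("logon retry limit disabled or too high")
    return findings

def audit_logon_mask(mask, min_prefix=16):
    """Return findings for a mask of ';'-separated IPv4 addresses or CIDR blocks."""
    entries = [e.strip() for e in mask.split(";") if e.strip()]
    if not entries:
        # Assumption: an empty mask places no restriction on the source address.
        return ["logon mask empty: logon allowed from any address"]
    findings = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry}: not a valid address or CIDR block")
            continue
        if net.version != 4:
            findings.append(f"{entry}: not an IPv4 entry")
        elif net.prefixlen < min_prefix:
            findings.append(f"{entry}: range broader than /{min_prefix}")
    return findings

# Constructed sample policy with every control left weak or disabled.
WEAK = {"min_length": 8, "required_char_types": ["lowercase"], "max_age_days": 0}
```
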