RAM identity management

To keep your Alibaba Cloud account and cloud resources secure, avoid using your Alibaba Cloud account (root account) to access <Product Name>. Instead, use Resource Access Management (RAM) identities, such as RAM users and RAM roles, to access <Product Name>.

RAM users

RAM users are created by an Alibaba Cloud account (root account), or by a RAM user or RAM role that has administrative permissions. After creation, a RAM user must be granted permissions to log on to the console or call APIs to access resources.

Follow these best practices for RAM users:

  • Use your Alibaba Cloud account to create a RAM user. Grant administrative permissions to this RAM user. Then, use this RAM user to create and manage other RAM users.

  • Separate human users from programmatic users.

    When you create a RAM user, you choose between two access modes: console access and OpenAPI call access. A console user authenticates with a logon password; an API user authenticates with an AccessKey pair. Keep the two in separate RAM users, so that an operational error in one mode (for example, a leaked AccessKey pair or a mistaken console action) does not affect the other. Enable multi-factor authentication (MFA) for every user that has console access.

  • Assign the least privilege to RAM users.

    The principle of least privilege means granting a user only the permissions required to perform a task, and no more. This practice improves data security and reduces the security risk of permission abuse.

  • Do not store the AccessKey ID and AccessKey secret of a RAM user in your project code or commit them to a repository. If the AccessKey pair is leaked, every resource that the RAM user can access is at risk. Instead, obtain access through Security Token Service (STS) temporary credentials, or read credentials from environment variables or a credential store that is kept outside the code.

  • If applicable, configure user-based single sign-on (SSO) for RAM users. This allows them to use their corporate identities to log on and access Alibaba Cloud resources.
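The least-privilege and no-hardcoded-keys bullets above are easiest to enforce mechanically. The following Python is an added example, not code from the original page or from Alibaba Cloud: it audits a RAM policy document for wildcard grants and scans source text for AccessKey IDs that should not be there. The bucket name, the sample source snippet and the key ID pattern are constructed assumptions; RAM user AccessKey IDs do begin with `LTAI`, but the length range in the regular expression is an approximation.

```python
import json
import re

# Constructed sample policies for illustration (not from the original page).
# A RAM policy document has Version "1" and a list of statements whose
# Action and Resource fields may be a single string or a list of strings.
OVERBROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Read-only access to one OSS bucket: the bucket itself (needed for listing)
# and the objects inside it. "example-bucket" is a placeholder name.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:ListObjects"],
            "Resource": [
                "acs:oss:*:*:example-bucket",
                "acs:oss:*:*:example-bucket/*",
            ],
        },
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str) -> list:
    """Return human-readable findings; an empty list means no check fired.

    Only Allow statements are examined: a Deny statement can only narrow
    access, so a wildcard inside it is not a privilege problem.
    """
    doc = json.loads(policy_json)
    findings = []
    if doc.get("Version") != "1":
        findings.append('Version should be "1"')
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*":
                findings.append(f"statement {idx}: wildcard action grants every API of every service")
            elif action.endswith(":*"):
                findings.append(f"statement {idx}: service-wide action {action!r}")
        for resource in resources:
            # ARN layout: acs:<service>:<region>:<account-id>:<relative-id>
            parts = resource.split(":", 4)
            if resource == "*" or len(parts) < 5 or parts[4] == "*":
                findings.append(f"statement {idx}: wildcard resource {resource!r}")
        if "*" in actions and "*" in resources:
            findings.append(f"statement {idx}: full administrative access; attach to a break-glass identity only")
    return findings


# RAM user AccessKey IDs begin with "LTAI". The length range is an assumption
# that is wide enough for a pre-commit scan; tune it for your own keys.
ACCESSKEY_ID_RE = re.compile(r"\bLTAI[0-9A-Za-z]{12,20}\b")


def find_hardcoded_accesskeys(source: str) -> list:
    """Return every AccessKey-ID-shaped token found in a source file."""
    return [m.group(0) for m in ACCESSKEY_ID_RE.finditer(source)]


# Constructed source snippet: one hardcoded key ID beside the env-var pattern
# that the bullet above recommends. The key ID is a placeholder, not a real key.
SAMPLE_SOURCE = '''
client_bad = Client(access_key_id="LTAI5tExampleExampleEx01", access_key_secret="...")
client_ok = Client(access_key_id=os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"])
'''

if __name__ == "__main__":
    for finding in audit_policy(OVERBROAD_POLICY):
        print("overbroad:", finding)
    print("least-privilege findings:", audit_policy(LEAST_PRIVILEGE_POLICY))
    print("hardcoded keys:", find_hardcoded_accesskeys(SAMPLE_SOURCE))
```

Run `audit_policy` over every policy before it is attached to a RAM user or group, and `find_hardcoded_accesskeys` as a pre-commit hook; a key ID found in source is a signal to rotate the pair, not only to delete the line.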

RAM user groups

If you have many RAM users, create user groups to manage users with the same responsibilities. You can grant permissions to a group in a batch operation. This helps you efficiently manage RAM users and their permissions. Follow these best practices for RAM user groups:

  • Follow the principle of least privilege when you grant permissions to a RAM user group.

  • If a RAM user's responsibilities change, remove the user from groups that are no longer applicable. This prevents permission abuse.

  • If a user group no longer needs certain permissions, remove those permissions from the group.

RAM roles

A RAM role is a virtual identity to which policies can be attached. Unlike a RAM user, a RAM role does not have permanent identity credentials, such as a logon password or an AccessKey pair. A RAM role can be used only after the role is assumed by a trusted entity. After a RAM role is assumed by a trusted entity, the trusted entity can obtain a Security Token Service (STS) token and use the STS token to access Alibaba Cloud resources as the RAM role.

Follow these security recommendations for RAM roles:

  • After you create a RAM role, avoid changing its trusted entity. Removing or replacing a trusted entity in the role's trust policy can lock the original entity out and break the workloads that depend on it. Adding trusted entities widens the set of identities that can assume the role and risks excessive authorization. If you must change the trust policy, test the change in a test account first, and apply it to your production account only after you confirm that everything works as expected.

  • After a RAM user in a trusted account is granted the required permissions, the user can call the AssumeRole operation to obtain an STS token for the RAM role. An STS token is valid only for a limited period. Set the requested validity period (the DurationSeconds parameter of AssumeRole) to the shortest value that the task needs.

    Note

    The maximum validity period of an STS token is the maximum session duration configured on the role. For security reasons, keep the role's maximum session duration as short as your use case allows.

  • If applicable, configure role-based single sign-on (SSO) for RAM roles. This allows users from your corporate identity provider to log on and access Alibaba Cloud resources.
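The three role recommendations above (review trust-policy changes before applying them, keep STS sessions short, and pass temporary credentials to code through the environment rather than embedding them) can each be checked with a few lines of code. The Python below is an added example, not code from the original page or from Alibaba Cloud. The account IDs, the service principal and the sample AssumeRole response are constructed placeholders; the session-duration limits and the environment variable names are the documented ones for RAM, STS and the Alibaba Cloud SDK credential chain.

```python
import json
from datetime import datetime

# Constructed example trust policies. The account IDs are placeholders.
# "Before" trusts one account; "after" adds a second account and a service.
TRUST_POLICY_BEFORE = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"RAM": ["acs:ram::111111111111:root"]},
    }],
})
TRUST_POLICY_AFTER = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {
            "RAM": ["acs:ram::111111111111:root", "acs:ram::222222222222:root"],
            "Service": ["ecs.aliyuncs.com"],
        },
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_entities(trust_policy_json: str) -> set:
    """Return {(principal_type, principal_id)} for every Allow statement."""
    doc = json.loads(trust_policy_json)
    entities = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for ptype, ids in stmt.get("Principal", {}).items():
            for pid in _as_list(ids):
                entities.add((ptype, pid))
    return entities


def diff_trusted_entities(before_json: str, after_json: str) -> dict:
    """Show exactly which entities a trust-policy change adds or removes,
    so the change can be reviewed before it reaches the production account."""
    before, after = trusted_entities(before_json), trusted_entities(after_json)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


# Documented limits: a role's MaxSessionDuration is 3600..43200 seconds, and
# AssumeRole DurationSeconds must be 900..MaxSessionDuration (default 3600).
ROLE_MAX_SESSION_RANGE = (3600, 43200)
MIN_DURATION_SECONDS = 900


def validate_duration_seconds(requested: int, role_max_session: int) -> int:
    """Reject a DurationSeconds value that STS would reject, before the call."""
    lo, hi = ROLE_MAX_SESSION_RANGE
    if not lo <= role_max_session <= hi:
        raise ValueError(f"role MaxSessionDuration {role_max_session} outside {lo}..{hi}")
    if not MIN_DURATION_SECONDS <= requested <= role_max_session:
        raise ValueError(f"DurationSeconds {requested} outside {MIN_DURATION_SECONDS}..{role_max_session}")
    return requested


def duration_is_valid(requested: int, role_max_session: int) -> bool:
    try:
        validate_duration_seconds(requested, role_max_session)
        return True
    except ValueError:
        return False


def sts_credentials_to_env(credentials: dict) -> dict:
    """Map the Credentials object of an AssumeRole response onto the variables
    that the Alibaba Cloud SDK credential chain reads from the environment,
    so the token is handed to code without being written into it."""
    return {
        "ALIBABA_CLOUD_ACCESS_KEY_ID": credentials["AccessKeyId"],
        "ALIBABA_CLOUD_ACCESS_KEY_SECRET": credentials["AccessKeySecret"],
        "ALIBABA_CLOUD_SECURITY_TOKEN": credentials["SecurityToken"],
    }


def is_expired(credentials: dict, now_iso: str) -> bool:
    """Expiration is an ISO 8601 UTC timestamp such as 2024-05-01T12:00:00Z."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(now_iso, fmt) >= datetime.strptime(credentials["Expiration"], fmt)


# Constructed sample AssumeRole response; the values are placeholders.
SAMPLE_CREDENTIALS = {
    "AccessKeyId": "STS.EXAMPLEKEYID",
    "AccessKeySecret": "EXAMPLESECRET",
    "SecurityToken": "EXAMPLETOKEN",
    "Expiration": "2024-05-01T12:00:00Z",
}

if __name__ == "__main__":
    print(diff_trusted_entities(TRUST_POLICY_BEFORE, TRUST_POLICY_AFTER))
    print(duration_is_valid(3600, 3600), duration_is_valid(7200, 3600))
    print(sts_credentials_to_env(SAMPLE_CREDENTIALS))
```

Each entry under `added` in the diff is a new identity that can assume the role; treat the list as the review checklist for the change. Refresh the STS token before `is_expired` returns true rather than after a call fails, and never persist the mapped environment to disk.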
