Overview of Resource Access Management

Resource Access Management (RAM) lets you use RAM users to separate permissions. You can grant different permissions to RAM users as needed. This practice helps you avoid the security risks that are caused by exposing your Alibaba Cloud account keys.

Scenarios

The following are typical scenarios for Resource Access Management (RAM).

  • Separate permissions using RAM users

    Company A migrates a project to the cloud and purchases multiple Alibaba Cloud products, such as ECS instances, RDS instances, SLB instances, and OSS buckets. Multiple employees in the project need to operate these cloud resources. However, the employees have different job responsibilities and require different permissions. Company A wants to meet the following requirements:

    • For security and trust reasons, Company A does not want to expose its Alibaba Cloud account keys to employees. Instead, it wants to create separate accounts for them.
    • RAM user accounts can operate resources only if they are granted permission. Company A can revoke permissions from the RAM user accounts or delete the accounts at any time.
    • The RAM user accounts do not require separate billing. Company A is responsible for all costs.

    The authorization management feature of RAM can meet these requirements because it supports permission separation and centralized resource management.

  • Access resources across accounts using RAM roles

    Alibaba Cloud account A and Alibaba Cloud account B belong to different companies. Account A purchases various cloud resources, such as ECS instances, RDS instances, SLB instances, and OSS buckets.

    • Account A wants to focus on its business systems and authorize Account B to perform O&M, monitoring, and management tasks on its cloud resources.
    • Account B can then assign the access permissions for Account A's resources to one or more of its employees. Account B can use fine-grained controls to manage the operation permissions of its employees on the resources.
    • If the O&M contract between Account A and Account B is terminated, Account A can revoke the authorization at any time.

    RAM roles can meet these requirements because they support cross-account authorization and resource access control.
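As an added illustration of the second scenario (this is example code, not part of this page or Alibaba Cloud's own tooling), here are the two policy documents involved: the trust policy on the role in Account A that names Account B as the trusted principal, and the policy Account B attaches to its own RAM users so they can assume that role. The account IDs, the role name and the small policy evaluator are constructed assumptions; the evaluator only models default-deny and an explicit Deny winning, not the full RAM engine.

```python
import json

# Constructed sample identifiers (placeholders, not real account IDs).
ACCOUNT_A = "1111111111111111"   # resource owner (bought the ECS, RDS, SLB, OSS resources)
ACCOUNT_B = "2222222222222222"   # O&M provider
ROLE_NAME = "OpsRole"            # hypothetical RAM role created in Account A
ROLE_ARN = f"acs:ram::{ACCOUNT_A}:role/{ROLE_NAME}"


def trust_policy(trusted_accounts):
    """Trust policy attached to the role in Account A: which accounts may assume it."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"RAM": [f"acs:ram::{acct}:root" for acct in trusted_accounts]},
        }],
    }


def assume_role_policy(role_arn):
    """Policy Account B attaches to its RAM users so they may assume Account A's role."""
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}],
    }


def can_assume(policy, caller_account):
    """Simplified evaluator (assumption, not Alibaba Cloud's engine): default deny,
    an explicit Deny wins, otherwise allow if some statement trusts the caller."""
    principal = f"acs:ram::{caller_account}:root"
    allowed = False
    for st in policy["Statement"]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        if principal in st.get("Principal", {}).get("RAM", []):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    active = trust_policy([ACCOUNT_B])
    print(json.dumps(active, indent=2))
    print("B can assume while the contract is active:", can_assume(active, ACCOUNT_B))
    revoked = trust_policy([])   # Account A drops B from the trust policy: access revoked
    print("B can assume after revocation:", can_assume(revoked, ACCOUNT_B))
```

Revocation is one-sided: Account A edits only its own trust policy, and Account B's RAM user policy becomes useless without any change on B's side.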

More information