Your Alibaba Cloud account has unrestricted access to all resources — a single compromised credential puts everything at risk. Instead of using your Alibaba Cloud account directly to access ApsaraDB RDS, use RAM identities to control who can access RDS and what they can do.
RAM provides three building blocks for access control: RAM users for individuals and applications, RAM user groups for managing permissions at scale, and RAM roles for cross-service and temporary access.
RAM users
A RAM user is an identity with a fixed set of permissions. RAM users can be created by the Alibaba Cloud account or by RAM users and RAM roles that have administrative rights.
Each RAM user has one or both of the following access modes, set by the Access Mode parameter:
| Access mode | How it works | Who uses it |
|---|---|---|
| Console Access | Logs on to the Alibaba Cloud Management Console with a username and password | Human operators |
| Using permanent AccessKey to access | Makes API calls using an AccessKey pair | Applications and scripts |
Separate RAM users for human operators from RAM users for applications and scripts. When a single identity is shared across both purposes, an unintended operation is hard to trace and can affect both console sessions and production API traffic.
Best practices
Use the Alibaba Cloud account to create an admin RAM user, then use that RAM user to create and manage all other RAM users.
Grant each RAM user only the permissions required for their specific tasks (principle of least privilege). Least-privilege permissions reduce the risk of accidental or malicious changes.
Enable multi-factor authentication (MFA) for RAM users with console access. This significantly reduces the risk of unauthorized access even if a password is compromised.
Store credentials securely. Never embed an AccessKey ID or AccessKey secret directly in code. An exposed key compromises every resource in your account. Use Security Token Service (STS) tokens or environment variables to pass credentials at runtime.
If your organization has a central identity provider, enable single sign-on (SSO) so RAM users can access Alibaba Cloud resources through your existing enterprise directory. For human operators especially, SSO with temporary credentials is preferable to long-lived AccessKey pairs.
RAM user groups
A RAM user group lets you assign permissions once and apply them to every member of the group. When your team grows, grant access by adding users to a group rather than configuring each user individually.
The recommended workflow is: create a group and attach the appropriate policies to it, then add RAM users to the group. When a user's responsibilities change, move them between groups rather than adjusting individual permissions.
Best practices
Apply the principle of least privilege to groups, not just individual users.
When someone's responsibilities change, remove them from groups that no longer match their role. Stale group membership is one of the most common sources of over-privileged access.
When a group no longer needs a permission, revoke it promptly. Unused permissions accumulate over time and widen your attack surface.
RAM roles
A RAM role is a virtual identity with attached policies but no permanent credentials — no password, no AccessKey pair. To use a RAM role, a trusted entity (such as an Alibaba Cloud service or another RAM user) assumes the role and receives a temporary STS token. That token grants access for a limited period, then expires automatically.
Best practices
Define the trusted entity carefully when you create a RAM role, and avoid changing it later. Changing a trusted entity can cause permission loss that disrupts running workloads, or introduce privilege escalation if a less-restricted entity gains access.
Set the STS token validity period to the minimum duration your use case requires. Shorter tokens limit the window of exposure if a token is leaked. The maximum validity period is capped by the role's maximum session duration — set that value to an appropriate limit as well.
If your organization uses a central identity provider, enable SSO for RAM roles so federated identities can assume roles directly from your enterprise directory.
The maximum validity period of an STS token cannot exceed the maximum session duration configured for the RAM role.
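As an added example (not code from the page or from the Alibaba Cloud SDK), the following Python sketches the credential handling recommended above for applications: the caller's AccessKey pair is read from the environment rather than embedded in source, the requested STS DurationSeconds is checked against the role's maximum session duration before any AssumeRole call is made, and the temporary credentials are renewed shortly before they expire. The role ARN is a placeholder, `assume_role` is an injected callable that in production would wrap the SDK's AssumeRole request, and the ALIBABA_CLOUD_* variable names are the ones the Alibaba Cloud credential libraries read.

```python
import os
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed placeholder ARN; the real one names your account and role.
ROLE_ARN = "acs:ram::<account-id>:role/rds-readonly"
MIN_DURATION = 900  # shortest DurationSeconds STS accepts for AssumeRole

@dataclass
class StsCredentials:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: float  # absolute time, epoch seconds

def validate_duration(requested: int, max_session_duration: int) -> int:
    """Refuse a session length the role cannot grant instead of letting STS reject it."""
    if requested < MIN_DURATION:
        raise ValueError(f"DurationSeconds must be at least {MIN_DURATION}")
    if requested > max_session_duration:
        raise ValueError("DurationSeconds exceeds the role's maximum session duration")
    return requested

def caller_credentials_from_env() -> tuple:
    """Load the caller's long-lived AccessKey pair from the environment, never from source."""
    key_id = os.environ.get("ALIBABA_CLOUD_ACCESS_KEY_ID")
    secret = os.environ.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
    if not key_id or not secret:
        raise RuntimeError("AccessKey pair not found in environment")
    return key_id, secret

class RoleCredentialProvider:
    """Hands out STS credentials for a role and renews them shortly before expiry."""

    def __init__(self, assume_role: Callable[[str, int], StsCredentials], role_arn: str,
                 duration: int, max_session_duration: int, refresh_margin: int = 60):
        self._assume_role = assume_role  # wraps the SDK AssumeRole call in production
        self._role_arn = role_arn
        self._duration = validate_duration(duration, max_session_duration)
        self._refresh_margin = refresh_margin
        self._creds: Optional[StsCredentials] = None

    def get(self, now: Optional[float] = None) -> StsCredentials:
        now = time.time() if now is None else now
        if self._creds is None or now >= self._creds.expiration - self._refresh_margin:
            self._creds = self._assume_role(self._role_arn, self._duration)
        return self._creds
```

Because the provider renews before the token expires, a long-running job never holds a credential past the window the role allows, which is the property the validity-period guidance above is aiming for.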