A trusted service is an Alibaba Cloud service that integrates with Resource Directory to access organizational information such as members and folders. Using a management account or delegated administrator account, you can centrally manage the trusted service across all accounts in your organization. For example, after integrating Cloud Config with Resource Directory, the management account can view resource lists, configuration histories, and compliance status for all members.
How to use a trusted service
To use a trusted service:
- In the Resource Management console, use your management account to enable Resource Directory.
- In the Resource Management console, use your management account to set up your organizational structure by creating members or inviting existing Alibaba Cloud accounts. See Create a folder, Create a member, and Invite an Alibaba Cloud account to join a resource directory.
- (Optional) In the Resource Management console, use the management account to assign a member as the delegated administrator account for the trusted service. If no delegated administrator is set, the management account must perform all administrative tasks for the service. See Add a delegated administrator account.
  Note: This step applies only to trusted services that support delegated administrator accounts.
- In the trusted service console, use the management account or the delegated administrator account to enable multi-account management and select the members to manage. Operations vary by service; check the References column in Supported trusted services.
Supported trusted services
| Trusted service | Trusted service identifier | Description | Delegated administrator support | References |
| --- | --- | --- | --- | --- |
| Cloud Config | config.aliyuncs.com | After integration with Resource Directory, the management account can view resource lists, configuration histories, and compliance status for all members, enabling organization-wide compliance monitoring. | Yes | |
| ActionTrail | actiontrail.aliyuncs.com | After integration with Resource Directory, the management account can create multi-account trails that deliver events from all members to an OSS bucket or Log Service Logstore. | Yes | |
| Security Center | sas.aliyuncs.com | Security Center provides a unified view of security risks detected across all members in your organization. | Yes | |
| Cloud Firewall | cloudfw.aliyuncs.com | Cloud Firewall provides centralized security control, allowing you to manage public IP assets, configure defense policies, and view log analysis across multiple accounts. | Yes | |
| Dynamic Content Delivery Network (DCDN) | multiaccount.dcdn.aliyuncs.com | DCDN provides a multi-account management feature to centrally manage domain name resources across different accounts and services. | No | |
| Hybrid Cloud Monitoring | cloudmonitor.aliyuncs.com | Hybrid Cloud Monitoring allows you to centrally monitor resources across multiple Alibaba Cloud accounts within your organization. | Yes | |
| CloudSSO | cloudsso.aliyuncs.com | The management account can centrally manage users, configure SSO between your enterprise IdP and Alibaba Cloud, and manage access permissions for members in your Resource Directory. | Yes | |
| Log Audit Service | audit.log.aliyuncs.com | Log Audit Service supports automated and centralized collection of cloud service logs from multiple accounts for audit and analysis. | Yes | |
| Resource Orchestration Service (ROS) | ros.aliyuncs.com | The management account can deploy cloud resources to members with one click, enabling centralized resource management across accounts. | Yes | |
| Resource Sharing | resourcesharing.aliyuncs.com | After enabling sharing, the management account can share resources with specific members, a specific folder, or the entire Resource Directory. New members added to the folder or Resource Directory automatically gain access; removed members automatically lose access. | No | |
| Cloud Governance Center | governance.aliyuncs.com | The management account can centrally view resource distribution and trends, configure compliance audit rules, and deliver audit logs for all members. | No | |
| Tag | tag.aliyuncs.com | The management account can enable the multi-account mode for tag policies to standardize tag operations for all members in the Resource Directory. | Yes | |
| Service Catalog | servicecatalog.aliyuncs.com | Share product portfolios with multiple members in your Resource Directory. Configuration changes sync in real time to all shared members. | Yes | |
| Quota Center | quotas.aliyuncs.com | Create a quota template to automatically submit quota increase requests for new members added to your Resource Directory. | No | |
| Cloud Security Access Service (CSAS) | csas.aliyuncs.com | Cloud Security Access Service (CSAS) allows you to centrally manage cloud assets across multiple accounts and implement unified access control. | Yes | |
| Threat Analysis and Response | cloudsiem.sas.aliyuncs.com | Threat Analysis and Response provides unified management of alerts from multiple accounts and services. It supports one-click risk handling and automated response orchestration. | Yes | What is Agentic SOC (formerly Threat Analysis and Response)? |
| Network Intelligence Service (NIS) | nis.aliyuncs.com | Network Intelligence Service (NIS) allows you to centrally view and analyze network services across multiple accounts in your organization. | Yes | |
| Resource Center | resourcecenter.aliyuncs.com | Resource Center provides a unified view and search capabilities for resources across accounts, services, and regions. | Yes | |
| Message Center | messagecenter.aliyuncs.com | Message Center enables centralized management of notification contacts for multiple accounts in your organization. | No | |
| Carbon Footprint | energy.aliyuncs.com | The management account can view the greenhouse gas emission data generated by cloud resources across all Alibaba Cloud accounts in your organization. | Yes | |
| Cloud Advisor | advisor.aliyuncs.com | Supports cloud architecture inspection, optimization, and governance across multiple accounts in an organization. | Yes | |
| Web Application Firewall (WAF) 3.0 | waf.aliyuncs.com | Web Application Firewall (WAF) 3.0 allows you to centrally access cloud resources in member accounts, add them to WAF, and configure unified security policies. | Yes | |
| Anti-DDoS Origin | ddosbgp.aliyuncs.com | Supports sharing of DDoS protection instances among multiple accounts. | Yes | |
| Bastionhost | bastionhost.aliyuncs.com | Bastionhost supports centralized management of assets across multiple cloud accounts from a single host for unified operations and maintenance. | Yes | |
| Data Security Center (DSC) | sddp.aliyuncs.com | Data Security Center (DSC) enables cross-account management of data assets. Aggregate, view, and manage data classification results, data asset risks, and threat events. | Yes | |
| Managed Service for Prometheus | prometheus.aliyuncs.com | Managed Service for Prometheus enables unified monitoring of Prometheus instances across multiple accounts. | Yes | Use a global aggregation instance for multi-account monitoring in Prometheus |
| BP Studio | bpstudio.aliyuncs.com | BP Studio allows you to share templates with multiple accounts in your Resource Directory. | Yes | |
| IP Address Manager (IPAM) | vpcipam.aliyuncs.com | IP Address Manager (IPAM) provides centralized visibility into IP address usage across multiple accounts. | Yes | |
| Hybrid Backup Recovery (HBR) | hbr.aliyuncs.com | The cross-account backup feature lets a backup administrator account centrally back up and restore data from cloud resources in other accounts. | Yes | |
| Data Disaster Recovery Center (BDRC) | bdrc.aliyuncs.com | The cross-account management feature enables centralized control over the data protection status of resources across multiple accounts in your organization. | Yes | |
Enable or disable a trusted service
Enable or disable a trusted service from its console or through its API. Each service's documentation provides the specific steps.
In the left-side navigation pane of the Resource Management console, you can view the status of trusted services, but you cannot enable or disable trusted services there.
Some trusted services are enabled automatically when you perform certain actions. For example, creating a multi-account trail in ActionTrail, or viewing Resource Directory-related resources in a trusted service for the first time, automatically enables trusted access for that service.
Similarly, some trusted services are disabled automatically when you perform certain actions, such as turning off a feature. A disabled trusted service can no longer access accounts or resources in your Resource Directory, and all of its Resource Directory-related resources are deleted.
Trusted services and service-linked roles
Resource Directory creates a service-linked role named 'AliyunServiceRoleForResourceDirectory' in each member, granting permission to create the roles required by trusted services. Only Resource Directory can assume this role. See RAM roles in Resource Directory.
A trusted service creates its own service-linked role (such as 'AliyunServiceRoleForConfig' for Cloud Config) only in members where it performs administrative tasks. Only the corresponding trusted service can assume this role.
The permission policy of a service-linked role is defined by the corresponding service. You cannot modify or delete the policy, nor add or remove its permissions. See Service-linked roles.
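The trust policy of a service-linked role is what restricts it to its trusted service, so a defender can periodically check that only the service principal from the table above (for example config.aliyuncs.com for 'AliyunServiceRoleForConfig') is allowed to assume it. The checker below is an added example, not code from the page or from Alibaba Cloud; the policy documents are constructed, the JSON shape is assumed to be the RAM trust-policy format, and the account ID is a placeholder.

```python
import json

# Constructed trust-policy documents in the RAM trust-policy JSON shape (assumption);
# the account ID in the second document is a placeholder.
GOOD_TRUST_POLICY = json.dumps({
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"Service": ["config.aliyuncs.com"]}}],
    "Version": "1"})
BAD_TRUST_POLICY = json.dumps({
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": ["config.aliyuncs.com"]}},
        # Extra statement: a RAM account, not the service, may also assume the role.
        {"Action": ["sts:AssumeRole"], "Effect": "Allow",
         "Principal": {"RAM": ["acs:ram::000000000000:root"]}}],
    "Version": "1"})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def assume_role_principals(trust_policy_json):
    """Collect every principal that an Allow statement permits to call
    sts:AssumeRole, grouped by principal type (Service, RAM, Federated)."""
    policy = json.loads(trust_policy_json)
    found = {"Service": set(), "RAM": set(), "Federated": set()}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        for kind, members in stmt.get("Principal", {}).items():
            found.setdefault(kind, set()).update(_as_list(members))
    return found


def audit_service_linked_role(role_name, trust_policy_json, expected_service):
    """Return findings as strings; an empty list means only the expected trusted
    service principal (e.g. config.aliyuncs.com) can assume the role."""
    found = assume_role_principals(trust_policy_json)
    findings = []
    if expected_service not in found["Service"]:
        findings.append(f"{role_name}: {expected_service} cannot assume the role")
    for kind, members in found.items():
        for principal in sorted(members):
            if kind == "Service" and principal == expected_service:
                continue
            findings.append(f"{role_name}: unexpected {kind} principal "
                            f"{principal} may assume the role")
    return findings
```

Call audit_service_linked_role with the role name, its trust-policy JSON and the service identifier from the table; any non-empty result means the role is assumable by something other than its trusted service.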