
Resource Access Management (RAM)

Alibaba Cloud Resource Access Management (RAM) is an identity and access control service that lets you centrally manage your users (including employees, systems, or applications) and control their access to your resources through permission levels. With RAM, you can grant access permissions for Alibaba Cloud resources only to your selected high-privileged users, enterprise personnel, and partners. This helps ensure secure and appropriate use of your cloud resources and protects your account against unsolicited access.

Activation methods of RAM

Activate Alibaba Cloud Resource Access Management (RAM). The RAM service is free of charge. You can use the RAM service after activating it.

To activate the RAM service, go to the RAM activation page.

  1. Choose Identities > Settings.
  2. On the Security Settings tab, click Update RAM user security settings and set the relevant parameters.
    • Save MFA Logon Status for 7 Days: Specifies whether to save the multi-factor authentication (MFA) logon status for your RAM users. The default value is Not Allowed. If you select Allow, the MFA logon status is saved for seven days.
    • Manage Passwords: Specifies whether RAM users are allowed to change their own passwords.
    • Manage AccessKey: Specifies whether RAM users are allowed to manage their access keys.
    • Manage MFA Devices: Specifies whether RAM users are allowed to enable or disable an MFA device.
    • Logon Session Valid For: The validity period of the logon sessions. The unit is hours.
    • Logon Address Mask: Specifies which IP addresses cannot be used for logon. This parameter is left unspecified by default. That is, all IP addresses can be used for logon. If you specify this parameter, you cannot log on to the console by using a password or through Single Sign On (SSO). However, you can call API actions by using an access key. For information about how to set a logon mask, see Set a logon mask for an Alibaba Cloud account.
  3. Click OK.
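
The settings above can also be reviewed as data. The following is an added example, not Alibaba Cloud's own code: it audits a constructed settings document against an illustrative baseline. The field names and the semicolon-separated mask format are assumptions modeled on the RAM GetSecurityPreference API response, and the 6-hour session limit is a hypothetical threshold.

```python
import ipaddress

# Constructed sample, shaped like a RAM GetSecurityPreference response
# (field names are an assumption; verify them against your own API output).
SAMPLE = {
    "LoginProfilePreference": {
        "EnableSaveMFATicket": True,
        "AllowUserToChangePassword": True,
        "LoginSessionDuration": 24,
        "LoginNetworkMasks": "203.0.113.0/24;10.0.0.300",
    },
    "AccessKeyPreference": {"AllowUserToManageAccessKeys": True},
    "MFAPreference": {"AllowUserToManageMFADevices": True},
}

MAX_SESSION_HOURS = 6  # illustrative baseline, not an Alibaba Cloud requirement


def bad_masks(masks):
    """Return mask entries that do not parse as an IP address or CIDR block."""
    bad = []
    for entry in filter(None, (m.strip() for m in masks.split(";"))):
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)
    return bad


def audit(pref):
    """Map each console setting described above to a finding code."""
    login = pref.get("LoginProfilePreference", {})
    findings = []
    if login.get("EnableSaveMFATicket"):
        findings.append("MFA_STATUS_SAVED_7_DAYS")
    if login.get("LoginSessionDuration", 0) > MAX_SESSION_HOURS:
        findings.append("LONG_LOGON_SESSION")
    masks = login.get("LoginNetworkMasks") or ""
    if not masks.strip():
        findings.append("NO_LOGON_ADDRESS_MASK")
    findings += [f"INVALID_MASK:{m}" for m in bad_masks(masks)]
    if pref.get("AccessKeyPreference", {}).get("AllowUserToManageAccessKeys"):
        # The mask covers console logon only; access-key API calls are not restricted by it.
        findings.append("USERS_MANAGE_ACCESS_KEYS")
    if pref.get("MFAPreference", {}).get("AllowUserToManageMFADevices"):
        findings.append("USERS_CAN_DISABLE_MFA")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result means the document meets this baseline; each finding code corresponds to one of the parameters in step 2.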

Update Custom Domain

  1. Choose Identities > Settings.
  2. Click Advanced, and click Update display name into custom domain.
  3. Click OK.

Create a RAM user

  1. Choose Identities > Users.
  2. Click Create User, and enter the logon name and display name.
  3. Select an access mode. The available access modes are Console Password Logon and Programmatic Access.
    • Console Password Logon: If you select this check box, you must also complete the basic security settings for logon, including deciding whether to automatically generate a password or customize the logon password, setting whether the user must reset the password upon the next logon, and setting whether to enable multi-factor authentication (MFA).
    • Programmatic Access: If you select this check box, an access key is automatically created for the RAM user. The user can access Alibaba Cloud resources by calling an API action or by using a development tool.
  4. Click OK.

Grant permission to a RAM user

  1. Log on to the RAM console.
  2. Choose Identities > Users.
  3. Select the user and click Add Permission.
  4. In the Principal field, enter the username or the user ID, and click the target RAM user.
  5. In the Policy Name column, select the target policy and click OK.