Migration to the cloud comes with challenges. A good cloud implementation strategy helps to use the cloud effectively with minimal monitoring and management overhead.
Alibaba Cloud RAM (Resource Access Management) is an identity and access control service that allows users and resources to be managed from a central portal. There are three ways to manage RAM:
- From the Alibaba Cloud Console
- With Alibaba Cloud API
- With Alibaba Cloud SDK
This blog post focuses on the Alibaba Cloud Console method.
To access Alibaba Cloud RAM, navigate to Products and search for RAM. To pin RAM to the quick launch bar, click the star next to RAM.
On first use, users are required to accept the terms and conditions to activate the RAM service.
The Alibaba Cloud RAM dashboard provides a high-level overview along with security recommendations for the account:
- A root account / primary account should be created with a complex password.
- All accounts must also have Multi-Factor Authentication activated for added security.
- No resources or access keys should be created with the root account.
- Create a RAM user with account administrator rights. A RAM account with admin rights, or with the least privileges needed, should be used for daily account administration tasks.
To simplify user management and role assignment, create groups and assign users to the specific groups they need to perform their tasks.
Groups can be created based on the name of a department or working group. For an IT company, the group names could be DevOps, QA, Developer and Finance.
To create groups, navigate to Groups under the Identity section of the RAM dashboard.
Alibaba Cloud RAM supports two types of users:
- Users with Console Access (Web Access)
- Users with Programmatic Access
Before creating any users, decide on the user type. If a user needs to log on to the Alibaba Cloud Web Console to perform tasks, provide console access. If the user needs to access the system using the API / SDK, select the user creation option with programmatic access.
On creation of a user with programmatic access, the portal provides an AccessKeyId and AccessKeySecret. Note that these details are shown only once. Programmatic access users can be added to groups.
Creating a console access user requires some extra parameters to be set up, including password generation, a forced password reset on the next login and activation of MFA.
It is recommended to force users to activate MFA on their first login. This improves the overall security of the cloud account.
Users can be added to any group by clicking “Add to Group” in the Users section or “Add Group Members” in the Groups section. Note that users added to a group receive all the permissions assigned to that group.
Depending on company policy, enhanced RAM settings can be applied. Some of the settings include:
- Don’t allow Password to Contain Username
- Password Length
- Allow / Deny User Logon Action After Password Expires
To change the existing password rules, click Edit Password Rules / Update RAM User Security Settings.
With the advanced security settings, the default named identifier of the Alibaba RAM user can be changed to a name of your choice.
Alibaba Cloud RAM can be integrated with SAML2.0 based authentication to provide seamless SSO functionality. There are two types of SSO available.
- User-based SSO
- Role-based SSO
User-based SSO allows enterprise users to access the cloud portal as a RAM user. Here the users need to be synced with Alibaba Cloud.
Role-based SSO does not require syncing users with Alibaba Cloud; enterprise users access Alibaba Cloud services based on the role they assume.
Alibaba Cloud RAM grants help in validating the policies assigned to a group or user. The Grants module can be used to revoke an existing policy or assign a new policy to a user or group. To revoke all permissions, click Revoke Permission in that section.
Alibaba Cloud RAM permissions represent the rule set for RAM users, groups and roles. There are several predefined permissions that can be assigned to users, groups or roles in that section.
Alibaba Cloud RAM permissions also allow users to create custom rules. These rules can be created with easy-to-follow steps or programmatically (JSON syntax).
As an example, if a policy needs to be created where a user/group should not be able to delete a VM, the following option can be chosen to create the rule definition.
To create the same policy with a script:
To assign permission/permissions to a user or group, navigate to grants section and assign required policies. Following is an example assigning Read Only Finance access to the Finance group.
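The following is an added example, not code from the original post or from Alibaba Cloud. It writes the "no VM deletion" rule above as a RAM policy document in JSON syntax (the action name `ecs:DeleteInstance` is the ECS action for deleting an instance; `"Version": "1"` is the RAM policy document version), attaches it together with a constructed read-only policy to a Finance group, and then evaluates requests the way RAM resolves them: an explicit Deny overrides any Allow, and anything not allowed is implicitly denied. The group, user and policy names are constructed for illustration; the read-only policy is a stand-in, not a real system policy name.

```python
"""Minimal evaluator for Alibaba Cloud RAM-style policy documents (added example)."""
import fnmatch
import json

# Custom policy denying VM deletion, written in RAM JSON policy syntax.
DENY_VM_DELETE = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ecs:DeleteInstance",
      "Resource": "*"
    }
  ]
}
""")

# Constructed read-only style policy (stand-in for a read-only grant; not a real system policy).
FINANCE_READ_ONLY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:Describe*", "vpc:Describe*"], "Resource": "*"}
    ],
}

# Constructed group membership: alice is in Finance, bob is in no group.
GROUPS = {"Finance": [FINANCE_READ_ONLY, DENY_VM_DELETE]}
USERS = {"alice": ["Finance"], "bob": []}


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Policy patterns use '*' wildcards; fnmatchcase gives case-sensitive glob matching."""
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action, resource="*"):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action against a set of policies.

    Every statement is inspected: a matching Deny wins even if an Allow matched earlier,
    and with no matching statement at all the result is an implicit deny.
    """
    allowed = False
    for doc in policies:
        for stmt in doc.get("Statement", []):
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if any(_matches(a, action) for a in actions) and any(
                _matches(r, resource) for r in resources
            ):
                if stmt.get("Effect") == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def policies_for_user(user):
    """Collect the policies a user inherits through group membership (direct grants not modelled)."""
    docs = []
    for group in USERS.get(user, []):
        docs.extend(GROUPS.get(group, []))
    return docs


def check(user, action, resource="*"):
    """Convenience wrapper: evaluate an action for a named user."""
    return evaluate(policies_for_user(user), action, resource)


if __name__ == "__main__":
    for user, action in [
        ("alice", "ecs:DescribeInstances"),
        ("alice", "ecs:DeleteInstance"),
        ("bob", "ecs:DescribeInstances"),
    ]:
        print(f"{user} {action} -> {check(user, action)}")
```

Running it shows the effect of combining the two policies on one group: the Finance member can describe instances, is explicitly denied deleting one even though the read-only policy is attached, and a user outside the group gets nothing by default.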
Roles are similar to RAM users. Users are created for long-term access, whereas roles are mainly used for temporary access to another Alibaba Cloud account or its resources. Roles delegate access to users, applications or services without giving them direct access to your Alibaba Cloud resources.
This blog post covered an introduction to Alibaba Cloud RAM. The next blog post will cover custom policy creation and selecting the proper policies.
Have you tried Alibaba Cloud RAM? How was your experience configuring policies? Have you tried creating custom policies? What are your pain points in using RAM, creating Users, Groups, Policies and Roles? What do you want us to cover in the upcoming blog posts? Do let us know your comments in the discussion box below.