
Alibaba Cloud – Resource Access Management

Migrating to the cloud comes with challenges. A sound cloud implementation strategy helps you use the cloud effectively with the least possible ongoing monitoring and management overhead.

Cloud basics start with proper access management. This blog post provides guidelines for implementing Resource Access Management (RAM) on Alibaba Cloud.

Alibaba Cloud RAM is an identity and access control service for managing users and their permissions on resources from a central portal. There are three ways to manage RAM:

  1. From the Alibaba Cloud Console
  2. With Alibaba Cloud API
  3. With Alibaba Cloud SDK

This blog post focuses on the Alibaba Cloud Console method.

Accessing Alibaba Cloud RAM

To access Alibaba Cloud RAM, navigate to Products and search for RAM. To pin RAM to the quick launch bar, click the star next to RAM.

The first time you open RAM you are asked to accept the terms and conditions, which activates the RAM service for the account.


Alibaba Cloud RAM Dashboard

The Alibaba Cloud RAM dashboard provides a high-level overview of the account along with security recommendations for it.


Best Practices:

  • Protect the root (primary) account with a long, complex password.
  • Enable Multi-Factor Authentication on every account, the root account included, for added security.
  • Do not create resources or access keys with the root account; a leaked root access key is unrestricted access to everything in the account.
  • Create a RAM user with administrator rights and use that user (or a RAM user holding only the least privileges a task needs) for daily administration instead of the root account.

Alibaba Cloud Groups

To simplify user management and permission assignment, create groups and add each user to the group that matches the tasks they perform.

Groups can be named after departments or working groups. In an IT company, for example, the groups might be DevOps, QA, Developer and Finance.

To create a group, navigate to Groups under the Identity section of the RAM dashboard.


Alibaba Cloud RAM Users

Alibaba Cloud RAM supports two types of users:

  1. Users with Console Access (Web Access)
  2. Users with Programmatic Access

Before creating a user, decide on the user type. If the user needs to log on to the Alibaba Cloud web console to perform tasks, give them console access. If the user needs to reach the platform through the API or an SDK, create the user with programmatic access. Give a user only the access type they actually need; a user who never logs on interactively should not have a console password.


When a user with programmatic access is created, the console displays an AccessKeyId and an AccessKeySecret. These values are shown only once, so store the secret in a secrets manager at that moment; it cannot be displayed again afterwards. Programmatic-access users can also be added to groups.

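As an added example that is not part of the original post, the following Python shows what the AccessKeyId/AccessKeySecret pair is used for: Alibaba Cloud's RPC-style API signature (SignatureVersion 1.0, HMAC-SHA1 over the sorted, percent-encoded query string, keyed with the secret plus "&"). The credentials, nonce and timestamp are constructed placeholders, and verify_signature models the server side so you can see why only the secret holder can produce a valid request, and why a leaked key pair is equivalent to that user's full permissions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders for this example, NOT real credentials. The real
# AccessKeySecret is displayed once at user creation; store it in a secrets
# manager at that moment and never in source code or chat.
ACCESS_KEY_ID = "LTAIexampleKeyId"
ACCESS_KEY_SECRET = "exampleSecretDoNotUse"


def percent_encode(value):
    """RFC 3986 encoding as the signature spec requires: letters, digits and
    '-', '_', '.', '~' stay; space becomes %20 and '*' becomes %2A."""
    return quote(str(value), safe="")


def canonical_query(params):
    """All parameters except Signature, sorted by name, as name=value joined by '&'."""
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                    for k, v in sorted(params.items()) if k != "Signature")


def string_to_sign(method, params):
    """HTTPMethod & percentEncode("/") & percentEncode(CanonicalizedQueryString)."""
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical_query(params))}"


def sign(method, params, access_key_secret):
    """HMAC-SHA1 keyed with AccessKeySecret + '&', base64-encoded."""
    key = (access_key_secret + "&").encode()
    mac = hmac.new(key, string_to_sign(method, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_signed_request(action, api_version, extra=None, *, key_id=ACCESS_KEY_ID,
                         secret=ACCESS_KEY_SECRET, nonce="nonce-0001",
                         timestamp="2024-01-01T00:00:00Z"):
    """Client side. The nonce and timestamp are fixed so the example is
    reproducible; a real client must send a fresh random nonce and the current
    UTC time, which is what lets the service reject replayed requests."""
    params = {
        "Action": action, "Version": api_version, "Format": "JSON",
        "AccessKeyId": key_id, "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0", "SignatureNonce": nonce, "Timestamp": timestamp,
    }
    params.update(extra or {})
    params["Signature"] = sign("GET", params, secret)
    return params


def verify_signature(method, received, secrets_by_key_id):
    """Server side (modelled): look up the secret for the claimed AccessKeyId,
    recompute the signature over the received parameters and compare it in
    constant time. Any change to a parameter, or a wrong secret, fails."""
    secret = secrets_by_key_id.get(received.get("AccessKeyId"))
    if secret is None:
        return False
    return hmac.compare_digest(sign(method, received, secret),
                               received.get("Signature", ""))


if __name__ == "__main__":
    # ListUsers is a real RAM API action (API version 2015-05-01).
    req = build_signed_request("ListUsers", "2015-05-01")
    print(string_to_sign("GET", req))
    print(req["Signature"])
    print(verify_signature("GET", req, {ACCESS_KEY_ID: ACCESS_KEY_SECRET}))  # True
```

The service repeats exactly this computation with the secret it stores for the AccessKeyId, which is why rotating a key pair (and deleting the old one) is the only remedy once a secret has been exposed.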

Creating a user with console access requires a few extra settings: how the initial password is generated, whether the user must reset it at the next logon, and whether MFA is enabled.

It is recommended to require users to enable MFA on their first logon. This improves the overall security of the cloud account, because a stolen or guessed password alone is then not enough to sign in.


Alibaba Cloud RAM User to Group Assignment

Users can be added to a group by clicking “Add to Group” in the Users section or “Add Group Members” in the Groups section. Note that a user added to a group inherits every permission granted to that group, so review a group's attached policies before adding members to it.


Alibaba Cloud RAM User Settings

Password and security settings can be tightened to match company policy. Some of the available settings are:

  • Don’t allow the password to contain the username
  • Minimum password length
  • Allow / deny user logon after the password expires

To change the existing password rules, click Edit Password Rules / Update RAM User Security Settings.

In the advanced security settings, the default identifier that forms RAM user logon names can be replaced with a name of your choice.


Alibaba Cloud RAM SSO

Alibaba Cloud RAM can be integrated with SAML 2.0 based authentication to provide seamless SSO. Two types of SSO are available:

  1. User-based SSO
  2. Role-based SSO

User-based SSO lets enterprise users log on to the cloud console as a RAM user. A matching RAM user must exist for each of them, so user identities have to be synced to Alibaba Cloud.

Role-based SSO does not require syncing users to Alibaba Cloud: enterprise users access Alibaba Cloud services through a RAM role that the identity provider maps them to, so permissions are governed by the role rather than by a per-user RAM identity.

Alibaba Cloud RAM Grants

The Alibaba Cloud RAM Grants section shows which policies are attached to a user or group, which makes it the place to verify that an identity holds only the access it should. From the same section you can revoke an existing policy or attach a new one to a user or group. To revoke all permissions, click Revoke Permission in that section.


Alibaba Cloud RAM Permissions

Alibaba Cloud RAM permissions are policies: rule sets that apply to RAM users, groups and roles. Several predefined (system) policies are available, and they can be attached to users, groups or roles in this section.


Alibaba Cloud RAM also lets you create custom policies. They can be built either through easy-to-follow steps in the visual editor or programmatically, by writing the policy document in JSON syntax.

As an example, if a policy is needed so that a user or group cannot delete a VM, the following option can be chosen in the visual editor to create the rule definition.


The same policy can also be entered as a JSON document in the script editor.

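As an added example that is not part of the original post, the Python below embeds a custom policy document of the kind the script editor accepts (constructed here: allow all ECS actions, then explicitly deny instance deletion) and evaluates requests against it the way RAM resolves policies: everything not allowed is denied, any matching Allow grants, and an explicit Deny overrides every Allow. The instance resource name and the ADMIN_POLICY document are constructed for the example; Condition elements are not modelled.

```python
import json
import re

# Custom policy as it would be pasted into the RAM script editor. Constructed
# for this example: grant every ECS action, then explicitly deny instance
# deletion. Alibaba Cloud RAM policy documents use "Version": "1" and a
# Statement list of Effect/Action/Resource entries.
NO_DELETE_VM_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ecs:DeleteInstance",
         "Resource": "acs:ecs:*:*:instance/*"},
    ],
})

# Constructed document with the shape of a full-administrator policy:
# every action on every resource.
ADMIN_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, text):
    """Match a policy pattern in which '*' stands for any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, text) is not None


def evaluate(policy_docs, action, resource):
    """Decide one request against every policy attached to an identity,
    directly or through its groups: default deny, any matching Allow grants,
    and an explicit Deny wins regardless of where the Allow comes from."""
    decision = "Deny"
    for doc in policy_docs:
        for stmt in json.loads(doc)["Statement"]:
            action_hit = any(_glob_match(a, action) for a in _as_list(stmt["Action"]))
            resource_hit = any(_glob_match(r, resource) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny cannot be overridden by any Allow
            decision = "Allow"
    return decision


def find_overbroad_statements(doc):
    """Review check: indexes of Allow statements that grant every action on
    every resource, i.e. statements that quietly turn a custom policy into
    administrator access."""
    return [i for i, stmt in enumerate(json.loads(doc)["Statement"])
            if stmt["Effect"] == "Allow"
            and "*" in _as_list(stmt["Action"])
            and "*" in _as_list(stmt["Resource"])]


if __name__ == "__main__":
    instance = "acs:ecs:cn-hangzhou:1234567890:instance/i-example"  # constructed
    print(evaluate([NO_DELETE_VM_POLICY], "ecs:StopInstance", instance))    # Allow
    print(evaluate([NO_DELETE_VM_POLICY], "ecs:DeleteInstance", instance))  # Deny
    # Even with the admin policy attached to the same group, the Deny holds.
    print(evaluate([NO_DELETE_VM_POLICY, ADMIN_POLICY], "ecs:DeleteInstance", instance))
    print(find_overbroad_statements(ADMIN_POLICY))  # [0]
```

The useful property to take away is the last case: because a Deny statement overrides every Allow, a "no VM deletion" policy stays effective even when the same user later picks up a broader policy through group membership. Run find_overbroad_statements over custom policies before attaching them; an Allow on "*"/"*" inside an otherwise scoped policy is the mistake that review is meant to catch.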

Alibaba Cloud RAM Policy Assignment

To attach one or more policies to a user or group, navigate to the Grants section and select the required policies. The following example attaches a read-only finance policy to the Finance group.


Alibaba Cloud RAM Roles

Roles are identities like RAM users, with one important difference: a user is created for long-term access and holds long-term credentials, whereas a role is assumed for temporary access, typically by another Alibaba Cloud account, an application or a cloud service. Delegating through a role grants access to your resources for the duration of a session without handing out a user's password or access keys.


This blog post covered an introduction to Alibaba Cloud RAM. The next blog post will cover custom policy creation and how to select the proper policies.

Have you tried Alibaba Cloud RAM? How was your experience configuring policies? Have you tried creating custom policies? What are your pain points in using RAM, creating Users, Groups, Policies and Roles? What do you want us to cover in the upcoming blog posts? Do let us know your comments in the discussion box below.