{"id":58,"date":"2026-04-12T16:36:37","date_gmt":"2026-04-12T16:36:37","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-resource-access-management-ram-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/"},"modified":"2026-04-12T16:36:37","modified_gmt":"2026-04-12T16:36:37","slug":"alibaba-cloud-resource-access-management-ram-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-resource-access-management-ram-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/","title":{"rendered":"Alibaba Cloud Resource Access Management (RAM) Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Security<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Resource Access Management (RAM) is Alibaba Cloud\u2019s identity and access management service. It helps you securely control <strong>who<\/strong> (users, roles, applications) can access <strong>what<\/strong> (cloud resources) and <strong>how<\/strong> (allowed actions, conditions, authentication requirements).<\/p>\n\n\n\n<p>In simple terms: <strong>RAM lets you create identities (RAM users\/roles), group them, and attach permissions (policies) so people and systems can use Alibaba Cloud without sharing the root account credentials.<\/strong><\/p>\n\n\n\n<p>In technical terms: RAM provides centralized authorization via <strong>policies<\/strong> (system-managed or custom JSON policies) that are evaluated when a principal (RAM user\/role) calls an Alibaba Cloud API. RAM integrates tightly with Alibaba Cloud authentication (AccessKey pairs, MFA, SSO) and authorization across services (ECS, OSS, RDS, VPC, etc.). 
RAM roles commonly pair with <strong>Security Token Service (STS)<\/strong> to issue temporary credentials for least-privilege, short-lived access.<\/p>\n\n\n\n<p><strong>What problem it solves:<\/strong><br\/>\nWithout RAM, teams often share a single AccessKey or use the root account for daily work\u2014both are high-risk. RAM enables <strong>least privilege<\/strong>, <strong>separation of duties<\/strong>, <strong>auditable access<\/strong>, safer automation, and scalable operations for organizations of any size.<\/p>\n\n\n\n<blockquote>\n<p>Service status note: <strong>Resource Access Management (RAM)<\/strong> is the current, active Alibaba Cloud service name for IAM. (If you see older materials referencing similar concepts, treat them as historical and verify against current RAM documentation.)<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Resource Access Management (RAM)?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>RAM is Alibaba Cloud\u2019s service for <strong>identity management<\/strong> and <strong>access control<\/strong>. 
It allows you to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create and manage <strong>RAM users<\/strong>, <strong>user groups<\/strong>, and <strong>RAM roles<\/strong><\/li>\n<li>Grant or deny permissions through <strong>policies<\/strong><\/li>\n<li>Control how identities authenticate (password login, AccessKey, MFA, SSO)<\/li>\n<li>Enable secure delegation and temporary access (commonly with STS)<\/li>\n<\/ul>\n\n\n\n<p>Official documentation entry point:<br\/>\nhttps:\/\/www.alibabacloud.com\/help\/en\/ram<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (what it does)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Identity management:<\/strong> Create RAM users for humans and service accounts for automation.<\/li>\n<li><strong>Authorization:<\/strong> Attach policies to users\/groups\/roles to control actions on resources.<\/li>\n<li><strong>Role-based access control (RBAC):<\/strong> Use groups and roles to simplify permission management.<\/li>\n<li><strong>Delegation:<\/strong> Use roles to delegate access within an account or across accounts (patterns vary by org structure; verify your scenario in docs).<\/li>\n<li><strong>Authentication options:<\/strong> Console password, AccessKey pairs for APIs, and multi-factor authentication (MFA). SSO integration is commonly used in enterprises.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Alibaba Cloud account (root):<\/strong> The subscription owner identity. 
Highest privilege\u2014should not be used for day-to-day operations.<\/li>\n<li><strong>RAM user:<\/strong> An identity for a person or application under your Alibaba Cloud account.<\/li>\n<li><strong>User group:<\/strong> A container for RAM users so you can assign permissions at scale.<\/li>\n<li><strong>RAM role:<\/strong> An identity that can be assumed by trusted principals (often via STS) to obtain temporary credentials.<\/li>\n<li><strong>Policy:<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>System policy:<\/strong> Alibaba Cloud managed, predefined permissions (broadly used for standard roles like read-only access).<\/li>\n<li><strong>Custom policy:<\/strong> JSON-defined permissions tailored to your least-privilege needs.<\/li>\n<\/ul>\n<\/li>\n<li><strong>AccessKey pair:<\/strong> Programmatic credential for API\/CLI\/SDK access (prefer temporary credentials where possible).<\/li>\n<li><strong>MFA device:<\/strong> Adds a second factor for console sign-in and sensitive operations (depending on configuration).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type and scope<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Service type:<\/strong> Control-plane security service (identity and access management).<\/li>\n<li><strong>Scope:<\/strong> RAM is generally <strong>account-scoped<\/strong> and works across Alibaba Cloud services.<br\/>\n  Many IAM-style services are effectively global in nature because identities\/policies are not tied to a single region. 
<strong>Verify any region-specific behaviors<\/strong> (for example, resource ARNs and service endpoints) in official docs for the services you govern.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How RAM fits into the Alibaba Cloud ecosystem<\/h3>\n\n\n\n<p>RAM sits at the center of Alibaba Cloud security governance:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Grants access to resources<\/strong> in services like ECS, OSS, RDS, VPC, ACK, etc.<\/li>\n<li>Works with <strong>STS<\/strong> for temporary credentials (recommended for workloads and federated access).<\/li>\n<li>Works alongside <strong>ActionTrail<\/strong> (audit logging of API calls) for traceability.<\/li>\n<li>Commonly used with <strong>Resource Directory \/ multi-account governance<\/strong> in larger organizations (to avoid putting everything in one account).<\/li>\n<li>Often used with <strong>SSO<\/strong> solutions (Alibaba Cloud CloudSSO or external IdPs via SAML\/OIDC patterns\u2014verify current supported integrations in docs).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Resource Access Management (RAM)?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce breach risk:<\/strong> Stop sharing root credentials and long-lived keys.<\/li>\n<li><strong>Scale teams safely:<\/strong> Onboard\/offboard employees quickly without touching root access.<\/li>\n<li><strong>Improve accountability:<\/strong> Each action can be tied back to a unique identity (especially when combined with ActionTrail).<\/li>\n<li><strong>Support governance:<\/strong> Standardize how access is requested, approved, granted, and reviewed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Least-privilege access:<\/strong> Grant only necessary permissions for each user\/app.<\/li>\n<li><strong>Role-based design:<\/strong> Use groups and roles to keep permissions maintainable.<\/li>\n<li><strong>Temporary credentials:<\/strong> Use roles + STS for time-limited access to reduce exposure.<\/li>\n<li><strong>Fine-grained authorization:<\/strong> Custom policies can restrict actions and, for many services, restrict specific resources (service-dependent).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Centralized administration:<\/strong> One place to manage identities and access.<\/li>\n<li><strong>Repeatable automation:<\/strong> Use RAM with IaC\/CI\/CD patterns (Terraform, ROS, SDKs) to manage permissions consistently.<\/li>\n<li><strong>Separation of duties:<\/strong> Split admin, developer, and auditor permissions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>MFA support:<\/strong> Strengthen console access.<\/li>\n<li><strong>Auditability:<\/strong> When paired with ActionTrail, RAM helps satisfy auditing and compliance requirements (e.g., ISO 
27001-style controls, SOC-like evidence, internal security policies).<\/li>\n<li><strong>Controlled external access:<\/strong> Use roles for vendor, partner, or temporary access.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scales with organization growth:<\/strong> Use groups, roles, and standard policies across many teams and projects.<\/li>\n<li><strong>Avoid permission sprawl:<\/strong> With good structure (naming, groups, boundaries), permissions remain understandable over time.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose RAM<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Any time more than one person or system accesses Alibaba Cloud.<\/li>\n<li>If you need to enforce least privilege, rotation, MFA, or audited access.<\/li>\n<li>When you want secure CI\/CD and automation that doesn\u2019t rely on root keys.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it (or should combine it)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you need <strong>full identity lifecycle<\/strong> (HR-driven joiner\/mover\/leaver), device posture, conditional access, etc., you\u2019ll often combine RAM with an enterprise IdP\/SSO solution. RAM still remains the authorization layer for Alibaba Cloud resources.<\/li>\n<li>If you need <strong>organization-wide<\/strong> multi-account policy enforcement, you\u2019ll typically combine RAM with <strong>Resource Directory<\/strong> and governance tooling (service coverage varies; verify).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Resource Access Management (RAM) used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SaaS and internet companies running production workloads on Alibaba Cloud<\/li>\n<li>Finance, healthcare, and retail needing auditable access controls<\/li>\n<li>Gaming and media with high automation needs<\/li>\n<li>Manufacturing and IoT platforms using API-driven provisioning<\/li>\n<li>Education and research environments with multiple labs and short-term users<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering and cloud enablement teams<\/li>\n<li>DevOps\/SRE teams managing CI\/CD and infrastructure automation<\/li>\n<li>Security engineering and GRC teams designing access controls and audits<\/li>\n<li>Application teams requiring controlled access to specific services (OSS, RDS, etc.)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Production apps on ECS\/ACK\/Function Compute with role-based access<\/li>\n<li>Data pipelines accessing OSS, MaxCompute, AnalyticDB (permissions vary by service)<\/li>\n<li>CI\/CD pipelines deploying to ECS\/ACK and reading secrets\/config (often integrated with KMS\/Secrets patterns)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Single-account environments using RAM users\/groups\/roles for internal access<\/li>\n<li>Multi-account organizations using Resource Directory for account separation plus RAM for per-account IAM<\/li>\n<li>Hybrid identity environments where users authenticate via an enterprise IdP and are authorized in RAM<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production:<\/strong> strict least-privilege, MFA, roles, STS, audit trails, periodic access 
reviews<\/li>\n<li><strong>Dev\/test:<\/strong> faster iteration but still avoid root key sharing; use groups and managed policies carefully<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic RAM use cases you will encounter in Alibaba Cloud Security design.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Replace root account usage with named administrators<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Engineers use the root account for daily work; actions are not attributable.<\/li>\n<li><strong>Why RAM fits:<\/strong> Create named RAM admin users and enforce MFA.<\/li>\n<li><strong>Scenario:<\/strong> Two cloud admins get <code>AdministratorAccess<\/code>-style permissions while the root account is locked down.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Onboard developers with least-privilege access to OSS<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Developers need to read build artifacts from OSS but must not delete or overwrite.<\/li>\n<li><strong>Why RAM fits:<\/strong> Use a group with read-only policy for OSS.<\/li>\n<li><strong>Scenario:<\/strong> <code>dev-oss-readonly<\/code> group is attached to <code>AliyunOSSReadOnlyAccess<\/code> (or a custom least-privilege policy).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) CI\/CD pipeline deploy permissions without sharing personal keys<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A CI job needs to deploy to ECS\/ACK using stable credentials.<\/li>\n<li><strong>Why RAM fits:<\/strong> Use a dedicated RAM user or (preferably) a role with STS and scoped policies.<\/li>\n<li><strong>Scenario:<\/strong> GitLab runner assumes a role to push images and deploy resources.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Temporary vendor access to a specific project<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A contractor needs access for two weeks.<\/li>\n<li><strong>Why RAM fits:<\/strong> Create a RAM user with scoped permissions; disable or delete after.<\/li>\n<li><strong>Scenario:<\/strong> Contractor can only view logs and read OSS objects in a specific bucket.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Break-glass access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Need emergency admin access with strict controls and auditing.<\/li>\n<li><strong>Why RAM fits:<\/strong> Create a dedicated RAM user\/role requiring MFA and tightly controlled distribution.<\/li>\n<li><strong>Scenario:<\/strong> Break-glass credential stored in a vault, access logged, used only during incidents.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Enforce separation of duties (SoD)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Same person shouldn\u2019t deploy and approve production changes.<\/li>\n<li><strong>Why RAM fits:<\/strong> Separate roles\/groups: deployers vs auditors vs network admins.<\/li>\n<li><strong>Scenario:<\/strong> Network team can change VPC\/Security Groups; app team can deploy to ECS but not change VPC.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Read-only auditor access for compliance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Auditors need visibility but must not modify resources.<\/li>\n<li><strong>Why RAM fits:<\/strong> Read-only policies across services + ActionTrail review.<\/li>\n<li><strong>Scenario:<\/strong> Auditor group can list configurations and view billing reports but cannot create\/modify resources.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Service-to-service access using RAM roles<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Workloads running on compute need to access OSS\/RDS APIs securely.<\/li>\n<li><strong>Why RAM 
fits:<\/strong> Attach scoped permissions to a RAM role and use temporary credentials (STS).<\/li>\n<li><strong>Scenario:<\/strong> An app reads configuration from OSS without embedding long-lived AccessKeys in code.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Centralized permission management via groups<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Managing permissions per-user becomes unmaintainable as headcount grows.<\/li>\n<li><strong>Why RAM fits:<\/strong> Use groups (RBAC) so users inherit permissions.<\/li>\n<li><strong>Scenario:<\/strong> New developer is added to <code>project-a-dev<\/code> group and immediately receives the correct access set.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Multi-environment boundaries (dev\/stage\/prod)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Developers accidentally modify production.<\/li>\n<li><strong>Why RAM fits:<\/strong> Separate accounts\/projects and enforce environment-specific roles.<\/li>\n<li><strong>Scenario:<\/strong> <code>prod-operators<\/code> group has limited production access; developers only have dev\/stage access.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) API access for automation with periodic rotation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Long-lived AccessKeys are leaked or never rotated.<\/li>\n<li><strong>Why RAM fits:<\/strong> Use dedicated RAM users for automation, rotate keys, minimize permissions.<\/li>\n<li><strong>Scenario:<\/strong> Rotation runbook updates CI secrets monthly and deactivates old keys.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Standardize naming and tagging access<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Only platform team should set tagging standards and cost allocation tags.<\/li>\n<li><strong>Why RAM fits:<\/strong> Restrict tag write operations to a specific group\/role (service support 
varies).<\/li>\n<li><strong>Scenario:<\/strong> FinOps group can manage tags; dev groups can only read tags.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Feature availability and policy granularity can differ by Alibaba Cloud service. Always verify resource-level permission support and condition keys in the relevant service\u2019s authorization documentation.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">6.1 RAM users (human and service identities)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lets you create identities under your Alibaba Cloud account with their own login credentials and\/or AccessKeys.<\/li>\n<li><strong>Why it matters:<\/strong> Avoid using the root account and improve accountability.<\/li>\n<li><strong>Practical benefit:<\/strong> Clean offboarding\u2014disable the RAM user without rotating shared keys.<\/li>\n<li><strong>Caveats:<\/strong> RAM users do not \u201cown\u201d resources; resources belong to the Alibaba Cloud account. 
Overusing AccessKeys for humans is risky\u2014prefer SSO and MFA.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.2 User groups (RBAC at scale)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Groups multiple RAM users to assign permissions once.<\/li>\n<li><strong>Why it matters:<\/strong> Reduces permission sprawl and admin overhead.<\/li>\n<li><strong>Practical benefit:<\/strong> Add\/remove users from groups without editing policies repeatedly.<\/li>\n<li><strong>Caveats:<\/strong> Don\u2019t mix unrelated permissions in one group; use role-based group design.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.3 RAM roles (delegation and temporary access)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Defines an assumable identity with a permission policy; trusted entities can assume it to obtain temporary credentials (often via STS).<\/li>\n<li><strong>Why it matters:<\/strong> Minimizes long-lived credentials and supports delegation.<\/li>\n<li><strong>Practical benefit:<\/strong> Safer automation and cross-account patterns.<\/li>\n<li><strong>Caveats:<\/strong> Trust policy configuration is sensitive\u2014incorrect trust broadens access. Token\/session duration and assume-role constraints apply (verify STS limits in docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.4 System policies (Alibaba Cloud managed)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Predefined permission sets maintained by Alibaba Cloud (for common access patterns like read-only access).<\/li>\n<li><strong>Why it matters:<\/strong> Fast and reliable for standard job functions.<\/li>\n<li><strong>Practical benefit:<\/strong> Less JSON to maintain; kept updated for new API actions (generally).<\/li>\n<li><strong>Caveats:<\/strong> Often broader than strict least privilege. 
Use with care in production.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.5 Custom policies (fine-grained control)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lets you write JSON policies specifying allowed\/denied actions and resources.<\/li>\n<li><strong>Why it matters:<\/strong> Enables least privilege for sensitive environments.<\/li>\n<li><strong>Practical benefit:<\/strong> Limit access to a single OSS bucket, specific APIs, or specific operational tasks.<\/li>\n<li><strong>Caveats:<\/strong> Policy language and resource formats are service-specific. Misconfigured policies cause <code>AccessDenied<\/code>. Always test.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.6 Console login management (password, login URL\/alias)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Allows RAM users to sign in to Alibaba Cloud console using a dedicated RAM login URL (often with an account alias).<\/li>\n<li><strong>Why it matters:<\/strong> Clean separation between root sign-in and user sign-in.<\/li>\n<li><strong>Practical benefit:<\/strong> Users can access console with their own credentials and MFA.<\/li>\n<li><strong>Caveats:<\/strong> Users may try to sign in via the root login page. 
Train users to use the RAM user login URL shown in the RAM console.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.7 Multi-factor authentication (MFA)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Adds a second factor (typically TOTP) for console login and\/or sensitive actions depending on configuration.<\/li>\n<li><strong>Why it matters:<\/strong> Protects against credential theft.<\/li>\n<li><strong>Practical benefit:<\/strong> Dramatically lowers the risk from password compromise.<\/li>\n<li><strong>Caveats:<\/strong> Plan recovery procedures (lost device) and enforce MFA for privileged users.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.8 AccessKey management for API\/CLI\/SDK<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Creates programmatic credentials for RAM users.<\/li>\n<li><strong>Why it matters:<\/strong> Enables automation and integration with tools.<\/li>\n<li><strong>Practical benefit:<\/strong> Each system can have its own identity and key lifecycle.<\/li>\n<li><strong>Caveats:<\/strong> AccessKeys are high-value secrets. 
Prefer STS temporary credentials for workloads; rotate keys; avoid embedding keys in code.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.9 Policy attachment and inheritance model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Permissions can be attached to users, groups, and roles; users inherit group permissions.<\/li>\n<li><strong>Why it matters:<\/strong> Enables layered permission assignment.<\/li>\n<li><strong>Practical benefit:<\/strong> Combine baseline permissions (group) with exceptions (user policy) if needed.<\/li>\n<li><strong>Caveats:<\/strong> Keep it simple\u2014too many attachments complicate audits.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.10 Integration with auditing and governance (ActionTrail)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> RAM identities appear in API call logs recorded by ActionTrail (where enabled).<\/li>\n<li><strong>Why it matters:<\/strong> Post-incident investigations and compliance reporting depend on identity attribution.<\/li>\n<li><strong>Practical benefit:<\/strong> Know which user\/role performed which action and when.<\/li>\n<li><strong>Caveats:<\/strong> Audit logging is not automatic for all needs; ensure ActionTrail is configured and retained per your policies (verify ActionTrail configuration options and pricing).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>RAM is part of Alibaba Cloud\u2019s control plane:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>A principal (RAM user, assumed role session) makes an API call to an Alibaba Cloud service.<\/li>\n<li>The request is authenticated (password session, AccessKey signature, or temporary STS credentials).<\/li>\n<li>The authorization engine evaluates RAM policies attached to the principal (and groups) against the request action\/resource\/conditions.<\/li>\n<li>The target service either allows the action or returns an access denied error.<\/li>\n<li>The action can be logged by services such as ActionTrail for auditing.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request \/ data \/ control flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane:<\/strong> RAM policies, users, groups, roles, and authentication settings.<\/li>\n<li><strong>Data plane:<\/strong> The actual resource data (OSS objects, ECS instances, RDS databases) lives in the target services.<\/li>\n<li><strong>Authorization decisions:<\/strong> Happen before the target service performs operations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Commonly integrated services include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Security Token Service (STS):<\/strong> Temporary credentials for assumed roles (verify current STS docs).<\/li>\n<li><strong>ActionTrail:<\/strong> Audit trail of API calls and console actions.<\/li>\n<li><strong>Resource Directory:<\/strong> Multi-account governance and account structure (enterprise usage).<\/li>\n<li><strong>KMS \/ Secrets patterns:<\/strong> For secrets storage (RAM controls who can access keys\/secrets; verify product names and integration patterns).<\/li>\n<li><strong>OSS:<\/strong> Frequently used in labs for access verification because it\u2019s straightforward to test permissions.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<p>RAM itself is foundational and not dependent on a single region\u2019s infrastructure in the same way compute is. However:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You depend on <strong>target cloud services<\/strong> supporting RAM authorization for their APIs.<\/li>\n<li>You often depend on <strong>STS<\/strong> for secure temporary access patterns.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Console access:<\/strong> RAM user + password (+ MFA).<\/li>\n<li><strong>Programmatic access:<\/strong> AccessKey pair or STS temporary credentials from assumed roles.<\/li>\n<li><strong>Best practice:<\/strong> Use <strong>MFA<\/strong> for privileged accounts and <strong>STS<\/strong> for workloads whenever feasible.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RAM is a control-plane service accessed through Alibaba Cloud APIs over HTTPS.<\/li>\n<li>Network restrictions are typically enforced at the service level (VPC endpoints\/private links differ per service\u2014verify for your region and service). 
RAM focuses on identity\/policy, not network path control.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>ActionTrail<\/strong> for audit logs and export to a SIEM if required.<\/li>\n<li>Maintain an <strong>access review<\/strong> process: list who has admin permissions, rotate keys, validate MFA adoption.<\/li>\n<li>Tagging\/naming conventions help with policy clarity and audits.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  %% Node labels containing parentheses, slashes or ampersands are quoted so Mermaid parses them\n  U[RAM User] --&gt;|Console Login \/ API call| API[\"Alibaba Cloud API Gateway\/Endpoints\"]\n  API --&gt; AUTH[\"RAM Authentication &amp; Policy Evaluation\"]\n  AUTH --&gt;|Allow| SVC[\"Target Service: OSS\/ECS\/RDS...\"]\n  AUTH --&gt;|Deny| DENY[AccessDenied Response]\n  SVC --&gt; LOG[\"ActionTrail (Audit Logs)\"]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  %% Labels are quoted; &lt;br\/&gt; produces a line break inside a node\n  subgraph Identity\n    IdP[\"Enterprise IdP (SAML\/SSO)&lt;br\/&gt;(verify supported methods)\"]\n    RAM[\"Resource Access Management (RAM)\"]\n    MFA[\"MFA (TOTP)\"]\n  end\n\n  subgraph AccessPatterns\n    Admins[\"Admins&lt;br\/&gt;Least privilege + MFA\"]\n    Devs[\"Developers&lt;br\/&gt;Group-based RBAC\"]\n    CICD[\"CI\/CD System&lt;br\/&gt;Service identity\"]\n    Role[RAM Role]\n    STS[\"Security Token Service (STS)\"]\n  end\n\n  subgraph CloudServices\n    OSS[OSS Buckets]\n    ECS[\"ECS \/ ACK Workloads\"]\n    RDS[RDS Instances]\n    VPC[VPC Resources]\n  end\n\n  subgraph Governance\n    AT[ActionTrail]\n    SIEM[\"Log\/SIEM Destination&lt;br\/&gt;(optional)\"]\n  end\n\n  IdP --&gt; RAM\n  Admins --&gt; MFA --&gt; RAM\n  Devs --&gt; RAM\n  CICD --&gt;|AssumeRole| STS --&gt; Role --&gt; RAM\n\n  RAM --&gt;|Authorize| OSS\n  RAM --&gt;|Authorize| ECS\n  RAM --&gt;|Authorize| RDS\n  RAM --&gt;|Authorize| VPC\n\n  OSS --&gt; 
AT\n  ECS --&gt; AT\n  RDS --&gt; AT\n  VPC --&gt; AT\n  AT --&gt; SIEM\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<p>Before you start the hands-on lab (or use RAM in production), ensure you have:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Account requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Alibaba Cloud account<\/strong> (root account).<\/li>\n<li>Access to the <strong>RAM console<\/strong> in the Alibaba Cloud console.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions needed<\/h3>\n\n\n\n<p>To perform the tutorial as an administrator, you need permissions to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Manage RAM users, groups, and policies (RAM administrative privileges)<\/li>\n<li>Create and manage OSS resources (for verification)<\/li>\n<\/ul>\n\n\n\n<p>If you\u2019re not the root account owner, ask for a RAM admin role or equivalent privileges.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RAM is typically not billed as a metered resource by itself (see pricing section).<\/li>\n<li>Creating OSS buckets\/objects may incur storage and request costs (usually small for a lab, but not zero).<\/li>\n<li>Ensure a valid billing method is on file to avoid provisioning failures.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools (optional but recommended)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Alibaba Cloud CLI (<code>aliyun<\/code>)<\/strong> for API-driven steps:<br\/>\n  https:\/\/www.alibabacloud.com\/help\/en\/alibaba-cloud-cli\/latest\/what-is-alibaba-cloud-cli<\/li>\n<li><strong>ossutil<\/strong> for OSS command-line verification (optional):<br\/>\n  See the OSS docs for the download link for your platform.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RAM is used across regions; your target service resources (like OSS buckets) are 
region-specific. Pick a region where OSS is available for your account.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<p>RAM has quotas such as:\n&#8211; Maximum RAM users\/groups\/roles\/policies\n&#8211; Policy size limits\n&#8211; AccessKey limits per user<\/p>\n\n\n\n<p>Quotas can change\u2014<strong>check the Quotas page in your console and official documentation<\/strong> for current limits.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<p>For this tutorial:\n&#8211; <strong>Object Storage Service (OSS)<\/strong> (for permission testing)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Current pricing model (how RAM is billed)<\/h3>\n\n\n\n<p>At the time of writing, <strong>RAM is generally provided at no additional charge<\/strong>; you pay for the Alibaba Cloud resources you create and use (ECS, OSS, RDS, etc.). 
However, pricing and included features can change.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Official product page (verify current pricing statement):<br\/>\n  https:\/\/www.alibabacloud.com\/product\/ram<\/li>\n<li>Official documentation:<br\/>\n  https:\/\/www.alibabacloud.com\/help\/en\/ram<\/li>\n<\/ul>\n\n\n\n<p>If you require an official pricing page line item:\n&#8211; <strong>Verify in official docs\/pricing pages<\/strong> for your account type and region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (what can still cost money)<\/h3>\n\n\n\n<p>Even if RAM itself is free, you may incur costs from:\n&#8211; <strong>OSS storage and requests<\/strong> used to validate permissions\n&#8211; <strong>ActionTrail<\/strong> retention, delivery, or event ingestion (depending on configuration)\n&#8211; <strong>Log service \/ SIEM<\/strong> ingestion and storage if exporting audit logs\n&#8211; <strong>Network egress<\/strong> for downloading objects from OSS to the public internet\n&#8211; <strong>Compute<\/strong> if you test instance profiles\/roles using ECS\/ACK<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier considerations<\/h3>\n\n\n\n<p>RAM itself is commonly \u201cfree,\u201d so a separate \u201cfree tier\u201d for RAM usually does not apply. 
Your overall account may have free trials for OSS or other services\u2014<strong>verify availability in your console<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cost drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Number and type of governed resources (indirect: more services = more audit\/log data)<\/li>\n<li>Audit log retention duration and export destination<\/li>\n<li>Automation usage patterns that increase API calls (usually negligible cost for RAM itself, but can increase logs and related service usage)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Security operations time:<\/strong> Poorly structured permissions increase admin time.<\/li>\n<li><strong>Incident response:<\/strong> Long-lived AccessKeys in CI can lead to costly security incidents.<\/li>\n<li><strong>Audit and compliance:<\/strong> Not enabling ActionTrail or not retaining logs can create compliance gaps that are expensive to remediate later.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<p>RAM does not transfer your data plane traffic; it authorizes requests. 
But:\n&#8211; Downloading from OSS to clients on the public internet can incur <strong>internet egress<\/strong> charges.\n&#8211; Exporting ActionTrail logs to external systems can incur traffic and ingestion charges.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer <strong>roles + STS<\/strong> for workloads to reduce long-lived key sprawl.<\/li>\n<li>Keep OSS lab resources minimal: one small bucket, a few tiny objects.<\/li>\n<li>Configure audit logs intentionally: retain what you need, archive efficiently.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (no fabricated numbers)<\/h3>\n\n\n\n<p>A minimal lab can be extremely low cost if you:\n&#8211; Create one OSS bucket\n&#8211; Upload a few small text files\n&#8211; Keep the lab short and delete resources afterward<\/p>\n\n\n\n<p>Actual cost depends on <strong>region<\/strong>, <strong>OSS storage class<\/strong>, <strong>request volume<\/strong>, and <strong>egress<\/strong>. Use official pricing:\n&#8211; OSS pricing: https:\/\/www.alibabacloud.com\/product\/oss (navigate to pricing from here)<br\/>\n&#8211; Alibaba Cloud Pricing Calculator (if available in your locale): https:\/\/www.alibabacloud.com\/pricing (verify)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production, the \u201ccost\u201d of RAM is typically not line-item billing; instead focus on:\n&#8211; <strong>Audit logging costs<\/strong> (ActionTrail + storage\/log service)\n&#8211; <strong>Operational overhead<\/strong> of managing access reviews and rotations\n&#8211; <strong>Security risk cost<\/strong> avoided by not using shared long-lived keys<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. 
Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Create a secure, least-privilege access setup using <strong>Resource Access Management (RAM)<\/strong>:\n&#8211; Create a RAM user for a developer\n&#8211; Grant the user <strong>read-only access to OSS<\/strong> using a managed policy\n&#8211; Verify access in the console (and optionally via CLI)\n&#8211; Enable MFA for the RAM user\n&#8211; Clean up all resources<\/p>\n\n\n\n<p>This lab is designed to be safe and low-cost.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:\n1. Create an OSS bucket with a test object (for permission verification).\n2. Create a RAM user and a RAM user group.\n3. Attach an OSS read-only policy to the group.\n4. Add the user to the group.\n5. Sign in as the RAM user and verify read-only access.\n6. Enable MFA for the RAM user.\n7. Clean up: delete user\/group\/bucket and revoke keys.<\/p>\n\n\n\n<blockquote>\n<p>Notes:\n&#8211; UI labels can change. 
Follow the intent of each step.\n&#8211; If any screen or parameter differs, <strong>verify in official RAM docs<\/strong>: https:\/\/www.alibabacloud.com\/help\/en\/ram<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create a small OSS bucket for testing (console)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Sign in to the <strong>Alibaba Cloud console<\/strong> with an administrator account.<\/li>\n<li>Go to <strong>Object Storage Service (OSS)<\/strong>.<\/li>\n<li>Create a bucket:\n   &#8211; Choose a region close to you.\n   &#8211; Use a globally unique bucket name, for example: <code>ram-lab-&lt;random-suffix&gt;<\/code>.\n   &#8211; Keep defaults unless your org requires specific settings.<\/li>\n<li>Upload a small file (for example <code>hello.txt<\/code>) into the bucket.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nYou have one OSS bucket with at least one object that you can use to test read permissions.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; In OSS console, open the bucket and confirm <code>hello.txt<\/code> exists.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a RAM user group (console or CLI)<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Option A: Console<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open <strong>RAM<\/strong> in the Alibaba Cloud console.<\/li>\n<li>Go to <strong>Identities<\/strong> (or similar) \u2192 <strong>Groups<\/strong>.<\/li>\n<li>Click <strong>Create Group<\/strong>.<\/li>\n<li>Name it: <code>oss-readonly-lab-group<\/code>.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nA RAM group exists to carry OSS read-only permissions.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option B: Alibaba Cloud CLI<\/h4>\n\n\n\n<p>If you prefer CLI automation, configure the CLI first (see official CLI docs) and then run:<\/p>\n\n\n\n<pre><code 
class=\"language-bash\">aliyun ram CreateGroup --GroupName oss-readonly-lab-group\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nCLI returns group metadata (or success response).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Attach an OSS read-only system policy to the group<\/h3>\n\n\n\n<p>To keep the lab reliable and executable, use an Alibaba Cloud <strong>system policy<\/strong> for OSS read-only access.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Console steps<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In RAM console, open the group <code>oss-readonly-lab-group<\/code>.<\/li>\n<li>Choose <strong>Permissions<\/strong> (or <strong>Authorization<\/strong>) \u2192 <strong>Add Permissions<\/strong>.<\/li>\n<li>Select <strong>System Policy<\/strong>.<\/li>\n<li>Find and attach: <strong>AliyunOSSReadOnlyAccess<\/strong> (name may vary slightly; select the official OSS read-only managed policy).<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nThe group now has read-only OSS permissions.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Group permissions list shows the attached OSS read-only policy.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">CLI equivalent (if needed)<\/h4>\n\n\n\n<pre><code class=\"language-bash\">aliyun ram AttachPolicyToGroup \\\n  --PolicyType System \\\n  --PolicyName AliyunOSSReadOnlyAccess \\\n  --GroupName oss-readonly-lab-group\n<\/code><\/pre>\n\n\n\n<p>If the policy name differs in your environment, <strong>list system policies<\/strong> and pick the OSS read-only one (verify in docs).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create a RAM user and enable console login<\/h3>\n\n\n\n<p>You will create a user <code>dev-oss-readonly<\/code> who will inherit permissions from the group.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option A: Console<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In 
RAM console, go to <strong>Users<\/strong> \u2192 <strong>Create User<\/strong>.<\/li>\n<li>Set <strong>User Name<\/strong>: <code>dev-oss-readonly<\/code>.<\/li>\n<li>Enable <strong>Console Access<\/strong> (login password).<\/li>\n<li>Set an initial password and require password reset at first login (recommended).<\/li>\n<li>Optionally enable <strong>Programmatic Access<\/strong> (AccessKey). For this lab, you can skip it unless you want CLI verification.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nA RAM user exists, and you have a RAM user login URL (often based on your account alias).<\/p>\n\n\n\n<p><strong>Important:<\/strong> Copy the <strong>RAM User Login URL<\/strong> shown in the console. Do not guess it.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option B: CLI<\/h4>\n\n\n\n<pre><code class=\"language-bash\">aliyun ram CreateUser --UserName dev-oss-readonly\n<\/code><\/pre>\n\n\n\n<p>Create a login profile (password-based console access):<\/p>\n\n\n\n<pre><code class=\"language-bash\">aliyun ram CreateLoginProfile \\\n  --UserName dev-oss-readonly \\\n  --Password 'ReplaceWithAStrongTemporaryPassword!' 
\\\n  --PasswordResetRequired true\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nThe RAM user can sign in to the console using the RAM login URL and password.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Add the RAM user to the group<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Console<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open the group <code>oss-readonly-lab-group<\/code>.<\/li>\n<li>Add member: <code>dev-oss-readonly<\/code>.<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\">CLI<\/h4>\n\n\n\n<pre><code class=\"language-bash\">aliyun ram AddUserToGroup --UserName dev-oss-readonly --GroupName oss-readonly-lab-group\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nThe user inherits the group\u2019s OSS read-only permissions.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; The group membership list shows the user.\n&#8211; The user\u2019s effective permissions include the OSS read-only policy via group membership.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Sign in as the RAM user and verify read-only access<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open an incognito\/private browser window (so you don\u2019t reuse the admin session).<\/li>\n<li>Use the <strong>RAM User Login URL<\/strong> copied earlier.<\/li>\n<li>Sign in as:\n   &#8211; Username: <code>dev-oss-readonly<\/code>\n   &#8211; Password: the one you set (you may be forced to reset it on first login)<\/li>\n<\/ol>\n\n\n\n<p>Now verify OSS access:\n1. Go to OSS in the console.\n2. Confirm you can <strong>list buckets<\/strong> and open your test bucket.\n3. Confirm you can <strong>download\/view<\/strong> <code>hello.txt<\/code>.\n4. 
Attempt a write action (for example, try to upload a new object or delete <code>hello.txt<\/code>).<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong>\n&#8211; Read operations succeed.\n&#8211; Write\/delete operations fail with an authorization error (AccessDenied \/ forbidden).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7 (Recommended): Enable MFA for the RAM user<\/h3>\n\n\n\n<p>MFA is one of the most effective hardening steps for console users.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>While signed in as the RAM user, go to <strong>Security Settings<\/strong> (or user profile\/security center).<\/li>\n<li>Find <strong>MFA<\/strong> or <strong>Virtual MFA device<\/strong>.<\/li>\n<li>Bind a TOTP authenticator app (scan QR, enter verification code).<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nNext sign-in requires username\/password + MFA code.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Sign out and sign in again to confirm MFA is enforced.<\/p>\n\n\n\n<blockquote>\n<p>If you are implementing this at scale, consider enforcing MFA for privileged groups and administrators. 
Exact enforcement options can vary\u2014verify in official RAM docs.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>[ ] OSS bucket exists with one object (<code>hello.txt<\/code>)<\/li>\n<li>[ ] RAM group exists: <code>oss-readonly-lab-group<\/code><\/li>\n<li>[ ] Group has system policy attached: OSS read-only policy<\/li>\n<li>[ ] RAM user exists: <code>dev-oss-readonly<\/code><\/li>\n<li>[ ] User is a member of the group<\/li>\n<li>[ ] User can read OSS objects but cannot upload\/delete<\/li>\n<li>[ ] MFA is enabled for the RAM user (recommended)<\/li>\n<\/ul>\n\n\n\n<p>Optional CLI validation (admin context):<\/p>\n\n\n\n<pre><code class=\"language-bash\">aliyun ram GetUser --UserName dev-oss-readonly\naliyun ram ListGroupsForUser --UserName dev-oss-readonly\naliyun ram ListPoliciesForGroup --GroupName oss-readonly-lab-group\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common issues and fixes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>RAM user cannot sign in<\/strong>\n   &#8211; <strong>Cause:<\/strong> Using the root account sign-in page instead of the RAM user login URL.\n   &#8211; <strong>Fix:<\/strong> Copy the RAM user login URL from the RAM console and use that.<\/p>\n<\/li>\n<li>\n<p><strong>User can\u2019t see OSS at all<\/strong>\n   &#8211; <strong>Cause:<\/strong> Group policy not attached or user not added to group.\n   &#8211; <strong>Fix:<\/strong> Re-check group membership and attached policies.<\/p>\n<\/li>\n<li>\n<p><strong>User can still upload\/delete objects<\/strong>\n   &#8211; <strong>Cause:<\/strong> User has additional permissions (another group, user-attached policy) granting write access.\n   &#8211; <strong>Fix:<\/strong> Review all group memberships and user-attached policies. 
Remove overly broad policies.<\/p>\n<\/li>\n<li>\n<p><strong>AccessDenied when trying to list buckets<\/strong>\n   &#8211; <strong>Cause:<\/strong> The attached policy doesn\u2019t include list permissions or the wrong policy was selected.\n   &#8211; <strong>Fix:<\/strong> Attach the official OSS read-only system policy. If using a custom policy, verify OSS action\/resource syntax in official OSS authorization docs.<\/p>\n<\/li>\n<li>\n<p><strong>MFA binding fails<\/strong>\n   &#8211; <strong>Cause:<\/strong> Time drift on the device or incorrect authenticator setup.\n   &#8211; <strong>Fix:<\/strong> Enable time sync on your phone; re-bind MFA device; try again.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing costs and reduce clutter, delete lab resources.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Delete the OSS objects<\/strong>, then delete the bucket:\n   &#8211; In OSS console, delete <code>hello.txt<\/code> (as admin).\n   &#8211; Delete the OSS bucket.<\/p>\n<\/li>\n<li>\n<p><strong>Remove RAM user from group<\/strong>, then delete user:\n   &#8211; Remove user <code>dev-oss-readonly<\/code> from <code>oss-readonly-lab-group<\/code>.\n   &#8211; Delete login profile (if required by console flow).\n   &#8211; Delete the RAM user.<\/p>\n<\/li>\n<li>\n<p><strong>Detach policy from group<\/strong>, then delete group:\n   &#8211; Detach <code>AliyunOSSReadOnlyAccess<\/code> from <code>oss-readonly-lab-group<\/code>.\n   &#8211; Delete the group.<\/p>\n<\/li>\n<li>\n<p><strong>If you created AccessKeys<\/strong>, disable and delete them.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nNo lab identities or OSS resources remain.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Prefer roles over long-lived keys<\/strong> for workloads (apps, CI\/CD) whenever feasible.<\/li>\n<li>Use <strong>account separation<\/strong> (for example dev\/stage\/prod) for strong blast-radius control; use RAM within each account.<\/li>\n<li>Design permissions around <strong>job functions<\/strong> and <strong>resource boundaries<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Do not use the root account<\/strong> for daily operations. Protect it with MFA and minimal key usage.<\/li>\n<li>Use <strong>groups for humans<\/strong> and <strong>roles for workloads<\/strong>.<\/li>\n<li>Apply <strong>least privilege<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Start with read-only<\/li>\n<li>Add narrow write permissions as needed<\/li>\n<li>Use custom policies for sensitive resources<\/li>\n<\/ul>\n<\/li>\n<li>Enforce <strong>MFA<\/strong> for:\n<ul class=\"wp-block-list\">\n<li>All administrators<\/li>\n<li>Any user with write permissions to production resources<\/li>\n<\/ul>\n<\/li>\n<li>Use <strong>STS temporary credentials<\/strong> for automation where possible.<\/li>\n<li>Rotate credentials:\n<ul class=\"wp-block-list\">\n<li>Regularly rotate AccessKeys used by automation<\/li>\n<li>Immediately rotate after suspected exposure<\/li>\n<\/ul>\n<\/li>\n<li>Keep permissions <strong>auditable<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Avoid attaching too many policies directly to users<\/li>\n<li>Prefer group-based assignment<\/li>\n<li>Name policies clearly and document intent<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Treat RAM as \u201cfree but not free to operate\u201d:\n<ul class=\"wp-block-list\">\n<li>Keep policy design simple to reduce admin time<\/li>\n<li>Limit audit log volume to what you need, but don\u2019t under-log<\/li>\n<\/ul>\n<\/li>\n<li>Remove unused users\/keys and stale permissions to reduce operational 
overhead.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RAM policy evaluation is not usually a performance bottleneck for typical workloads; however:\n<ul class=\"wp-block-list\">\n<li>Avoid overly complex policies and excessive condition logic unless necessary.<\/li>\n<li>Use stable role-assumption patterns; avoid re-authenticating excessively (cache tokens appropriately in apps\u2014verify SDK guidance).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure you have at least two admin identities (named admins) with MFA to avoid lockout.<\/li>\n<li>Document a break-glass procedure that is tested periodically.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralize audit: configure ActionTrail and retain logs per policy.<\/li>\n<li>Implement access review routines:\n<ul class=\"wp-block-list\">\n<li>Monthly review of admin group membership<\/li>\n<li>Quarterly review of sensitive policies<\/li>\n<li>Regular key rotation checks<\/li>\n<\/ul>\n<\/li>\n<li>Automate IAM with IaC where possible; treat policies as code and review changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standardize naming:\n<ul class=\"wp-block-list\">\n<li>Users: <code>firstname.lastname<\/code> or <code>team.service<\/code> for automation<\/li>\n<li>Groups: <code>project-env-role<\/code> (e.g., <code>payments-prod-readonly<\/code>)<\/li>\n<li>Roles: <code>svc-&lt;app&gt;-&lt;env&gt;-role<\/code><\/li>\n<li>Policies: <code>pol-&lt;service&gt;-&lt;scope&gt;-&lt;level&gt;<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Document each policy\u2019s purpose and owner.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RAM is your primary authorization layer for Alibaba Cloud APIs.<\/li>\n<li>Always design with:\n<ul class=\"wp-block-list\">\n<li><strong>Least privilege<\/strong><\/li>\n<li><strong>Separation of duties<\/strong><\/li>\n<li><strong>Traceability<\/strong> (unique identities per person\/system)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RAM manages identities and permissions, not your data encryption.<\/li>\n<li>For data services (OSS\/RDS), enable encryption features as appropriate and use RAM to restrict who can disable or alter encryption settings.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RAM is accessed via HTTPS APIs and console.<\/li>\n<li>Network access controls (VPC-level restrictions, service endpoints) are service-specific\u2014use them alongside RAM for defense in depth.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Treat AccessKeys as secrets:\n<ul class=\"wp-block-list\">\n<li>Never commit to source control<\/li>\n<li>Store in a secrets manager\/vault<\/li>\n<li>Rotate and audit usage<\/li>\n<\/ul>\n<\/li>\n<li>Prefer <strong>temporary credentials (STS)<\/strong> for workloads.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable <strong>ActionTrail<\/strong> and retain logs.<\/li>\n<li>Ensure logs include:\n<ul class=\"wp-block-list\">\n<li>Identity (RAM user\/role session)<\/li>\n<li>Source IP and user agent (where available)<\/li>\n<li>Target action and resource<\/li>\n<\/ul>\n<\/li>\n<li>Export logs to centralized logging for correlation if required.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<p>RAM supports common compliance controls:\n&#8211; Unique user identities\n&#8211; MFA for 
privileged access\n&#8211; Access review support through reporting and logs\n&#8211; Policy-driven least privilege<\/p>\n\n\n\n<p>Your compliance success depends on configuration and process:\n&#8211; Evidence collection (ActionTrail retention, access review records)\n&#8211; Enforced MFA and rotation\n&#8211; Documented separation of duties (SoD)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using root account AccessKeys in CI\/CD<\/li>\n<li>Granting broad system policies (admin-level) to many users<\/li>\n<li>Skipping MFA for admins<\/li>\n<li>Leaving contractor accounts active after engagement<\/li>\n<li>Not reviewing which policies are attached where<\/li>\n<li>Building custom policies without testing and peer review<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with a small set of standard groups:\n<ul class=\"wp-block-list\">\n<li><code>admins<\/code> (MFA enforced)<\/li>\n<li><code>security-auditors<\/code> (read-only)<\/li>\n<li><code>developers-&lt;env&gt;<\/code><\/li>\n<li><code>ops-&lt;env&gt;<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Use roles + STS for all compute workloads.<\/li>\n<li>Keep a clear \u201cpermission boundary\u201d between prod and non-prod (often via separate accounts).<\/li>\n<li>Turn on ActionTrail early and treat audit logs as critical security data.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<blockquote>\n<p>Specific numeric quotas and some feature behaviors can change. 
Always verify in official documentation and the Quotas console.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations \/ caveats<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Service authorization varies by product:<\/strong> Not all Alibaba Cloud services support the same level of resource-level granularity or condition keys.<\/li>\n<li><strong>Policy complexity:<\/strong> Custom policies can be error-prone; start from known-good examples.<\/li>\n<li><strong>User sign-in confusion:<\/strong> RAM users must use the RAM user login URL (not the root account login).<\/li>\n<li><strong>Long-lived AccessKeys risk:<\/strong> Easy to create, hard to secure at scale\u2014prefer STS where possible.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maximum number of RAM users, groups, roles, and policies per account.<\/li>\n<li>Limits on:\n<ul class=\"wp-block-list\">\n<li>Policy document size<\/li>\n<li>Number of policies attached to identities<\/li>\n<li>Number of AccessKeys per RAM user<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>Verify current quotas<\/strong> in Alibaba Cloud console and official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Regional constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RAM identities and policies are generally account-level, but the resources they govern are often regional.<\/li>\n<li>Resource identifiers used in policies can be region- and service-specific.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RAM may not be billed directly, but enabling audit trails, log export, and storing large audit logs can incur meaningful cost.<\/li>\n<li>OSS egress (internet downloads) can cost more than expected.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Some older SDKs or tools may not support newer authentication flows cleanly\u2014verify 
CLI\/SDK versions.<\/li>\n<li>Some services use specialized authorization models; RAM still participates, but policy syntax may differ per service.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Removing a user from a group does not invalidate already-issued tokens immediately in all scenarios (token behavior is service\/STS-dependent\u2014verify).<\/li>\n<li>Multiple policies attached across users\/groups can create unexpected effective permissions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Migrating from shared root keys to RAM:\n<ul class=\"wp-block-list\">\n<li>Requires inventory of where keys are used<\/li>\n<li>Requires staged rotation and rollback planning<\/li>\n<li>Requires updating CI\/CD secrets and workloads<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>RAM is Alibaba Cloud\u2019s native IAM for cloud resource authorization. 
You may still use other services alongside it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Alibaba Cloud Resource Access Management (RAM)<\/strong><\/td>\n<td>Controlling access to Alibaba Cloud resources<\/td>\n<td>Native integration, policies, roles, groups, MFA; foundational Security control<\/td>\n<td>Policy complexity; service-by-service granularity differences<\/td>\n<td>Always for Alibaba Cloud access control<\/td>\n<\/tr>\n<tr>\n<td><strong>Alibaba Cloud Resource Directory<\/strong><\/td>\n<td>Multi-account organization and account governance<\/td>\n<td>Strong account separation; org structure; centralized governance patterns<\/td>\n<td>Not a replacement for per-account IAM; added complexity<\/td>\n<td>When you need multiple accounts (dev\/prod\/business units)<\/td>\n<\/tr>\n<tr>\n<td><strong>Alibaba Cloud ActionTrail<\/strong><\/td>\n<td>Auditing who did what<\/td>\n<td>Audit logging, investigation, compliance evidence<\/td>\n<td>Doesn\u2019t grant access\u2014only records it<\/td>\n<td>Always alongside RAM for audit\/compliance<\/td>\n<\/tr>\n<tr>\n<td><strong>Alibaba Cloud CloudSSO \/ Federated SSO (verify current product)<\/strong><\/td>\n<td>Centralized workforce authentication<\/td>\n<td>Central login, lifecycle, integration with enterprise IdP<\/td>\n<td>Still needs RAM for authorization; integration work<\/td>\n<td>Enterprises with existing IdP and many users<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS IAM<\/strong><\/td>\n<td>IAM within AWS<\/td>\n<td>Mature IAM ecosystem<\/td>\n<td>Not applicable to Alibaba Cloud resources<\/td>\n<td>Use if your workloads are on AWS<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure Entra ID + Azure RBAC<\/strong><\/td>\n<td>IAM in Microsoft cloud<\/td>\n<td>Strong enterprise identity 
features<\/td>\n<td>Not for Alibaba Cloud resource authorization<\/td>\n<td>Use if your workloads are on Azure<\/td>\n<\/tr>\n<tr>\n<td><strong>Google Cloud IAM<\/strong><\/td>\n<td>IAM in GCP<\/td>\n<td>Fine-grained IAM model<\/td>\n<td>Not for Alibaba Cloud<\/td>\n<td>Use if your workloads are on GCP<\/td>\n<\/tr>\n<tr>\n<td><strong>Keycloak (self-managed)<\/strong><\/td>\n<td>Central identity brokering\/SSO<\/td>\n<td>Flexible, open source<\/td>\n<td>You still need RAM for Alibaba Cloud authorization; ops burden<\/td>\n<td>When you need self-managed identity plus federation<\/td>\n<\/tr>\n<tr>\n<td><strong>Open Policy Agent (OPA)<\/strong><\/td>\n<td>App-level authorization<\/td>\n<td>Powerful policy-as-code for apps<\/td>\n<td>Not a cloud IAM replacement<\/td>\n<td>When you need authorization inside applications\/microservices<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: Financial services company with strict separation of duties<\/h3>\n\n\n\n<p><strong>Problem:<\/strong><br\/>\nA regulated enterprise runs payment processing on Alibaba Cloud. 
Auditors require:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unique identities (no shared admin accounts)<\/li>\n<li>MFA enforcement for privileged actions<\/li>\n<li>Clear separation between network admins, DBAs, and application deployers<\/li>\n<li>Immutable audit logs<\/li>\n<\/ul>\n\n\n\n<p><strong>Proposed architecture:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Resource Directory<\/strong> for separate accounts: <code>prod<\/code>, <code>stage<\/code>, <code>dev<\/code>, <code>security<\/code>, <code>shared-services<\/code> (structure varies).<\/li>\n<li>In each account, use <strong>RAM<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Groups: <code>prod-ops<\/code>, <code>prod-db-admin<\/code>, <code>prod-network-admin<\/code>, <code>security-audit<\/code><\/li>\n<li>Roles for workloads: <code>svc-payments-prod-role<\/code> with STS<\/li>\n<\/ul>\n<\/li>\n<li>Enable <strong>ActionTrail<\/strong> across accounts and centralize logs into a security account (implementation depends on ActionTrail capabilities\u2014verify).<\/li>\n<\/ul>\n\n\n\n<p><strong>Why RAM was chosen:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Native authorization for Alibaba Cloud resources<\/li>\n<li>Mature RBAC model via groups and policies<\/li>\n<li>Supports MFA and audit attribution<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcomes:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduced unauthorized changes and accidental production modifications<\/li>\n<li>Faster audits with clear identity attribution and access review evidence<\/li>\n<li>Lower credential leakage risk by using roles\/STS for workloads<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: SaaS startup securing CI\/CD and OSS artifacts<\/h3>\n\n\n\n<p><strong>Problem:<\/strong><br\/>\nA startup stores build artifacts in OSS and deploys to ECS. 
They currently share one AccessKey in CI, and developers sometimes use it locally.<\/p>\n\n\n\n<p><strong>Proposed architecture:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create RAM users for each engineer (console access + MFA).<\/li>\n<li>Create a <code>dev-readonly-oss<\/code> group for artifact access.<\/li>\n<li>Create a dedicated CI identity:\n<ul class=\"wp-block-list\">\n<li>Prefer a <strong>RAM role<\/strong> assumed via STS (if CI supports it), or a RAM user with a tightly scoped policy and aggressive key rotation.<\/li>\n<\/ul>\n<\/li>\n<li>Enable ActionTrail for audit visibility.<\/li>\n<\/ul>\n\n\n\n<p><strong>Why RAM was chosen:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fast to implement; no need for an external IdP on day one<\/li>\n<li>Enforces least privilege and separates human vs machine access<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcomes:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No more shared keys across developers<\/li>\n<li>Reduced blast radius if CI credentials leak<\/li>\n<li>Clear record of who accessed\/deployed what<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>What is Resource Access Management (RAM) in Alibaba Cloud?<\/strong><br\/>\n   RAM is Alibaba Cloud\u2019s IAM service for creating users\/roles and managing permissions (policies) to access Alibaba Cloud resources.<\/p>\n<\/li>\n<li>\n<p><strong>Is RAM the same as AWS IAM?<\/strong><br\/>\n   Conceptually similar (users, roles, policies), but policy syntax, integrations, and service behaviors are Alibaba Cloud-specific.<\/p>\n<\/li>\n<li>\n<p><strong>Should I use the root account for daily operations?<\/strong><br\/>\n   No. Create RAM admin users with MFA and reserve root for billing and rare account-level tasks.<\/p>\n<\/li>\n<li>\n<p><strong>What\u2019s the difference between a RAM user and a RAM role?<\/strong><br\/>\n   A RAM user is a persistent identity (often a person or service account). 
A RAM role is assumed by trusted identities to obtain temporary credentials (commonly via STS).<\/p>\n<\/li>\n<li>\n<p><strong>Do RAM users own resources?<\/strong><br\/>\n   No. Resources are owned by the Alibaba Cloud account. RAM controls who can operate on them.<\/p>\n<\/li>\n<li>\n<p><strong>What are system policies vs custom policies?<\/strong><br\/>\n   System policies are managed by Alibaba Cloud; custom policies are JSON policies you write for fine-grained least privilege.<\/p>\n<\/li>\n<li>\n<p><strong>Can I restrict access to a specific OSS bucket only?<\/strong><br\/>\n   Often yes, using a custom policy, but the exact resource format and actions are OSS-specific. Verify in the OSS authorization documentation.<\/p>\n<\/li>\n<li>\n<p><strong>How do I enforce MFA for administrators?<\/strong><br\/>\n   RAM supports MFA binding; enforcement mechanisms can vary by configuration and product evolution. Verify current enforcement options in the RAM docs and implement an organizational policy.<\/p>\n<\/li>\n<li>\n<p><strong>Is RAM regional?<\/strong><br\/>\n   RAM identities\/policies are generally account-level, while resources are often regional. Always check how each service defines resources in policy statements.<\/p>\n<\/li>\n<li>\n<p><strong>What\u2019s the best practice for CI\/CD authentication?<\/strong><br\/>\n   Prefer RAM roles with STS temporary credentials. If not possible, use a dedicated RAM user with minimal permissions and frequent key rotation.<\/p>\n<\/li>\n<li>\n<p><strong>How do I audit what a RAM user did?<\/strong><br\/>\n   Enable ActionTrail and review logs for the RAM user\/role session. Ensure logs are retained and protected.<\/p>\n<\/li>\n<li>\n<p><strong>What happens if I delete a RAM user?<\/strong><br\/>\n   The identity is removed. 
Ensure you also remove\/rotate any keys used by automation and update systems accordingly.<\/p>\n<\/li>\n<li>\n<p><strong>Can I integrate RAM with my corporate identity provider?<\/strong><br\/>\n   Many organizations use SSO\/federation patterns. Verify current Alibaba Cloud supported SSO products and protocols (SAML\/OIDC) in official docs.<\/p>\n<\/li>\n<li>\n<p><strong>Why am I getting <code>AccessDenied<\/code> even though I attached a policy?<\/strong><br\/>\n   Common causes: user not in the correct group, wrong policy attached, service requires different actions\/resources, or an explicit deny. Review effective permissions and test.<\/p>\n<\/li>\n<li>\n<p><strong>How many AccessKeys should a RAM user have?<\/strong><br\/>\n   Keep it minimal. Prefer zero for human users. For automation, use one active key (or STS) and rotate regularly; follow Alibaba Cloud limits and security guidance.<\/p>\n<\/li>\n<li>\n<p><strong>Can I use RAM to control billing access?<\/strong><br\/>\n   Yes, typically via policies that allow read-only billing access for finance users and deny resource operations. Exact permissions vary\u2014verify in billing authorization docs.<\/p>\n<\/li>\n<li>\n<p><strong>What\u2019s the safest way to grant a vendor temporary access?<\/strong><br\/>\n   Use a dedicated RAM user or role with strict, time-bounded access and monitor via audit logs; remove access immediately after the engagement.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Resource Access Management (RAM)<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>RAM documentation (Alibaba Cloud Help Center) \u2014 https:\/\/www.alibabacloud.com\/help\/en\/ram<\/td>\n<td>Primary source for current features, UI, and API references<\/td>\n<\/tr>\n<tr>\n<td>Official product page<\/td>\n<td>Resource Access Management product page \u2014 https:\/\/www.alibabacloud.com\/product\/ram<\/td>\n<td>High-level overview and (often) pricing statement; good for stakeholders<\/td>\n<\/tr>\n<tr>\n<td>Official getting started<\/td>\n<td>RAM \u201cWhat is \/ Getting started\u201d (navigate within Help Center) \u2014 https:\/\/www.alibabacloud.com\/help\/en\/ram<\/td>\n<td>Step-by-step onboarding patterns for users, groups, roles<\/td>\n<\/tr>\n<tr>\n<td>API reference<\/td>\n<td>RAM API Reference (Help Center; verify exact URL path) \u2014 https:\/\/www.alibabacloud.com\/help\/en\/ram<\/td>\n<td>Authoritative API parameters for automation<\/td>\n<\/tr>\n<tr>\n<td>Official CLI docs<\/td>\n<td>Alibaba Cloud CLI overview \u2014 https:\/\/www.alibabacloud.com\/help\/en\/alibaba-cloud-cli\/latest\/what-is-alibaba-cloud-cli<\/td>\n<td>Installing and using <code>aliyun<\/code> CLI securely<\/td>\n<\/tr>\n<tr>\n<td>Related service docs<\/td>\n<td>Security Token Service (STS) docs (verify) \u2014 https:\/\/www.alibabacloud.com\/help<\/td>\n<td>Temporary credentials and assume-role patterns<\/td>\n<\/tr>\n<tr>\n<td>Related service docs<\/td>\n<td>ActionTrail docs (verify) \u2014 https:\/\/www.alibabacloud.com\/help<\/td>\n<td>Auditing and compliance evidence for RAM identities<\/td>\n<\/tr>\n<tr>\n<td>Related service docs<\/td>\n<td>OSS docs \u2014 https:\/\/www.alibabacloud.com\/help\/en\/oss<\/td>\n<td>OSS authorization examples to test RAM 
policies<\/td>\n<\/tr>\n<tr>\n<td>Architecture resources<\/td>\n<td>Alibaba Cloud Architecture Center (verify current) \u2014 https:\/\/www.alibabacloud.com\/solutions\/architecture<\/td>\n<td>Reference architectures for secure cloud foundations<\/td>\n<\/tr>\n<tr>\n<td>Community learning<\/td>\n<td>Alibaba Cloud community portal (verify) \u2014 https:\/\/www.alibabacloud.com\/blog<\/td>\n<td>Practical posts and updates; validate against official docs<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<blockquote>\n<p>If a link redirects or the page structure changes, use the Help Center search for \u201cRAM\u201d, \u201cSTS\u201d, and \u201cActionTrail\u201d.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, platform teams<\/td>\n<td>Cloud security basics, IAM\/RAM concepts, automation practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>DevOps foundations, processes, tooling that complements cloud IAM<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CloudOpsNow.in<\/td>\n<td>Cloud engineers and operations teams<\/td>\n<td>Cloud operations practices; may include access governance<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs and reliability-focused engineers<\/td>\n<td>SRE practices, operational controls, security and access hygiene<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops and 
monitoring teams<\/td>\n<td>Operations automation and governance; adjacent to access control<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify offerings)<\/td>\n<td>Beginners to intermediate cloud\/DevOps learners<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training and guidance (verify scope)<\/td>\n<td>DevOps practitioners seeking structured learning<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps services\/training platform (verify scope)<\/td>\n<td>Teams needing hands-on help or mentoring<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and training resources (verify scope)<\/td>\n<td>Ops teams needing practical support<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify offerings)<\/td>\n<td>Cloud foundation, access governance, delivery automation<\/td>\n<td>IAM\/RAM design, CI\/CD hardening, audit readiness planning<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps and cloud consulting\/training (verify offerings)<\/td>\n<td>Platform enablement, DevSecOps practices, governance<\/td>\n<td>RAM best-practice rollout, least-privilege policy standardization, operational runbooks<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify offerings)<\/td>\n<td>DevOps transformation and operations<\/td>\n<td>Secure automation patterns, access reviews, pipeline credential hardening<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before RAM<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud fundamentals: regions, networking (VPC), compute (ECS), storage (OSS)<\/li>\n<li>Security fundamentals: least privilege, MFA, secrets management, audit logging<\/li>\n<li>Basic JSON (for custom policies)<\/li>\n<li>CLI basics (optional but valuable): <code>aliyun<\/code> CLI usage and credential configuration<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after RAM<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>STS and role assumption<\/strong> patterns for temporary credentials<\/li>\n<li><strong>ActionTrail<\/strong> and log retention strategy<\/li>\n<li>Secure workload identity patterns (roles for ECS\/ACK\/Function Compute\u2014verify service support)<\/li>\n<li>Multi-account governance using <strong>Resource Directory<\/strong><\/li>\n<li>Infrastructure as Code: Terraform \/ ROS templates to manage RAM users\/groups\/policies as code (verify provider\/resource support)<\/li>\n<li>Security monitoring and incident response integration (SIEM, alerting)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use RAM<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud engineer \/ cloud administrator<\/li>\n<li>DevOps engineer \/ platform engineer<\/li>\n<li>Site Reliability Engineer (SRE)<\/li>\n<li>Security engineer \/ cloud security architect<\/li>\n<li>FinOps analyst (read-only billing and tagging governance)<\/li>\n<li>Compliance\/GRC analyst (audit review)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Alibaba Cloud certifications evolve. 
For a current path:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with an Alibaba Cloud associate-level cloud certification (verify current names).<\/li>\n<li>Add a security-focused certification or specialty if offered.<\/li>\n<li>Use RAM, STS, ActionTrail, and networking security as core study areas.<\/li>\n<\/ul>\n\n\n\n<p><strong>Verify the latest Alibaba Cloud certification catalog in the official training\/certification pages.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a \u201csecure baseline\u201d repo:\n<ul class=\"wp-block-list\">\n<li>RAM groups: admin, auditor, developer<\/li>\n<li>Policies: read-only, deploy-only, break-glass<\/li>\n<li>ActionTrail enabled + retention strategy<\/li>\n<\/ul>\n<\/li>\n<li>Implement CI\/CD credentials:\n<ul class=\"wp-block-list\">\n<li>Replace long-lived keys with assumed roles (STS) where possible<\/li>\n<\/ul>\n<\/li>\n<li>Run quarterly access review automation:\n<ul class=\"wp-block-list\">\n<li>Export users\/groups\/policies and generate a report for security review<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. 
Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Alibaba Cloud account (root):<\/strong> Primary account owning billing and resources; highest privileges.<\/li>\n<li><strong>RAM (Resource Access Management):<\/strong> Alibaba Cloud service for identity and access control.<\/li>\n<li><strong>RAM user:<\/strong> Identity under an Alibaba Cloud account for a person or application.<\/li>\n<li><strong>User group:<\/strong> Collection of RAM users used to assign permissions together.<\/li>\n<li><strong>RAM role:<\/strong> Assumable identity granting permissions via temporary credentials.<\/li>\n<li><strong>Policy:<\/strong> JSON document defining allowed\/denied actions on resources.<\/li>\n<li><strong>System policy:<\/strong> Alibaba Cloud-managed policy.<\/li>\n<li><strong>Custom policy:<\/strong> User-defined policy written in JSON.<\/li>\n<li><strong>Least privilege:<\/strong> Grant only the minimum permissions required.<\/li>\n<li><strong>MFA:<\/strong> Multi-factor authentication; typically TOTP-based in cloud consoles.<\/li>\n<li><strong>AccessKey:<\/strong> Long-lived programmatic credential (AccessKey ID + Secret).<\/li>\n<li><strong>STS (Security Token Service):<\/strong> Issues temporary security credentials for assumed roles.<\/li>\n<li><strong>ActionTrail:<\/strong> Alibaba Cloud audit logging service for API and console actions.<\/li>\n<li><strong>RBAC:<\/strong> Role-based access control; manage permissions via roles\/groups rather than per-user.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Resource Access Management (RAM) is Alibaba Cloud\u2019s core <strong>Security<\/strong> service for controlling access to cloud resources. 
It provides <strong>users, groups, roles, and policies<\/strong> so you can implement least privilege, separate duties, and avoid risky shared root credentials.<\/p>\n\n\n\n<p>Architecturally, RAM sits in the control plane: every API request is authenticated and then authorized against RAM policies before the target service acts. Operationally, RAM becomes far more valuable when paired with <strong>STS<\/strong> (temporary credentials) and <strong>ActionTrail<\/strong> (auditing).<\/p>\n\n\n\n<p>Cost-wise, RAM is typically not a direct cost driver, but the ecosystems around it\u2014<strong>audit logging, storage, and operational processes<\/strong>\u2014do affect your bill and your security posture.<\/p>\n\n\n\n<p>Use RAM any time multiple people or systems access Alibaba Cloud. Start with groups and managed policies for speed, then move toward custom least-privilege policies, MFA enforcement, and role-based temporary access as you mature.<\/p>\n\n\n\n<p><strong>Next learning step:<\/strong> implement <strong>RAM roles + STS<\/strong> for workload authentication and enable <strong>ActionTrail<\/strong> with a retention\/export strategy aligned to your compliance 
requirements.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,10],"tags":[],"class_list":["post-58","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/58","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=58"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/58\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=58"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=58"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=58"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}