Aliyun How to set access control RAM
If you purchased multiple instances of the cloud server ECS, there are multiple users in your organization who need to use these instances. If these users share the use of your cloud account key, the following issues exist:
Your key is shared by more than one person, the risk of leakage is high;
You cannot limit the access rights of users, which can cause security risks due to misoperation.
Access Control RAM (Resource access Management) is a resource access control service provided by Aliyun. With RAM, you can centrally manage your users, such as employees, systems, or applications, and control which resources users have access to in your name.
Access Control RAM will help you manage user access control over resources. For example, to enhance network security control, you can attach an authorization policy to a group that says that if the user's original IP address is not from the corporate network, the user is denied access to the ECS resource under your name.
You can set different permissions for different groups, such as:
SysAdmins: This group needs to create and manage ECS mirrors, instances, snapshots, security groups, and so on. You have attached an authorization policy to the SysAdmins group that grants group members permission to perform all ECS operations.
Developers: This group only needs to use the permissions of the instance. You can attach an authorization policy to the developers group that grants group members the power to invoke Describeinstances, Startinstance, Stopinstance, CreateInstance, and Deleteinstance The permissions.
If a developer's job responsibilities change and become a system administrator, you can easily move it from the Developpers group to the SysAdmins group.
For more information on access control RAM, refer to the product documentation for RAM.