Controlling who can access your Alibaba Cloud resources — and what they can do — is fundamental to security. This lesson covers Resource Access Management (RAM), resource groups, and identity best practices.
When you sign up for Alibaba Cloud, you receive a root account (also called the primary account). This account has full access to all resources and billing.
RAM is Alibaba Cloud's identity and access management service — the equivalent of AWS IAM or Azure AD. It allows you to:
A RAM user is an identity within your Alibaba Cloud account. Each user has:
Groups let you manage permissions for multiple users at once:
```
Group: Developers
├── User: alice
├── User: bob
└── User: charlie
→ Attached policy: AliyunECSFullAccess
```
When you add a policy to a group, all members inherit those permissions.
Policies are JSON documents that define what actions are allowed or denied:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*"
    }
  ]
}
```
Alibaba Cloud provides system policies (pre-built, managed by Alibaba) and supports custom policies (written by you).
| Field | Description |
|---|---|
| Effect | Allow or Deny |
| Action | The API operations permitted (e.g., ecs:RunInstances) |
| Resource | The resources the policy applies to (ARN format) |
| Condition | Optional conditions (e.g., IP range, time of day) |
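The fields above are enough to review a custom policy for over-broad grants before attaching it. The following is an added example, not code from this lesson or from Alibaba Cloud: `lint_policy` and `as_list` are hypothetical helper names, and the account ID, instance ID and IP range in the narrowed policy are constructed placeholders.

```python
# Policy shown in the lesson: every ECS operation on every resource.
PAGE_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}],
}

# Constructed least-privilege variant (placeholder account ID, instance ID, CIDR).
NARROWED_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:StartInstance", "ecs:StopInstance", "ecs:RebootInstance"],
        "Resource": "acs:ecs:cn-hangzhou:1234567890123456:instance/i-exampleinstance",
        "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}},
    }],
}

def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement_index, finding) pairs for over-broad Allow statements."""
    findings = []
    if policy.get("Version") != "1":
        findings.append((None, 'Version is not "1"'))
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append((i, "Effect must be Allow or Deny"))
            continue
        if effect == "Deny":
            continue  # a broad Deny narrows access, so it is not flagged here
        for action in as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((i, "allows every operation of every service"))
            elif action.endswith(":*"):
                service = action.split(":", 1)[0]
                findings.append((i, f"allows every {service} operation"))
        # Unrestricted resource scope is only flagged when no Condition limits it.
        if "*" in as_list(stmt.get("Resource", [])) and "Condition" not in stmt:
            findings.append((i, "applies to all resources with no Condition"))
    return findings

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("narrowed", NARROWED_POLICY)):
        print(name, lint_policy(doc))
```

The check only catches full-service and global wildcards; partial wildcards such as a prefix followed by `*` still need manual review.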
Roles provide temporary security credentials and are used for: