Alibaba Cloud RAM — Part 3: Usage Scenarios
By Shantanu Kaushik
Cloud computing has made way for multi-tier processing and access systems. Different environments allow for different models of SDLC, and the information delivery mechanism has also evolved to support wider system implementation. Deployments want to keep a close eye on Security, compliance, and access authorization.
Alibaba Cloud Resource and Access Management (RAM) allows a system administrator to create and manage RAM users for employees, systems, applications, customers, and any other required identities. These identities can be easily managed with Alibaba Cloud RAM to assign permissions to different users to access Alibaba Cloud resources.
In a scenario where multiple users collaborate and manage cloud resources within an organization, Alibaba Cloud RAM allows the administrator to keep the Alibaba Cloud account and password confidential. Alibaba Cloud RAM also allows the administrator to grant users the minimum required permissions to ensure high security.
In this article, we will list all of the usage scenarios and product scope associated with Alibaba Cloud RAM.
Usage Scenarios | Alibaba Cloud RAM
Scenario 1: Enterprise User Account Management | Permission Control
An enterprise may decide to migrate from on-premises to a cloud computing system while deploying using Alibaba Cloud products and services, such as the Elastic Compute Service (ECS), Object Storage Service (OSS) with Server Load Balancer (SLB), and a choice of a database system. The administrator needs to assign different tasks to different teams (user groups) or individual users.
These users will be assigned different tasks and will need various permissions to complete the tasks. Alibaba Cloud RAM will facilitate every need related to authorization and permission management in this scenario. Let’s take a look at the information flow architecture for this scenario on the chart below:
You can see how multiple users/teams are assigned for a particular project. Alibaba Cloud RAM is a gateway for them to access any cloud resource that the enterprise has deployed. This controlled access offers a lot of features and benefits, including resource management and moderated access depending on the requirement. The exact task requirements and resource usage reports can be compared to analyze employee or team performance. This could lead to a better-managed system with optimal usage and team collaboration exercises.
In this scenario, you can:
- Create custom policies
- Grant permissions by binding one or more policies to a user or user groups.
- Create access keys and credentials
- Provide access to one or multiple cloud resources
- Provide time-based or location-based access rules
- Bind the primary account to an MFA device
- Configure the MFA independently
Scenario 2: Inter-Enterprise Resource and Access Management
In many situations, an enterprise outsources tasks to other enterprises. These tasks could be operations and maintenance (O&M), monitoring, or many other things. The parent enterprise has to grant certain permissions to the enterprise they are outsourcing to for that enterprise to access its resources.
Let’s start by looking at the information flow architecture for this scenario on the chart below:
Here, the resource access has been provided by the parent or master enterprise to the other enterprise for O&M and monitoring. The Account I is used for granting or revoking access. The second enterprise can allow one or more of its employees/users to perform operations and maintenance on allocated resources and generate reports to be sent to the master organization.
When a role is created and the necessary permissions are granted, these are for cross-account access management. Alibaba Cloud RAM allows these cross-account resources to be accessed through the console by creating sub-users and providing them with the necessary authorization for their roles.
Scenario 3: Mobile Apps and Temporary Access Management
There are scenarios where an enterprise requires limited or temporary access to certain applications. These mobile applications may be running on multiple mobile devices would need to be controlled to facilitate proper resource access management.
Alibaba Cloud RAM’s solution is STS-tokens. The enterprise will be able to minimize security issues by providing each mobile application with an access token that will contain assigned permission and time allotted for access. STS-tokens are security credentials that have a limited validity period. Authorizing a mobile app to access Alibaba Cloud resources is a perfect example of the Security Token Service (STS) with Resource Access Management (RAM).
Let’s take a look at the architecture for this scenario on the chart below:
Here, the enterprise creates a RAM user to access the AppServer and grants authorization to this user for the assigned role. This assigned role was pre-defined by the enterprise using the Alibaba Cloud RAM console in a centralized manner. To grant different level permissions, a policy was created, and this policy was bound to the defined role. All of the steps are listed below:
- To access a resource, the mobile application will request an STS-token from the app server.
- The Alibaba Cloud RAM role is defined, and the necessary permissions have been granted.
- A user is associated with this RAM role for the application server access.
- The app server calls the STS API to obtain the token.
- The mobile application uses the token to upload or download data from Alibaba Cloud OSS
Let’s take a look at the chart below:
Scenario 4: Authorizing Applications | Alibaba Cloud RAM
An enterprise is set up to deploy applications on the Alibaba Cloud Elastic Compute Service (ECS) instances. They need to implement proper authentication and access control. Let’s see what the system administrator needs to follow to utilize this usage scenario.
This scenario indicates the use of the Alibaba Cloud API Gateway to call other Alibaba Cloud services. Alibaba Cloud RAM can provide an STS-token to your application and enable the API operation. At the same time, an administrator can define resource access for a user or a group to allow seamless access.
The AccessKey pairs can be included in the application code or saved in a different configuration file for the application. However, it is not advisable to save the AccessKey as a plain text document within an ECS instance. This could lead to AccessKey disclosure due to image sharing.
Alibaba Cloud RAM provides a unified interface and a centralized management approach for a seamless user experience. It is available free of charge with most Alibaba Cloud products. It is deeply integrated throughout products and solutions offered by Alibaba Cloud, including elastic compute resources, such as Elastic Compute Service (ECS), databases, storage products, security products, such as Anti-DDoS, and middleware products, such as EDAS, IoT, machine learning. This form of default integration creates an unbeatable promise for an enterprise to confidently deploy their services using Alibaba Cloud.
- Alibaba Cloud RAM — How to Do What?
- Alibaba Cloud Firewall — An Overview