Control: 1.16 Ensure RAM policies are attached only to groups or roles

Description

By default, RAM users, groups, and roles have no access to Alibaba Cloud resources. RAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that RAM policies be applied directly to groups and roles but not users.

Remediation

Perform the following to create a RAM user group and assign a policy to it:

From Console

1. Log on to RAM console.
2. Choose Identities > Users.
3. Click Create Group, and enter the group name, display name, and description.
4. Click OK.
5. In the Group Name/Display Name column, find the target RAM user group and click Add Permissions.
6. In the Select Policy section, select the target policy or policies and click OK.

From Command Line

1. Run the following command to create a RAM user group:

aliyun ram CreateGroup –GroupName <ram_user_group>

2. Run the following command to attach a policy to the group:

aliyun ram AttachPolicyToGroup --GroupName <ram_user_group> --PolicyName <policy_name> --PolicyType <System|Custom>

Perform the following to add a user to a given group:

From Console

1. Log on to RAM console.
2. Choose Identities > Groups.
3. In the Group Name/Display Name column, find the target RAM user group and click Add Group Members.
4. In the User section, select the target RAM user and click OK.

From Command Line

Run the following command to add a RAM user to a user group:

aliyun ram AddUserToGroup --GroupName <ram_user_group> --UserName <ram_user>

Perform the following to remove a direct association between a user and policy:

From Console

1. Logon to RAM console.
2. Choose Permissions > Grants.
3. In the Principal column, find the target RAM user and click Revoke Permission.
4. Click OK.

From Command Line

Run the following command to remove a policy from a RAM user:

aliyun ram DetachPolicyFromUser --PolicyName <policy_name> --PolicyType <System|Custom> --UserName <ram_user>