Overview
Description
By default, RAM users, groups, and roles have no access to Alibaba Cloud resources. RAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that RAM policies be applied directly to groups and roles but not users.
Rationale
Assigning privileges at the group or role level reduces the complexity of access management as the number of users grows. Reducing access management complexity may in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.
Impact
There may be cases in which a user needs permissions that cannot be covered by the groups it joins or the roles it can assume. It may still be necessary to attach specific policies directly to a RAM user for certain operations that cannot be grouped with other permissions under a role or group.
References
Remediation guidance
Perform the following to create a RAM user group and assign a policy to it:
Via the management console
- Log in to the RAM Console
- Under Identities, select Users
- Click Create Group, and enter the group name, display name, and description
- Click OK
- In the Group Name/Display Name column, find the target RAM user group and click Add Permissions
- In the Select Policy section, select the target policy or policies and click OK
Via CLI
- Run the following command to create a RAM user group:
aliyun ram CreateGroup --GroupName <groupName>
- Run the following command to attach a policy to the group:
aliyun ram AttachPolicyToGroup --GroupName <groupName> --PolicyName <policyName> --PolicyType <System|Custom>
Perform the following to add a user to a given group:
Via the management console
- Log in to the RAM Console
- Under Identities, select Users
- In the Group Name/Display Name column, find the target RAM user group and click Add Group Members
- In the User section, select the target RAM user and click OK
Via CLI
Run the following command to add a RAM user to a user group:
aliyun ram AddUserToGroup --GroupName <groupName> --UserName <userName>
Perform the following to remove a direct association between a user and policy:
Via the management console
- Log in to the RAM Console
- Under Permissions, select Grants
- In the Principal column, find the target RAM user and click Revoke Permission
- Click OK
Via CLI
Run the following command to remove a policy from a RAM user:
aliyun ram DetachPolicyFromUser --PolicyName <policyName> --PolicyType <System|Custom> --UserName <userName>
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
RAM policies are attached only to groups or roles
Connectors
Covered asset types
Expected check: eq []
iamUsers(where: { iamPolicies_SOME: { idFromProvider_NOT: null } }) {...AssetFragment}
Alibaba Cloud
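The following is an added example, not part of this control page or of any Alibaba Cloud tooling. It shows, in Python, both halves of the control above: the detection logic (a user is non-compliant when it has any directly attached policy, so the compliant result is empty, matching "Expected check: eq []"), and a generator for the remediation steps from the CLI guidance, ordered so that the group grants are in place before the direct grant is detached. The sample inventory is constructed inline and imitates the shape of `aliyun ram ListPoliciesForUser` output (Policies.Policy[] with PolicyName/PolicyType); that shape and the user-to-group mapping are assumptions for the example.

```python
import json
import shlex

# Constructed sample: one ListPoliciesForUser response (as JSON text) per RAM
# user. The Policies.Policy[] shape is assumed here for illustration.
SAMPLE_USER_POLICIES = {
    "alice": json.dumps({"Policies": {"Policy": []}}),
    "bob": json.dumps({"Policies": {"Policy": [
        {"PolicyName": "AliyunOSSReadOnlyAccess", "PolicyType": "System"},
        {"PolicyName": "ProjectDeploy", "PolicyType": "Custom"},
    ]}}),
    "carol": json.dumps({"Policies": {"Policy": [
        {"PolicyName": "AliyunECSFullAccess", "PolicyType": "System"},
    ]}}),
}


def direct_attachments(user_policies):
    """Return {userName: [(policyName, policyType), ...]} for every user that has
    at least one policy attached directly. An empty dict means the control passes."""
    findings = {}
    for user, raw in user_policies.items():
        policies = json.loads(raw).get("Policies", {}).get("Policy", [])
        if policies:
            findings[user] = [(p["PolicyName"], p["PolicyType"]) for p in policies]
    return findings


def remediation_commands(findings, group_for_user):
    """Build the aliyun ram CLI steps from the remediation guidance for each
    finding. group_for_user maps userName -> target groupName (an input the
    operator supplies; assumed for this example). Order matters: attach to the
    group and add the user first, detach from the user last, so the principal
    never loses access mid-remediation."""
    cmds = []
    created = set()
    for user, policies in findings.items():
        group = shlex.quote(group_for_user[user])
        if group not in created:
            cmds.append(f"aliyun ram CreateGroup --GroupName {group}")
            created.add(group)
        for name, ptype in policies:
            cmds.append(
                f"aliyun ram AttachPolicyToGroup --GroupName {group} "
                f"--PolicyName {shlex.quote(name)} --PolicyType {ptype}"
            )
        cmds.append(
            f"aliyun ram AddUserToGroup --GroupName {group} --UserName {shlex.quote(user)}"
        )
        for name, ptype in policies:
            cmds.append(
                f"aliyun ram DetachPolicyFromUser --PolicyName {shlex.quote(name)} "
                f"--PolicyType {ptype} --UserName {shlex.quote(user)}"
            )
    return cmds


if __name__ == "__main__":
    found = direct_attachments(SAMPLE_USER_POLICIES)
    print("non-compliant users:", sorted(found) or "none")
    # Hypothetical mapping of users to the groups that should carry their grants.
    for cmd in remediation_commands(found, {"bob": "deployers", "carol": "ops"}):
        print(cmd)
```

The generated commands are meant to be reviewed, not run blindly: the operator decides which group should carry each grant, and policies that genuinely cannot be grouped (see Impact above) stay on the user as a documented exception.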