For those who have zero experience in cloud or are just beginning, here's a question for you: how do you make sure that the data you keep on the cloud, or the resources you run there (say a virtual machine or a container), do not fall into the wrong hands? Public cloud has a lot of advantages, but it comes with a shared responsibility model. Under this model, the cloud provider is responsible for the security of the underlying platform and the managed services it operates, while it is your responsibility to configure and use the security services the provider offers (identity, access control, encryption, logging and so on) to protect what you deploy on top of it.
Coming back to the question: how do you prevent unauthorized people from accessing your resources on the cloud? It's simple really: you use identities and permissions. You verify who is trying to access a resource (authentication) and then check whether that identity is actually allowed to do so (authorization). On Alibaba Cloud this is done using Resource Access Management, or RAM for short.
If you are coming from a different cloud provider background, say AWS, Azure or GCP, RAM is the Alibaba Cloud counterpart of Identity and Access Management (IAM) on those platforms. RAM provides an easy way to add users, organise them into groups and grant them specific permissions to resources through policies. (Please note that at the time of writing, there is no exact abstraction for grouping your resources in Alibaba Cloud like the one you have in AWS, Azure, GCP or Oracle.)
Now that you have the gist of the service, the rest of this article shows how to get the most out of Alibaba Cloud by following some best practices from the world of cloud identity and access management. We assume at this point that you have at least created an account on Alibaba Cloud. What we are going to do is enable MFA for that new account (the root user) and then create a RAM user which you should be using for your day-to-day activities on Alibaba Cloud.
Enabling Multi-Factor Authentication on Alibaba Cloud.
Log on to your Alibaba Cloud console. You should see something similar to the screenshot given below. This is the standard Alibaba Cloud console. The thing I like most about this design is that it is not as intimidating as AWS, but at the same time it offers a good overview of services and costs.
From here, we need to move to Resource Access Management. To do this, click on the hamburger menu in the top-left corner, then click on 'Products' (it should be the first option). If you cannot spot Resource Access Management, just type 'RAM' into the search bar and it should appear. Click on it.
This takes you to the RAM console, which shows the current status of your Alibaba Cloud account. If yours is also brand new like mine, the view should be similar to the one given below.
As can be seen from the view, at the time of writing, every account can have up to 1000 RAM users, which may be organised into up to 50 groups. If you are wondering what that means: you can create 'users', that is, identities (including one for yourself) that can access resources created under this specific Alibaba Cloud account. Say you need a friend to access an ECS instance on your account. Instead of handing over your own credentials, you create a new RAM user, grant it only the permissions that job needs, and give your friend that user's credentials. After the work is done, you delete (or at least disable) that user so that your friend can no longer access the ECS instance.
When thinking of groups, just think of WhatsApp or DingTalk groups, which contain many users. Each group is made for a specific purpose, right? You may have a family group where all your family members are present, or a group made for friends planning a trip. In RAM, a group is the same idea: permissions are attached to the group, and every user in it inherits them.
What we are going to do now is set up MFA, or Multi-Factor Authentication, for the root account. To do this, click on 'Enable MFA for Root Account' and then on 'Set Now'. This should open in a new tab, and the view should be similar to the one given below.
We need to edit the settings under 'Account Protection'. Before going any further, please make sure you have installed Google Authenticator (or another TOTP app) on your smartphone, as we will need it shortly. Clicking on the 'Edit' link in the same row opens another tab, which should look similar to the one given below.
At this point, you need to select which activities you want to protect and how you want to protect them. This is your root account and you should not be using it for day-to-day activities. But before you create another user for that, this account needs to be secured. In my case, I want MFA every time I log in to my root account and every time I try to change the password. To do that, I want Alibaba Cloud to send an OTP to my registered phone number as well as require a 6-digit MFA code (discussed below). After this, click on 'Submit'. This should lead to another screen as shown below.
At this step, your mobile number is verified. An OTP is sent to it, which you need to enter here. If the OTP entered is correct, then after clicking on 'Submit' you will be directed to the next screen as shown below.
This screen prompts you to install Google Authenticator on your mobile device. Google Authenticator is a TOTP (time-based one-time password, RFC 6238) app: it stores the secret key you are about to scan and derives a 6-digit code from that key and the current time, and the code changes every 30 seconds. Alibaba Cloud holds the same secret and performs the same calculation on its side, which is why the code you type matches what the server expects. If you have already installed Google Authenticator, proceed to the next screen.
At this step, you will be shown a QR code. It is of utmost importance that you protect this QR code: it encodes the shared secret itself, so anyone who captures it can generate valid MFA codes for your root account for as long as that secret stays in use. You do not need to take a picture of it; just scan it with Google Authenticator. If someone else also has this code, you are one step closer to doomsday. So make sure no one copies this QR code and only you have it. The flip side is that if you lose the phone, you lose your only copy of the secret, so make sure the phone number and email registered to the account are current before you proceed. For my part, I have covered my QR code in the screenshot. Once scanned, you should see a 6-digit code in Google Authenticator. Watch closely: the code changes at regular intervals. Enter the current code promptly in the text box and click on Next.
Your MFA for the root account is now done. While you are one step closer to good practice, this is not complete. Now that your root account on Alibaba Cloud is secured, for best practices' sake you need to create a new RAM user, grant it only the minimum permissions it needs, and use that user for your daily activities instead of the root account.
We will cover this in the next part (here is Part 2) of the tutorial, so do check back to learn how to add a RAM user and then enable MFA for that user as well on Alibaba Cloud. Till then, stay safe and, as we like to say on DC on Cloud, 'Keep Calm n' Cloud'!