Remove Root Account MFA using RAM User in Alibaba Cloud

Whenever the discussion of Cloud Computing started the most important point is always about Security regardless of Cloud vendor.

Cloud Providers are giving the flexibility to strengthen the security at different layer and one of the common issue with users management and its security.

The best practice is to follow the “Principal of Least Privilege’s” .

In this post I would like to share the my own experience with Alibaba Cloud Platform as I lost the access to my MFA application which was installed on phone due to my phone got broken and I forgot to take the backup codes.

First of all if you signup from Alibaba Cloud you will get the full access on the email id/username which is used to create the account. Normally we call this user as our ROOT User. The best practice is that we don’t need to use our root user for any Alibaba Cloud Services spinning activity as its most powerful user in the account. We need to always follow the idea of least privilege’s user because it may happen that in an organization there are 100’s of different user belonging to different department different project but all are going to use same Alibaba Cloud Account. Well that is the case when the organization has some policies and they don’t want to follow multi account or landing zone approach, in such case there is a feature on Alibaba Cloud name “RAM (Resource Access Manager)” which is an Identity store. Using RAM we can setup the account Alias/Groups/Users/Permission easily and Its FREE.. Woaaahhh!!!

DO Remember that ROOT account can be use especially in case of Billing Purposes in case if you don’t have any dedicated Billing User.

What I have done as I told to set the RAM user and set MFA on your Root Account to strengthen the security of your Alibaba Cloud Account. I followed the same and everything was working like charm. 

I highly recommend to create the RAM user and setting the MFA on Root Account will be your first step after you signup for Alibaba Cloud account. I have made a quick video on how we can create it and its below.

After we setup the MFA the next time you will try to login your with Root Account we see an extra layer of Authentication where we are supposed to enter the MFA 6 digit code. The mistake I did that MFA can be enable using SMS method but I setup it only with Google Authenticator. Do remember to select the both option while setting up the MFA.

Alibaba Login MFA

My phone motherboard got defected so its dead and I had Google Authenticator in it. I had to login to Root Account as I mentioned the same account is connected with my MVP console. (Yes, I don’t want to miss MVP Points :D)

Then I felt that yes No MFA codes is with me and I didn’t see any other option like “Try Different Verification Method” as in above image was there because I had not activate the SMS MFA way so I was stuck.

I was trying to find If there is any mechanism to have a quick call to the support team for getting the verification done and get myself Removed from MFA but alas!I was helpless.

Finally I could do that using my RAM user that helped me log in  as I hadn’t set up the MFA on Ram user which had the Admin Access (but no longer case so don’t try to brute force me haaa :p)

Below are the screenshots of support cases


Alibaba Support 1

What I really liked was the quick response of the Support team even when I didn’t have any paid support. Below is the information which Alibaba Cloud Support is asking for so do remember to keep these information handy because when such situation came our mind become hyper and we started forgetting things. The same happened with me I send the information but it was incorrect

Alibaba Support 2

After I shared the information they want 1-2 business day for unbinding and I was ok with it but what really like the follow up message may be its AI.

Alibaba Support 3
Alibaba Support 4

And finally the day came, after providing all the right information by diving deep in my memory I finally saw the message flashing as given below and Hoorah!! I was finally able to log in my Root Account and claim my MVP points

Alibaba Support 5

The learning which I have that “Don’t put all eggs in one Basket” with that I moved to Authy from Google Authenticator because Authy seems much better with Backup your MFA account so if you install Authy in another device it can sync your accounts. Another step is that I have enabled the SMS based MFA, so in near future even if I lose the access to my smartphone I can still access my Alibaba Console very easily

One thing which can be expected  from the Alibaba Cloud Team is addition of Directly Reach Out option on the MFA screen page if In case the user doesn’t have any access to raise Support Ticket still he can reach out to the Alibaba Cloud Team. This additional feature would be icing on the cake and would make the experience even more user friendly

I hope you would have got the idea on how these small steps can prove to be very significant when it comes to the Security of the Cloud Account. I would also like to mention the fact that it is really important to understand the security responsibilities from different layers

Do subscribe to my channel as well as blog for more Alibaba Cloud related content.

Feel free to connect with me and share your feedback.

Thank you!!

Leave a Reply