In an enterprise multi-account cloud architecture, how can the enterprise manage from the top down while also dealing with the problem of employees' permission boundaries?
Speaking of multi-account cloud mode
The emergence of multi-account cloud mode
Our enterprise customers generally start by deploying a small number of businesses on the cloud and then gradually move more of them there. As cloud adoption deepens, more and more enterprise businesses run in the cloud, the cloud resources an enterprise purchases grow rapidly, and the management of resources, projects, personnel and permissions becomes extremely complicated. When only one account is used, these problems are magnified and hard to solve effectively. A single account becomes too heavy to carry the load, so many companies have begun to create more accounts to spread the business pressure, assigning different accounts to their different businesses. Seen from the perspective of account usage, the number of accounts an enterprise uses keeps growing, and the multi-account cloud model has gradually become an important option for bringing multiple businesses onto the cloud.
Advantages of multi-account mode
Many companies choose the multi-account model to go to the cloud because multiple accounts have advantages over a single account that cannot be replicated otherwise.
- Uses the strong logical isolation between accounts to keep the enterprise's different business applications independent of each other
Accounts are isolated from each other by default. This avoids dependency conflicts or resource contention between different businesses, and even supports setting clear resource limits for each business.
- Uses multiple accounts to spread risk, keep resource security boundaries as tight as possible, and minimise harm
It removes the security "nuclear button": when an unauthorized user steals a high-privilege identity, the "blast radius" is limited to a single account and does not affect all of the enterprise's businesses.
- Easily handles the multi-branch structure of large enterprises, and supports the coexistence of multiple legal entities and multiple settlement modes
Each account can correspond to a distinct legal entity, so a multi-account environment naturally supports the multiple branch entities of a group company and different settlement modes for different businesses.
- Multiple accounts are easy to structure and manage, and splitting or merging businesses becomes simple
Too many businesses in one place become "bloated" and hard to manage. Businesses are not flat; they come with "organizational" requirements that are hard to satisfy in a single account but easy to implement across multiple accounts. Because accounts are independent, they can easily be split out or merged into different control domains, following changes in the enterprise's business.
Challenges of multi-account architecture
Adopting multiple accounts causes a lot of trouble if they are not managed in an orderly way.
For example, if scattered accounts are not centralized and structured, organizational management cannot be achieved. Likewise, how upper-level managers can see the overall situation at a glance and how to exercise central control are all issues that affect the efficiency of the enterprise's business and need to be resolved.
Therefore, orderly management is the first priority if an enterprise's multi-account model is to improve production efficiency.
From the perspective of multi-account organization, the Cloud Resource Directory product solves the problem of orderly management of multiple accounts. This is one of the basic capabilities of the resource directory.
The resource directory is a multi-account management and governance service that Alibaba Cloud provides for enterprise customers. Learn more about the resource directory
As the figure above shows, using the organizational capabilities of the resource directory, a company can quickly build its own business structure, aggregate its many corporate accounts according to business relationships into a structured and easy-to-manage form, and provide closed-loop cloud resource management services that adapt to its business management needs.
Permission control issues in multi-account mode
Many major customers of Alibaba Cloud are paying more and more attention to top-down management and control of the enterprise.
With a large number of customer businesses going to the cloud, employees (users) are granted many and varied resource and service permissions in order to operate these businesses. The enterprise's management side cannot carefully consider the specific authorizations of each business; what it wants is overall management and control from the top level, that is, to formulate enterprise-wide "big norms" that limit the boundaries of user permissions so that they never exceed the company's compliance scope.
How can this problem be solved simply and efficiently? That question was the original motivation for the design of the resource directory's control policy product.
Management and control strategy product definition and implementation
A Control Policy (hereinafter referred to as CP) is an access control policy based on the resource structure (an organizational unit or a member account in the resource directory). It uniformly manages the boundaries of resource access permissions at each level of the resource directory, and establishes either an enterprise-wide access control principle or a local, scope-specific principle. A control policy only defines a permission boundary; it does not actually grant permissions. You still need to use Resource Access Management (RAM) to grant permissions within a member account before the corresponding identity can access the resource.
From the perspective of enterprise cloud adoption, the object of a control policy is the operations enterprise users perform on the cloud resources they need. From ordering cloud resources, through configuring and using them, to finally destroying them, the control policy performs preset pre-checks over the entire life cycle of an enterprise user's operations on cloud resources and blocks operations that do not comply with the preset rules. The end result is standardized use of cloud resources by enterprise users.
Implementation mechanism of control strategy
Add control strategy verification in the authentication engine
How does a control policy (CP) achieve its permission control effect?
The figure above shows the authentication process for a user's request to access a resource. The control policy adds pre-check logic to the authentication engine that determines the boundary of the operation before formal authentication: for Explicit Deny or Implicit Deny, the engine directly returns a "Reject" result; only when the control policy decision is Allow does the authentication engine proceed to the next decision. You can read more about the permission determination process at
Realize top-down management and control based on resource catalog
After an enterprise has created a resource directory and created member accounts for each department, uncontrolled behaviour in the member accounts will break operation and maintenance rules and bring security risks and wasted cost. With the control policy function of the resource directory, an enterprise can centrally formulate management rules through the enterprise management account and apply them to any level of the organizational structure (resource folders, member accounts) in the resource directory, controlling the rules for accessing resources in each member account to ensure security compliance and controllable costs. For example, member accounts can be prohibited from registering domain names, or from deleting log records.
When a RAM user or RAM role in a member account accesses an Alibaba Cloud service, Alibaba Cloud first checks the control policies and only then checks the RAM permissions within the account. The details are as follows:
- Control policy authentication starts at the account that owns the accessed resource and proceeds level by level up the resource directory hierarchy.
- At any level, if a Deny policy is hit, the result is immediately determined to be Explicit Deny: the entire control policy authentication ends, no authentication against the RAM permission policies in the account is performed, and the request is rejected.
- At any level, if neither a Deny policy nor an Allow policy is hit, the result is also determined to be Explicit Deny: the next level is not entered, the entire control policy authentication ends, no authentication against the RAM permission policies in the account is performed, and the request is rejected.
- At a given level, if no Deny policy is hit and an Allow policy is hit, that level passes and control policy authentication continues at the parent node, up to the Root resource folder. If the Root resource folder also passes, the entire control policy authentication passes and authentication against the RAM permission policies in the account begins. For details, refer to the permission policy determination process.
Instructions for the control strategy
The language of control strategies
CP uses essentially the same syntax as RAM. You can learn about the permission policy syntax and structure in
The CP syntax consists of a version number and a list of authorization statements. Each statement includes an effect (Effect), operations (Action), resources (Resource) and an optional restriction (Condition). On top of the condition keys RAM supports, CP adds one more condition key, acs:PrincipalARN, which checks the identity of the caller (currently only roles are supported). Its main use case is "Avoid access to designated cloud services being controlled". You can learn more about the CP language at
The impact of the control strategy
You can bind a custom CP to any node in the resource directory, including any resource folder or member account. CPs are inherited from top to bottom along the resource directory tree. For example, if control policy A is set on a parent resource folder and control policy B on a child resource folder, both control policy A and control policy B take effect in the child resource folder and in the member accounts under it.
- CP only affects resource access under the member accounts of the resource directory (RD). It does not affect resource access under the resource directory's enterprise management account (MA), because the MA does not belong to the RD;
- CP only affects RAM user and RAM role access within a member account; it cannot control access by the account's root user. We recommend using members of the resource account type in the resource directory, because this member type disables the root user. For resource directory member types, please refer to the documentation
- CP takes effect based on the resource being accessed. Whether the caller is a user inside the resource directory or an external user, access to resources in the resource directory is subject to the CP. For example, if you bind a CP to account A in the resource directory, it also applies when users in account B, outside the resource directory, access resources in account A
- CP also affects resource-based authorization. For example, if an OSS bucket in account A in the resource directory grants access to users in account B outside the resource directory, that access is still governed by the CP bound to account A
- CP does not take effect on service-linked roles. For details, see Service-linked roles
Avoid access to designated cloud services being controlled
A control policy limits the boundary of resource access permissions in the controlled member account; permissions outside the boundary cannot take effect. This limitation also affects Alibaba Cloud services' access to the member account.
Alibaba Cloud services may use service roles to access resources in your account in order to implement certain functions. When a service role's permissions exceed the boundary of the control policy, those permissions are restricted by the control policy, which may prevent some functions of the cloud service from working normally. If this is what you intended when configuring the control policy, no further action is required. If, however, you do not want these cloud services to be controlled, you can handle it as follows:
- Identify the name of the service role used by the cloud service you do not want controlled. You can log in to the RAM console to view all service roles under the account.
- Add a Condition on the condition key acs:PrincipalARN to the control policy that produces the unwanted restriction, and write the service role name used by the affected cloud service into the PrincipalARN field so that the service role is not controlled by mistake. An example follows:
{
  "Statement": [
    {
      "Action": [
        "ram:UpdateUser"
      ],
      "Resource": "*",
      "Effect": "Deny",
      "Condition": {
        "StringNotLike": {
          "acs:PrincipalARN": "acs:ram:*:*:role/<服务角色名称>"
        }
      }
    }
  ],
  "Version": "1"
}
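As an added illustration (not code from the original article or from Alibaba Cloud), the following Python models the level-by-level control policy authentication described earlier and the acs:PrincipalARN exception used in the policy example above. The resource-directory tree, the bound policies and the service role name examplesvcrole are constructed assumptions.

```python
import fnmatch
# Constructed resource-directory tree (child -> parent); Root has no parent.
PARENT = {"Root": None, "folder-prod": "Root", "member-a": "folder-prod",
          "folder-empty": "Root", "member-b": "folder-empty"}
# Constructed CPs: ALLOW_ALL stands in for the allow-everything policy bound at the top;
# DENY_UPDATE_USER mirrors the page's example with a hypothetical service role exception.
ALLOW_ALL = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_UPDATE_USER = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": ["ram:UpdateUser"], "Resource": "*",
     "Condition": {"StringNotLike": {"acs:PrincipalARN": "acs:ram:*:*:role/examplesvcrole"}}}]}
# Policies bound per node; folder-empty has nothing bound, so requests under it hit an implicit deny.
BINDINGS = {"Root": [ALLOW_ALL], "folder-prod": [ALLOW_ALL],
            "member-a": [ALLOW_ALL, DENY_UPDATE_USER], "member-b": [ALLOW_ALL]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(cond, ctx):
    # Only StringLike/StringNotLike are modelled; any other operator counts as unmet.
    for op, kv in cond.items():
        for key, pats in kv.items():
            hit = _matches(pats, ctx.get(key, ""))
            if not ((op == "StringLike" and hit) or (op == "StringNotLike" and not hit)):
                return False
    return True

def evaluate_node(policies, action, resource, ctx):
    """Decision for one node's bound CPs: Deny, Allow or ImplicitDeny."""
    allowed = False
    for st in (s for pol in policies for s in pol["Statement"]):
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)
                and _condition_ok(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit deny ends the whole CP authentication
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def control_policy_decision(account, action, resource, ctx):
    """Walk from the member account up to Root; every level must Allow or the request is rejected."""
    node = account
    while node is not None:
        result = evaluate_node(BINDINGS.get(node, []), action, resource, ctx)
        if result != "Allow":
            return f"Reject:{result}@{node}"
        node = PARENT[node]
    return "Allow"  # only now would RAM permission-policy authentication run
```

The ctx dictionary carries the request context keys (here only acs:PrincipalARN); a RAM user in member-a is denied ram:UpdateUser, the excepted service role is allowed, and anything under folder-empty is rejected at that folder because no policy there allows it.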
Restrictions and References for the Use of Control Strategies
The Alibaba Cloud Resource Directory control policy currently supports 152 cloud products; you can view the cloud services that support control policies
The restrictions on the use of control policies are as follows:
- At most 1500 custom control policies can be created in a resource directory;
- Each node (resource folder, member account) allows at most 10 custom control policies to be bound;
- Each custom policy is at most 2048 characters long.
We recommend that you first run a small-scale test to confirm that the policy's effect matches your expectations, and only then bind it to all target nodes (resource folders, member accounts).
When writing a custom control policy, you can refer to the custom control policy examples