1.2 Cloud Security Basics and RAM

Key Takeaways

  • Alibaba Cloud secures the underlying infrastructure; customers secure identities, data, guest operating systems, applications, network rules, and logs.
  • RAM (Resource Access Management) is the core identity service for CSA-C01 scenarios: users, groups, roles, policies, MFA, SSO, and temporary credentials.
  • RAM authorization starts from implicit deny; a matching Allow grants access, but any matching explicit Deny overrides every Allow.
  • Use RAM roles plus Security Token Service (STS) for application or cross-account access instead of embedding long-lived AccessKeys.
  • Cloud Security Basics is only 8% of the exam, but its shared-responsibility logic underpins many IAM, host, data, and network questions.
Last updated: June 2026

Security Basics Before Product Selection

CSA-C01 expects you to distinguish security "of" the cloud from security "in" the cloud. This is the shared responsibility model. Alibaba Cloud operates and secures the physical data centers, hardware, network fabric, the virtualization/hypervisor layer, and the managed-service control planes. The customer is responsible for everything they configure on top: identities, data classification and encryption, applications, the guest operating system, network access rules, and whether logs are collected and preserved.

The boundary shifts with the service model, and the exam tests exactly where it sits.

| Layer | ECS (IaaS) | RDS / ApsaraDB (PaaS) | Function Compute (Serverless) |
|---|---|---|---|
| Physical and hypervisor | Alibaba Cloud | Alibaba Cloud | Alibaba Cloud |
| Guest OS patching | Customer | Alibaba Cloud | Alibaba Cloud |
| Database engine patching | Customer (self-managed DB) | Alibaba Cloud | n/a |
| Data, encryption keys, access policy | Customer | Customer | Customer |
| Network rules and exposure | Customer | Customer | Customer |

Worked example: a tenant's Object Storage Service (OSS) bucket is found public and is scraped. Alibaba Cloud is not responsible — the customer set the bucket ACL and missed the misconfiguration. Conversely, a failed physical disk or a hypervisor CVE patch is squarely Alibaba Cloud's job. When a question asks "who must act," anchor on the layer being described.

RAM Decision Points

Resource Access Management (RAM) is the exam's central identity service. Learn to map a need to the correct construct.

| Need | Prefer | Why |
|---|---|---|
| Daily work by one person | RAM user | A named identity replaces use of the Alibaba Cloud account (root) login. |
| Many people with the same access | RAM group | Attach policies once; manage membership instead of per-user grants. |
| Application or cross-account access | RAM role + STS | Issue temporary, scoped credentials with no embedded long-lived key. |
| Corporate single sign-on | SAML 2.0 or OIDC federation | Authenticate against an external identity provider. |
| Multi-account governance | Resource Directory | Organize accounts and apply control-policy guardrails. |

How a RAM Policy Is Evaluated

Every RAM request begins at an implicit deny. RAM then collects all applicable policy statements and applies this order:

  1. Explicit Deny — if any matching statement has Effect: Deny, the request is denied. This always wins.
  2. Explicit Allow — if there is a matching Effect: Allow and no matching Deny, the request is allowed.
  3. Default Deny — if nothing matches, the request is denied.

A RAM policy statement has four parts. A useful memory hook is EARC:

  • Effect — Allow or Deny.
  • Action — the API operation, e.g. oss:PutObject.
  • Resource — the ARN-style identifier, e.g. acs:oss:*:*:my-bucket/*.
  • Condition — optional tests such as source IP (acs:SourceIp) or whether MFA was used (acs:MFAPresent).
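The three-step evaluation order and the EARC statement shape are easiest to internalize by running them. The following is an added illustration written for this section, not Alibaba Cloud's policy engine and not code from the page: a toy evaluator that starts at implicit deny, lets any matching explicit Deny win, and otherwise permits on a matching Allow. The sample policies, the bucket and account identifiers, and the request contexts are constructed; wildcard matching and the two condition operators it understands (IpAddress for acs:SourceIp, Bool for acs:MFAPresent) are simplifying assumptions.

```python
# Added illustration: a toy evaluator for the RAM decision order described
# above. It is not Alibaba Cloud's policy engine; wildcard matching and the
# two condition operators it understands (IpAddress, Bool) are simplifications.
from fnmatch import fnmatchcase
import ipaddress


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _match_any(patterns, value):
    # '*' in an Action or Resource pattern matches any run of characters.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """True when every condition block is satisfied by the request context."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # a required key that is absent never satisfies
            if operator == "IpAddress":
                nets = [ipaddress.ip_network(n) for n in _as_list(expected)]
                if not any(ipaddress.ip_address(actual) in n for n in nets):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def evaluate(policies, action, resource, ctx=None):
    """Return 'Allow' or 'Deny' for one request against all attached policies."""
    ctx = ctx or {}
    allow_seen = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _match_any(stmt["Action"], action):
                continue
            if not _match_any(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # step 1: any matching explicit Deny wins
            allow_seen = True  # step 2 candidate; keep scanning for a Deny
    return "Allow" if allow_seen else "Deny"  # step 3: implicit deny


# Constructed sample policies (EARC shape) and a constructed object ARN.
BUCKET = "acs:oss:*:*:my-bucket/*"
GROUP_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:DeleteObject", "Resource": BUCKET}]}
USER_DENY_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "oss:DeleteObject", "Resource": BUCKET}]}
MFA_PUT_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:PutObject", "Resource": BUCKET,
     "Condition": {"Bool": {"acs:MFAPresent": "true"}}}]}
OFFICE_GET_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"],
     "Resource": BUCKET,
     "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}}]}
OBJ = "acs:oss:cn-hangzhou:123456789012:my-bucket/report.csv"


def demo():
    """Run the scenarios from the section and return each decision by name."""
    return {
        "group_allow_only": evaluate([GROUP_POLICY], "oss:DeleteObject", OBJ),
        "deny_overrides": evaluate([GROUP_POLICY, USER_DENY_POLICY], "oss:DeleteObject", OBJ),
        "nothing_matches": evaluate([GROUP_POLICY], "oss:GetObject", OBJ),
        "mfa_present": evaluate([MFA_PUT_POLICY], "oss:PutObject", OBJ, {"acs:MFAPresent": True}),
        "mfa_missing": evaluate([MFA_PUT_POLICY], "oss:PutObject", OBJ, {}),
        "office_ip": evaluate([OFFICE_GET_POLICY], "oss:GetObject", OBJ, {"acs:SourceIp": "203.0.113.7"}),
        "other_ip": evaluate([OFFICE_GET_POLICY], "oss:GetObject", OBJ, {"acs:SourceIp": "198.51.100.9"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```

The "deny_overrides" scenario is the group-Allow versus user-Deny case: the Allow is found first, but the evaluator keeps scanning and the Deny wins. The "mfa_missing" scenario shows the trap where an Allow exists but its Condition is not met, so the request falls through to implicit deny.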

Credential and Trust-Boundary Traps

  • A shared AccessKey hard-coded in source or config is almost always the wrong answer — it is long-lived and cannot be scoped per session. Prefer a role with STS.
  • The account root credential should never be used for routine work; create RAM users, enable MFA, and apply least privilege.
  • A workload needing short-lived write access to one OSS bucket should assume a RAM role and receive temporary STS credentials scoped to that bucket and action.
  • When a Condition requires MFA but the session lacks it, the request is denied even if an Allow exists.

System Policies, Custom Policies, and Least Privilege

RAM offers two policy types. System policies are managed by Alibaba Cloud (for example AliyunOSSFullAccess or AliyunOSSReadOnlyAccess) and update automatically as services evolve; you cannot edit them. Custom policies are JSON documents you author to express exactly the permissions a role or user needs. For the exam, the least-privilege answer is almost always a custom policy scoped to specific actions and resources, not a broad *FullAccess system policy.

| Scenario | Weak (avoid) | Strong (least privilege) |
|---|---|---|
| App reads one bucket | AliyunOSSFullAccess | Custom policy: oss:GetObject on acs:oss:*:*:reports/* |
| CI pipeline deploys functions | Account root key | RAM role assumed via STS with deploy-only actions |
| Auditor reviews configs | Administrator | ReadOnlyAccess plus Cloud Config view rights |
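A quick way to tell a broad grant from a scoped one before it is attached is a static check of the policy document. The following is an added illustration for this section, not an Alibaba Cloud tool and not code from the page: it flags Allow statements whose Action or Resource is a wildcard, and notes destructive actions that carry no Condition. The "weak" sample is a constructed stand-in for what a *FullAccess-style grant looks like as JSON; the Function Compute resource path and the policy contents are constructed, and the heuristics are deliberately simple.

```python
# Added illustration: a static least-privilege check over RAM custom-policy
# documents. It is not an Alibaba Cloud tool; the sample policies below are
# constructed and the heuristics are deliberately simple.
def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy):
    """Return a list of findings; an empty list means no wildcard over-grant."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue  # a broad Deny narrows access and is not an over-grant
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        wide_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wide_resource = "*" in resources
        for a in wide_actions:
            scope = "every API action" if a == "*" else f"every {a.split(':')[0]} action"
            findings.append(f"statement {i}: Action {a!r} grants {scope}")
        if wide_resource:
            findings.append(f"statement {i}: Resource '*' applies to every resource")
        if wide_actions and wide_resource:
            findings.append(f"statement {i}: action and resource wildcards together "
                            "are equivalent to a *FullAccess grant")
        # Heuristic: a destructive action with no Condition cannot be tied to
        # MFA (acs:MFAPresent) or a source network (acs:SourceIp).
        destructive = [a for a in actions if a.split(":")[-1].startswith("Delete")]
        if destructive and "Condition" not in stmt:
            findings.append(f"statement {i}: destructive action(s) {destructive} "
                            "without a Condition")
    return findings


# Constructed samples mirroring the table above.
WEAK_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}
STRONG_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:GetObject",
     "Resource": "acs:oss:*:*:reports/*"}]}
DEPLOY_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow",
     "Action": ["fc:CreateFunction", "fc:UpdateFunction", "fc:DeleteFunction"],
     "Resource": "acs:fc:*:*:services/ci-demo/functions/*"}]}
DENY_ALL_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}


def summarize(named_policies):
    """Map each policy name to its finding count, for a quick review table."""
    return {name: len(audit_policy(p)) for name, p in named_policies.items()}


if __name__ == "__main__":
    samples = {"weak": WEAK_POLICY, "strong": STRONG_POLICY,
               "deploy": DEPLOY_POLICY, "deny_all": DENY_ALL_POLICY}
    for name, policy in samples.items():
        print(f"== {name}")
        for finding in audit_policy(policy) or ["no findings"]:
            print("  -", finding)
```

The scoped read policy produces no findings, the wildcard policy produces three, and the deploy policy is flagged only for its unconditioned Delete action, which is the prompt to decide whether that action belongs in a CI role at all or should be gated by a Condition.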

Multi-Factor Authentication and the Root Account

The Alibaba Cloud account (root) owns the billing relationship and can do anything; it cannot be restricted by RAM policy. Best practice — and a frequent exam answer — is to enable MFA on the root account, lock its AccessKeys away or delete them, and perform all operational work through RAM users and roles. Enforce MFA on privileged RAM users as well, and you can require it at the policy layer with the acs:MFAPresent condition key so that sensitive actions fail unless the session was MFA-authenticated.

Why Basics Underpins the Whole Exam

Although Cloud Security Basics is only 8% by direct weight, its logic threads through the other 92%. A Host Security question about Security Center findings is really asking who must remediate (the customer). A Data Security question about OSS encryption is really asking who controls the keys. A Network question about an exposed security group is really a shared-responsibility question. Internalize the responsibility split and the implicit-deny evaluation order, and a large share of scenario questions across every module becomes straightforward.

Test Your Knowledge

An application running on Alibaba Cloud needs short-lived permission to write objects to exactly one OSS bucket. What is the best identity design?

Test Your Knowledge

A RAM user is in a group whose policy allows deleting objects from a bucket, but the user also has an attached policy with an explicit Deny for that same delete action. What is the result?

Test Your Knowledge

An OSS bucket is accidentally configured for public read and its contents are scraped. Under the Alibaba Cloud shared responsibility model, who is responsible?
