# eb-security

Part of **EB**

# EventBridge Security Console Guide

## Operations Overview

| Operation | Console Navigation Path | Prerequisites | Description |
|----------|------------------------|---------------|-------------|
| Grant API Permissions | Console > RAM > Permissions > Policies > Create Policy | A root account with administrative privileges; a RAM user created in the account | Create a custom authorization policy using ARNs to grant API-level access to EventBridge resources. |
| Identity Management | Console > RAM > Users > Create User / Console > RAM > Roles > Create Role | An Alibaba Cloud account with administrative rights; a VPC or network configuration if required for resource access; an enterprise identity provider set up for SSO integration | Create and configure RAM users or roles with appropriate access modes and session durations for EventBridge interaction. |
| Cross-account Authorization | Console > RAM > Roles > Create Role | Enterprise A must have an Alibaba Cloud account with EventBridge resources; Enterprise B must have an Alibaba Cloud account; Enterprise A must create a RAM role for Enterprise B; Enterprise B must create a RAM user | Set up a RAM role in one account that can be assumed by users from another Alibaba Cloud account to enable cross-account EventBridge access. |
| Grant Permissions to RAM Users | Console > RAM > Users > [User Name] > Permissions | An Alibaba Cloud account with sufficient privileges to manage RAM users; a RAM user created and ready for permission assignment | Assign specific EventBridge permissions to an existing RAM user and log in as that user to access authorized services. |
| Identity-based Policies | Console > EventBridge > Identity-based Policies | An Alibaba Cloud account with IAM permissions; a user or role that needs to be assigned policies | Create and manage custom identity-based access policies directly in the EventBridge console using JSON policy documents. |
| Use RAM for Access Control | Console > RAM > Users > Permissions > Create Permission Policy | An Alibaba Cloud account with sufficient privileges to manage RAM resources; basic understanding of IAM concepts such as users, roles, and policies | Define fine-grained RAM permission policies for EventBridge resources using the RAM console. |

## Step-by-Step Instructions

### Grant API Permissions

**Navigation**: Console > RAM > Permissions > Policies > Create Policy

**Prerequisites**:
- A root account with administrative privileges
- A RAM user created in the account

1. Navigate to the Policies page in the RAM console  
   - Element: **Permissions** (menu) — left navigation panel

2. Click **Create Policy**  
   - Element: **Create Policy** (button) — top-right corner

3. Select the **JSON** tab and paste the policy document  
   - Element: **JSON** (tab) — main content area  
   - Notes: The policy must include the ARN of the target resource, such as an EventBridge event bus.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Policy Name | text_input | Yes | — | A unique name for the authorization policy. |
| Description | text_input | No | — | Optional description of the policy's purpose. |
| Policy Document | text_input | Yes | — | The JSON-formatted policy document that defines the permissions. Must include ARNs to specify resources. |

### Identity Management

**Navigation**: Console > RAM > Users > Create User / Console > RAM > Roles > Create Role

**Prerequisites**:
- An Alibaba Cloud account with administrative rights
- A VPC or network configuration if required for resource access
- Enterprise identity provider setup for SSO integration

1. Click **Create User**  
   - Element: **Create User** (button) — top-right corner of the Users page

2. Select **Access Mode**  
   - Element: **Access Mode** (dropdown) — main content area  
   - Notes: Choose Console Access, Using permanent AccessKey to access, or both

3. Enter user name and set password  
   - Element: **User Name** (text_input) — form fields section  
   - Notes: For console access, a username and password are required

4. Grant permissions via policies  
   - Element: **Add Permissions** (button) — permissions section  
   - Notes: Attach policies to the user or add them to a user group

5. Click **Create Role**  
   - Element: **Create Role** (button) — top-right corner of the Roles page

6. Specify trusted entity  
   - Element: **Trusted Entity** (dropdown) — main content area  
   - Notes: Select the service or account that can assume this role

7. Set session duration  
   - Element: **Maximum Session Duration** (dropdown) — role settings  
   - Notes: Adjust based on security requirements; default is 3600 seconds

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| User Name | text | Yes | — | Unique identifier for the RAM user |
| Access Mode | checkbox | No | Console Access, Using permanent AccessKey to access | Specifies how the user will authenticate |
| Password | text | Yes | — | Password for console login (if Console Access is selected) |
| Maximum Session Duration | dropdown | Yes | 1 hour, 2 hours, 4 hours, 8 hours, 12 hours, 24 hours | How long the STS token remains valid after role assumption |

### Cross-account Authorization

**Navigation**: Console > RAM > Roles > Create Role

**Prerequisites**:
- Enterprise A must have an Alibaba Cloud account with EventBridge resources
- Enterprise B must have an Alibaba Cloud account
- Enterprise A must create a RAM role for Enterprise B
- Enterprise B must create a RAM user

1. Log on to the RAM console using Enterprise A's Alibaba Cloud account and create a RAM role for Enterprise B.  
   - Element: **Create Role** (button) — top-right corner

2. Optional: Create a custom policy for the RAM role.  
   - Element: **Create Policy** (button) — left navigation panel

3. Grant permissions to the RAM role by attaching a system policy or a custom policy.  
   - Element: **Attach Policy** (button) — main content area

4. Log on to the RAM console using Enterprise B's Alibaba Cloud account and create a RAM user.  
   - Element: **Create User** (button) — top-right corner

5. Grant the AliyunSTSAssumeRoleAccess permission to the RAM user.  
   - Element: **Add Permissions** (button) — main content area

6. The RAM user of Enterprise B can now access Enterprise A's resources through the console or by making API calls.  
   - Element: **Switch Role** (link) — upper-right corner  
   - Notes: Enter the Enterprise Alias or Account ID of Enterprise A and the Role Name, then click Switch.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Role Name | text_input | Yes | — | The name of the RAM role to be created for Enterprise B. |
| Trusted Entity Type | dropdown | Yes | Alibaba Cloud Account | Specifies the type of entity that is allowed to assume this role. |
| Trusted Alibaba Cloud Account | text_input | Yes | — | The Alibaba Cloud account ID of Enterprise B that is allowed to assume the role. |
| Session Name | text_input | Yes | — | A name for the session when assuming the role. |
| Policy | text_input | No | — | An optional JSON policy document to limit the permissions granted during role assumption. |
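The role and trust relationship that steps 1 to 6 set up, as an added Python example that is not code from the original guide: it builds the trust policy for Enterprise A's role, derives the role ARN that Enterprise B's user needs (the Switch Role step asks for the same account ID and role name), and audits a trust document so that only the intended account is admitted. The trust-policy shape (`sts:AssumeRole` with `Principal.RAM` entries of the form `acs:ram::<account-id>:root`) and the role ARN shape `acs:ram::<account-id>:role/<name>` follow Alibaba Cloud RAM's documented format; the account IDs, the role name and the over-broad counter-example are constructed placeholders.

```python
"""Build and audit the trust policy of a cross-account RAM role.

Added example, not from the console guide. The trust-policy shape (Action
sts:AssumeRole, Principal.RAM entries of the form acs:ram::<account-id>:root)
and the role ARN shape acs:ram::<account-id>:role/<name> follow the documented
Alibaba Cloud RAM format; the account IDs and role name are constructed.
"""
import json
import re

ACCOUNT_A = "1111111111111111"          # constructed: owns the EventBridge resources
ACCOUNT_B = "2222222222222222"          # constructed: its RAM user will switch into the role
ROLE_NAME = "EventBridgePartnerAccess"  # constructed

_ACCOUNT_ID = re.compile(r"^\d{16}$")
# A principal is acceptable when it names one account's root or one RAM user in that account.
_PRINCIPAL = re.compile(r"^acs:ram::(\d{16}):(root|user/[^:/]+)$")


def _as_list(value):
    """RAM accepts a string or a list for Action and Principal entries; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy(trusted_account_ids):
    """Trust policy for Enterprise A's role that only the listed accounts may assume."""
    bad = [a for a in trusted_account_ids if not _ACCOUNT_ID.match(a)]
    if bad:
        raise ValueError(f"not 16-digit account IDs: {bad}")
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"RAM": [f"acs:ram::{a}:root" for a in trusted_account_ids]},
        }],
    }


def role_arn(owner_account_id, role_name):
    """ARN the assuming side passes to AssumeRole; Switch Role asks for the same account ID and role name."""
    return f"acs:ram::{owner_account_id}:role/{role_name}"


def audit_trust(doc):
    """List the accounts a trust policy admits and flag any principal broader than one account.

    Accepts the document as a JSON string or an already-parsed dict.
    """
    policy = json.loads(doc) if isinstance(doc, str) else doc
    accounts, findings = [], []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        ram_principals = _as_list(st.get("Principal", {}).get("RAM", []))
        if not ram_principals:
            findings.append(f"statement {i}: Allow sts:AssumeRole without a RAM principal")
        for p in ram_principals:
            m = _PRINCIPAL.match(p)
            if m:
                accounts.append(m.group(1))
            else:
                findings.append(f"statement {i}: principal {p!r} is not a single account or user")
    return {"accounts": sorted(set(accounts)), "findings": findings}


# Constructed counter-example: a trust policy that admits any RAM identity.
OVERBROAD_TRUST = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"RAM": ["*"]}}],
})


if __name__ == "__main__":
    print(json.dumps(trust_policy([ACCOUNT_B]), indent=2))
    print(role_arn(ACCOUNT_A, ROLE_NAME))
    print(audit_trust(trust_policy([ACCOUNT_B])))
    print(audit_trust(OVERBROAD_TRUST))
```

Run `audit_trust` against the trust document of any existing role before attaching a permission policy to it: the role's permission policy decides what the assumed session may do, but the trust policy decides who may obtain that session, and a principal that does not resolve to a single account or user is the finding to fix first.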

### Grant Permissions to RAM Users

**Navigation**: Console > RAM > Users > [User Name] > Permissions

**Prerequisites**:
- An Alibaba Cloud account with sufficient privileges to manage RAM users
- A RAM user created and ready for permission assignment

1. Open the RAM user logon portal  
   - Element: **RAM User Logon** (link) — top navigation bar  
   - Notes: Use the China region link (https://signin.aliyun.com/login.htm) or international region link (https://signin.alibabacloud.com/login.htm)

2. Enter the RAM user name and click **Next**  
   - Element: **Next** (button) — bottom of the login form  
   - Notes: The RAM user name must be in the format `<username>@<AccountAlias>` or `<username>@<AccountAlias>.onaliyun.com`

3. Enter the RAM user password and click **Login**  
   - Element: **Login** (button) — bottom of the password form

4. Navigate to the authorized service console  
   - Element: **Open the console of an authorized service** (link) — main content area after login  
   - Notes: After logging in, users can access services they have been granted permissions for, such as EventBridge

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| RAM user name | text_input | Yes | — | The username of the RAM user, formatted as `<username>@<AccountAlias>` or `<username>@<AccountAlias>.onaliyun.com` |
| Password | text_input | Yes | — | The password assigned to the RAM user |

### Identity-based Policies

**Navigation**: Console > EventBridge > Identity-based Policies

**Prerequisites**:
- An Alibaba Cloud account with IAM permissions
- A user or role that needs to be assigned policies

1. Navigate to the Identity-based Policies page  
   - Element: **Identity-based Policies** (link) — left navigation panel

2. Click **Create Policy** to define a new policy  
   - Element: **Create Policy** (button) — top-right corner

3. Select the policy type (e.g., Custom Policy)  
   - Element: **Policy Type** (dropdown) — main content area  
   - Notes: Choose 'Custom Policy' for full control over permissions.

4. Enter a name and description for the policy  
   - Element: **Policy Name** (text_input) — form fields section  
   - Notes: Policy names must be unique within the account.

5. Define the policy document using JSON format  
   - Element: **Policy Document** (text_input) — form fields section  
   - Notes: Use the JSON editor to write the policy statement. Example: `{"Version": "1", "Statement": [{"Effect": "Allow", "Action": "eventbridge:PutEvent", "Resource": "*"}]}`

6. Click **Preview** to validate the policy syntax  
   - Element: **Preview** (button) — bottom of form  
   - Notes: The preview checks for valid JSON and correct syntax.

7. Click **Create** to save the policy  
   - Element: **Create** (button) — bottom of form

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Policy Name | text | Yes | — | A unique name for the policy within the account. |
| Description | text | No | — | Optional description to explain the purpose of the policy. |
| Policy Type | dropdown | Yes | Custom Policy, System Policy | Choose whether to create a custom policy or use a predefined system policy. |
| Policy Document | text | Yes | — | JSON-formatted policy document defining permissions. Must follow IAM policy syntax. |

### Use RAM for Access Control

**Navigation**: Console > RAM > Users > Permissions > Create Permission Policy

**Prerequisites**:
- An Alibaba Cloud account with sufficient privileges to manage RAM resources
- Basic understanding of IAM concepts such as users, roles, and policies

1. Navigate to the RAM console  
   - Element: **RAM** (link) — left navigation panel

2. Go to the Permissions section  
   - Element: **Permissions** (menu) — left navigation panel

3. Click on **Create Permission Policy**  
   - Element: **Create Permission Policy** (button) — top-right corner  
   - Notes: Ensure you are in the correct region if multi-region support is available.

4. Define the policy name and description  
   - Element: **Policy Name** (text_input) — main content area  
   - Notes: Use a descriptive name like 'EventBridge-ReadOnly' or 'EventBridge-WriteAccess'.

5. Select the policy type as JSON  
   - Element: **Policy Type** (dropdown) — main content area  
   - Notes: Choose JSON to define custom permissions using a policy document.

6. Paste the JSON policy document into the editor  
   - Element: **Policy Document** (text_input) — main content area  
   - Notes: The policy should include actions like `eventbridge:PutEvents`, `eventbridge:DescribeEventBus`, etc., and specify the target EventBridge resource ARN.

7. Click **Confirm** to create the policy  
   - Element: **Confirm** (button) — bottom of the form

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Policy Name | text | Yes | — | A unique name for the permission policy. Must be unique within your Alibaba Cloud account. |
| Description | text | No | — | Optional description to help identify the purpose of the policy. |
| Policy Type | dropdown | Yes | System Policy, Custom Policy | Select whether the policy is predefined by Alibaba Cloud or custom-defined by the user. |
| Policy Document | text | Yes | — | The JSON-formatted policy document that defines the allowed actions and resources. Must follow RAM policy syntax. |
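The policy document that the Grant API Permissions step says must carry a resource ARN, the wildcard example in step 5 of Identity-based Policies, and the action list in step 6 above can be exercised with one tool. The following added Python example (not code from the original guide) lints a policy document for the structural problems the console's Preview rejects and for the least-privilege problems it does not, then evaluates a scoped policy against event-bus ARNs in two regions, which is why the FAQ says a `cn-hangzhou` grant does not reach a `cn-shanghai` bus. The ARN shape `acs:eventbridge:<region>:<account-id>:eventbus/<bus-name>` is the documented RAM resource format for EventBridge; the account ID `1234567890123456` and the bus names are constructed placeholders, and the wildcard document is the one quoted in step 5.

```python
"""Lint and evaluate Alibaba Cloud RAM policy documents for EventBridge.

Added example, not from the console guide. The ARN shape
acs:eventbridge:<region>:<account-id>:eventbus/<bus-name> is the documented
RAM resource format; the account ID 1234567890123456 and bus names are
constructed placeholders.
"""
import json
from fnmatch import fnmatchcase

# The wildcard policy quoted in the Identity-based Policies step (Resource "*").
WILDCARD_POLICY = ('{"Version": "1", "Statement": [{"Effect": "Allow", '
                   '"Action": "eventbridge:PutEvent", "Resource": "*"}]}')

# Constructed sample: the same grant scoped to a single bus in one region.
ORDERS_BUS_HANGZHOU = "acs:eventbridge:cn-hangzhou:1234567890123456:eventbus/orders-bus"
ORDERS_BUS_SHANGHAI = "acs:eventbridge:cn-shanghai:1234567890123456:eventbus/orders-bus"
SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["eventbridge:PutEvents"],
        "Resource": [ORDERS_BUS_HANGZHOU],
    }],
})


def _as_list(value):
    """RAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(doc):
    """Return a list of findings; an empty list means the document passed.

    The structural checks mirror what Preview rejects (invalid JSON, missing
    fields); the wildcard checks are what a reviewer adds on top of Preview.
    """
    try:
        policy = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1" for RAM policies')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
        if "Action" not in st or "Resource" not in st:
            findings.append(f"statement {i}: Action and Resource are required")
            continue
        actions = _as_list(st["Action"])
        for action in actions:
            if ":" not in action:
                findings.append(f"statement {i}: action {action!r} is not service:Operation")
        if st.get("Effect") == "Allow":
            if any(a in ("*", "eventbridge:*") for a in actions):
                findings.append(f"statement {i}: Allow grants every action")
            if "*" in _as_list(st["Resource"]):
                findings.append(f'statement {i}: Allow on Resource "*" covers every bus in '
                                "every region; scope it to an event-bus ARN")
    return findings


def resource_matches(pattern, arn):
    """Glob-match one policy Resource entry against a concrete ARN (case-sensitive)."""
    return fnmatchcase(arn, pattern)


def policy_allows(doc, action, arn):
    """Evaluate one action on one ARN: an explicit Deny wins, otherwise any matching Allow grants."""
    policy = json.loads(doc)
    allowed = False
    for st in policy["Statement"]:
        hits_action = any(fnmatchcase(action, a) for a in _as_list(st["Action"]))
        hits_resource = any(resource_matches(r, arn) for r in _as_list(st["Resource"]))
        if hits_action and hits_resource:
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    print(lint_policy(WILDCARD_POLICY))
    print(lint_policy(SCOPED_POLICY))
    print(policy_allows(SCOPED_POLICY, "eventbridge:PutEvents", ORDERS_BUS_HANGZHOU))
    print(policy_allows(SCOPED_POLICY, "eventbridge:PutEvents", ORDERS_BUS_SHANGHAI))
```

The second evaluation returns `False` because the region segment of the ARN is part of the match, so a bus in another region needs its own statement (or a deliberately region-wildcarded ARN that the lint would then surface for review). Paste the document into the console only after `lint_policy` returns an empty list.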

## FAQ

Q: Where do I find the Identity-based Policies page for EventBridge?
A: Navigate to the EventBridge console (https://eventbridge.console.aliyun.com), then click **Identity-based Policies** in the left navigation panel.

Q: What happens if I leave the Policy Document field empty when creating a RAM policy?
A: The policy creation will fail. The Policy Document is required and must contain a valid JSON-formatted policy that defines at least one permission statement.

Q: Can I modify a RAM user’s permissions after creation?
A: Yes. Go to Console > RAM > Users, select the user, and use the **Add Permissions** or **Remove Permissions** buttons in the Permissions tab to update their access.

Q: What permissions does a RAM user need to assume a cross-account role?
A: The RAM user must be granted the **AliyunSTSAssumeRoleAccess** system policy (or equivalent custom policy) to call the STS AssumeRole API.

Q: Do I need to create separate policies for EventBridge event buses in different regions?
A: Yes. Resource ARNs in policies include the region identifier, so a policy granting access to an event bus in `cn-hangzhou` will not apply to one in `cn-shanghai`. Create region-specific policies as needed.

## Pricing & Billing

### Billing Model
All RAM-related operations—including creating users, roles, groups, and policies—are free of charge.

### Free Tier
- No cost for creating or managing RAM policies, users, roles, or groups.
- Free tier includes up to 1000 RAM API calls per month.
- Up to 1000 RAM users, 100 RAM roles, and 50 user groups per Alibaba Cloud account.
- Up to 200 custom policies per account (applies to both RAM and EventBridge identity-based policies).

### Billing Notes
- RAM itself incurs no direct charges.
- Costs arise only when authorized users or roles perform actions on billable resources (e.g., publishing events to EventBridge).
- All usage charges are billed to the primary Alibaba Cloud account—not to individual RAM users.