Trusted services are Alibaba Cloud services that you can use with Resource Directory. Resource Directory allows trusted services to access information in your resource directory, such as members and folders. You can use a management account or a delegated administrator account of a trusted service to manage business operations based on your organization. This simplifies the unified management of your enterprise cloud services. For example, after you integrate Cloud Config with Resource Directory, the management account can view the resource lists, configuration history, and compliance status of all members in Cloud Config. The account can also monitor resource configuration compliance.
How to use a trusted service
You can use a trusted service in its console or by calling its API operations. The following steps describe how to use a trusted service in its console.
1. In the Resource Management console, use the management account to enable Resource Directory.
   For more information, see Enable a resource directory.
2. In the Resource Management console, use the management account to set up your enterprise's organizational structure. You can create members or invite existing Alibaba Cloud accounts to join your organization.
   For more information, see Create a folder, Create a member, and Invite an Alibaba Cloud account to join a resource directory.
3. (Optional) In the Resource Management console, use the management account to set a member as the delegated administrator account for a trusted service.
   If you do not set a delegated administrator account for the trusted service, you must use the management account to manage business operations in the trusted service.
   For more information about how to set a delegated administrator account, see Add a delegated administrator account.
   Note: This step applies only to trusted services that support delegated administrator accounts.
4. In the console of the trusted service, use the management account or the delegated administrator account to enable the multi-account management feature. Then, select the members that you want to manage based on the organizational structure of your resource directory, and manage the business operations for the selected members.
   The operations vary based on the trusted service. For more information, see the References column in the Supported trusted services section.
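The optional step above has a governance consequence: for every enabled trusted service that supports delegation but has no delegated administrator, day-to-day operations must be performed with the management account, which is the most privileged account in the resource directory. The following script is an added example (not code from the Alibaba Cloud documentation) that audits that condition. It works on two dicts constructed to mimic the shape of the Resource Manager API responses ListTrustedServiceStatus and ListDelegatedAdministrators as assumed here; in practice you would fetch those responses with the SDK under the management account and feed them to audit(). The account IDs and display names are constructed sample values, and the support table is a subset of the table on this page.

```python
"""Audit enabled trusted services against registered delegated administrators.

Added example; not code from the Alibaba Cloud documentation.
Assumption: the two sample responses below follow the field layout of
ListTrustedServiceStatus and ListDelegatedAdministrators (assumed shape).
"""
from typing import Dict, List

# Trusted service identifiers from this page's table and whether the
# service supports delegated administrator accounts (subset of the table).
SUPPORTS_DELEGATED_ADMIN: Dict[str, bool] = {
    "config.aliyuncs.com": True,
    "actiontrail.aliyuncs.com": True,
    "sas.aliyuncs.com": True,
    "cloudfw.aliyuncs.com": True,
    "resourcesharing.aliyuncs.com": False,
    "quotas.aliyuncs.com": False,
}

# Constructed sample: what ListTrustedServiceStatus returns (assumed shape).
TRUSTED_SERVICE_STATUS = {
    "EnabledServicePrincipals": {
        "EnabledServicePrincipal": [
            {"ServicePrincipal": "config.aliyuncs.com", "EnableTime": "2024-01-10T08:00:00Z"},
            {"ServicePrincipal": "actiontrail.aliyuncs.com", "EnableTime": "2024-01-11T08:00:00Z"},
            {"ServicePrincipal": "resourcesharing.aliyuncs.com", "EnableTime": "2024-02-01T08:00:00Z"},
        ]
    }
}

# Constructed sample: what ListDelegatedAdministrators returns (assumed shape).
# Account IDs are made-up 16-digit placeholders.
DELEGATED_ADMINS = {
    "Accounts": {
        "Account": [
            {"AccountId": "1000000000000001", "ServicePrincipal": "config.aliyuncs.com",
             "DisplayName": "security-tooling"},
            {"AccountId": "1000000000000002", "ServicePrincipal": "sas.aliyuncs.com",
             "DisplayName": "security-ops"},
        ]
    }
}


def enabled_services(status: dict) -> List[str]:
    """Service principals that are currently enabled in the resource directory."""
    return [e["ServicePrincipal"]
            for e in status["EnabledServicePrincipals"]["EnabledServicePrincipal"]]


def delegated_map(admins: dict) -> Dict[str, List[str]]:
    """Map each service principal to the account IDs registered as its delegated admin."""
    out: Dict[str, List[str]] = {}
    for acct in admins["Accounts"]["Account"]:
        out.setdefault(acct["ServicePrincipal"], []).append(acct["AccountId"])
    return out


def audit(status: dict, admins: dict,
          support: Dict[str, bool] = SUPPORTS_DELEGATED_ADMIN) -> List[str]:
    """Return human-readable findings; an empty list means nothing to act on."""
    findings: List[str] = []
    enabled = enabled_services(status)
    delegated = delegated_map(admins)

    for svc in enabled:
        if svc not in support:
            findings.append(f"{svc}: not in the known trusted-service table; review manually")
        elif support[svc] and svc not in delegated:
            # The page's rule: without a delegated administrator, the management
            # account has to operate the service day to day.
            findings.append(f"{svc}: enabled but has no delegated administrator; "
                            "the management account must be used for its operations")

    for svc, accounts in delegated.items():
        if svc not in enabled:
            # Stale delegation: an account keeps an administrative mapping for a
            # service that is no longer enabled in the directory.
            findings.append(f"{svc}: delegated administrator(s) {accounts} registered "
                            "but the service is not enabled")
    return findings


if __name__ == "__main__":
    for line in audit(TRUSTED_SERVICE_STATUS, DELEGATED_ADMINS):
        print(line)
```

With the constructed sample data the audit reports two findings: ActionTrail is enabled with no delegated administrator, and Security Center has a delegated administrator registered although the service is not enabled. Services such as Resource Sharing that do not support delegation are deliberately not reported.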
Supported trusted services
Trusted service | Trusted service identifier | Description | Supports delegated administrator accounts | References |
Cloud Config | config.aliyuncs.com | After you integrate Cloud Config with Resource Directory, the management account can view the resource lists, configuration history, and compliance status of all members in Cloud Config. The account can also monitor resource configuration compliance. | Yes | |
ActionTrail | actiontrail.aliyuncs.com | After you integrate ActionTrail with Resource Directory, the management account can create multi-account trails in ActionTrail. A multi-account trail delivers the events of all members in a resource directory to an Object Storage Service (OSS) bucket or a Simple Log Service (SLS) Logstore. | Yes | |
Security Center | sas.aliyuncs.com | After you integrate Security Center with Resource Directory, Security Center provides a unified interface to display security risks detected for all members in your enterprise. | Yes | |
Cloud Firewall | cloudfw.aliyuncs.com | After you integrate Cloud Firewall with Resource Directory, you can centrally manage assets that are assigned public IP addresses across multiple accounts, configure defense policies, and view log analysis results. This implements centralized security control. | Yes | |
DCDN | multiaccount.dcdn.aliyuncs.com | After you integrate DCDN with Resource Directory, DCDN provides a multi-account management feature to unify the management of domain name resources that belong to different accounts and products. | No | None |
Hybrid Cloud Monitoring | cloudmonitor.aliyuncs.com | Integrate Hybrid Cloud Monitoring with Resource Directory to easily monitor resources across your enterprise's Alibaba Cloud accounts. | Yes | |
CloudSSO | cloudsso.aliyuncs.com | The management account can use CloudSSO to centrally manage users of Alibaba Cloud in your enterprise, configure single sign-on (SSO) between your enterprise identity management system and Alibaba Cloud, and configure user access permissions on members in your resource directory. | Yes | |
Log Audit Service | audit.log.aliyuncs.com | Log Audit Service supports automated and centralized collection of cloud product logs in a multi-account environment for log audit and analysis. | Yes | |
Resource Orchestration Service | ros.aliyuncs.com | The management account can deploy cloud resources that a system depends on for members of a resource directory with a single click. This meets the need for centralized resource management in a multi-account environment. | Yes | |
Resource Sharing | resourcesharing.aliyuncs.com | After the management account enables resource sharing for an organization, it can share cloud resources with specified members, specified folders, or the entire resource directory. New members added to a folder or resource directory automatically get access to the shared resources. Members removed from a folder or resource directory automatically lose access to the shared resources. | No | |
Cloud Governance Center | governance.aliyuncs.com | The management account can use Cloud Governance Center to view the resource distribution and trends of all members in an enterprise, configure compliance audit protection rules, and deliver audit logs. | No | |
Tag | tag.aliyuncs.com | The management account can enable the multi-account mode for tag policies to standardize tag operations for members in the resource directory. | Yes | |
Service Catalog | servicecatalog.aliyuncs.com | Share product portfolios in Service Catalog with multiple members in your resource directory. If the configurations of the product portfolios are changed, the changes are synchronized to the shared members in real time. This greatly improves management efficiency. | Yes | |
Quota Center | quotas.aliyuncs.com | Create a quota template to automatically submit quota applications for new members when they are added to your resource directory. | No | |
Network Intelligence Service (NIS) | nis.aliyuncs.com | Lets you centrally view and analyze network products across your enterprise's multiple accounts. | Yes | |
Resource Center | resourcecenter.aliyuncs.com | Resource Center provides a unified view and search capability for resources across accounts, products, and regions. | Yes | |
Message Center | messagecenter.aliyuncs.com | Lets you manage message contacts for multiple accounts in your enterprise. | No | |
Carbon Footprint | energy.aliyuncs.com | Lets the management account view the greenhouse gas emission data from cloud resources across all of your enterprise's Alibaba Cloud accounts in a unified interface. | Yes | |
Web Application Firewall 3.0 | waf.aliyuncs.com | Lets you centrally access cloud product resources in member accounts. This lets you add the resources to WAF and configure unified security policies. | Yes | |
Anti-DDoS Origin | ddosbgp.aliyuncs.com | Lets you share Anti-DDoS instances among multiple accounts. | Yes | |
Bastionhost | bastionhost.aliyuncs.com | Lets you use a single bastion host to centrally manage assets across multiple Alibaba Cloud accounts. This helps implement unified O&M and control. | Yes | |
Data Security Center | sddp.aliyuncs.com | Manage data assets across multiple Alibaba Cloud accounts. Aggregate, view, and manage classification results, data asset risks, and threat events to improve security operation efficiency. | Yes | |
Prometheus Service | prometheus.aliyuncs.com | Supports unified monitoring of Prometheus instances across multiple accounts in your enterprise. | Yes | Use a global aggregation instance of Prometheus for unified multi-account monitoring |
Enable or disable a trusted service
You can enable or disable a trusted service in the service's console or by calling its API operations. For more information, see the documentation for the specific service.
In the navigation pane on the left of the Resource Management console, choose
to view the status of trusted services. However, you cannot enable or disable trusted services in the Resource Management console.
Some trusted services are automatically enabled when you perform specific operations. For example, a service is enabled when you create a multi-account trail in ActionTrail or view resources related to Resource Directory in the service for the first time.
Some trusted services are automatically disabled when you perform specific operations, such as turning off a feature. When a trusted service is disabled, it can no longer access the accounts and resources in your resource directory. In addition, all resources related to the integration with Resource Directory are deleted from the service.
Trusted services and service-linked roles
Resource Directory creates its service-linked role, AliyunServiceRoleForResourceDirectory, for each member. This role grants Resource Directory the permissions to create the roles that are required by trusted services. Only Resource Directory can assume this role. For more information, see RAM roles in a resource directory.
A trusted service creates its service-linked role, such as AliyunServiceRoleForConfig for Cloud Config, only for the members that are used to perform administrative operations. This role defines the permissions that the trusted service requires to perform specific tasks. Only the corresponding trusted service can assume this role.
The access policy of a service-linked role is defined and used by the corresponding Alibaba Cloud service. You cannot modify or delete the access policy. You also cannot attach policies to or detach policies from a service-linked role. For more information, see Service-linked roles.
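The guarantee that "only the corresponding trusted service can assume this role" is expressed in the role's trust policy (the AssumeRolePolicyDocument), which for a service-linked role names a single service principal and no RAM users or roles. The following added example (not code from the documentation) checks a trust policy against the principal a service-linked role is expected to trust, so a reviewer can confirm that a role carrying a service-linked name really is assumable only by its service. It assumes that the trust policy for AliyunServiceRoleForConfig names the Cloud Config identifier from the table, config.aliyuncs.com, as its service principal; the two policy documents are constructed samples in Alibaba Cloud RAM policy format, the second one deliberately widened to show what the check flags.

```python
"""Verify that a service-linked role's trust policy admits only its own service.

Added example; not code from the Alibaba Cloud documentation.
Assumption: the expected principal for AliyunServiceRoleForConfig is the
trusted service identifier config.aliyuncs.com listed on this page.
"""
import json
from typing import Dict, List, Set, Tuple

# Role name -> service principal that should be the only assumer (assumed mapping).
EXPECTED_PRINCIPAL: Dict[str, str] = {
    "AliyunServiceRoleForConfig": "config.aliyuncs.com",
}

# Constructed sample: a well-formed service-linked-role trust policy.
GOOD_TRUST_POLICY = json.dumps({
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"Service": ["config.aliyuncs.com"]},
    }],
    "Version": "1",
})

# Constructed sample: the same document widened to trust an extra service and a
# RAM principal. A genuine service-linked role cannot be edited this way, so
# seeing this means the role is not the service-linked role it is named after.
BAD_TRUST_POLICY = json.dumps({
    "Statement": [
        {"Action": ["sts:AssumeRole"], "Effect": "Allow",
         "Principal": {"Service": ["config.aliyuncs.com", "actiontrail.aliyuncs.com"]}},
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"RAM": ["acs:ram::1000000000000009:root"]}},
    ],
    "Version": "1",
})


def _as_list(value) -> List[str]:
    """RAM policies allow a string or a list in Action and Principal fields."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def assumers(policy_json: str) -> Tuple[Set[str], Set[str]]:
    """Return (service principals, RAM principals) granted sts:AssumeRole."""
    doc = json.loads(policy_json)
    services: Set[str] = set()
    ram: Set[str] = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not ({"sts:assumerole", "sts:*", "*"} & actions):
            continue
        principal = stmt.get("Principal", {})
        services.update(_as_list(principal.get("Service")))
        ram.update(_as_list(principal.get("RAM")))
    return services, ram


def check_service_linked_role(role_name: str, policy_json: str,
                              expected: Dict[str, str] = EXPECTED_PRINCIPAL) -> List[str]:
    """List deviations from 'only the corresponding service can assume this role'."""
    problems: List[str] = []
    want = expected.get(role_name)
    if want is None:
        return [f"{role_name}: no expected service principal configured"]
    services, ram = assumers(policy_json)
    if want not in services:
        problems.append(f"{role_name}: expected service principal {want} is not trusted")
    for extra in sorted(services - {want}):
        problems.append(f"{role_name}: unexpected service principal {extra}")
    for p in sorted(ram):
        problems.append(f"{role_name}: RAM principal {p} can assume a service-linked role")
    return problems


if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("bad", BAD_TRUST_POLICY)):
        print(name, check_service_linked_role("AliyunServiceRoleForConfig", doc) or "OK")
```

The check accepts the first document and reports three problems for the second: the extra ActionTrail service principal and the RAM principal, each of which would let something other than Cloud Config assume the role. Because the page states that service-linked role policies cannot be modified, a role that fails this check is not the service-linked role it is named after and should be treated as a custom role under review.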