
alibaba-ram-iam-review (listed)

Audit Alibaba Cloud RAM users, groups, roles, and policies; review STS token lifecycle and scope; assess Resource Directory permission boundaries; review Control Policy statements for org-wide gaps or over-privilege.
Raishin/vanguard-frontier-agentic · ★ 14 · DevOps & Infrastructure · score 83
Install: claude install-skill Raishin/vanguard-frontier-agentic
# Alibaba Cloud RAM IAM Review

## Purpose

Act as the RAM IAM reviewer who assumes every AdministratorAccess assignment, missing MFA binding, and overly broad Control Policy gap is a privilege escalation risk until proven otherwise.

## When to use

Use this skill for:

- RAM user inventory: active users, MFA status, AccessKey rotation age, console vs. API-only access
- RAM group and policy review: group membership, attached policies, inline vs. managed policy assessment
- RAM role review: role trust policies, attached permissions, cross-account trust configurations, and impersonation chain analysis
- STS (Security Token Service) token lifecycle: token validity period, scope, and application-level credential caching
- Resource Directory assessment: org tree structure, Control Policy (SCP equivalent) coverage, and member account permission boundaries
- Privilege escalation path analysis: roles that can assume other roles, policies that grant iam:* permissions, and AdministratorAccess bindings
- AccessKey lifecycle: keys older than 90 days with no rotation are stale risk; keys assigned to inactive users are critical findings

## Key Alibaba Cloud specifics

- RAM AdministratorAccess on any user, group, or role is a critical finding — it grants full control over all Alibaba Cloud resources in the account, equivalent to account root.
- Resource Directory creates an org tree. Control Policy (equivalent to AWS SCPs) overrides RAM policies in member accounts — a Control Policy that
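The user, AccessKey, policy and role-chain rules listed above can be expressed as plain checks over an inventory. The following is an added example, not code from the skill or from Alibaba Cloud: it runs the rules over a constructed inventory shaped like the fields a RAM user/key/policy/role export would carry (the user names, key ids, policy names and role names are invented), pins the review date so the key ages are reproducible, and walks AssumeRole trust edges breadth-first to find a path from a user to a role carrying AdministratorAccess. Two assumptions to note: Alibaba Cloud RAM actions live under the `ram:` prefix (the skill text writes `iam:*`), so the escalation check matches `ram:*`-style actions; and the role trust edges use a simplified `user/<name>` / `role/<name>` label rather than the real trust-policy principal syntax.

```python
"""Offline RAM posture review over a constructed inventory (added example, not the skill's code)."""
from datetime import date
from fnmatch import fnmatchcase

TODAY = date(2024, 6, 1)   # pinned review date so key ages are reproducible
STALE_KEY_DAYS = 90        # rotation threshold stated by the skill

# RAM actions that let a principal widen its own or another principal's rights.
ESCALATION_ACTIONS = (
    "ram:AttachPolicyToUser", "ram:AttachPolicyToGroup", "ram:AttachPolicyToRole",
    "ram:AddUserToGroup", "ram:CreateAccessKey", "ram:CreateLoginProfile",
    "ram:CreatePolicyVersion", "ram:UpdateRole",
)

# --- constructed inventory: no real accounts, keys or policies ---------------
POLICIES = {
    "AdministratorAccess": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    "OSSRead": [{"Effect": "Allow", "Action": ["oss:Get*", "oss:List*"], "Resource": "*"}],
    "HelpdeskIam": [{"Effect": "Allow", "Action": ["ram:Get*", "ram:CreateAccessKey"], "Resource": "*"}],
}
USERS = [
    {"name": "alice", "status": "Active", "console": True, "mfa": True,
     "policies": ["OSSRead"], "keys": [{"id": "KEY-EXAMPLE-1", "created": date(2024, 5, 10)}]},
    {"name": "bob", "status": "Active", "console": True, "mfa": False,
     "policies": ["AdministratorAccess"], "keys": []},
    {"name": "helpdesk", "status": "Active", "console": False, "mfa": False,
     "policies": ["HelpdeskIam"], "keys": [{"id": "KEY-EXAMPLE-2", "created": date(2023, 11, 1)}]},
    {"name": "ex-contractor", "status": "Inactive", "console": False, "mfa": False,
     "policies": [], "keys": [{"id": "KEY-EXAMPLE-3", "created": date(2024, 5, 20)}]},
]
# "trusts" is a simplified label ("user/<name>", "role/<name>"), not real trust-policy syntax.
ROLES = [
    {"name": "deployer", "trusts": ["user/helpdesk"], "policies": ["OSSRead"]},
    {"name": "break-glass", "trusts": ["role/deployer"], "policies": ["AdministratorAccess"]},
]


def _actions(statement):
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def policy_escalation_actions(statements):
    """Escalation actions an Allow statement covers; a bare '*' covers all of them."""
    hit = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        for pattern in _actions(st):
            hit.update(a for a in ESCALATION_ACTIONS if fnmatchcase(a, pattern))
    return sorted(hit)


def review_users(users, policies, today=TODAY):
    """Apply the user / MFA / policy / AccessKey rules; returns (severity, subject, detail) tuples."""
    findings = []
    for u in users:
        if "AdministratorAccess" in u["policies"]:
            findings.append(("critical", u["name"], "AdministratorAccess bound to user"))
        if u["console"] and not u["mfa"]:
            findings.append(("high", u["name"], "console login without MFA"))
        for name in u["policies"]:
            esc = policy_escalation_actions(policies.get(name, []))
            if esc and name != "AdministratorAccess":   # already reported as critical above
                findings.append(("high", u["name"], f"policy {name} grants {', '.join(esc)}"))
        for k in u["keys"]:
            age = (today - k["created"]).days
            if u["status"] != "Active":
                findings.append(("critical", k["id"], f"AccessKey on inactive user {u['name']}"))
            elif age > STALE_KEY_DAYS:
                findings.append(("medium", k["id"], f"AccessKey not rotated for {age} days"))
    return findings


def admin_reachable_from(principal, roles):
    """Breadth-first walk over AssumeRole trust edges; returns the path to an admin role or None."""
    by_trust = {}
    for r in roles:
        for t in r["trusts"]:
            by_trust.setdefault(t, []).append(r)
    frontier, seen = [(principal, [principal])], {principal}
    while frontier:
        node, path = frontier.pop(0)
        for r in by_trust.get(node, []):
            label = "role/" + r["name"]
            if "AdministratorAccess" in r["policies"]:
                return path + [label]
            if label not in seen:
                seen.add(label)
                frontier.append((label, path + [label]))
    return None


if __name__ == "__main__":
    for sev, subject, detail in review_users(USERS, POLICIES):
        print(f"[{sev:8}] {subject}: {detail}")
    for u in USERS:
        path = admin_reachable_from("user/" + u["name"], ROLES)
        if path:
            print(f"[critical] {' -> '.join(path)} reaches AdministratorAccess")
```

On the constructed inventory this reports `bob` twice (AdministratorAccess, no MFA), `helpdesk` once for a policy that grants `ram:CreateAccessKey`, the 213-day-old key as stale, the key on the inactive contractor as critical, and the chain `user/helpdesk -> role/deployer -> role/break-glass` as a route to AdministratorAccess that none of the per-user rules would catch on their own, which is why the role-chain walk belongs in the same review.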