diff --git a/docs/AGENTS.md b/docs/AGENTS.md index 47e24d419d..2f9efd405d 100644 --- a/docs/AGENTS.md +++ b/docs/AGENTS.md @@ -479,6 +479,66 @@ Effective headers and section titles enhance document readability and structure, --- +## Version Badge for Feature Documentation + +The Version Badge component indicates when a specific feature or functionality was introduced in Prowler. This component is located at `docs/snippets/version-badge.mdx` and should be used consistently across the documentation. + +### When to Use the Version Badge + +Use the Version Badge when documenting: + +* New features added in a specific version. +* New CLI options or flags. +* New API endpoints or SDK methods. +* New compliance frameworks or security checks. +* Breaking changes or deprecated features (with appropriate context). + +### How to Use the Version Badge + +1. **Import the Component** + + At the top of the MDX file, import the snippet: + + ```mdx + import { VersionBadge } from "/snippets/version-badge.mdx" + ``` + +2. **Place the Badge** + + Insert the badge immediately after the section header or feature title: + + ```mdx + ## New Feature Name + + + + Description of the feature... + ``` + +3. **Version Format** + + Use semantic versioning format (e.g., `4.5.0`, `5.0.0`). Do not include the "v" prefix. + +### Placement Guidelines + +* Place the Version Badge on its own line, directly below the header. +* Leave a blank line after the badge before continuing with the content. +* For subsections, place the badge only if the subsection introduces something new independently from the parent section. + +**Example:** + +```mdx +## Tag-Based Scanning + +import { VersionBadge } from "/snippets/version-badge.mdx" + + + +Tag-Based Scanning allows filtering resources by AWS tags during security assessments... +``` + +--- + ## Avoid Assumptions Regarding Audience’s Expertise ### Understand Your Audience’s Expertise 
diff --git a/docs/developer-guide/alibabacloud-details.mdx b/docs/developer-guide/alibabacloud-details.mdx new file mode 100644 index 0000000000..4c21e17b29 --- /dev/null +++ b/docs/developer-guide/alibabacloud-details.mdx 
@@ -0,0 +1,212 @@ +--- +title: 'Alibaba Cloud Provider' +--- + +This page details the [Alibaba Cloud](https://www.alibabacloud.com/) provider implementation in Prowler. + +By default, Prowler will audit all the Alibaba Cloud regions that are available. To configure it, follow the [Alibaba Cloud getting started guide](/user-guide/providers/alibabacloud/getting-started-alibabacloud). + +## Alibaba Cloud Provider Classes Architecture + +The Alibaba Cloud provider implementation follows the general [Provider structure](/developer-guide/provider). This section focuses on the Alibaba Cloud-specific implementation, highlighting how the generic provider concepts are realized for Alibaba Cloud in Prowler. For a full overview of the provider pattern, base classes, and extension guidelines, see [Provider documentation](/developer-guide/provider). + +### Main Class + +- **Location:** [`prowler/providers/alibabacloud/alibabacloud_provider.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/alibabacloud/alibabacloud_provider.py) +- **Base Class:** Inherits from `Provider` (see [base class details](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/common/provider.py)). +- **Purpose:** Central orchestrator for Alibaba Cloud-specific logic, session management, credential validation, and configuration. +- **Key Alibaba Cloud Responsibilities:** + - Initializes and manages Alibaba Cloud sessions (supports Access Keys, STS Temporary Credentials, RAM Role Assumption, ECS RAM Role, OIDC Authentication, and Credentials URI). + - Validates credentials using STS GetCallerIdentity. + - Loads and manages configuration, mutelist, and fixer settings. + - Discovers and manages Alibaba Cloud regions. + - Provides properties and methods for downstream Alibaba Cloud service classes to access session, identity, and configuration data. 
+ +### Data Models + +- **Location:** [`prowler/providers/alibabacloud/models.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/alibabacloud/models.py) +- **Purpose:** Define structured data for Alibaba Cloud identity, session, credentials, and region info. +- **Key Alibaba Cloud Models:** + - `AlibabaCloudCallerIdentity`: Stores caller identity information from STS GetCallerIdentity (account_id, principal_id, arn, identity_type). + - `AlibabaCloudIdentityInfo`: Holds Alibaba Cloud identity metadata including account ID, user info, profile, and audited regions. + - `AlibabaCloudCredentials`: Stores credentials (access_key_id, access_key_secret, security_token). + - `AlibabaCloudRegion`: Represents an Alibaba Cloud region with region_id and region_name. + - `AlibabaCloudSession`: Manages the session and provides methods to create service clients. + +### `AlibabaCloudService` (Service Base Class) + +- **Location:** [`prowler/providers/alibabacloud/lib/service/service.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/alibabacloud/lib/service/service.py) +- **Purpose:** Abstract base class that all Alibaba Cloud service-specific classes inherit from. This implements the generic service pattern (described in [service page](/developer-guide/services#service-base-class)) specifically for Alibaba Cloud. +- **Key Alibaba Cloud Responsibilities:** + - Receives an `AlibabacloudProvider` instance to access session, identity, and configuration. + - Manages regional clients for services that are region-specific. + - Provides `__threading_call__` method to make API calls in parallel by region or resource. + - Exposes common audit context (`audited_account`, `audited_account_name`, `audit_resources`, `audit_config`) to subclasses. 
+ +### Exception Handling + +- **Location:** [`prowler/providers/alibabacloud/exceptions/exceptions.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/alibabacloud/exceptions/exceptions.py) +- **Purpose:** Custom exception classes for Alibaba Cloud-specific error handling. +- **Key Alibaba Cloud Exceptions:** + - `AlibabaCloudClientError`: General client errors + - `AlibabaCloudNoCredentialsError`: No credentials found + - `AlibabaCloudInvalidCredentialsError`: Invalid credentials provided + - `AlibabaCloudSetUpSessionError`: Session setup failures + - `AlibabaCloudAssumeRoleError`: RAM role assumption failures + - `AlibabaCloudInvalidRegionError`: Invalid region specified + - `AlibabaCloudHTTPError`: HTTP/API errors + +### Session and Utility Helpers + +- **Location:** [`prowler/providers/alibabacloud/lib/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/alibabacloud/lib/) +- **Purpose:** Helpers for argument parsing, mutelist management, and other cross-cutting concerns. + +## Specific Patterns in Alibaba Cloud Services + +The generic service pattern is described in [service page](/developer-guide/services#service-structure-and-initialisation). You can find all the currently implemented services in the following locations: + +- Directly in the code, in location [`prowler/providers/alibabacloud/services/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/alibabacloud/services) +- In the [Prowler Hub](https://hub.prowler.com/) for a more human-readable view. + +The best reference to understand how to implement a new service is following the [service implementation documentation](/developer-guide/services#adding-a-new-service) and taking other services already implemented as reference. In next subsection you can find a list of common patterns that are used across all Alibaba Cloud services. 
+ +### Alibaba Cloud Service Common Patterns + +- Services communicate with Alibaba Cloud using the official Alibaba Cloud Python SDKs. Documentation for individual services can be found in the [Alibaba Cloud SDK documentation](https://www.alibabacloud.com/help/en/sdk). +- Every Alibaba Cloud service class inherits from `AlibabaCloudService`, ensuring access to session, identity, configuration, and client utilities. +- The constructor (`__init__`) always calls `super().__init__` with the service name, provider, and optionally `global_service=True` for services that are not regional (e.g., RAM). +- Resource containers **must** be initialized in the constructor. For regional services, resources are typically stored in dictionaries keyed by region and resource ID. +- All Alibaba Cloud resources are represented as Pydantic `BaseModel` classes, providing type safety and structured access to resource attributes. +- Alibaba Cloud SDK functions are wrapped in try/except blocks, with specific handling for errors, always logging errors. +- Regional services use `self.regional_clients` to maintain clients for each audited region. +- The `__threading_call__` method is used for parallel execution across regions or resources. 
+ +### Example Service Implementation + +```python +from prowler.lib.logger import logger +from prowler.providers.alibabacloud.lib.service.service import AlibabaCloudService + + +class MyService(AlibabaCloudService): + def __init__(self, provider): + # Initialize parent class with service name + super().__init__("myservice", provider) + + # Initialize resource containers + self.resources = {} + + # Discover resources using threading + self.__threading_call__(self._describe_resources) + + def _describe_resources(self, regional_client): + try: + region = regional_client.region + response = regional_client.describe_resources() + + for resource in response.body.resources: + self.resources[resource.id] = MyResource( + id=resource.id, + name=resource.name, + region=region, + # ... other attributes + ) + except Exception as error: + logger.error( + f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" + ) +``` + +## Specific Patterns in Alibaba Cloud Checks + +The Alibaba Cloud checks pattern is described in [checks page](/developer-guide/checks). You can find all the currently implemented checks: + +- Directly in the code, within each service folder, each check has its own folder named after the name of the check. (e.g. [`prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/alibabacloud/services/ram/ram_no_root_access_key)) +- In the [Prowler Hub](https://hub.prowler.com/) for a more human-readable view. + +The best reference to understand how to implement a new check is following the [check implementation documentation](/developer-guide/checks#creating-a-check) and taking other similar checks as reference. + +### Check Report Class + +The `CheckReportAlibabaCloud` class models a single finding for an Alibaba Cloud resource in a check report. 
It is defined in [`prowler/lib/check/models.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/lib/check/models.py) and inherits from the generic `Check_Report` base class. + +#### Purpose + +`CheckReportAlibabaCloud` extends the base report structure with Alibaba Cloud-specific fields, enabling detailed tracking of the resource, resource ID, ARN, and region associated with each finding. + +#### Constructor and Attribute Population + +When you instantiate `CheckReportAlibabaCloud`, you must provide the check metadata and a resource object. The class will attempt to automatically populate its Alibaba Cloud-specific attributes from the resource, using the following logic: + +- **`resource_id`**: + - Uses `resource.id` if present. + - Otherwise, uses `resource.name` if present. + - Defaults to an empty string if not available. + +- **`resource_arn`**: + - Uses `resource.arn` if present. + - Defaults to an empty string if not available. + +- **`region`**: + - Uses `resource.region` if present. + - Defaults to an empty string if not available. + +If the resource object does not contain the required attributes, you must set them manually in the check logic. + +Other attributes are inherited from the `Check_Report` class, from which you **always** have to set the `status` and `status_extended` attributes in the check logic. 
+ +#### Example Usage + +```python +from prowler.lib.check.models import Check, CheckReportAlibabaCloud +from prowler.providers.alibabacloud.services.myservice.myservice_client import myservice_client + + +class myservice_example_check(Check): + def execute(self) -> list[CheckReportAlibabaCloud]: + findings = [] + + for resource in myservice_client.resources.values(): + report = CheckReportAlibabaCloud( + metadata=self.metadata(), + resource=resource + ) + report.region = resource.region + report.resource_id = resource.id + report.resource_arn = f"acs:myservice::{myservice_client.audited_account}:resource/{resource.id}" + + if resource.is_compliant: + report.status = "PASS" + report.status_extended = f"Resource {resource.name} is compliant." + else: + report.status = "FAIL" + report.status_extended = f"Resource {resource.name} is not compliant." + + findings.append(report) + + return findings +``` + +## Authentication Methods + +The Alibaba Cloud provider supports multiple authentication methods, prioritized in the following order: + +1. **Credentials URI** - Retrieve credentials from an external URI endpoint +2. **OIDC Role Authentication** - For applications running in ACK with RRSA enabled +3. **ECS RAM Role** - For ECS instances with attached RAM roles +4. **RAM Role Assumption** - Cross-account access with role assumption +5. **STS Temporary Credentials** - Pre-obtained temporary credentials +6. **Permanent Access Keys** - Static access key credentials +7. **Default Credential Chain** - Automatic credential discovery + +For detailed authentication configuration, see the [Authentication documentation](/user-guide/providers/alibabacloud/authentication). + +## Regions + +Alibaba Cloud has multiple regions across the globe. By default, Prowler audits all available regions. 
You can specify specific regions using the `--regions` CLI argument: + +```bash +prowler alibabacloud --regions cn-hangzhou cn-shanghai +``` + +The list of supported regions is maintained in [`prowler/providers/alibabacloud/config.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/alibabacloud/config.py). diff --git a/docs/docs.json b/docs/docs.json index c25a4f363a..65cf7d3070 100644 --- a/docs/docs.json +++ b/docs/docs.json @@ -294,6 +294,7 @@ "developer-guide/aws-details", "developer-guide/azure-details", "developer-guide/gcp-details", + "developer-guide/alibabacloud-details", "developer-guide/kubernetes-details", "developer-guide/m365-details", "developer-guide/github-details", diff --git a/docs/images/cli/add-cloud-provider.png b/docs/images/cli/add-cloud-provider.png index dd42e73047..d8f19b2054 100644 Binary files a/docs/images/cli/add-cloud-provider.png and b/docs/images/cli/add-cloud-provider.png differ diff --git a/docs/images/cli/cloud-providers-page.png b/docs/images/cli/cloud-providers-page.png index 0581e0132f..dcbce73a10 100644 Binary files a/docs/images/cli/cloud-providers-page.png and b/docs/images/cli/cloud-providers-page.png differ diff --git a/docs/images/providers/add-alibaba-account-id.png b/docs/images/providers/add-alibaba-account-id.png new file mode 100644 index 0000000000..2e49f995cc Binary files /dev/null and b/docs/images/providers/add-alibaba-account-id.png differ diff --git a/docs/images/providers/alibaba-account-id.png b/docs/images/providers/alibaba-account-id.png new file mode 100644 index 0000000000..89e79b1f20 Binary files /dev/null and b/docs/images/providers/alibaba-account-id.png differ diff --git a/docs/images/providers/alibaba-connect-via-credentials-static.png b/docs/images/providers/alibaba-connect-via-credentials-static.png new file mode 100644 index 0000000000..f9b9a00ee6 Binary files /dev/null and b/docs/images/providers/alibaba-connect-via-credentials-static.png differ 
diff --git a/docs/images/providers/alibaba-connect-via-credentials.png b/docs/images/providers/alibaba-connect-via-credentials.png new file mode 100644 index 0000000000..f9b9a00ee6 Binary files /dev/null and b/docs/images/providers/alibaba-connect-via-credentials.png differ diff --git a/docs/images/providers/alibaba-credentials-form.png b/docs/images/providers/alibaba-credentials-form.png new file mode 100644 index 0000000000..3cefc0253c Binary files /dev/null and b/docs/images/providers/alibaba-credentials-form.png differ diff --git a/docs/images/providers/alibaba-get-role-arn.png b/docs/images/providers/alibaba-get-role-arn.png new file mode 100644 index 0000000000..d95822a18e Binary files /dev/null and b/docs/images/providers/alibaba-get-role-arn.png differ diff --git a/docs/images/providers/alibaba-ram-role-overview.png b/docs/images/providers/alibaba-ram-role-overview.png new file mode 100644 index 0000000000..a9420d0749 Binary files /dev/null and b/docs/images/providers/alibaba-ram-role-overview.png differ diff --git a/docs/images/providers/launch-scan-alibaba.png b/docs/images/providers/launch-scan-alibaba.png new file mode 100644 index 0000000000..324e1334c4 Binary files /dev/null and b/docs/images/providers/launch-scan-alibaba.png differ diff --git a/docs/images/providers/select-alibaba-cloud.png b/docs/images/providers/select-alibaba-cloud.png new file mode 100644 index 0000000000..8b65931472 Binary files /dev/null and b/docs/images/providers/select-alibaba-cloud.png differ diff --git a/docs/images/providers/select-auth-method-alibaba.png b/docs/images/providers/select-auth-method-alibaba.png new file mode 100644 index 0000000000..ffd0083bf0 Binary files /dev/null and b/docs/images/providers/select-auth-method-alibaba.png differ 
diff --git a/docs/images/prowler-app/add-cloud-provider.png b/docs/images/prowler-app/add-cloud-provider.png index dd42e73047..d8f19b2054 100644 Binary files a/docs/images/prowler-app/add-cloud-provider.png and b/docs/images/prowler-app/add-cloud-provider.png differ diff --git a/docs/images/prowler-app/cloud-providers-page.png b/docs/images/prowler-app/cloud-providers-page.png index 0581e0132f..dcbce73a10 100644 Binary files a/docs/images/prowler-app/cloud-providers-page.png and b/docs/images/prowler-app/cloud-providers-page.png differ diff --git a/docs/user-guide/cli/img/add-cloud-provider.png b/docs/user-guide/cli/img/add-cloud-provider.png index dd42e73047..d8f19b2054 100644 Binary files a/docs/user-guide/cli/img/add-cloud-provider.png and b/docs/user-guide/cli/img/add-cloud-provider.png differ diff --git a/docs/user-guide/cli/img/cloud-providers-page.png b/docs/user-guide/cli/img/cloud-providers-page.png index 0581e0132f..dcbce73a10 100644 Binary files a/docs/user-guide/cli/img/cloud-providers-page.png and b/docs/user-guide/cli/img/cloud-providers-page.png differ diff --git a/docs/user-guide/img/add-cloud-provider.png b/docs/user-guide/img/add-cloud-provider.png index dd42e73047..d8f19b2054 100644 Binary files a/docs/user-guide/img/add-cloud-provider.png and b/docs/user-guide/img/add-cloud-provider.png differ diff --git a/docs/user-guide/img/cloud-providers-page.png b/docs/user-guide/img/cloud-providers-page.png index 0581e0132f..dcbce73a10 100644 Binary files a/docs/user-guide/img/cloud-providers-page.png and b/docs/user-guide/img/cloud-providers-page.png differ diff --git a/docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx b/docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx index 469f026b5a..c38cc42e37 100644 --- a/docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx +++ b/docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx 
@@ -2,26 +2,111 @@ title: 'Getting Started With Alibaba Cloud on Prowler' --- -## Prowler CLI +import { VersionBadge } from "/snippets/version-badge.mdx" -### Configure Alibaba Cloud Credentials +Prowler supports Alibaba Cloud both from the CLI and from Prowler Cloud. This guide walks you through the requirements, how to connect the provider in the UI, and how to run scans from the command line. -Prowler requires Alibaba Cloud credentials to perform security checks. Authentication is available through the following methods (in order of priority): +## Prerequisites -1. **Credentials URI** (Recommended for centralized credential services) -2. **OIDC Role Authentication** (Recommended for ACK/Kubernetes) -3. **ECS RAM Role** (Recommended for ECS instances) -4. **RAM Role Assumption** (Recommended for cross-account access) -5. **STS Temporary Credentials** -6. **Permanent Access Keys** -7. **Default Credential Chain** +Before you begin, make sure you have: + +1. An **Alibaba Cloud Account ID** (visible in the Alibaba Cloud Console under your profile). +2. **Credentials** with appropriate permissions: + - **RAM User with Access Keys**: For static credential authentication. + - **RAM Role**: For cross-account access using role assumption (recommended). +3. The required permissions for Prowler to audit your resources. See the [Alibaba Cloud Authentication](/user-guide/providers/alibabacloud/authentication) guide for the full list of required permissions. + + + + Onboard Alibaba Cloud using Prowler Cloud + + + Onboard Alibaba Cloud using Prowler CLI + + + +## Prowler Cloud + + + +### Step 1: Get Your Alibaba Cloud Account ID + +1. Log in to the [Alibaba Cloud Console](https://home.console.alibabacloud.com/) +2. Click on your profile avatar in the top-right corner +3. Locate and copy your Account ID + +![Get Account ID](/images/providers/alibaba-account-id.png) + +### Step 2: Access Prowler Cloud or Prowler App + +1. 
Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app) +2. Go to "Configuration" > "Cloud Providers" + + ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png) + +3. Click "Add Cloud Provider" + + ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png) + +4. Select "Alibaba Cloud" + + ![Select Alibaba Cloud](/images/providers/select-alibaba-cloud.png) + +5. Enter your Alibaba Cloud Account ID and optionally provide a friendly alias + + ![Add Account ID](/images/providers/add-alibaba-account-id.png) + +### Step 3: Choose and Provide Authentication + +After the Account ID is in place, select the authentication method that matches your Alibaba Cloud setup: + +![Select Auth Method](/images/providers/select-auth-method-alibaba.png) + +#### RAM Role Assumption (Recommended) + +Use this method for secure cross-account access. For detailed instructions on how to create the RAM role, see the [Authentication guide](/user-guide/providers/alibabacloud/authentication#ram-role-assumption-recommended-for-cross-account). + +1. Enter the **Role ARN** (format: `acs:ram:::role/`) +2. Enter the **Access Key ID** and **Access Key Secret** of the RAM user that will assume the role + + ![Input the Role ARN](/images/providers/alibaba-get-role-arn.png) + + +The RAM user whose credentials you provide must have permission to assume the target role. For more details, see the [Alibaba Cloud AssumeRole API documentation](https://www.alibabacloud.com/help/en/ram/developer-reference/api-sts-2015-04-01-assumerole). + + +#### Credentials (Static Access Keys) + +Use static credentials for quick scans (not recommended for production). For detailed setup, see the [Authentication guide](/user-guide/providers/alibabacloud/authentication#permanent-access-keys). + +1. 
Enter the **Access Key ID** and **Access Key Secret** + + ![Filled Credentials Page](/images/providers/alibaba-credentials-form.png) -Prowler does not accept credentials through command-line arguments. Provide credentials through environment variables or the Alibaba Cloud credential chain. - +Static access keys are long-lived credentials. For production environments, consider using RAM Role Assumption instead. -#### Option 1: Environment Variables (Permanent Credentials) +### Step 4: Launch the Scan + +1. Click "Next" to review your configuration +2. Click "Launch Scan" to start auditing your Alibaba Cloud account + + ![Launch Scan](/images/providers/launch-scan-alibaba.png) + +--- + +## Prowler CLI + + + +You can also run Alibaba Cloud assessments directly from the CLI. Both command-line flags and environment variables are supported. + +### Step 1: Select an Authentication Method + +Choose one of the following authentication methods. For the complete list and detailed configuration, see the [Authentication guide](/user-guide/providers/alibabacloud/authentication). + +#### Environment Variables ```bash export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id" 
@@ -29,104 +114,49 @@ export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret" prowler alibabacloud ``` -#### Option 2: Environment Variables (STS Temporary Credentials) - -```bash -export ALIBABA_CLOUD_ACCESS_KEY_ID="your-sts-access-key-id" -export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-sts-access-key-secret" -export ALIBABA_CLOUD_SECURITY_TOKEN="your-sts-security-token" -prowler alibabacloud -``` - -#### Option 3: RAM Role Assumption (Environment Variables) +#### RAM Role Assumption ```bash export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id" export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret" export ALIBABA_CLOUD_ROLE_ARN="acs:ram::123456789012:role/ProwlerAuditRole" -export ALIBABA_CLOUD_ROLE_SESSION_NAME="ProwlerAssessmentSession" # Optional prowler alibabacloud ``` -#### Option 4: RAM Role Assumption (CLI + Environment Variables) +#### ECS RAM Role (for ECS instances) ```bash -# Set credentials via environment variables -export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id" -export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret" -# Specify role via CLI argument -prowler alibabacloud --role-arn acs:ram::123456789012:role/ProwlerAuditRole --role-session-name ProwlerAssessmentSession -``` - -#### Option 5: ECS Instance Metadata (ECS RAM Role) - -```bash -# When running on an ECS instance with an attached RAM role prowler alibabacloud --ecs-ram-role RoleName - -# Or using environment variable -export ALIBABA_CLOUD_ECS_METADATA="RoleName" -prowler alibabacloud ``` -#### Option 6: OIDC Role Authentication (for ACK/Kubernetes) +### Step 2: Run the First Scan -```bash -# For applications running in ACK (Alibaba Container Service for Kubernetes) with RRSA enabled -export ALIBABA_CLOUD_ROLE_ARN="acs:ram::123456789012:role/YourRole" -export ALIBABA_CLOUD_OIDC_PROVIDER_ARN="acs:ram::123456789012:oidc-provider/ack-rrsa-provider" -export ALIBABA_CLOUD_OIDC_TOKEN_FILE="/var/run/secrets/tokens/oidc-token" -export 
ALIBABA_CLOUD_ROLE_SESSION_NAME="ProwlerOIDCSession" # Optional -prowler alibabacloud - -# Or using CLI argument -prowler alibabacloud --oidc-role-arn acs:ram::123456789012:role/YourRole -``` - -#### Option 7: Credentials URI (External Credential Service) - -```bash -# Retrieve credentials from an external URI endpoint -export ALIBABA_CLOUD_CREDENTIALS_URI="http://localhost:8080/credentials" -prowler alibabacloud - -# Or using CLI argument -prowler alibabacloud --credentials-uri http://localhost:8080/credentials -``` - -#### Option 8: Default Credential Chain - -The SDK automatically checks credentials in the following order: -1. Environment variables (`ALIBABA_CLOUD_*` or `ALIYUN_*`) -2. OIDC authentication (if OIDC environment variables are set) -3. Configuration file (`~/.aliyun/config.json`) -4. ECS instance metadata (if running on ECS) -5. Credentials URI (if `ALIBABA_CLOUD_CREDENTIALS_URI` is set) +#### Scan all regions ```bash prowler alibabacloud ``` -### Specify Regions - -To run checks only in specific regions: +#### Scan specific regions ```bash prowler alibabacloud --regions cn-hangzhou cn-shanghai ``` -### Run Specific Checks - -To run specific checks: +#### Run specific checks ```bash prowler alibabacloud --checks ram_no_root_access_key ram_user_mfa_enabled_console_access ``` -### Run Compliance Framework - -To run a specific compliance framework: +#### Run a compliance framework ```bash prowler alibabacloud --compliance cis_2.0_alibabacloud ``` + +### Additional Tips + +- Combine flags (for example, `--checks` or `--services`) just like with other providers. +- Use `--output-modes` to export findings in JSON, CSV, ASFF, etc. +- For more authentication options (OIDC, Credentials URI, STS), see the [Authentication guide](/user-guide/providers/alibabacloud/authentication).
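Review bot: In the docs/AGENTS.md hunk, the "Placement Guidelines" example contradicts step 1 of "How to Use the Version Badge": step 1 says to import the snippet at the top of the MDX file, but the example puts `import { VersionBadge } from "/snippets/version-badge.mdx"` below the `## Tag-Based Scanning` header. Move the import above the header in the example. Both MDX examples also show only blank lines where the text says to "insert the badge"; make sure the badge element itself is present in the fenced blocks so readers can copy the syntax, and name the prop that carries the version string, since the "Version Format" step describes its value without saying where it goes.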
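Review bot: In the new docs/developer-guide/alibabacloud-details.mdx, the "Example Service Implementation" instantiates `MyResource(...)` but never defines or imports it, while the "Common Patterns" list just above says every resource is a Pydantic `BaseModel`; add a minimal `class MyResource(BaseModel)` with `id`, `name` and `region` fields (and `from pydantic import BaseModel`) so the example is self-contained. Relatedly, the "Example Usage" check sets `report.region`, `report.resource_id` and `report.resource_arn` by hand right after the "Constructor and Attribute Population" section explains that `CheckReportAlibabaCloud` fills `resource_id` and `region` from `resource.id` and `resource.region` automatically; either drop the two redundant assignments or state that only `resource_arn` must be set when the resource model has no `arn`. Also check the spelling of `AlibabacloudProvider` in the service base class section against the real class name, since every other identifier on the page uses the `AlibabaCloud` prefix.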
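Review bot: Among the new binary files, `docs/images/providers/alibaba-connect-via-credentials-static.png` and `docs/images/providers/alibaba-connect-via-credentials.png` carry the identical blob index `f9b9a00ee6`, so one is a duplicate, and neither of them nor `alibaba-ram-role-overview.png` is referenced by the getting-started page changed in this patch (it references `alibaba-account-id`, `select-alibaba-cloud`, `add-alibaba-account-id`, `select-auth-method-alibaba`, `alibaba-get-role-arn`, `alibaba-credentials-form` and `launch-scan-alibaba`). Drop the unused copies, or reference them from the page they belong to, before merging.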
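Review bot: In the getting-started-alibabacloud.mdx hunk @@ -2,26 +2,111 @@, the RAM Role Assumption step reads "Enter the **Role ARN** (format: `acs:ram:::role/`)", which has lost the account ID and role name placeholders and no longer shows a valid ARN shape; write it as `acs:ram::<account-id>:role/<role-name>` or reuse the concrete `acs:ram::123456789012:role/ProwlerAuditRole` that the CLI section of the same file already uses, so both halves of the page agree. The hunk also replaces the removed "Prowler does not accept credentials through command-line arguments" note with "Both command-line flags and environment variables are supported"; confirm that wording against the argument parser, because the only authentication flag still shown in this file is `--ecs-ram-role`, and a reader may otherwise expect to pass access keys on the command line.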
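Review bot: The @@ -29,104 +114,49 @@ hunk deletes the STS temporary credentials, OIDC (`ALIBABA_CLOUD_OIDC_PROVIDER_ARN`, `ALIBABA_CLOUD_OIDC_TOKEN_FILE`, `--oidc-role-arn`), Credentials URI (`ALIBABA_CLOUD_CREDENTIALS_URI`, `--credentials-uri`), `ALIBABA_CLOUD_ECS_METADATA`, `ALIBABA_CLOUD_ROLE_SESSION_NAME` and default-credential-chain sections and only points at the Authentication guide from "Additional Tips"; that guide is not part of this patch, so verify it documents every removed variable and flag before merging, otherwise these options become undocumented. In the same "Additional Tips" list, ASFF is the AWS Security Hub finding format and is not a meaningful export target for an Alibaba Cloud scan; list only the formats this provider produces, and double-check the flag name `--output-modes` against the current `prowler --help` output.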