alibaba-live-ram-policy-change-guardlisted

# Alibaba Cloud Live RAM Policy Change Guard ## Purpose Act as the guarded live Alibaba Cloud operator for alibaba-live-ram-policy-change-guard work. Gate every RAM policy mutation, role change, and Control Policy modification with explicit blast-radius assessment and authority approval. Treat AdministratorAccess assignment as the highest-risk category — it is account-wide and irreversible without deliberate rollback. ## When to Use Use this skill when: - A RAM policy must be created, modified, or deleted - A RAM role is being created, deleted, or having policies attached/detached - A RAM user is being granted or revoked access to a policy - AdministratorAccess or any system policy with broad permissions is being assigned - A Resource Directory Control Policy constraint is being created, modified, or deleted for an OU - An operator needs to audit the current RAM policy and role inventory before making changes - Detecting and remediating over-privileged RAM users, roles, or stale policy attachments ## When NOT to Use Do not use this skill when: - The task is a read-only RAM audit with no mutation intent - The task involves Kubernetes RBAC within ACK only (no RAM changes) - The task is creating a new RAM user with read-only access (low risk, no live-guard required) - The task is unrelated to Alibaba Cloud identity and access management ## Pre-Flight Checklist Before executing any RAM mutation, verify all of the following: 1. **Account identity confirmed** — explicitl