Cloud Firewall:RAM authorization

Last Updated:Mar 20, 2024
Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account, and to grant RAM users only the minimum permissions they require. RAM uses policies to define permissions.
This topic describes the elements, such as Action, Resource, and Condition, that are defined by CloudFirewall. You can use these elements to create policies in RAM. The code (RamCode) that identifies CloudFirewall in RAM is yundun-cloudfirewall. Permissions on CloudFirewall can be granted only at the service level.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}
The following list describes the fields in the policy:
  • Effect: specifies the authorization effect. Valid values: Allow, Deny.
  • Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
  • Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
  • Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
    • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
    • Condition_key: specifies the condition keys.
    • Condition_value: specifies the condition values.

Action

CloudFirewall defines the values that you can use in the Action element of a policy statement. You can attach a policy to a RAM user or a RAM role so that the RAM user or RAM role can perform a group of operations. You cannot authorize a RAM user or RAM role to perform a specific operation on a specific CloudFirewall resource; authorization is granted only at the service level, so each action applies to all resources of the service. The following list describes the columns in the table:
  • Actions: the operations that you can authorize the RAM user or RAM role to perform.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of resource on which you can authorize the RAM user or RAM role to perform the operation. You cannot grant permissions on this Alibaba Cloud service at the resource level. Therefore, you must grant permissions on all resources in this Alibaba Cloud service.
  • Condition key: the condition keys that are defined by the Alibaba Cloud service. This column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
  • Associated operation: other operations that the RAM user or RAM role must also have permission to perform in order to complete the operation.
Actions | Access level | Resource type | Condition key | Associated operation
yundun-cloudfirewall:AddAddressBook | Write | All Resources | None | None
yundun-cloudfirewall:AddControlPolicy | Write | All Resources | None | None
yundun-cloudfirewall:AddInstanceMembers | Write | All Resources | None | None
yundun-cloudfirewall:BatchCopyVpcFirewallControlPolicy | Write | All Resources | None | None
yundun-cloudfirewall:CreateDownloadTask | Write | All Resources | None | None
yundun-cloudfirewall:CreateNatFirewallControlPolicy | Write | All Resources | None | None
yundun-cloudfirewall:CreateTrFirewallV2 | Write | All Resources | None | None
yundun-cloudfirewall:CreateVpcFirewallCenConfigure | Write | All Resources | None | None
yundun-cloudfirewall:CreateVpcFirewallConfigure | Write | All Resources | None | None
yundun-cloudfirewall:CreateVpcFirewallControlPolicy | Write | All Resources | None | None
yundun-cloudfirewall:DeleteAddressBook | Write | All Resources | None | None
yundun-cloudfirewall:DeleteControlPolicy | Write | All Resources | None | None
yundun-cloudfirewall:DeleteControlPolicyTemplate | Read | All Resources | None | None
yundun-cloudfirewall:DeleteDownloadTask | Write | All Resources | None | None
yundun-cloudfirewall:DeleteInstanceMembers | Write | All Resources | None | None
yundun-cloudfirewall:DeleteNatFirewallControlPolicy | Write | All Resources | None | None
yundun-cloudfirewall:DeleteNatFirewallControlPolicyBatch | Write | All Resources | None | None
yundun-cloudfirewall:DeleteTrFirewallV2 | Write | All Resources | None | None
yundun-cloudfirewall:DeleteVpcFirewallCenConfigure | Write | All Resources | None | None
yundun-cloudfirewall:DeleteVpcFirewallConfigure | Write | All Resources | None | None
yundun-cloudfirewall:DeleteVpcFirewallControlPolicy | Write | All Resources | None | None
yundun-cloudfirewall:DescribeACLProtectTrend | Read | All Resources | None | None
yundun-cloudfirewall:DescribeAddressBook | Read | All Resources | None | None
yundun-cloudfirewall:DescribeAssetList | Read | All Resources | None | None
yundun-cloudfirewall:DescribeAssetRiskList | Read | All Resources | None | None
yundun-cloudfirewall:DescribeCfwRiskLevelSummary | Read | All Resources | None | None
yundun-cloudfirewall:DescribeControlPolicy | Read | All Resources | None | None
yundun-cloudfirewall:DescribeDomainResolve | Read | All Resources | None | None
yundun-cloudfirewall:DescribeDownloadTask | List | All Resources | None | None
yundun-cloudfirewall:DescribeDownloadTaskType | Read | All Resources | None | None
yundun-cloudfirewall:DescribeInstanceMembers | Read | All Resources | None | None
yundun-cloudfirewall:DescribeInternetOpenIp | Read | All Resources | None | None
yundun-cloudfirewall:DescribeInternetTrafficTrend | Read | All Resources | None | None
yundun-cloudfirewall:DescribeInvadeEventList | Read | All Resources | None | None
yundun-cloudfirewall:DescribeNatAclPageStatus | Read | All Resources | None | None
yundun-cloudfirewall:DescribeNatFirewallControlPolicy | List | All Resources | None | None
yundun-cloudfirewall:DescribeNatFirewallPolicyPriorUsed | Read | All Resources | None | None
yundun-cloudfirewall:DescribeOutgoingDestinationIP | Read | All Resources | None | None
yundun-cloudfirewall:DescribeOutgoingDomain | Read | All Resources | None | None
yundun-cloudfirewall:DescribePolicyAdvancedConfig | Read | All Resources | None | None
yundun-cloudfirewall:DescribePolicyPriorUsed | Read | All Resources | None | None
yundun-cloudfirewall:DescribePrefixLists | List | All Resources | None | None
yundun-cloudfirewall:DescribeRiskEventGroup | Read | All Resources | None | None
yundun-cloudfirewall:DescribeRiskEventPayload | Read | All Resources | None | None
yundun-cloudfirewall:DescribeSignatureLibVersion | Write | All Resources | None | None
yundun-cloudfirewall:DescribeTrFirewallPolicyBackUpAssociationList | Read | All Resources | None | None
yundun-cloudfirewall:DescribeTrFirewallV2RoutePolicyList | Read | All Resources | None | None
yundun-cloudfirewall:DescribeTrFirewallsV2Detail | Read | All Resources | None | None
yundun-cloudfirewall:DescribeTrFirewallsV2List | Read | All Resources | None | None
yundun-cloudfirewall:DescribeUserAssetIPTrafficInfo | Read | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallAclGroupList | Read | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallCenDetail | Read | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallCenList | Read | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallControlPolicy | Read | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallDefaultIPSConfig | Read | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallDetail | Read | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallIPSWhitelist | Read | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallList | Read | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallPolicyPriorUsed | Read | All Resources | None | None
yundun-cloudfirewall:DescribeVpcListLite | Read | All Resources | None | None
yundun-cloudfirewall:DescribeVpcZone | List | All Resources | None | None
yundun-cloudfirewall:DescribeVulnerabilityProtectedList | Read | All Resources | None | None
yundun-cloudfirewall:ModifyAddressBook | Write | All Resources | None | None
yundun-cloudfirewall:ModifyControlPolicy | Write | All Resources | None | None
yundun-cloudfirewall:ModifyControlPolicyPosition | Write | All Resources | None | None
yundun-cloudfirewall:ModifyFirewallV2RoutePolicySwitch | Write | All Resources | None | None
yundun-cloudfirewall:ModifyInstanceMemberAttributes | Write | All Resources | None | None
yundun-cloudfirewall:ModifyNatFirewallControlPolicy | Write | All Resources | None | None
yundun-cloudfirewall:ModifyNatFirewallControlPolicyPosition | Write | All Resources | None | None
yundun-cloudfirewall:ModifyPolicyAdvancedConfig | Write | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallCenConfigure | Write | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallCenSwitchStatus | Write | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallConfigure | Write | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallControlPolicy | Write | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallControlPolicyPosition | Write | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallDefaultIPSConfig | Write | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallIPSWhitelist | Read | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallSwitchStatus | Write | All Resources | None | None
yundun-cloudfirewall:PutDisableAllFwSwitch | Write | All Resources | None | None
yundun-cloudfirewall:PutDisableFwSwitch | Write | All Resources | None | None
yundun-cloudfirewall:PutEnableAllFwSwitch | Write | All Resources | None | None
yundun-cloudfirewall:PutEnableFwSwitch | Write | All Resources | None | None
yundun-cloudfirewall:ResetNatFirewallRuleHitCount | Write | All Resources | None | None
yundun-cloudfirewall:ResetVpcFirewallRuleHitCount | Write | All Resources | None | None

Resource

In CloudFirewall, you cannot specify an ARN in the Resource element of a policy statement. If you want to authorize a RAM user or a RAM role to access CloudFirewall, set the Resource element to "*" ("Resource": "*") instead of an ARN.
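The following is an added example, not code from Alibaba Cloud or from this topic. It applies the policy structure, the action table and the Resource rule above: it builds a read-only custom policy (Read and List actions only, Resource "*") from a subset of the table, and lints a candidate policy against the constraints this topic states. The `acs:` prefix for generic condition keys and the lint rules themselves are my assumptions.

```python
import json

# Service code (RamCode) that identifies Cloud Firewall in RAM, from the topic.
RAM_CODE = "yundun-cloudfirewall"

# Subset of the action table above: action name -> access level (constructed excerpt).
ACTIONS = {
    "DescribeControlPolicy": "Read",
    "DescribeVpcFirewallList": "Read",
    "DescribeDownloadTask": "List",
    "DescribePrefixLists": "List",
    "AddControlPolicy": "Write",
    "ModifyControlPolicy": "Write",
    "PutDisableAllFwSwitch": "Write",
    "PutEnableAllFwSwitch": "Write",
}


def read_only_policy():
    """Allow only Read/List actions; Resource must be "*" for this service."""
    allowed = sorted(f"{RAM_CODE}:{name}" for name, level in ACTIONS.items()
                     if level in ("Read", "List"))
    return {"Version": "1",
            "Statement": [{"Effect": "Allow", "Action": allowed, "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return problems found in CloudFirewall statements; empty list means clean."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        cfw_actions = [a for a in _as_list(stmt["Action"]) if a.startswith(RAM_CODE + ":")]
        if not cfw_actions:
            continue  # statement is about another service
        # Resource-level scoping is not supported: an ARN here will not match.
        for res in _as_list(stmt["Resource"]):
            if res != "*":
                problems.append(f'statement {i}: Resource must be "*", got {res!r}')
        # CloudFirewall defines no service-specific condition keys; assumption:
        # only generic keys (acs:SourceIp, acs:MFAPresent, ...) carry the acs: prefix.
        for keys in stmt.get("Condition", {}).values():
            for key in keys:
                if not key.startswith("acs:"):
                    problems.append(f"statement {i}: condition key {key} is not generic")
    return problems


if __name__ == "__main__":
    print(json.dumps(read_only_policy(), indent=2))
```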

Condition

CloudFirewall does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Generic Condition Keyword.

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: