Resource
Access Management (RAM) is a service provided by Alibaba Cloud
to manage user identities and resource access permissions. You
can use RAM to prevent RAM users from sharing the AccessKey
pairs of your Alibaba Cloud account. You can also use RAM to
grant minimum permissions to RAM users. RAM uses policies to
define permissions.
This topic describes the elements, such
as Action, Resource, and Condition, which are defined by CloudFirewall. You can use
the elements to create policies in RAM. The code (RamCode) in
RAM that is used to indicate CloudFirewall is yundun-cloudfirewall. You can
grant permissions on CloudFirewall at the SERVICE.
General structure of a policy
Policies can be stored as
JSON files. The following code provides an example on the
general structure of a policy:
{
"Version": "1",
"Statement": [
{
"Effect": "<Effect>",
"Action": "<Action>",
"Resource": "<Resource>",
"Condition": {
"<Condition_operator>": {
"<Condition_key>": [
"<Condition_value>"
]
}
}
}
]
}
- Effect: specifies the authorization effect. Valid values: Allow, Deny.
- Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
- Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
- Condition: specifies one
or more conditions that are required for the policy to take
effect. This is an optional field. For more information, see
the
Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.
Action
CloudFirewall defines the values that you can use in theAction
element of a
policy statement. You can attach the policy to a RAM user or a RAM
role so that the RAM user or the RAM role can perform a group of
operations. You cannot authorize the RAM user or the RAM role to
perform a specific operation in CloudFirewall. You can
authorize the RAM user or the RAM role to perform only a group of
operations at the service level. The following list describes the
columns in the table:- Operation: a group of operations that you can authorize the RAM user or the RAM to perform.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the group of operations. You cannot grant permissions on this Alibaba Cloud service at the resource level. Therefore, you must grant permissions on all resources in this Alibaba Cloud service.
- Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
Actions | Access level | Resource type | Condition key | Associated operation |
---|---|---|---|---|
yundun-cloudfirewall:AddAddressBook | Write | All Resources | None | None |
yundun-cloudfirewall:AddControlPolicy | Write | All Resources | None | None |
yundun-cloudfirewall:AddInstanceMembers | Write | All Resources | None | None |
yundun-cloudfirewall:BatchCopyVpcFirewallControlPolicy | Write | All Resources | None | None |
yundun-cloudfirewall:CreateDownloadTask | Write | All Resources | None | None |
yundun-cloudfirewall:CreateNatFirewallControlPolicy | Write | All Resources | None | None |
yundun-cloudfirewall:CreateTrFirewallV2 | Write | All Resources | None | None |
yundun-cloudfirewall:CreateVpcFirewallCenConfigure | Write | All Resources | None | None |
yundun-cloudfirewall:CreateVpcFirewallConfigure | Write | All Resources | None | None |
yundun-cloudfirewall:CreateVpcFirewallControlPolicy | Write | All Resources | None | None |
yundun-cloudfirewall:DeleteAddressBook | Write | All Resources | None | None |
yundun-cloudfirewall:DeleteControlPolicy | Write | All Resources | None | None |
yundun-cloudfirewall:DeleteControlPolicyTemplate | Read | All Resources | None | None |
yundun-cloudfirewall:DeleteDownloadTask | Write | All Resources | None | None |
yundun-cloudfirewall:DeleteInstanceMembers | Write | All Resources | None | None |
yundun-cloudfirewall:DeleteNatFirewallControlPolicy | Write | All Resources | None | None |
yundun-cloudfirewall:DeleteNatFirewallControlPolicyBatch | Write | All Resources | None | None |
yundun-cloudfirewall:DeleteTrFirewallV2 | Write | All Resources | None | None |
yundun-cloudfirewall:DeleteVpcFirewallCenConfigure | Write | All Resources | None | None |
yundun-cloudfirewall:DeleteVpcFirewallConfigure | Write | All Resources | None | None |
yundun-cloudfirewall:DeleteVpcFirewallControlPolicy | Write | All Resources | None | None |
yundun-cloudfirewall:DescribeACLProtectTrend | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeAddressBook | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeAssetList | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeAssetRiskList | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeCfwRiskLevelSummary | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeControlPolicy | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeDomainResolve | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeDownloadTask | List | All Resources | None | None |
yundun-cloudfirewall:DescribeDownloadTaskType | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeInstanceMembers | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeInternetOpenIp | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeInternetTrafficTrend | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeInvadeEventList | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeNatAclPageStatus | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeNatFirewallControlPolicy | List | All Resources | None | None |
yundun-cloudfirewall:DescribeNatFirewallPolicyPriorUsed | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeOutgoingDestinationIP | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeOutgoingDomain | Read | All Resources | None | None |
yundun-cloudfirewall:DescribePolicyAdvancedConfig | Read | All Resources | None | None |
yundun-cloudfirewall:DescribePolicyPriorUsed | Read | All Resources | None | None |
yundun-cloudfirewall:DescribePrefixLists | List | All Resources | None | None |
yundun-cloudfirewall:DescribeRiskEventGroup | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeRiskEventPayload | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeSignatureLibVersion | Write | All Resources | None | None |
yundun-cloudfirewall:DescribeTrFirewallPolicyBackUpAssociationList | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeTrFirewallV2RoutePolicyList | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeTrFirewallsV2Detail | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeTrFirewallsV2List | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeUserAssetIPTrafficInfo | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeVpcFirewallAclGroupList | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeVpcFirewallCenDetail | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeVpcFirewallCenList | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeVpcFirewallControlPolicy | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeVpcFirewallDefaultIPSConfig | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeVpcFirewallDetail | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeVpcFirewallIPSWhitelist | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeVpcFirewallList | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeVpcFirewallPolicyPriorUsed | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeVpcListLite | Read | All Resources | None | None |
yundun-cloudfirewall:DescribeVpcZone | List | All Resources | None | None |
yundun-cloudfirewall:DescribeVulnerabilityProtectedList | Read | All Resources | None | None |
yundun-cloudfirewall:ModifyAddressBook | Write | All Resources | None | None |
yundun-cloudfirewall:ModifyControlPolicy | Write | All Resources | None | None |
yundun-cloudfirewall:ModifyControlPolicyPosition | Write | All Resources | None | None |
yundun-cloudfirewall:ModifyFirewallV2RoutePolicySwitch | Write | All Resources | None | None |
yundun-cloudfirewall:ModifyInstanceMemberAttributes | Write | All Resources | None | None |
yundun-cloudfirewall:ModifyNatFirewallControlPolicy | Write | All Resources | None | None |
yundun-cloudfirewall:ModifyNatFirewallControlPolicyPosition | Write | All Resources | None | None |
yundun-cloudfirewall:ModifyPolicyAdvancedConfig | Write | All Resources | None | None |
yundun-cloudfirewall:ModifyVpcFirewallCenConfigure | Write | All Resources | None | None |
yundun-cloudfirewall:ModifyVpcFirewallCenSwitchStatus | Write | All Resources | None | None |
yundun-cloudfirewall:ModifyVpcFirewallConfigure | Write | All Resources | None | None |
yundun-cloudfirewall:ModifyVpcFirewallControlPolicy | Write | All Resources | None | None |
yundun-cloudfirewall:ModifyVpcFirewallControlPolicyPosition | Write | All Resources | None | None |
yundun-cloudfirewall:ModifyVpcFirewallDefaultIPSConfig | Write | All Resources | None | None |
yundun-cloudfirewall:ModifyVpcFirewallIPSWhitelist | Read | All Resources | None | None |
yundun-cloudfirewall:ModifyVpcFirewallSwitchStatus | Write | All Resources | None | None |
yundun-cloudfirewall:PutDisableAllFwSwitch | Write | All Resources | None | None |
yundun-cloudfirewall:PutDisableFwSwitch | Write | All Resources | None | None |
yundun-cloudfirewall:PutEnableAllFwSwitch | Write | All Resources | None | None |
yundun-cloudfirewall:PutEnableFwSwitch | Write | All Resources | None | None |
yundun-cloudfirewall:ResetNatFirewallRuleHitCount | Write | All Resources | None | None |
yundun-cloudfirewall:ResetVpcFirewallRuleHitCount | Write | All Resources | None | None |
Resource
In CloudFirewall, you cannot
specify an ARN in the
Resource
element in a policy
statement. If you want to authorize a RAM user or a RAM role to
access CloudFirewall, you cannot
specify an ARN in the "Resource":
"*"
.Condition
CloudFirewall does not define
service-specific condition keys. For more information about
common condition keys that are defined by Alibaba Cloud, see Generic
Condition Keyword.