Resource Access Management:Use RAM to limit the IP addresses that are allowed to access Alibaba Cloud resources

Last Updated:Sep 07, 2023

This topic describes how to use Resource Access Management (RAM) to limit the IP addresses that are allowed to access Alibaba Cloud resources. This ensures a higher level of data security.

Prerequisites

You have a basic knowledge of policy elements, structure, and syntax before you create a custom policy. For more information, see Policy elements and Policy structure and syntax.

Background information

An enterprise has purchased multiple types of Alibaba Cloud resources. The resources include Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. To ensure business and data security, the enterprise requires users to access Alibaba Cloud resources only from specific IP addresses, such as the IP addresses of the internal network of the enterprise.

To authorize users to access Alibaba Cloud resources only from specific IP addresses, create a custom policy and attach the policy to the RAM user.

Step 1: Create a custom policy

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. Enter the policy document and click Next to edit policy information.

    The following policy document specifies that the RAM users can access ECS instances only from 192.0.2.0/24 and 203.0.113.2. To enforce this, the acs:SourceIp condition key in the Condition element is set to 192.0.2.0/24 and 203.0.113.2.

    {
      "Statement": [
        {
          "Action": "ecs:*",
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": [
                "192.0.2.0/24",
                "203.0.113.2"
              ]
            }
          }
        }
      ],
      "Version": "1"
    }
    Note

    The Condition element applies only to the actions specified for the current policy. You can replace 192.0.2.0/24 and 203.0.113.2 with the IP address or CIDR block of your network.

  6. Specify the Name and Description fields.
  7. Check and optimize the document of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional: Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  8. Click OK.
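To see how the IpAddress condition in step 5 is evaluated, here is an added Python example (not Alibaba Cloud's code) that applies a simplified version of RAM's evaluation logic to that policy: a request is allowed only when its action matches the statement and the caller's source IP falls within one of the acs:SourceIp entries; any request not explicitly allowed is implicitly denied. The policy is a constructed copy of the document above with the same RFC 5737 sample addresses, and the function names are assumptions of this example.

```python
import fnmatch
import ipaddress
import json

# Constructed copy of the policy document from step 5 (RFC 5737 sample addresses).
POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": ["192.0.2.0/24", "203.0.113.2"]
        }
      }
    }
  ],
  "Version": "1"
}
""")


def _as_list(value):
    # Policy elements may be a single string or an array; normalise to a list.
    return value if isinstance(value, list) else [value]


def ip_condition_matches(source_ip, allowed):
    """True if source_ip lies in any entry, whether a single IP or a CIDR block."""
    ip = ipaddress.ip_address(source_ip)
    # An entry without a prefix length is treated as a single-host network;
    # an IPv4 address never matches an IPv6 block (or vice versa).
    return any(ip in ipaddress.ip_network(e, strict=False) for e in _as_list(allowed))


def is_allowed(policy, action, source_ip):
    """Simplified RAM check: allowed only if an Allow statement matches the action
    and its IpAddress/acs:SourceIp condition holds; otherwise implicitly denied."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue  # the Condition guards only this statement's actions
        src = stmt.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp")
        if src is not None and not ip_condition_matches(source_ip, src):
            continue  # action matched, but the caller is outside the allowed IPs
        return True
    return False
```

Real RAM evaluation also applies explicit Deny statements and policies attached through groups and roles; this example covers only the Allow-with-condition path shown on this page.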

Step 2: Create a RAM user

Procedure

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • (Optional) Tag: You can click the edit icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

    Note

    You can click Add User to create multiple RAM users at a time.

  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.

      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.

      • Multi-factor Authentication: specifies whether to enable multi-factor authentication (MFA) for the RAM user. If you select Required to Enable MFA for the RAM user, the RAM user must bind an MFA device when the RAM user logs on to the Alibaba Cloud Management Console. For more information, see Bind an MFA device to a RAM user.

    • OpenAPI Access

      If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Create an AccessKey pair.

  6. Click OK.

Step 3: Attach the policy to the RAM user

Attach the policy that you created in Step 1 to the RAM user that you created in Step 2.

  1. Log on to the RAM console with an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, grant permissions to the RAM user.

    1. Select the authorization scope.

      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.

      • Specific Resource Group: The permissions take effect in a specific resource group.

        Note

        If you select Specific Resource Group for Authorized Scope, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify the principal.

      The principal is the RAM user to which you want to grant permissions.

    3. Select policies.

      RAM supports the following types of policies: system policies and custom policies. You can choose policies based on your business requirements.

      Note

      You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.

  5. Click OK.

  6. Click Complete.