This topic describes how to use Resource Access Management (RAM) to limit the IP addresses from which Alibaba Cloud resources can be accessed. Even if the password or AccessKey pair of a RAM user is leaked, the credential is useless from an address outside the permitted range.

Background information

An enterprise has purchased multiple types of Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB for RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. To ensure business and data security, this enterprise requires RAM users to access Alibaba Cloud resources only from the IP addresses of the enterprise intranet.

Solution

To allow a RAM user to access Alibaba Cloud resources only from specified IP addresses, create a custom policy and attach the policy to the RAM user.

  1. Create a RAM user. For more information, see Create a RAM user.
  2. Create a custom policy. For more information, see Create a custom policy.
  3. Attach the policy to the RAM user. For more information, see Grant permissions to a RAM user.

Create a custom policy

  1. Log on to the RAM console. In the left-side navigation pane, click Policies under Permissions.
  2. On the Policies page, click Create Policy.
  3. On the Create Custom Policy page, set the Policy Name and Note parameters.
  4. In the Configuration Mode section, select Script. Copy and paste the following sample script to the Policy Document section, and then edit the script based on your business requirements.
    Limit the IP addresses that are used to access Alibaba Cloud resources

    If the following policy is attached to a RAM user, the RAM user can call ECS API operations only from IP addresses in the 192.168.0.0/16 CIDR block. The Allow statement takes effect only when the Condition element is met, and the acs:SourceIp key is compared with the 192.168.0.0/16 CIDR block by using the IpAddress operator. A request from any other address does not match the statement and receives no permission from this policy.

    {
      "Statement": [
        {
          "Action": "ecs:*",
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "192.168.0.0/16"
            }
          }
        }
      ],
      "Version": "1"
    }
    Note The Condition element applies only to the actions that are specified in the policy, which is ecs:* in this example. If another policy that is attached to the same RAM user grants ECS permissions without an IP condition, that policy still allows access from any address, because an Allow statement that does not match is simply ignored. To enforce the restriction regardless of what other policies grant, add a statement with "Effect": "Deny" and a NotIpAddress condition on acs:SourceIp for the same CIDR block: an explicit Deny takes precedence over any Allow. The value of acs:SourceIp is the source IP address from which the request reaches Alibaba Cloud, so if your intranet reaches the Internet through NAT, specify the public egress address of the NAT gateway rather than the private addresses of the clients. You can change the 192.168.0.0/16 CIDR block to an IP address or CIDR block in your intranet.
  5. Click OK.
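The following script is an added example and is not code from the Alibaba Cloud documentation. It is a simplified evaluator that models two documented rules of RAM policy evaluation, an explicit Deny overrides an Allow and a request that matches no Allow is denied, and applies them to the policy above together with two assumed policies: a hypothetical unrestricted ECS policy that might also be attached to the user, and a hardened Deny variant that uses the NotIpAddress operator. Running it shows that the conditional Allow alone does not block requests from outside the intranet once another policy grants the action, and that the Deny statement does. The sample IP addresses and the second and third policies are constructed for the demonstration; only the IpAddress and NotIpAddress operators on acs:SourceIp are modelled, so this is not a substitute for the real policy engine.

```python
"""Toy RAM-style policy evaluator for source-IP conditions.

Added example, not Alibaba Cloud's policy engine. Models only:
  * Action matching with the '*' wildcard (for example "ecs:*").
  * IpAddress / NotIpAddress conditions on the acs:SourceIp key.
  * Explicit Deny wins over Allow; no matching Allow means Deny.
"""
import fnmatch
import ipaddress

# Policy from the page: ECS actions allowed only from the intranet block.
INTRANET_ALLOW = {
    "Statement": [{
        "Action": "ecs:*", "Effect": "Allow", "Resource": "*",
        "Condition": {"IpAddress": {"acs:SourceIp": "192.168.0.0/16"}},
    }],
    "Version": "1",
}

# Hypothetical second policy attached to the same RAM user (constructed for
# this example): grants the same actions with no IP condition at all.
UNRESTRICTED_ECS = {
    "Statement": [{"Action": "ecs:*", "Effect": "Allow", "Resource": "*"}],
    "Version": "1",
}

# Hardened variant (constructed for this example): explicitly deny every ECS
# request whose source address is NOT in the intranet block. Because an
# explicit Deny overrides any Allow, this holds regardless of other policies.
INTRANET_DENY = {
    "Statement": [{
        "Action": "ecs:*", "Effect": "Deny", "Resource": "*",
        "Condition": {"NotIpAddress": {"acs:SourceIp": "192.168.0.0/16"}},
    }],
    "Version": "1",
}


def _as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _ip_in_blocks(src_ip, blocks):
    """True if src_ip falls inside any of the given IPs or CIDR blocks."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(b, strict=False)
               for b in _as_list(blocks))


def _condition_holds(condition, src_ip):
    """Evaluate a Condition element; unmodelled operators/keys count as unmet."""
    for operator, key_values in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            return False
        for key, blocks in key_values.items():
            if key != "acs:SourceIp":
                return False
            matched = _ip_in_blocks(src_ip, blocks)
            if operator == "IpAddress" and not matched:
                return False
            if operator == "NotIpAddress" and matched:
                return False
    return True


def evaluate(policies, action, src_ip):
    """Return "Allow" or "Deny" for one action requested from src_ip."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, pattern)
                       for pattern in _as_list(statement["Action"])):
                continue  # statement does not cover this action
            if "Condition" in statement and \
                    not _condition_holds(statement["Condition"], src_ip):
                continue  # condition not met: statement is ignored
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit Deny ends evaluation
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    action, inside, outside = "ecs:DescribeInstances", "192.168.10.5", "203.0.113.9"
    for label, pols in [("conditional Allow only", [INTRANET_ALLOW]),
                        ("plus unrestricted policy", [INTRANET_ALLOW, UNRESTRICTED_ECS]),
                        ("plus explicit Deny", [INTRANET_ALLOW, UNRESTRICTED_ECS, INTRANET_DENY])]:
        print(f"{label:26s} intranet={evaluate(pols, action, inside)} "
              f"external={evaluate(pols, action, outside)}")
```

The middle case is the one to watch for in a real tenant: the page's policy answers "Deny" for the external address only while it is the sole source of ECS permissions, so audit the other policies attached to the user (and to the RAM groups the user belongs to) or rely on the explicit Deny rather than on a conditional Allow.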