This topic describes how to use RAM to limit the IP addresses that are used to access Alibaba Cloud resources. This feature of RAM enables a higher level of security.


Background information

Enterprise A has purchased more than one type of Alibaba Cloud resources, such as ECS instances, RDS instances, SLB instances, and OSS buckets. To ensure business and data security, this enterprise wants to only allow RAM users to access Alibaba Cloud resources from its IP addresses of the corporate intranet.


To only allow RAM users to access Alibaba Cloud resources from the specified IP addresses, create and attach a custom policy for the RAM users.

  1. Create a RAM user.
  2. Create a custom policy.
  3. Grant permission to a RAM user.

Create a custom policy

  1. In the left-side navigation pane, click Policies under Permissions.
  2. On the Policies page, click Create Policy.
  3. On the page that appears, specify the Policy Name and Note parameters.
  4. Under Configuration Mode, select Script. Copy and paste the following sample script to the Policy Document area, and edit the script based on your business needs.

    Limit the IP addresses used for accessing Alibaba Cloud resources

    If the following policy is attached to a RAM user, the RAM user can only access ECS instances from the IP addresses in the CIDR block range of In this case, the acs:SourceIp parameter in Condition is set to

      "Statement": [
          "Action": "ecs:*",
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": ""
      "Version": "1"
    Note The Condition setting only applies to the actions that are specified for the current policy. You can change the CIDR block to the IP address of your corporate intranet.
  5. Click OK.