This topic describes how to use RAM to restrict the period during which Alibaba Cloud resources can be accessed, which provides a higher level of security.

Prerequisites

Background information

Enterprise A has purchased multiple types of Alibaba Cloud resources, such as ECS instances, RDS instances, SLB instances, and OSS buckets. To ensure business and data security, the enterprise wants RAM users to access Alibaba Cloud resources only during working hours.

Solution

To allow RAM users to access Alibaba Cloud resources only during a specified period, create a custom policy and attach it to the RAM users.

  1. Create a RAM user.
  2. Create a custom policy.
  3. Grant permission to a RAM user.

Create a custom policy

  1. In the left-side navigation pane, click Policies under Permissions.
  2. On the Policies page, click Create Policy.
  3. On the page that appears, specify the Policy Name and Note parameters.
  4. Under Configuration Mode, select Script. Copy and paste the following sample script into the Policy Document area, and edit the script based on your business needs.

    Limit the period during which Alibaba Cloud resources can be accessed

    If the following policy is attached to a RAM user, the RAM user can access ECS instances only before 17:00 on August 12, 2019 (UTC+8). In this case, the acs:CurrentTime parameter in Condition is set to 2019-08-12T17:00:00+08:00.

    {
      "Statement": [
        {
          "Action": "ecs:*",
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2019-08-12T17:00:00+08:00"
            }
          }
        }
      ],
      "Version": "1"
    }

    Note: The Condition setting only applies to the actions that are specified for the current policy. You can change the 2019-08-12T17:00:00+08:00 value if necessary.
  5. Click OK.
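
An added example, not part of the original documentation or Alibaba Cloud's own code: a small Python check that models how the DateLessThan condition above compares the request time with the limit, including the UTC+8 offset and the exact cutoff instant, and that flags Allow statements with no expiry. The function names and the simplified evaluation (only acs:CurrentTime date conditions with a single string value, no Action or Resource matching) are assumptions.

```python
import json
from datetime import datetime

# Date operators applied to acs:CurrentTime, as comparisons (request time, limit).
DATE_OPS = {
    "DateLessThan": lambda now, limit: now < limit,
    "DateLessThanEquals": lambda now, limit: now <= limit,
    "DateGreaterThan": lambda now, limit: now > limit,
    "DateGreaterThanEquals": lambda now, limit: now >= limit,
}
UPPER_BOUNDS = {"DateLessThan", "DateLessThanEquals"}

# The policy document from this page.
PAGE_POLICY = json.loads("""
{"Statement": [{"Action": "ecs:*", "Effect": "Allow", "Resource": "*",
  "Condition": {"DateLessThan": {"acs:CurrentTime": "2019-08-12T17:00:00+08:00"}}}],
 "Version": "1"}
""")

def time_condition_met(statement, now):
    """True if every acs:CurrentTime date condition holds at `now` (timezone-aware)."""
    for op, keys in statement.get("Condition", {}).items():
        if op in DATE_OPS and "acs:CurrentTime" in keys:
            # fromisoformat keeps the +08:00 offset, so the comparison is on absolute time.
            limit = datetime.fromisoformat(keys["acs:CurrentTime"])
            if not DATE_OPS[op](now, limit):
                return False
    return True

def allows_without_expiry(policy):
    """Return Allow statements that have no upper bound on acs:CurrentTime."""
    findings = []
    for st in policy["Statement"]:
        cond = st.get("Condition", {})
        bounded = any("acs:CurrentTime" in cond.get(op, {}) for op in UPPER_BOUNDS)
        if st.get("Effect") == "Allow" and not bounded:
            findings.append(st)
    return findings

if __name__ == "__main__":
    stmt = PAGE_POLICY["Statement"][0]
    # Constructed request times in UTC: one second before the cutoff, and the cutoff itself.
    for ts in ("2019-08-12T08:59:59+00:00", "2019-08-12T09:00:00+00:00"):
        print(ts, time_condition_met(stmt, datetime.fromisoformat(ts)))
    print("statements without expiry:", len(allows_without_expiry(PAGE_POLICY)))
```

Because DateLessThan is a strict comparison, a request at exactly 17:00:00 (UTC+8) no longer satisfies the condition.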