This topic describes how to use RAM to limit the time of accessing Alibaba Cloud resources to enable a higher level of security.
Prerequisites
- An Alibaba Cloud account is created. If not, create one before proceeding. To create an Alibaba Cloud account, click Create a new Alibaba Cloud account.
- The RAM service is activated, and you can log on to the RAM console. If the RAM service is not activated, activate the service before proceeding. For more information, see Activation methods.
- You have a basic knowledge of the policy elements, structure, and syntax before creating a custom policy. For more information, see Policy elements and Policy structure and grammar.
Background information
Enterprise A has purchased more than one type of Alibaba Cloud resources, such as ECS instances, RDS instances, SLB instances, and OSS buckets. To ensure business and data security, this enterprise wants RAM users to only access Alibaba Cloud resources during the working hours.
Solution
To only allow RAM users to access Alibaba Cloud resources during the specified period, create and attach a custom policy for the RAM users.
Create a custom policy
- Under Configuration Mode, select Script. Copy and paste the following sample script to the Policy Document area, and edit the script based on your business needs.
If the following policy is attached to a RAM user, the RAM user can only access ECS instances before 17:00 on August 12, 2019 (UTC+8). In this case, the
acs:CurrentTimeparameter inConditionis set to2019-08-12T17:00:00+08:00.{ "Statement": [ { "Action": "ecs:*", "Effect": "Allow", "Resource": "*", "Condition": { "DateLessThan": { "acs:CurrentTime": "2019-08-12T17:00:00+08:00" } } } ], "Version": "1" }Note TheConditionsetting only applies to the actions that are specified for the current policy. You can change the2019-08-12T17:00:00+08:00value if necessary.