This topic describes how to use Resource Access Management (RAM) to restrict the ways in which Alibaba Cloud resources can be accessed, so that RAM users can reach them only over HTTPS and never over plaintext HTTP.

Prerequisites

Background information

Enterprise A has purchased multiple types of Alibaba Cloud resources, such as ECS instances, RDS instances, SLB instances, and OSS buckets. To protect its business and data, the enterprise wants RAM users to access these resources only over HTTPS, so that credentials and data are never sent in plaintext.

Solution

To allow RAM users to access Alibaba Cloud resources only over HTTPS, create a custom policy whose Allow statement carries the acs:SecureTransport condition and attach it to the RAM users:

  1. Create a RAM user.
  2. Create a custom policy.
  3. Grant permissions to the RAM user.

Create a custom policy

  1. In the left-side navigation pane, click Policies under Permissions.
  2. On the Policies page, click Create Policy.
  3. On the page that appears, specify the Policy Name and Note parameters.
  4. Under Configuration Mode, select Script. Copy and paste the following sample script to the Policy Document area, and edit the script based on your business needs.

    Limit the methods of accessing Alibaba Cloud resources

    If the following policy is attached to a RAM user, the user's requests for ECS actions are allowed only when they arrive over HTTPS: the acs:SecureTransport condition key is set to true, so a plaintext HTTP request does not match the Allow statement and, because RAM denies everything that is not explicitly allowed, is rejected.

    {
      "Statement": [
        {
          "Action": "ecs:*",
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        }
      ],
      "Version": "1"
    }
    Note The Condition applies only to the actions specified in the current policy: this policy says nothing about OSS, RDS, or SLB requests, and it does not prevent a different policy attached to the same user from allowing ECS actions over HTTP. To block plaintext access regardless of what other policies grant, add a Deny statement whose condition sets acs:SecureTransport to false; an explicit Deny takes precedence over any Allow. The valid values for the acs:SecureTransport parameter are true and false.
  5. Click OK.
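The following evaluator is added here as a worked example; it is not Alibaba Cloud code and not part of the original page. It models the documented RAM evaluation order (explicit Deny overrides Allow; anything not allowed is denied) for just the pieces the policy above uses, so you can see why the page's policy blocks plaintext ECS requests, why it stops doing so as soon as a second unconditional Allow policy (hypothetical UNCONDITIONAL_ECS_READ) is attached to the same user, and how an explicit Deny on acs:SecureTransport false (DENY_PLAINTEXT, an assumption about how the key evaluates for HTTP requests) closes that gap. The resource name and the policy names are constructed for the example.

```python
"""Toy evaluator for the HTTPS-only policy on this page.

Constructed example, not Alibaba Cloud code. It mirrors the documented RAM
evaluation order (explicit Deny overrides Allow; anything not allowed is
denied) and implements only what the page's policy needs: Action and Resource
wildcards, Effect, and the Bool condition on acs:SecureTransport.
"""
import fnmatch
import json

# The policy from this page: Allow every ECS action, but only over HTTPS.
HTTPS_ONLY_ALLOW = {
    "Version": "1",
    "Statement": [{
        "Action": "ecs:*",
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {"Bool": {"acs:SecureTransport": "true"}},
    }],
}

# Hypothetical second policy an administrator might also attach to the same
# user (a broad ECS read-only grant) with no transport condition at all.
UNCONDITIONAL_ECS_READ = {
    "Version": "1",
    "Statement": [{"Action": "ecs:Describe*", "Effect": "Allow", "Resource": "*"}],
}

# Hardened companion policy (assumption: acs:SecureTransport is "false" for a
# plaintext request): an explicit Deny that no Allow can override.
DENY_PLAINTEXT = {
    "Version": "1",
    "Statement": [{
        "Action": "*",
        "Effect": "Deny",
        "Resource": "*",
        "Condition": {"Bool": {"acs:SecureTransport": "false"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # RAM-style wildcard: "*" matches any run of characters, including ":".
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only the Bool operator is implemented; every listed key must match.
    for key, expected in condition.get("Bool", {}).items():
        actual = context.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def evaluate(policies, action, resource, secure_transport):
    """Return "Allow" or "Deny" for one request against all attached policies."""
    context = {"acs:SecureTransport": "true" if secure_transport else "false"}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny wins over any Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # default deny


def policy_document(policy):
    """Serialize a policy for the console's Policy Document box or CreatePolicy."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed resource name in RAM's acs:<service>:<region>:<account>:<path> form.
    instance = "acs:ecs:cn-hangzhou:123456789012:instance/i-example"
    scenarios = [
        ("page policy only", [HTTPS_ONLY_ALLOW]),
        ("page policy + unconditional read", [HTTPS_ONLY_ALLOW, UNCONDITIONAL_ECS_READ]),
        ("+ explicit Deny on plaintext", [HTTPS_ONLY_ALLOW, UNCONDITIONAL_ECS_READ, DENY_PLAINTEXT]),
    ]
    for label, policies in scenarios:
        for https in (True, False):
            verdict = evaluate(policies, "ecs:DescribeInstances", instance, https)
            print(f"{label:34} https={https!s:5} -> {verdict}")
```

Run it and compare the three scenarios: the page's policy alone denies the HTTP request, attaching the unconditional read policy reopens it, and only the explicit Deny keeps it closed while HTTPS requests continue to be allowed. The same ordering is why the Note above recommends a Deny statement rather than relying on the Allow's condition alone.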