This topic describes how to create custom policies that define a set of permissions on Security Center and attach the custom policies to Resource Access Management (RAM) users. RAM users that have different policies attached can have permissions on different features of Security Center. This enables fine-grained access control.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

RAM provides two types of access control policies for cloud services: system policies and custom policies. System policies are created by Alibaba Cloud and cannot be modified.
Note Alibaba Cloud provides the following system policies that define permissions on Security Center: AliyunYundunSASFullAccess and AliyunYundunSASReadOnlyAccess. If you attach AliyunYundunSASFullAccess to a RAM user, the user has all permissions on Security Center. If you attach AliyunYundunSASReadOnlyAccess to a RAM user, the user has read-only permissions on Security Center.

To enable fine-grained access control for cloud services, you can create custom RAM policies and attach the policies to RAM users.

This topic uses examples to describe how to create custom policies that define a set of permissions on Security Center and attach the policies to RAM users. For more information about RAM policies, see Policy structure and syntax. For more information about basic concepts used in RAM, see Terms.

Step 1: Create custom policies that define a set of permissions on Security Center

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the page that appears, specify the Policy Name and Note parameters.
  5. In Configuration Mode, select Script and edit the policy content.
    Common custom policies:
    • Assets
      • Create custom policies that define read-only permissions on the Assets page

        The following custom policy defines permissions to view assets and server statistics on the Assets page. In the Action field, yundun-sas:DescribeCloudCenterInstances, yundun-sas:DescribeFieldStatistics, and yundun-sas:DescribeCriteria are added to grant permissions. To attach the policy to RAM users, perform the operations described in Step 2.

        {
            "Version": "1",
            "Statement": [
                {
                   "Action": [
                             "yundun-sas:DescribeCloudCenterInstances",
                             "yundun-sas:DescribeFieldStatistics",
                             "yundun-sas:DescribeCriteria"
                             ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
      • Create a custom policy that defines permissions to start security checks on the Assets page

        The following custom policy defines permissions to start security checks on the Assets page. In the Action field, yundun-sas:ModifyPushAllTask is added to grant permissions. To attach the policy to RAM users, perform the operations described in Step 2.

        {
            "Version": "1",
            "Statement": [
                {
                    "Action": "yundun-sas:ModifyPushAllTask",
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
    • Vulnerabilities
      • Create a custom policy that defines read-only permissions on the Vulnerabilities page

        The following custom policy defines permissions to view vulnerabilities and the vulnerability whitelist on the Vulnerabilities page. In the Action field, yundun-aegis:DescribeVulList and yundun-sas:DescribeVulWhitelist are added to grant permissions. Note that the two actions carry different service prefixes: the vulnerability list is a yundun-aegis action, whereas the whitelist query is a yundun-sas action. To attach the policy to RAM users, perform the operations described in Step 2.

        {
            "Version": "1",
            "Statement": [
                {
                   "Action": [
                             "yundun-aegis:DescribeVulList",
                             "yundun-sas:DescribeVulWhitelist"
                             ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
      • Create a custom policy that defines permissions to fix vulnerabilities

        The following custom policy defines permissions to fix vulnerabilities. In the Action field, yundun-aegis:OperateVul is added to grant permissions. To attach the policy to RAM users, perform the operations described in Step 2.

        {
            "Version": "1",
            "Statement": [
                {
                   "Action": "yundun-aegis:OperateVul",
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
  6. Click OK.

Step 2: Attach custom policies to RAM users

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Grants.
  3. On the Grants page, click Grant Permission.
  4. In the Principal column, select a RAM user to which you want to attach a policy.
    By default, a RAM user that you newly create has no permissions. For information about how to create a RAM user, see Create a RAM user.
  5. In the Select Policy section, select Custom Policy, and then select the custom policies that you created in Step 1: Create custom policies that define a set of permissions on Security Center.
  6. Click OK.
  7. Click Complete.

Operations supported by custom policies

The following tables list custom policies that define permissions on the Assets and Vulnerabilities pages of Security Center.

Assets

Action | Description | Supported API operation
yundun-sas:DescribeCloudCenterInstances | Queries information about assets, including asset types, alerts, and the Security Center agent status. | DescribeCloudCenterInstances
yundun-sas:DescribeFieldStatistics | Queries the statistics of assets. | DescribeFieldStatistics
yundun-sas:DescribeCriteria | Queries the search conditions that can be specified to query assets. | DescribeCriteria
yundun-sas:ModifyPushAllTask | Starts all security checks. | ModifyPushAllTask
yundun-sas:DescribeDomainCount | Queries the number of domain assets that are protected by Security Center. | DescribeDomainCount
yundun-sas:DeleteGroup | Deletes an asset group. | DeleteGroup
yundun-sas:DescribeVolDingdingMessage | Queries the QR code of a DingTalk group where you can receive notifications. | DescribeVolDingdingMessage
yundun-sas:DescribeSearchCondition | Queries search conditions. | DescribeSearchCondition
yundun-sas:DescribeSasAssetStatisticsColumn | Queries the asset information based on the displayed columns on the Server tab. | DescribeSasAssetStatisticsColumn
yundun-sas:DescribeImageStatistics | Queries the number of risky container images. | DescribeImageStatistics
yundun-sas:DescribeGroupedTags | Queries the tags of assets. | DescribeGroupedTags
yundun-sas:DescribeCloudProductFieldStatistics | Queries cloud services that are protected by Security Center. | DescribeCloudProductFieldStatistics
yundun-sas:DescribeAllGroups | Queries all server groups. | DescribeAllGroups
yundun-sas:CreateOrUpdateAssetGroup | Modifies the relationship between an asset and an asset group. | CreateOrUpdateAssetGroup
yundun-sas:DescribeInstanceStatistics | Queries the risk information of assets. | DescribeInstanceStatistics
yundun-sas:AddTagWithUuid | Adds tags to specific assets. | AddTagWithUuid
yundun-sas:DeleteTagWithUuid | Removes tags from assets. | DeleteTagWithUuid
yundun-sas:PauseClient | Starts or pauses the Security Center agent. | PauseClient
yundun-sas:ModifyTagWithUuid | Modifies the relationship between a tag and an asset. | ModifyTagWithUuid
yundun-sas:ModifyAssetImportant | Modifies the importance of assets. | ModifyAssetImportant
yundun-sas:RefreshAssets | Synchronizes the data of all assets. | RefreshAssets
yundun-sas:ExportRecord | Exports baseline check results, asset fingerprints, and AccessKey leak information to Excel files. | ExportRecord
yundun-sas:DescribeExportInfo | Queries the progress of a task that exports asset information. | DescribeExportInfo
yundun-sas:DescribeIpTags | Queries the tags of IP addresses. | DescribeIpTags
yundun-sas:DescribeDomainList | Queries domain assets. | DescribeDomainList
yundun-sas:DescribeDomainDetail | Queries the details of a domain asset. | DescribeDomainDetail
yundun-sas:DescribeDomainSecureScore | Queries the security score of a website. | DescribeDomainSecureScore
yundun-sas:DescribeDomainSecureStatistics | Queries the risk information of a website. | DescribeDomainSecureStatistics
yundun-sas:DescribeDomainSecureRiskList | Queries risky websites. | DescribeDomainSecureRiskList
yundun-sas:DescribeDomainSecureAlarmList | Queries websites for which alerts are generated. | DescribeDomainSecureAlarmList
yundun-sas:DescribeDomainSecureVulList | Queries websites that have vulnerabilities. | DescribeDomainSecureVulList
yundun-sas:DescribeDomainSecureSuggests | Queries the website security reports and suggestions provided by Security Center. | DescribeDomainSecureSuggests
yundun-aegis:DescribeAssetDetailByUuid | Queries the details of a server based on a universally unique identifier (UUID). | DescribeAssetDetailByUuid

Vulnerabilities

Action | Description | Supported API operation
yundun-sas:DescribeVulWhitelist | Queries the vulnerabilities in the whitelist. The results are returned in pages. | DescribeVulWhitelist
yundun-sas:ModifyOperateVul | Manages a detected vulnerability. For example, you can verify, ignore, or fix a vulnerability. | ModifyOperateVul
yundun-sas:ModifyVulTargetConfig | Configures vulnerability detection settings on a server. | ModifyVulTargetConfig
yundun-aegis:DescribeConcernNecessity | Queries the priority of a vulnerability. | DescribeConcernNecessity
yundun-aegis:DescribeVulList | Queries vulnerabilities by type. | DescribeVulList
yundun-aegis:OperateVul | Manages a detected vulnerability. For example, you can verify, ignore, or fix a vulnerability. | OperateVul
yundun-aegis:DescribeImageVulList | Queries container image vulnerabilities detected by Security Center. | DescribeImageVulList
ecs:DescribeSnapshots | Queries all snapshots of an Elastic Compute Service (ECS) instance or a disk. | DescribeSnapshots
ecs:DescribeDisks | Queries disks. | DescribeDisks
ecs:CreateSnapshot | Creates snapshots for a specified disk. | CreateSnapshot
Note In most cases, each operation supported by a custom policy corresponds to one API operation of a cloud service.
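
As an added example that is not part of this page and not Alibaba Cloud's own tooling, the following Python script ties together the policy content from Step 1 and the action tables above. It assembles a custom policy from action names, refuses names that are not in the tables or that carry the wrong service prefix (the vulnerability list and fix operations are yundun-aegis actions, not yundun-sas), and evaluates whether a given action is permitted using RAM's precedence rule: an explicit Deny overrides any Allow, and an action that matches no statement is implicitly denied. The KNOWN_ACTIONS subset, the handling of the * wildcard in Action values, and case-sensitive matching are assumptions of this example; Resource is fixed to "*" and Condition elements are not modelled.

```python
"""Added example, not part of this page or of Alibaba Cloud's tooling.

Builds a Security Center custom policy from action names listed on this page
and evaluates it with RAM's precedence rule: explicit Deny beats Allow, and an
action that matches no statement is implicitly denied.  Only the Action and
Effect elements are evaluated; Resource is fixed to "*" and Condition is not
modelled.  Case-sensitive matching is an assumption of this example.
"""
import json
import re

# Actions taken from the "Operations supported by custom policies" tables on this
# page (a subset).  The service prefix matters: the vulnerability list and fix
# operations are yundun-aegis actions, while the whitelist query is yundun-sas.
KNOWN_ACTIONS = {
    "yundun-sas:DescribeCloudCenterInstances",
    "yundun-sas:DescribeFieldStatistics",
    "yundun-sas:DescribeCriteria",
    "yundun-sas:ModifyPushAllTask",
    "yundun-sas:DescribeVulWhitelist",
    "yundun-sas:ModifyOperateVul",
    "yundun-aegis:DescribeVulList",
    "yundun-aegis:OperateVul",
    "ecs:CreateSnapshot",
}


def build_policy(allow, deny=()):
    """Return a RAM policy dict (Version "1") for the given Allow/Deny actions.

    Literal action names must appear in KNOWN_ACTIONS; patterns containing '*'
    are accepted as-is, because RAM expands them at evaluation time.
    """
    unknown = sorted(a for a in (*allow, *deny)
                     if "*" not in a and a not in KNOWN_ACTIONS)
    if unknown:
        raise ValueError(f"unknown action(s), check the service prefix: {unknown}")
    statements = [{"Action": sorted(allow), "Resource": "*", "Effect": "Allow"}]
    if deny:
        statements.append({"Action": sorted(deny), "Resource": "*", "Effect": "Deny"})
    return {"Version": "1", "Statement": statements}


def action_matches(pattern, action):
    """True if a RAM action pattern (literal, or with '*' wildcards) covers action."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action) is not None


def is_allowed(policy, action):
    """Evaluate one action against the policy: Deny wins, no match means denied."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):        # RAM accepts a bare string or a list
            patterns = [patterns]
        if any(action_matches(p, action) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False                 # explicit Deny overrides any Allow
            allowed = True
    return allowed


if __name__ == "__main__":
    # Broad yundun-sas access plus the vulnerability list, with the bulk
    # security check explicitly denied even though the wildcard would allow it.
    policy = build_policy(
        allow=["yundun-sas:*", "yundun-aegis:DescribeVulList"],
        deny=["yundun-sas:ModifyPushAllTask"],
    )
    print(json.dumps(policy, indent=4))
    for act in ("yundun-sas:DescribeCriteria", "yundun-aegis:DescribeVulList",
                "yundun-aegis:OperateVul", "yundun-sas:ModifyPushAllTask"):
        print(f"{act}: {'allowed' if is_allowed(policy, act) else 'denied'}")
    try:
        build_policy(allow=["yundun-sas:DescribeVulList"])  # wrong service prefix
    except ValueError as exc:
        print("rejected:", exc)
```

Running the script prints the generated policy JSON in the same shape as the examples in Step 1, followed by one line per evaluated action; the last call shows the prefix check rejecting yundun-sas:DescribeVulList, the mismatch that is easiest to make when copying action names between the two service prefixes.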

References

Policy elements

Policy structure and syntax

Use RAM to limit the IP addresses used to access Alibaba Cloud resources

Use RAM to limit the time of access to Alibaba Cloud resources