This topic describes how to create custom policies that grant a set of permissions on Security Center and attach them to Resource Access Management (RAM) users. By attaching different policies to different RAM users, you grant each user permissions on only the Security Center features that the user needs, which enables fine-grained access control.
Prerequisites
Background information
RAM provides two system policies for Security Center: AliyunYundunSASFullAccess and AliyunYundunSASReadOnlyAccess. If you attach AliyunYundunSASFullAccess to a RAM user, the user has all permissions on Security Center. If you attach AliyunYundunSASReadOnlyAccess to a RAM user, the user has read-only permissions on Security Center.
If the system policies are too coarse for your needs, you can create custom RAM policies that list only the actions a user requires and attach the policies to RAM users. This enables fine-grained access control for cloud services.
This topic uses examples to describe how to create custom policies that define a set of permissions on Security Center and attach the policies to RAM users. For more information about RAM policies, see Policy structure and syntax. For more information about basic concepts used in RAM, see Terms.
Step 1: Create custom policies that define a set of permissions on Security Center
Step 2: Attach custom policies to RAM users
Operations supported by custom policies
The following tables list the actions that a custom policy can grant for the Assets page and the Vulnerabilities page of Security Center. The Action column gives the value to use in the Action element of a custom policy, and the Supported API operation column gives the API operation that the action authorizes.
Assets page
Action | Description | Supported API operation |
---|---|---|
yundun-sas:DescribeCloudCenterInstances | Queries information about assets, including asset types, alerts, and the Security Center agent status. | DescribeCloudCenterInstances |
yundun-sas:DescribeFieldStatistics | Queries the statistics of assets. | DescribeFieldStatistics |
yundun-sas:DescribeCriteria | Queries the search conditions that can be specified to query assets. | DescribeCriteria |
yundun-sas:ModifyPushAllTask | Starts all security checks. | ModifyPushAllTask |
yundun-sas:DescribeDomainCount | Queries the number of domain assets that are protected by Security Center. | DescribeDomainCount |
yundun-sas:DeleteGroup | Deletes an asset group. | DeleteGroup |
yundun-sas:DescribeVolDingdingMessage | Queries the QR code of a DingTalk group where you can receive notifications. | DescribeVolDingdingMessage |
yundun-sas:DescribeSearchCondition | Queries search conditions. | DescribeSearchCondition |
yundun-sas:DescribeSasAssetStatisticsColumn | Queries the asset information based on the displayed columns on the Server tab. | DescribeSasAssetStatisticsColumn |
yundun-sas:DescribeImageStatistics | Queries the number of risky container images. | DescribeImageStatistics |
yundun-sas:DescribeGroupedTags | Queries the tags of assets. | DescribeGroupedTags |
yundun-sas:DescribeCloudProductFieldStatistics | Queries cloud services that are protected by Security Center. | DescribeCloudProductFieldStatistics |
yundun-sas:DescribeAllGroups | Queries all server groups. | DescribeAllGroups |
yundun-sas:CreateOrUpdateAssetGroup | Modifies the relationship between an asset and an asset group. | CreateOrUpdateAssetGroup |
yundun-sas:DescribeInstanceStatistics | Queries the risk information of assets. | DescribeInstanceStatistics |
yundun-sas:AddTagWithUuid | Adds tags to specific assets. | AddTagWithUuid |
yundun-sas:DeleteTagWithUuid | Removes tags from assets. | DeleteTagWithUuid |
yundun-sas:PauseClient | Starts or pauses the Security Center agent. | PauseClient |
yundun-sas:ModifyTagWithUuid | Modifies the relationship between a tag and an asset. | ModifyTagWithUuid |
yundun-sas:ModifyAssetImportant | Modifies the importance of assets. | ModifyAssetImportant |
yundun-sas:RefreshAssets | Synchronizes the data of all assets. | RefreshAssets |
yundun-sas:ExportRecord | Exports baseline check results, asset fingerprints, and AccessKey leak information to Excel files. | ExportRecord |
yundun-sas:DescribeExportInfo | Queries the progress of a task that exports asset information. | DescribeExportInfo |
yundun-sas:DescribeIpTags | Queries the tags of IP addresses. | DescribeIpTags |
yundun-sas:DescribeDomainList | Queries domain assets. | DescribeDomainList |
yundun-sas:DescribeDomainDetail | Queries the details of a domain asset. | DescribeDomainDetail |
yundun-sas:DescribeDomainSecureScore | Queries the security score of a website. | DescribeDomainSecureScore |
yundun-sas:DescribeDomainSecureStatistics | Queries the risk information of a website. | DescribeDomainSecureStatistics |
yundun-sas:DescribeDomainSecureRiskList | Queries risky websites. | DescribeDomainSecureRiskList |
yundun-sas:DescribeDomainSecureAlarmList | Queries websites for which alerts are generated. | DescribeDomainSecureAlarmList |
yundun-sas:DescribeDomainSecureVulList | Queries websites that have vulnerabilities. | DescribeDomainSecureVulList |
yundun-sas:DescribeDomainSecureSuggests | Queries the website security reports and suggestions provided by Security Center. | DescribeDomainSecureSuggests |
yundun-aegis:DescribeAssetDetailByUuid | Queries the details of a server based on a universally unique identifier (UUID). | DescribeAssetDetailByUuid |
Vulnerabilities page
Action | Description | Supported API operation |
---|---|---|
yundun-sas:DescribeVulWhitelist | Queries the vulnerabilities in the whitelist. The vulnerabilities are listed in pages. | DescribeVulWhitelist |
yundun-sas:ModifyOperateVul | Manages a detected vulnerability. For example, you can verify, ignore, or fix a vulnerability. | ModifyOperateVul |
yundun-sas:ModifyVulTargetConfig | Configures vulnerability detection settings on a server. | ModifyVulTargetConfig |
yundun-aegis:DescribeConcernNecessity | Queries the priority of a vulnerability. | DescribeConcernNecessity |
yundun-aegis:DescribeVulList | Queries vulnerabilities by type. | DescribeVulList |
yundun-aegis:OperateVul | Manages a detected vulnerability. For example, you can verify, ignore, or fix a vulnerability. | OperateVul |
yundun-aegis:DescribeImageVulList | Queries container image vulnerabilities detected by Security Center. | DescribeImageVulList |
ecs:DescribeSnapshots | Queries all snapshots of an Elastic Compute Service (ECS) instance or a disk. | DescribeSnapshots |
ecs:DescribeDisks | Queries disks. | DescribeDisks |
ecs:CreateSnapshot | Creates snapshots for a specified disk. | CreateSnapshot |
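The following is an added example, not code from the Security Center documentation. It builds two custom policy documents from the action names in the tables above and then evaluates sample requests against them with the rule RAM applies: an explicit Deny overrides any Allow, and an action that no statement allows is denied. The document structure ("Version": "1", a Statement list with Effect, Action and Resource) is the RAM policy syntax described in Policy structure and syntax; the policy names READONLY_POLICY and VUL_OPERATOR_POLICY, the split into a read-only role and a vulnerability-operator role, and the sample requests are assumptions made for illustration.

```python
"""Added example: build custom Security Center policies from the action tables
and simulate how RAM evaluates them. Not part of the Security Center docs."""
import json
import re

# Action names copied from the tables above. A literal action that is not in
# this set is almost certainly a typo, and a mistyped action grants nothing.
SUPPORTED_ACTIONS = {
    "yundun-sas:DescribeCloudCenterInstances", "yundun-sas:DescribeFieldStatistics",
    "yundun-sas:DescribeCriteria", "yundun-sas:ModifyPushAllTask",
    "yundun-sas:DescribeDomainCount", "yundun-sas:DeleteGroup",
    "yundun-sas:DescribeVolDingdingMessage", "yundun-sas:DescribeSearchCondition",
    "yundun-sas:DescribeSasAssetStatisticsColumn", "yundun-sas:DescribeImageStatistics",
    "yundun-sas:DescribeGroupedTags", "yundun-sas:DescribeCloudProductFieldStatistics",
    "yundun-sas:DescribeAllGroups", "yundun-sas:CreateOrUpdateAssetGroup",
    "yundun-sas:DescribeInstanceStatistics", "yundun-sas:AddTagWithUuid",
    "yundun-sas:DeleteTagWithUuid", "yundun-sas:PauseClient",
    "yundun-sas:ModifyTagWithUuid", "yundun-sas:ModifyAssetImportant",
    "yundun-sas:RefreshAssets", "yundun-sas:ExportRecord",
    "yundun-sas:DescribeExportInfo", "yundun-sas:DescribeIpTags",
    "yundun-sas:DescribeDomainList", "yundun-sas:DescribeDomainDetail",
    "yundun-sas:DescribeDomainSecureScore", "yundun-sas:DescribeDomainSecureStatistics",
    "yundun-sas:DescribeDomainSecureRiskList", "yundun-sas:DescribeDomainSecureAlarmList",
    "yundun-sas:DescribeDomainSecureVulList", "yundun-sas:DescribeDomainSecureSuggests",
    "yundun-aegis:DescribeAssetDetailByUuid", "yundun-sas:DescribeVulWhitelist",
    "yundun-sas:ModifyOperateVul", "yundun-sas:ModifyVulTargetConfig",
    "yundun-aegis:DescribeConcernNecessity", "yundun-aegis:DescribeVulList",
    "yundun-aegis:OperateVul", "yundun-aegis:DescribeImageVulList",
    "ecs:DescribeSnapshots", "ecs:DescribeDisks", "ecs:CreateSnapshot",
}


def _describe_actions():
    """Every Describe* action in the tables, i.e. the read-only subset."""
    return sorted(a for a in SUPPORTED_ACTIONS if a.split(":", 1)[1].startswith("Describe"))


# Assumed policy name: read-only access to the Assets and Vulnerabilities pages.
# The actions are listed explicitly so the grant is auditable; "yundun-sas:*"
# would also cover DeleteGroup, PauseClient and every action added later.
READONLY_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": _describe_actions(), "Resource": "*"}],
}

# Assumed policy name: a vulnerability operator. The Allow is broad, so the
# Deny statement is what keeps the user away from asset groups and the agent.
VUL_OPERATOR_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["yundun-sas:*", "yundun-aegis:*",
                    "ecs:DescribeSnapshots", "ecs:DescribeDisks", "ecs:CreateSnapshot"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["yundun-sas:DeleteGroup", "yundun-sas:PauseClient"],
         "Resource": "*"},
    ],
}


def _actions(stmt):
    """Action may be a string or a list; normalize to a list."""
    return stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]


def _matches(pattern, action):
    """Match one Action entry against a requested action; '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None


def evaluate(policy, action):
    """Return 'Allow' or 'Deny' for one action under one policy document.
    Rule: an explicit Deny wins over any Allow; no matching statement means Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if any(_matches(p, action) for p in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def unknown_actions(policy):
    """Literal (non-wildcard) actions in the policy that the tables above do not list."""
    literal = {a for s in policy["Statement"] for a in _actions(s) if "*" not in a}
    return sorted(literal - SUPPORTED_ACTIONS)


if __name__ == "__main__":
    print(json.dumps(READONLY_POLICY, indent=2))  # the document to paste into the RAM console
    for name, policy in (("READONLY_POLICY", READONLY_POLICY),
                         ("VUL_OPERATOR_POLICY", VUL_OPERATOR_POLICY)):
        assert not unknown_actions(policy), unknown_actions(policy)
        for action in ("yundun-sas:DescribeCloudCenterInstances",
                       "yundun-sas:ModifyOperateVul", "yundun-sas:DeleteGroup",
                       "ecs:CreateSnapshot"):
            print(f"{name:20} {action:42} {evaluate(policy, action)}")
```

Two points the simulation makes visible before you attach anything in the console: a wildcard such as yundun-sas:* also grants DeleteGroup and PauseClient unless a Deny statement excludes them, and the Vulnerabilities table lists ecs:DescribeSnapshots, ecs:DescribeDisks and ecs:CreateSnapshot, so a policy that grants only yundun-sas and yundun-aegis actions does not authorize those ECS operations. The unknown_actions check catches a mistyped action name, which RAM accepts silently as a grant that never matches anything.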
References
Use RAM to limit the IP addresses used to access Alibaba Cloud resources
Use RAM to limit the time of access to Alibaba Cloud resources