This topic describes how to create custom policies that define a set of permissions on Security Center and attach the custom policies to Resource Access Management (RAM) users. RAM users that have different policies attached can have permissions on different features of Security Center. This enables fine-grained access control.
Prerequisites
Background information
AliyunYundunSASFullAccess and AliyunYundunSASReadOnlyAccess. If you attach AliyunYundunSASFullAccess to a RAM user, the user has all permissions
on Security Center. If you attach AliyunYundunSASReadOnlyAccess to a RAM user, the
user has read-only permissions on Security Center.
To enable fine-grained access control for cloud services, you can create custom RAM policies and attach the policies to RAM users.
This topic uses examples to describe how to create custom policies that define a set of permissions on Security Center and attach the policies to RAM users. For more information about RAM policies, see Policy structure and syntax. For more information about basic concepts used in RAM, see Terms.
Step 1: Create custom policies that define a set of permissions on Security Center
- In Configuration Mode, select Script and edit the policy content.
Common custom policies:- Assets
- Create custom policies that define read-only permissions on the Assets page
The following custom policy defines permissions to view assets and server statistics on the Assets page. In the Action field,
yundun-sas:DescribeCloudCenterInstances,yundun-sas:DescribeFieldStatistics, andyundun-sas:DescribeCriteriaare added to grant permissions. To attach the policy to RAM users, perform the operations described in Step 2.{ "Version": "1", "Statement": [ { "Action": [ "yundun-sas:DescribeCloudCenterInstances", "yundun-sas:DescribeFieldStatistics", "yundun-sas:DescribeCriteria" ], "Resource": "*", "Effect": "Allow" } ] } - Create a custom policy that defines permissions to start security checks on the Assets
page
The following custom policy defines permissions to start security checks on the Assets page. In the Action field,
yundun-sas:ModifyPushAllTaskis added to grant permissions. To attach the policy to RAM users, perform the operations described in Step 2.{ "Version": "1", "Statement": [ { "Action": "yundun-sas:ModifyPushAllTask", "Resource": "*", "Effect": "Allow" } ] }
- Create custom policies that define read-only permissions on the Assets page
- Vulnerabilities
- Create a custom policy that defines read-only permissions on the Vulnerabilities page
The following custom policy defines permissions to view vulnerabilities and a whitelist of vulnerabilities on the Vulnerabilities page. In the Action field,
yundun-sas:DescribeVulListandyundun-sas:DescribeVulWhitelistare added to grant permissions. To attach the policy to RAM users, perform the operations described in Step 2.{ "Version": "1", "Statement": [ { "Action": [ "yundun-aegis:DescribeVulList", "yundun-sas:DescribeVulWhitelist" ], "Resource": "*", "Effect": "Allow" } ] } - Create a custom policy that defines permissions to fix vulnerabilities
The following custom policy defines permissions to fix vulnerabilities. In the Action field,
yundun-aegis:OperateVulis added to grant permissions. To attach the policy to RAM users, perform the operations described in Step 2.{ "Version": "1", "Statement": [ { "Action": "yundun-aegis:OperateVul", "Resource": "*", "Effect": "Allow" } ] }
- Create a custom policy that defines read-only permissions on the Vulnerabilities page
- Assets
Step 2: Attach custom policies to RAM users
- In the Select Policy section, select Custom Policy, and then select custom policies that you have created in Step 1: Create custom policies that define a set of permissions on Security Center.
Operations supported by custom policies
The following tables list custom policies that define permissions on the Assets and Vulnerabilities pages of Security Center.
| Action | Description | Supported API operation |
|---|---|---|
| yundun-sas:DescribeCloudCenterInstances | Queries information about assets, including asset types, alerts, and the Security Center agent status. | DescribeCloudCenterInstances |
| yundun-sas:DescribeFieldStatistics | Queries the statistics of assets. | DescribeFieldStatistics |
| yundun-sas:DescribeCriteria | Queries the search conditions that can be specified to query assets. | DescribeCriteria |
| yundun-sas:ModifyPushAllTask | Starts all security checks. | ModifyPushAllTask |
| yundun-sas:DescribeDomainCount | Queries the number of domain assets that are protected by Security Center. | DescribeDomainCount |
| yundun-sas:DeleteGroup | Deletes an asset group. | DeleteGroup |
| yundun-sas:DescribeVolDingdingMessage | Queries the QR code of a DingTalk group where you can receive notifications. | DescribeVolDingdingMessage |
| yundun-sas:DescribeSearchCondition | Queries search conditions. | DescribeSearchCondition |
| yundun-sas:DescribeSasAssetStatisticsColumn | Queries the asset information based on the displayed columns on the Server tab. | DescribeSasAssetStatisticsColumn |
| yundun-sas:DescribeImageStatistics | Queries the number of risky container images. | DescribeImageStatistics |
| yundun-sas:DescribeGroupedTags | Queries the tags of assets. | DescribeGroupedTags |
| yundun-sas:DescribeDomainCount | Queries the number of domain assets that are protected by Security Center. | DescribeDomainCount |
| yundun-sas:DescribeCloudProductFieldStatistics | Queries cloud services that are protected by Security Center. | DescribeCloudProductFieldStatistics |
| yundun-sas:DescribeCloudCenterInstances | Queries information about assets, including asset types, alerts, and the Security Center agent status. | DescribeCloudCenterInstances |
| yundun-sas:DescribeAllGroups | Queries all server groups. | DescribeAllGroups |
| yundun-sas:DeleteGroup | Deletes an asset group. | DeleteGroup |
| yundun-sas:CreateOrUpdateAssetGroup | Modifies the relationship between an asset and an asset group. | CreateOrUpdateAssetGroup |
| yundun-sas:DescribeInstanceStatistics | Queries the risk information of assets. | DescribeInstanceStatistics |
| yundun-sas:AddTagWithUuid | Adds tags to specific assets. | AddTagWithUuid |
| yundun-sas:DeleteTagWithUuid | Removes tags from assets. | DeleteTagWithUuid |
| yundun-sas:PauseClient | Starts or pauses the Security Center agent. | PauseClient |
| yundun-sas:ModifyTagWithUuid | Modifies the relationship between a tag and an asset. | ModifyTagWithUuid |
| yundun-sas:ModifyAssetImportant | Modifies the importance of assets. | ModifyAssetImportant |
| yundun-sas:DescribeSasAssetStatisticsColumn | Queries the asset information based on the displayed columns on the Server tab. | DescribeSasAssetStatisticsColumn |
| yundun-sas:RefreshAssets | Synchronizes the data of all assets. | RefreshAssets |
| yundun-sas:ExportRecord | Exports baseline check results, asset fingerprints, and AccessKey leak information to Excel files. | ExportRecord |
| yundun-sas:DescribeExportInfo | Queries the progress of a task that exports asset information. | DescribeExportInfo |
| yundun-sas:DescribeIpTags | Queries the tags of IP addresses. | DescribeIpTags |
| yundun-sas:DescribeDomainList | Queries domain assets. | DescribeDomainList |
| yundun-sas:DescribeDomainDetail | Queries the details of a domain asset. | DescribeDomainDetail |
| yundun-sas:DescribeDomainSecureScore | Queries the security score of a website. | DescribeDomainSecureScore |
| yundun-sas:DescribeDomainSecureStatistics | Queries the risk information of a website. | DescribeDomainSecureStatistics |
| yundun-sas:DescribeDomainSecureRiskList | Queries risky websites. | DescribeDomainSecureRiskList |
| yundun-sas:DescribeDomainSecureAlarmList | Queries websites for which alerts are generated. | DescribeDomainSecureAlarmList |
| yundun-sas:DescribeDomainSecureVulList | Queries websites that have vulnerabilities. | DescribeDomainSecureVulList |
| yundun-sas:DescribeDomainSecureSuggests | Queries the website security reports and suggestions provided by Security Center. | DescribeDomainSecureSuggests |
| yundun-aegis:DescribeAssetDetailByUuid | Queries the details of a server based on a universally unique identifier (UUID). | DescribeAssetDetailByUuid |
| Action | Description | Supported API operation |
|---|---|---|
| yundun-sas:DescribeVulWhitelist | Queries the vulnerabilities in the whitelist. The vulnerabilities are listed in pages. | DescribeVulWhitelist |
| yundun-sas:ModifyOperateVul | Manages a detected vulnerability. For example, you can verify, ignore, or fix a vulnerability. | ModifyOperateVul |
| yundun-sas:ModifyVulTargetConfig | Configures vulnerability detection settings on a server. | ModifyVulTargetConfig |
| yundun-aegis:DescribeConcernNecessity | Queries the priority of a vulnerability. | DescribeConcernNecessity |
| yundun-aegis:DescribeVulList | Queries vulnerabilities by type. | DescribeVulList |
| yundun-aegis:OperateVul | Manages a detected vulnerability. For example, you can verify, ignore, or fix a vulnerability. | OperateVul |
| yundun-aegis:DescribeImageVulList | Queries container image vulnerabilities detected by Security Center. | DescribeImageVulList |
| ecs:DescribeSnapshots | Queries all snapshots of an Elastic Compute Service (ECS) instance or a disk. | DescribeSnapshots |
| ecs:DescribeDisks | Queries disks. | DescribeDisks |
| ecs:CreateSnapshot | Creates snapshots for a specified disk. | CreateSnapshot |
References
Use RAM to limit the IP addresses used to access Alibaba Cloud resources
Use RAM to limit the time of access to Alibaba Cloud resources