The Control Policy feature allows you to manage the permission boundaries of the folders and member accounts in a resource directory in a centralized manner. It is built on the resource directory, and you can use it to define common or dedicated access control rules. The Control Policy feature does not grant permissions; it only defines permission boundaries. A RAM user or role in a member account can access resources only after it has been granted the required permissions in the Resource Access Management (RAM) service, and only within the boundary set by the control policies that apply to that member account.

Scenarios

After an enterprise creates a resource directory and creates member accounts for all departments, the enterprise must govern how these member accounts are used. Otherwise, operations and maintenance (O&M) rules may be violated, which results in security risks and unnecessary costs. The resource directory provides the Control Policy feature for this purpose. The enterprise formulates control policies in a centralized manner by using the enterprise management account of the resource directory, then attaches these policies to folders and member accounts in the resource directory. The policies control access to the resources within the member accounts, which keeps the environment compliant and the costs controllable. For example, a control policy can prevent member accounts from being used to register domain names or to delete log records.

Types of control policies

  • System control policy

    System control policies are automatically generated by the system. You can view but cannot create, modify, or delete these policies. After you enable the Control Policy feature, the system attaches a system control policy named FullAliyunAccess to all the folders and member accounts in your resource directory by default. This policy allows all operations on all your cloud resources.

  • Custom control policy

    Custom control policies are customized by users. You can create, modify, or delete these policies. After you create a custom control policy, you must attach the policy to folders or member accounts for the policy to take effect. If you no longer require the custom control policy, you can detach it from the folders or member accounts.

    Note You can set the Effect parameter only to Deny in a custom control policy. Because the system control policy FullAliyunAccess already allows all operations, a custom control policy can only carve exceptions out of that allowance; it cannot add permissions.

How it works

The Control Policy feature works in the following way:

  1. Use the enterprise management account of your resource directory to enable the Control Policy feature. For more information, see Enable the Control Policy feature.

    After the feature is enabled, the system attaches the system control policy FullAliyunAccess to all the folders and member accounts in your resource directory by default. This policy allows all operations on all your cloud resources. This prevents resource access failures caused by inappropriate control policy configurations.

  2. Use the enterprise management account to create control policies. For more information, see Create a custom control policy.
  3. Use the enterprise management account to attach the policies to specific folders or member accounts. For more information, see Attach a custom control policy.

    Control policies can be attached to all the folders or member accounts in your resource directory. If you attach a control policy to a folder, this policy also applies to all of its subfolders. For example, you attach Policy A to a folder and Policy B to one of its subfolders. In this case, both policies apply to the subfolder and all the member accounts in the subfolder.

    Note We recommend that you first attach a control policy to only a few folders or member accounts to ensure that the control policy can take effect as expected. If the control policy takes effect as expected, you can attach it to all the other folders or member accounts in your resource directory.
  4. When a RAM user or role of a member account accesses an Alibaba Cloud service, the system first matches the access request against the control policies and only then checks the permissions of the RAM user or role. The process works as follows:
    • The system evaluates control policies level by level from the bottom of the resource directory upward. Matching starts at the member account that owns the resource the RAM user or role wants to access and proceeds through each parent folder toward the Root folder.
    • If a Deny control policy matches at any level, matching stops, the permissions of the RAM user or role are not checked, and the request is denied.
    • If neither a Deny nor an Allow control policy matches at a level, matching also stops, the permissions of the RAM user or role are not checked, and the request is denied. This is the outcome when FullAliyunAccess has been detached from a folder or member account and no other Allow policy has replaced it.
    • If no Deny control policy matches but an Allow control policy matches, the system moves on to the control policies attached to the parent object. Matching ends at the Root folder. If the Root folder also passes, the whole resource directory passes, and only then does the system check the RAM permissions of the user or role. For more information, see Policy evaluation process.
    • Control policies do not apply to service-linked roles. For more information about service-linked roles, see Service-linked roles.
    • When a member account is accessed, the system evaluates both the control policies attached to the member account and the control policies attached to all of its parent folders. This ensures that a control policy attached to a folder takes effect on all member accounts in that folder and in all of its subfolders.
    Note The control policies that are configured within a resource directory also take effect for all the RAM users and roles of the resource accounts and cloud accounts in the resource directory.

Configure an existing custom control policy to allow access from specific Alibaba Cloud services

Custom control policies limit access to the resources of the member accounts to which they are attached. Because a custom control policy can only deny, every action it specifies is blocked for every principal in those member accounts, including the service roles that Alibaba Cloud services assume. As a result, some Alibaba Cloud services may fail to access the resources.

Alibaba Cloud services may use service roles to access the resources of your account in order to implement some features. If the permissions of such a service role are blocked by a control policy, the corresponding features of the service cannot be used. If this is exactly what you expect from the control policy, no further action is required. Otherwise, perform the following steps:

  1. Determine the name of the service role used by the service for which you do not want to control access.

    You can log on to the RAM console to view all the service roles of your account.

  2. Add the "acs:PrincipalARN" key to the Condition parameter in the document of the policy that blocks the service, and specify the role name that you determined as its value. With the StringNotLike operator, the Deny applies to every principal except the named role, so the service keeps its access while all other principals in the member account remain blocked. The following code provides an example:
    {
        "Statement": [
            {
                "Action": [
                    "ram:UpdateUser"
                ],
                "Resource": "*",
                "Effect": "Deny",
                "Condition": {
                    "StringNotLike": {
                        "acs:PrincipalARN": "acs:ram:*:*:role/<Name of the service role>"
                    }
                }
            }
        ],
        "Version": "1"
    }

    For more information about the syntax of control policies, see Control policy languages.
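The following Python script is an added illustration of the evaluation process described in step 4 of "How it works" and of the service-role exception above; it is not Alibaba Cloud's implementation and is not part of the original page. The resource directory layout, account IDs, folder names, principal ARNs and the role name ExampleServiceRole are constructed for the example. Policy wildcards are approximated with shell-style, case-sensitive globs, and only the StringLike and StringNotLike condition operators are modelled, which is all this page uses. The script walks from a member account up to the Root folder and shows four outcomes: a custom Deny on the account, a Deny inherited from a parent folder, the service-role exception carved out with acs:PrincipalARN, and the implicit deny that results when FullAliyunAccess has been detached.

```python
"""Simulate how control policies are evaluated for a request from a member account.

Added illustration, not Alibaba Cloud's implementation. The directory layout,
account IDs, policy documents, role name and ARNs below are constructed.
"""
import fnmatch

# Constructed resource directory:
#   Root -> fd-prod -> fd-prod-web -> acct-1234
#   Root -> fd-dev  -> acct-5678
PARENTS = {
    "acct-1234": "fd-prod-web", "fd-prod-web": "fd-prod", "fd-prod": "Root",
    "acct-5678": "fd-dev", "fd-dev": "Root",
    "Root": None,
}

# Hypothetical principals used in the requests below.
USER_ARN = "acs:ram::1234:user/alice"
SERVICE_ROLE_ARN = "acs:ram::1234:role/ExampleServiceRole"

# System control policy attached to every node when the feature is enabled.
FULL_ALIYUN_ACCESS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Custom control policies: Effect can only be Deny.
DENY_ECS_DELETE = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": ["ecs:DeleteInstance"], "Resource": "*"}]}

DENY_RAM_UPDATEUSER_EXCEPT_SERVICE_ROLE = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["ram:UpdateUser"], "Resource": "*",
    "Condition": {"StringNotLike": {
        "acs:PrincipalARN": "acs:ram:*:*:role/ExampleServiceRole"}}}]}

ATTACHMENTS = {
    "Root":        [FULL_ALIYUN_ACCESS],
    "fd-prod":     [FULL_ALIYUN_ACCESS, DENY_ECS_DELETE],  # inherited by fd-prod-web and acct-1234
    "fd-prod-web": [FULL_ALIYUN_ACCESS],
    "acct-1234":   [FULL_ALIYUN_ACCESS, DENY_RAM_UPDATEUSER_EXCEPT_SERVICE_ROLE],
    "fd-dev":      [FULL_ALIYUN_ACCESS],
    "acct-5678":   [],  # FullAliyunAccess detached: no Allow here, so every request is denied
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(value, patterns):
    # Simplification: policy wildcards are treated as case-sensitive shell globs.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Evaluate StringLike / StringNotLike conditions against the request context."""
    for operator, pairs in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, patterns in pairs.items():
            hit = _glob(ctx.get(key, ""), patterns)
            if (operator == "StringLike") != hit:
                return False
    return True


def evaluate_node(policies, action, resource, ctx):
    """Match one node's policies: a Deny wins, else Allow if any Allow hit, else NoMatch."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if (_glob(action, stmt["Action"]) and _glob(resource, stmt["Resource"])
                    and _condition_holds(stmt.get("Condition", {}), ctx)):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "NoMatch"


def control_policy_check(account_id, principal_arn, action, resource, service_linked_role=False):
    """Walk from the member account up to Root and return (passed, reason, deciding node).

    The RAM permission check would happen only when passed is True. A Deny, or a
    level with no matching Allow, ends evaluation and denies the request.
    """
    if service_linked_role:
        return True, "ServiceLinkedRole", None  # control policies do not apply to SLRs
    ctx = {"acs:PrincipalARN": principal_arn}
    node = account_id
    while node is not None:
        outcome = evaluate_node(ATTACHMENTS.get(node, []), action, resource, ctx)
        if outcome != "Allow":
            return False, outcome, node
        node = PARENTS[node]
    return True, "Allow", "Root"


if __name__ == "__main__":
    for args in [
        ("acct-1234", USER_ARN, "ram:UpdateUser", "*"),
        ("acct-1234", SERVICE_ROLE_ARN, "ram:UpdateUser", "*"),
        ("acct-1234", USER_ARN, "ecs:DeleteInstance", "acs:ecs:cn-hangzhou:1234:instance/i-example"),
        ("acct-5678", USER_ARN, "ecs:DescribeInstances", "*"),
    ]:
        print(args[0], args[2], "->", control_policy_check(*args))
```

Two things in the output are worth noticing. The request from acct-5678 is denied with reason NoMatch even though nothing explicitly denies it, which is the failure mode the page warns about when FullAliyunAccess is detached. And ecs:DeleteInstance from acct-1234 is denied at fd-prod, two levels above the account, which is why a policy attached to a folder should be tried on a small set of targets first.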

Limits

Item | Upper limit
Number of custom control policies that can be created in a resource directory | 1,500
Number of custom control policies that can be attached to each folder or member account | 10
Number of characters that each custom control policy can contain | 2,048

Alibaba Cloud services that support control policies

Alibaba Cloud service | Sub-service or sub-module | RAM code | Documentation for API operations
RAM | N/A | ram | List of API operations for RAM
RAM | N/A | ims | List of API operations for Identity Management Service (IMS)
Elastic Compute Service (ECS) | ECS | ecs | List of API operations for ECS
ECS | Elastic Block Storage (EBS) | ecs | List of API operations for ECS
ECS | Elastic GPU Service | ecs | List of API operations for ECS
ECS | ECS Bare Metal Instance | ecs | List of API operations for ECS
ECS | Super Computing Cluster | ecs | List of API operations for ECS
ECS | Dedicated Host | ecs | List of API operations for ECS
ECS | Alibaba Cloud Linux 2 | ecs | List of API operations for ECS
Auto Scaling | N/A | ess | List of API operations for Auto Scaling
Container Service | N/A | cs | None
Container Service for Kubernetes (ACK) | N/A | cs | List of API operations for ACK
Elastic High Performance Computing (E-HPC) | N/A | ehpc | List of API operations for E-HPC
Container Registry | N/A | cr | List of API operations for Container Registry
Elastic Cloud Desktop | Elastic Desktop Service (EDS) | ecd | List of API operations for EDS
Elastic Container Instance (ECI) | N/A | eci | List of API operations for ECI
ApsaraDB RDS | ApsaraDB RDS | rds | List of API operations for ApsaraDB RDS
ApsaraDB RDS | ApsaraDB RDS for MySQL | rds | List of API operations for ApsaraDB RDS for MySQL
ApsaraDB RDS | ApsaraDB RDS for SQL Server | rds | List of API operations for ApsaraDB RDS for SQL Server
ApsaraDB RDS | ApsaraDB RDS for PostgreSQL | rds | List of API operations for ApsaraDB RDS for PostgreSQL
ApsaraDB RDS | ApsaraDB RDS for PPAS | rds | List of API operations for ApsaraDB RDS for PPAS
ApsaraDB RDS | ApsaraDB for MyBase | rds | List of API operations for ApsaraDB for MyBase
ApsaraDB for Redis | N/A | kvstore | List of API operations for ApsaraDB for Redis
ApsaraDB for Memcache | N/A | kvstore | List of API operations for ApsaraDB for Memcache
ApsaraDB for MongoDB | N/A | mongodb | List of API operations for ApsaraDB for MongoDB
AnalyticDB for PostgreSQL | N/A | gpdb | List of API operations for AnalyticDB for PostgreSQL
HybridDB for MySQL (deprecated) | N/A | petadata | None
Data Transmission Service (DTS) | N/A | dts | None
Data Management | N/A | dms | List of API operations for Data Management
AnalyticDB for MySQL | N/A | adb | List of API operations for AnalyticDB for MySQL
ApsaraDB for HBase | N/A | hbase | List of API operations for ApsaraDB for HBase
Advanced Database & Application Migration | N/A | adam | None
Database Backup (DBS) | N/A | dbs | List of API operations for DBS
Database Autonomy Service (DAS) | N/A | hdm | None
Data Lake Analytics (DLA) | N/A | openanalytics | List of API operations for DLA
ApsaraDB for Cassandra | N/A | cassandra | List of API operations for ApsaraDB for Cassandra
LedgerDB | N/A | ledgerdb | List of API operations for LedgerDB
Database Gateway (in public preview) | N/A | dg | List of API operations for Database Gateway
Apsara File Storage NAS | N/A | nas | List of API operations for Apsara File Storage NAS
Cloud Storage Gateway (CSG) | N/A | hcs-sgw | None
Server Load Balancer (SLB) | SLB | slb | List of API operations for SLB
SLB | Application Load Balancer (ALB) | alb | List of API operations for SLB
Virtual Private Cloud (VPC) | N/A | vpc | List of API operations for VPC
Express Connect | N/A | vpc | List of API operations for Express Connect
NAT Gateway | N/A | vpc | List of API operations for NAT Gateway
VPN Gateway | N/A | vpc | List of API operations for VPN Gateway
EIP Bandwidth Plan | N/A | vpc | List of API operations for EIP Bandwidth Plan
Elastic IP Address (EIP) | N/A | eip | List of API operations for EIP
Global Accelerator | N/A | ga | List of API operations for Global Accelerator
Alibaba Cloud DNS PrivateZone | N/A | pvtz | List of API operations for Alibaba Cloud DNS PrivateZone
Cloud Enterprise Network (CEN) | N/A | cen | List of API operations for CEN
Smart Access Gateway (SAG) | N/A | smartag | List of API operations for SAG
PrivateLink | N/A | privatelink | List of API operations for PrivateLink
Cloud Shell | N/A | cloudshell | None
Cloud Config | N/A | config | List of API operations for Cloud Config
Enterprise Distributed Application Service (EDAS) | N/A | edas | List of API operations for EDAS
Alibaba Cloud Service Mesh (ASM) | N/A | servicemesh | None
Alibaba Cloud CDN | N/A | cdn | List of API operations for Alibaba Cloud CDN
ApsaraVideo VOD | N/A | vod | List of API operations for ApsaraVideo VOD
ApsaraVideo for Media Processing | N/A | mts | List of API operations for ApsaraVideo for Media Processing
P2P CDN (PCDN) | N/A | pcdn | None
Real-Time Communication | N/A | rtc | None
Dynamic Route for CDN (DCDN) | N/A | dcdn | List of API operations for DCDN
API Gateway | N/A | apigateway | None
Resource Management | Resource Management | resourcemanager | List of API operations for Resource Management
Resource Management | Tag | tag | List of API operations for Tag
CloudQuotation (CQ) | N/A | assettech | None
Domains | N/A | domain | List of API operations for Domains
Alibaba Cloud DNS | Alibaba Cloud DNS | alidns | List of API operations for Alibaba Cloud DNS
Blockchain as a Service (BaaS) | Decentralized Identity Service | baasdis | List of API operations for Decentralized Identity Service
Machine Learning Platform for AI | N/A | pai | None
Intelligent Speech Interaction | N/A | nls | None
IoT Platform | N/A | iot | List of API operations for IoT Platform
Link IoT Edge | N/A | iot | List of API operations for Link IoT Edge
ApsaraDB for Lindorm | Time Series Database (TSDB) | hitsdb | List of API operations for TSDB
DataV | N/A | datav | None
Hologres | N/A | hologram | None
Managed Security Service | N/A | mssp | None
Data Security Center (DSC) | N/A | yundun-sddp | List of API operations for DSC
Key Management Service (KMS) | N/A | kms | List of API operations for KMS
Bastionhost | Bastionhost | yundun-bastionhost | List of API operations for Bastionhost
Identity as a Service (IDaaS) | N/A | yundun-idaas | None
Anti-DDoS | Anti-DDoS | yundun-ddos | List of API operations for Anti-DDoS
Anti-DDoS | Anti-DDoS Pro and Anti-DDoS Premium | yundun-high | List of API operations for Anti-DDoS Pro and Anti-DDoS Premium
GameShield | N/A | yundun-gameshield | None
Cloud Firewall | N/A | yundun-cloudfirewall | List of API operations for Cloud Firewall
Web Application Firewall (WAF) | WAF | yundun-waf | List of API operations for WAF
SSL Certificates Service | N/A | yundun-cert | List of API operations for SSL Certificates Service
Content Moderation | N/A | yundun-greenweb | List of API operations for Content Moderation
Security Center | N/A | yundun-sas | List of API operations for Security Center
Data Encryption Service | N/A | yundun-hsm | None
Marketplace | N/A | acm | None
Message Center | N/A | notifications | None
Support and Services | N/A | support, workorder | List of API operations for Support and Services
Billing Management | N/A | bss, bssapi, efc | None
CloudMonitor | N/A | cms | List of API operations for CloudMonitor
ActionTrail | N/A | actiontrail | List of API operations for ActionTrail