Before you create or update a custom access control policy, you must understand the basic elements and usage rules of the languages for access control policies.

Elements

Element     Description
Effect      Specifies whether an access control policy results in an explicit allow or an explicit deny. Valid values: Allow and Deny.
            Note You can set Effect only to Deny for custom access control policies.
Action      Describes one or more operations that are allowed or not allowed for a resource.
Resource    Specifies one or more objects that an access control policy covers.
Condition   Specifies the conditions that are required for an access control policy to take effect.

Rules for using policy elements

  • Effect

    Valid values are Allow and Deny.

    Note You can set Effect only to Deny for custom access control policies.

    Example: "Effect": "Deny".

  • Action

    You can specify multiple values for this element. Valid values are the names of API operations from Alibaba Cloud services.

    Note In most cases, each Alibaba Cloud service has its own set of API operations. For more information, see the documentation of each Alibaba Cloud service.

    Syntax: <ram-code>:<action-name>.

    • ram-code: the Resource Access Management (RAM) code of an Alibaba Cloud service. For more information about the RAM code of each Alibaba Cloud service, see the RAM code column in Alibaba Cloud services that support control policies.
    • action-name: the names of API operations.

    Example: "Action": ["actiontrail:DeleteTrail", "ecs:DeleteInstance*"].

  • Resource

    Specifies one or more objects that an access control policy covers.

    Syntax: acs:<ram-code>:<region>:<account-id>:<relative-id>. The syntax is the same as the format of an Alibaba Cloud Resource Name (ARN).

    • acs: the abbreviation of Alibaba Cloud Service, which indicates the public cloud offerings of Alibaba Cloud.
    • ram-code: the RAM code of an Alibaba Cloud service. For more information about the RAM code of each Alibaba Cloud service, see the RAM code column in Alibaba Cloud services that support control policies.
    • region: the region where the service resides. You can specify an asterisk (*) for this field.
    • account-id: the ID of an Alibaba Cloud account. Example: 123456789012****. You can specify an asterisk (*) for this field.
    • relative-id: the ID of the service-related resource. The meaning of this field varies by service. The format of the relative-id field is similar to a file path.

    Example: "Resource": ["acs:ecs:*:*:instance/inst-001", "acs:ecs:*:*:instance/inst-002"].

  • Condition

    A condition block contains one or more conditions. Each condition consists of a condition operator, one or more condition keys, and the values of those keys.

    Evaluation logic

    • You can specify one or more values for a condition key. If the value in a request matches one of the values, the condition is met.
    • You can specify one or more condition keys for a single condition operator in a condition. The condition is met only if all the requirements for the keys are met.
    • A condition block is met only if all of its conditions are met.

    Condition operators

    Condition operators can be classified into the following categories: string, numeric, date and time, Boolean, and IP address.

    Category        Condition operators
    String          StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike
    Numeric         NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals
    Date and time   DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals
    Boolean         Bool
    IP address      IpAddress, NotIpAddress

    Condition keys

    • The syntax of a common condition key is acs:<condition-key>.

      Common condition key   Category        Description
      acs:CurrentTime        Date and time   The time when the web server receives a request. Specify the time in the ISO 8601 format. Example: 2012-11-11T23:59:59Z.
      acs:SecureTransport    Boolean         Specifies whether a secure channel, such as HTTPS, is used to send a request.
      acs:SourceIp           IP address      The IP address of the client that sends a request.
                                             Note If you specify only one value for the acs:SourceIp key, the value must be a specific IP address, such as 10.0.0.1. CIDR blocks such as 10.0.0.1/32 cannot be used.
      acs:MFAPresent         Boolean         Specifies whether a user completes multi-factor authentication (MFA) during logon.
      acs:PrincipalARN       String          Specifies the identity of the principal that performs an operation. Example: acs:ram:*:*:role/*resourcedirectory*.
                                             Note You can specify an ARN only for a specified RAM role. The name can contain only lowercase letters. You can view the ARN of a RAM role on the role details page in the RAM console.

    • The syntax of a condition key that is specific to an Alibaba Cloud service is <ram-code>:<condition-key>.

      Service-specific condition key   Alibaba Cloud service   Category   Description
      ecs:tag/<tag-key>                ECS                     String     The tag key of Elastic Compute Service (ECS) resources. This key can be customized.
      rds:ResourceTag/<tag-key>        RDS                     String     The tag key of ApsaraDB RDS resources. This key can be customized.
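The following is an added example, not code from the Alibaba Cloud documentation and not Alibaba Cloud's evaluation engine: a small evaluator that applies the three condition rules above (any listed value for a key, every key under an operator, every operator in the block) to a constructed Deny-only policy. Glob-style matching of Action and Resource wildcards and the behaviour for a key absent from the request are assumptions.

```python
import fnmatch
import ipaddress

# Constructed sample policy (not from the page): deny ECS instance deletion without MFA from
# outside the listed CIDRs. Two values are listed since a lone acs:SourceIp value must be one IP.
POLICY = {"Statement": [{
    "Effect": "Deny",
    "Action": ["ecs:DeleteInstance*"],
    "Resource": ["acs:ecs:*:*:instance/*"],
    "Condition": {"Bool": {"acs:MFAPresent": ["false"]},
                  "NotIpAddress": {"acs:SourceIp": ["10.0.0.0/8", "192.168.0.0/16"]}},
}]}

# Positive operators; "Not" variants are derived in key_met: met only when NO listed value matches.
POSITIVE = {
    "StringEquals": lambda a, e: a == e,
    "StringEqualsIgnoreCase": lambda a, e: a.lower() == e.lower(),
    "StringLike": lambda a, e: fnmatch.fnmatchcase(a, e),
    "Bool": lambda a, e: str(a).lower() == str(e).lower(),
    "IpAddress": lambda a, e: ipaddress.ip_address(a) in ipaddress.ip_network(e, strict=False),
}
NEGATED = {"StringNotEquals": "StringEquals", "StringNotEqualsIgnoreCase": "StringEqualsIgnoreCase",
           "StringNotLike": "StringLike", "NotIpAddress": "IpAddress"}

def key_met(op, ctx, key, values):
    """Rule 1: a key is met when the request value matches one of the listed values.
    A key that is absent from the request context is never met (assumption)."""
    if key not in ctx:
        return False
    hit = any(POSITIVE[NEGATED.get(op, op)](ctx[key], v) for v in values)
    return not hit if op in NEGATED else hit

def condition_block_met(block, ctx):
    """Rules 2 and 3: every key under an operator, and every operator in the block, must be met."""
    return all(key_met(op, ctx, key, values)
               for op, keys in block.items() for key, values in keys.items())

def evaluate(policy, action, resource, ctx):
    """Return "Deny" when a statement matches, else None (control policy has no opinion)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            raise ValueError("custom control policies may only use Effect=Deny")
        if not any(fnmatch.fnmatchcase(action, a) for a in st["Action"]):
            continue  # glob-style wildcard matching for Action is an assumption
        if not any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"]):
            continue  # same assumption for Resource ARNs
        if condition_block_met(st.get("Condition", {}), ctx):
            return "Deny"
    return None
```

A None result means the control policy does not block the request; whether it is ultimately allowed is then decided by the RAM permission policies.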

References

The syntax and structure of access control policies are similar to the permission policies in RAM. For more information, see Policy structure and syntax.