Before you create or update a custom control policy, you must understand the basic elements and usage rules of control policy languages.
| Element | Description |
| --- | --- |
| Effect | Specifies whether a control policy results in an explicit allow or an explicit deny. Valid values: Allow and Deny. Note: You can set Effect for custom control policies only to Deny. |
| Action | Describes one or more operations that are allowed or denied. |
| Resource | Specifies one or more objects that the control policy covers. |
| Condition | Specifies the conditions that are required for a policy to take effect. |
Rules for using policy elements
Effect

Valid values are Allow and Deny. Note: You can set Effect for custom control policies only to Deny.

Action

You can specify multiple values for this element. Valid values are the names of API operations from Alibaba Cloud services, written as the service name and the operation name separated by a colon:

- service-name: the RAM (Resource Access Management) code. For more information about the RAM code that corresponds to each cloud service, see Cloud services that support control policies.
- action-name: the name of the API operation.

Note: In most cases, each Alibaba Cloud service has its own set of API operations. For more information about cloud services that support control policies, see Cloud services that support control policies.

Example:

"Action": ["actiontrail:DeleteTrail", "ecs:DeleteInstance*"]

Resource

Specifies one or more objects that the control policy covers. Each value is written as acs:<service-name>:<region>:<account-id>:<relative-id>. The syntax is the same as the format of an Alibaba Cloud Resource Name (ARN).

- acs: the abbreviation of Alibaba Cloud Service, which indicates the public cloud offerings of Alibaba Cloud.
- service-name: the RAM code. For more information about the RAM code that corresponds to each cloud service, see Cloud services that support control policies.
- region: the region information. You can enter an asterisk (*) for this field.
- account-id: the Alibaba Cloud account ID. Example: 123456789012****. You can specify an asterisk (*) for this field.
- relative-id: the ID of the service-related resource. The meaning of this field varies by service. The format of the relative-id field is similar to a file path.

Example:

"Resource": ["acs:ecs:*:*:instance/inst-001", "acs:ecs:*:*:instance/inst-002"]
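The rules for Effect, Action and Resource can be checked mechanically before a policy is submitted. The following Python validator is an added example, not code from the Alibaba Cloud documentation: it applies exactly the three rules stated above (Effect must be Deny, Action values are service-name:action-name, Resource values are acs:<service-name>:<region>:<account-id>:<relative-id>). It assumes the policy document carries a top-level "Statement" list, as RAM policies do; the sample policies at the bottom are constructed for the example.

```python
"""Check the element rules of an Alibaba Cloud custom control policy.

Added example, not code from the Alibaba Cloud documentation. It applies the
rules stated for the Effect, Action and Resource elements:
  - Effect of a custom control policy must be Deny
  - each Action value is written as service-name:action-name
  - each Resource value is an ARN: acs:<service-name>:<region>:<account-id>:<relative-id>
Assumption: the policy document carries a top-level "Statement" list, as RAM
policies do. The sample policies at the bottom are constructed for this example.
"""
import json
import re

# service-name is a RAM code (lowercase); action-name may end in a wildcard, e.g. DeleteInstance*
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")
# acs:<service-name>:<region>:<account-id>:<relative-id>; region and account-id may be "*"
RESOURCE_RE = re.compile(r"^acs:[a-z0-9-]+:(\*|[a-z0-9-]+):(\*|[0-9*]+):.+$")


def _as_list(value):
    """Action and Resource accept either one string or a list of strings."""
    if isinstance(value, str):
        return [value]
    return value if isinstance(value, list) else []


def validate_statement(stmt, index=0):
    """Return a list of rule violations for one statement (empty list if it is valid)."""
    errors = []
    where = f"Statement[{index}]"
    if stmt.get("Effect") != "Deny":
        errors.append(f"{where}.Effect must be Deny in a custom control policy, got {stmt.get('Effect')!r}")

    actions = _as_list(stmt.get("Action"))
    if not actions:
        errors.append(f"{where}.Action is missing or empty")
    for action in actions:
        if not isinstance(action, str) or not ACTION_RE.match(action):
            errors.append(f"{where}.Action {action!r} is not of the form service-name:action-name")

    resources = _as_list(stmt.get("Resource"))
    if not resources:
        errors.append(f"{where}.Resource is missing or empty")
    for resource in resources:
        if not isinstance(resource, str) or not RESOURCE_RE.match(resource):
            errors.append(f"{where}.Resource {resource!r} is not an ARN of the form "
                          "acs:<service-name>:<region>:<account-id>:<relative-id>")
    return errors


def validate_control_policy(document):
    """Validate a whole policy given as a JSON string or an already-parsed dict."""
    policy = json.loads(document) if isinstance(document, str) else document
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return ["Statement must be a non-empty list"]
    errors = []
    for index, stmt in enumerate(statements):
        errors.extend(validate_statement(stmt, index))
    return errors


# Constructed sample: a valid custom control policy using the element values from the page
GOOD_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["actiontrail:DeleteTrail", "ecs:DeleteInstance*"],
        "Resource": ["acs:ecs:*:*:instance/inst-001", "acs:ecs:*:*:instance/inst-002"],
    }],
}

# Constructed sample that breaks all three rules
BAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",                       # custom control policies may only Deny
        "Action": "DeleteInstance",              # missing the service-name prefix
        "Resource": "ecs:instance/inst-003",     # not an acs:... ARN
    }],
})

if __name__ == "__main__":
    print("good policy:", validate_control_policy(GOOD_POLICY) or "no violations")
    for problem in validate_control_policy(BAD_POLICY):
        print("bad policy:", problem)
```

The validator reports every violation rather than stopping at the first, so a policy author can fix an Effect, an Action and a Resource problem in one pass; it checks syntax only and does not verify that a RAM code or action name actually exists for a service.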
Condition

A condition block contains one or more conditions. Each condition consists of operators, keys, and values.

- You can specify one or more values for a condition key. If the value in a request matches one of the values, the condition is met.
- You can specify one or more condition keys for a single condition operator in a condition. The condition is met only if all the requirements for the keys are met.
- A condition block is met only if all of its conditions are met.

Condition operators can be classified into the following categories: string, numeric, date and time, Boolean, and IP address. The operator of the Boolean category is Bool.

The syntax of a common condition key is

| Common condition key | Category | Description |
| --- | --- | --- |
| | Date and time | The time when the web server receives a request. Specify the time in the ISO 8601 format. Example: |
| | Boolean | Specifies whether a secure channel is used to send a request. For example, a request can be sent over HTTPS. |
| acs:SourceIp | IP address | The IP address of the client that sends a request. Note: If you specify only one value for the acs:SourceIp key, the value must be a specific IP address, such as 10.0.0.1. CIDR blocks such as 10.0.0.1/32 cannot be used. |
| | Boolean | Specifies whether a user completes multi-factor authentication (MFA) during logon. |
| | String | Specifies the identity of an object that performs an operation. Example: acs:ram:*:*:role/*resourcedirectory*. Note: You can specify an ARN only for a specified RAM role. The name can contain only lowercase letters. You can view the ARN of a RAM role on the role details page in the RAM console. |

The syntax of a condition key that is specific to an Alibaba Cloud service is

| Condition key specific to an Alibaba Cloud service | Cloud service | Category | Description |
| --- | --- | --- | --- |
| | ECS | String | The tag key for an ECS resource. This key can be customized. |
| | RDS | String | The tag key for an ApsaraDB for RDS resource. This key can be customized. |
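The three matching rules for condition blocks (any value for a key, all keys under an operator, all conditions in the block) and the single-value restriction on acs:SourceIp are easiest to understand by evaluating a block against a request context. The following Python evaluator is an added example, not code from the Alibaba Cloud documentation. It assumes the operator name IpAddress (Bool is named on the page; IpAddress follows RAM policy syntax), assumes acs:MFAPresent as the name of the MFA condition key the table describes, and treats a key that is absent from the request as not matching; the sample condition block and request contexts are constructed.

```python
"""Evaluate a control policy Condition block against a request context.

Added example, not code from the Alibaba Cloud documentation. It implements
the matching rules stated on the page:
  - a condition key is satisfied when the request value matches ANY of its listed values
  - all keys under one condition operator must be satisfied
  - the block is met only if ALL of its conditions are met
and the documented restriction that a single acs:SourceIp value must be a
specific IP address rather than a CIDR block.
Assumptions: the operator name IpAddress follows RAM policy syntax (only Bool
is named on the page); acs:MFAPresent is assumed as the name of the MFA
condition key the page describes; a key absent from the request does not
match. Sample data is constructed.
"""
import ipaddress


def _match_bool(request_value, policy_value):
    """Bool: compare "true"/"false" case-insensitively; Python bools are accepted too."""
    return str(request_value).lower() == str(policy_value).lower()


def _match_ip(request_value, policy_value):
    """IpAddress: the client address lies inside the listed address or CIDR block."""
    return ipaddress.ip_address(request_value) in ipaddress.ip_network(policy_value, strict=False)


OPERATORS = {"Bool": _match_bool, "IpAddress": _match_ip}


def _values(v):
    """A condition key may carry one value or a list of values."""
    return v if isinstance(v, list) else [v]


def validate_condition(condition):
    """Raise ValueError for an unknown operator or a lone CIDR value for acs:SourceIp."""
    for operator, keys in condition.items():
        if operator not in OPERATORS:
            raise ValueError(f"unsupported condition operator {operator!r}")
        for key, values in keys.items():
            values = _values(values)
            if key == "acs:SourceIp" and len(values) == 1 and "/" in str(values[0]):
                raise ValueError("a single acs:SourceIp value must be a specific IP address, "
                                 "not a CIDR block such as 10.0.0.1/32")


def condition_met(condition, request):
    """Return True when every condition in the block holds for the request context."""
    validate_condition(condition)
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, values in keys.items():
            if key not in request:
                return False                      # assumption: a missing key does not match
            if not any(match(request[key], v) for v in _values(values)):
                return False                      # no listed value matched this key
    return True                                    # every operator and every key was satisfied


# Constructed sample block: met when the client comes from 10.0.0.0/8 or from
# exactly 192.168.1.5 AND the user did not complete MFA. In a Deny statement this
# blocks the listed actions from those addresses unless MFA was used.
SAMPLE_CONDITION = {
    "IpAddress": {"acs:SourceIp": ["10.0.0.0/8", "192.168.1.5"]},
    "Bool": {"acs:MFAPresent": "false"},
}

if __name__ == "__main__":
    for ctx in ({"acs:SourceIp": "10.1.2.3", "acs:MFAPresent": "false"},
                {"acs:SourceIp": "10.1.2.3", "acs:MFAPresent": "true"},
                {"acs:SourceIp": "172.16.0.1", "acs:MFAPresent": "false"}):
        print(ctx, "->", condition_met(SAMPLE_CONDITION, ctx))
```

Note that the "any value" rule applies per key and the "all" rule applies across keys and operators: adding a second address to the acs:SourceIp list widens the block, while adding a second key under the same operator narrows it. Because more than one acs:SourceIp value is listed, CIDR notation is allowed there; validate_condition rejects the CIDR form only when it is the sole value.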
The syntax and structure of control policies are similar to the policies in RAM. For more information, see Policy structure and syntax.