All Products
Search
Document Center

Resource Management:Examples of custom access control policies

Last Updated:Nov 06, 2023

This topic provides examples of custom access control policies.

Policy used to prohibit the modification and deletion of RAM users, RAM user groups, and RAM roles

Document:

{
    "Statement": [
        {
            "Action": [
                "ram:Attach*",
                "ram:Detach*",
                "ram:BindMFADevice",
                "ram:CreateAccessKey",
                "ram:CreateLoginProfile",
                "ram:CreatePolicyVersion",
                "ram:DeleteAccessKey",
                "ram:DeleteGroup",
                "ram:DeleteLoginProfile",
                "ram:DeletePolicy",
                "ram:DeletePolicyVersion",
                "ram:DeleteRole",
                "ram:DeleteUser",
                "ram:DisableVirtualMFA",
                "ram:AddUserToGroup",
                "ram:RemoveUserFromGroup",
                "ram:SetDefaultPolicyVersion",
                "ram:UnbindMFADevice",
                "ram:UpdateAccessKey",
                "ram:UpdateGroup",
                "ram:UpdateLoginProfile",
                "ram:UpdateRole",
                "ram:UpdateUser"
            ],
            "Resource": "*",
            "Effect": "Deny",         
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN":"acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
               }
           }
        }
    ],
    "Version": "1"
}

The preceding policy prohibits the modification and deletion of RAM users, RAM user groups, and RAM roles and the modification of their permissions.

Note

In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.

Policy used to prohibit the modification of the role ResourceDirectoryAccountAccessRole and its permissions

Document:

{
   "Version": "1",
   "Statement": [
       {
           "Effect": "Deny",
           "Action": [
               "ram:UpdateRole",
               "ram:DeleteRole",
               "ram:AttachPolicyToRole",
               "ram:DetachPolicyFromRole"
           ],
           "Resource": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
       }
   ]
}

Policy used to prohibit the modification and deletion of the specified RAM users

Document:

{
    "Version": "1",
    "Statement": [{
        "Action": [
            "ram:AttachPolicyToUser",
            "ram:DetachPolicyFromUser",
            "ram:AddUserToGroup",
            "ram:RemoveUserFromGroup",
            "ram:UpdateUser",
            "ram:DeleteUser",
            "ram:CreateLoginProfile",
            "ram:UpdateLoginProfile",
            "ram:DeleteLoginProfile",
            "ram:CreateAccessKey",
            "ram:DeleteAccessKey",
            "ram:UpdateAccessKey",
            "ram:BindMFADevice",
            "ram:UnbindMFADevice",
            "ram:DisableVirtualMFA"
        ],
        "Resource": [
            "acs:ram:*:*:user/Alice"
        ],
        "Effect": "Deny",
        "Condition": {
            "StringNotLike": {
                "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
            }
        }
    }]
}

The preceding policy prohibits the modification and deletion of the specified RAM user Alice and the modification of the permissions of Alice. You can specify the Alibaba Cloud account to which Alice belongs, such as acs:ram:*:18299873****:user/Alice.

Note

In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.

Policy used to prohibit logon to the Alibaba Cloud Management Console from being enabled for an existing RAM user

Document:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateLoginProfile",
                "ram:UpdateLoginProfile"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

The preceding policy prohibits logon to the Alibaba Cloud Management Console from being enabled for an existing RAM user. Logon to the Alibaba Cloud Management Console can still be enabled for a new RAM user.

Note

In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.

Policy used to prohibit a RAM user or RAM role from being used to delete some resources if MFA is not complete for the RAM or RAM role

Document:

{
  "Statement": [
    {
      "Action": "ecs:DeleteInstance",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "false"
        }
      }
    }
  ],
  "Version": "1"
}

The preceding policy prohibits a RAM user or RAM role from being used to delete Elastic Compute Service (ECS) instances if multi-factor authentication (MFA) is not complete for the RAM or RAM role. If you want to delete other resources, change the value of Action to the actions for the resources.

Policy used to prohibit the modification of user-based SSO settings

Document:

{
    "Statement": [
        {
            "Action": [
                "ram:SetSamlSsoSettings"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}
Note

In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.

Policy used to prohibit the modification of role-based SSO settings

Document:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateSAMLProvider",
                "ram:DeleteSAMLProvider",
                "ram:UpdateSAMLProvider"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}
Note

In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.

Policy used to prohibit the Delivery feature of ActionTrail from being disabled and prohibit the destination to which ActionTrail delivers events from being changed

Document:

{
    "Statement": [
        {
            "Action": [
                "actiontrail:UpdateTrail",
                "actiontrail:DeleteTrail",
                "actiontrail:StopLogging"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}
Note

In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.

Policy used to prohibit access to some network services

Document:

{
    "Statement": [
        {
            "Action": [
                "vpc:*HaVip*",
                "vpc:*RouteTable*",
                "vpc:*VRouter*",
                "vpc:*RouteEntry*",
                "vpc:*VSwitch*",
                "vpc:*Vpc*",
                "vpc:*Cen*",           
                "vpc:*NetworkAcl*"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        },
        {
            "Action": [
                "vpc:*VpnGateway*",
                "vpc:*VpnConnection*",
                "vpc:*CustomerGateway*",
                "vpc:*SslVpnServer*",
                "vpc:*SslVpnClientCert*",
                "vpc:*VpnRoute*",
                "vpc:*VpnPbrRoute*"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

The preceding policy prohibits access to Virtual Private Cloud (VPC) and VPN Gateway. If you want to prohibit access to other network services, change the value of Action to the actions for these network services.

Note

In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.

Policy used to prohibit the creation of network resources (EIPs and NAT gateways) that can be used to access the Internet

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:AllocateEipAddress",
                "vpc:AllocateEipAddressPro",
                "vpc:AllocateEipSegmentAddress",
                "vpc:CreateNatGateway"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ]
}
Note

In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.

Policy used to prohibit access to network services that are connected to on-premises resources

Document:

{
    "Statement": [
       {
            "Action": [
                "vpc:*PhysicalConnection*",
                "vpc:*VirtualBorderRouter*",
                "cen:*",
                "vpc:*VpnGateway*",
                "vpc:*VpnConnection*",
                "vpc:*CustomerGateway*",
                "vpc:*SslVpnServer*",
                "vpc:*SslVpnClientCert*",
                "vpc:*VpnRoute*",
                "vpc:*VpnPbrRoute*",
                "smartag:*"
            ],
            "Resource": "*",
            "Effect": "Deny"         
        }
    ],
    "Version": "1"
}

The preceding policy prohibits access to network services that are connected to on-premises resources. These network services include Express Connect, Cloud Enterprise Network, VPN Gateway, and Smart Access Gateway.

Policy used to prohibit the use of some features provided by Billing Management

Document:

{
    "Statement": [
       {
            "Action": [
                "bss:DescribeOrderList",
                "bss:DescribeOrderDetail",
                "bss:PayOrder",
                "bss:CancelOrder"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

The preceding policy prohibits the use of the Orders feature provided by Billing Management. If you want to prohibit the use of other features, change the value of Action to the actions for these features.

Note

In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.

Policy used to prohibit the modification of CloudMonitor-related settings

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cms:Put*",
                "cms:Update*",
                "cms:Create*",
                "cms:Modify*",
                "cms:Disable*",
                "cms:Enable*",
                "cms:Delete*",
                "cms:Send*",
                "cms:Subscribe*",
                "cms:Unsubscribe*",
                "cms:Remove*",
                "cms:CreateAction",
                "cms:Pause*",
                "cms:Stop*",
                "cms:Start*",
                "cms:BatchCreate*",
                "cms:ProfileSet",
                "cms:ApplyMonitoringTemplate"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ]
}
Note

In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.

Policy used to prohibit the purchase of reserved instances

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:PurchaseReservedInstancesOffering"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Policy used to prohibit the creation of ECS instances in an unspecified VPC

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateInstance",
                "ecs:RunInstances"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "vpc:VPC": "acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc****"
                }
            }
        }
    ]
}

In the preceding policy, acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc**** is used as a specified VPC. You can replace it based on your business requirements.

Policy used to prohibit the purchase of domain names

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "domain:CreateOrderActivate"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Policy used to prohibit access to the ticket system

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "support:*",
                "workorder:*"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Policy used to prohibit access to ECS in a specific region

Document:

{
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": [
            "ecs:*"
        ],
        "Resource": "acs:ecs:us-east-1:*:*"
    }]
}

The preceding policy prohibits access to ECS in the US (Virginia) region.

Policy used to prohibit resource sharing outside a resource directory

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "resourcesharing:CreateResourceShare",
                "resourcesharing:UpdateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "resourcesharing:RequestedAllowExternalTargets": "true"
                }
            }
        }
    ]
}

The preceding policy prohibits the creation of resource shares through which resources are shared to accounts outside the current resource directory.

Policy used to prohibit resource sharing with unexpected accounts

Document:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Deny",
            "Action": [
                "resourcesharing:AssociateResourceShare",
                "resourcesharing:CreateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "resourcesharing:Target": [
                        "rd-3G****/r-Wm****/*",
                        "rd-3G****/r-Wm****",
                        "192796193830****"
                    ]
                }
            }
        }
    ]
}

The preceding policy allows resource sharing only with the account 192796193830**** and all members in the folder rd-3G****/r-Wm****. You can change the value of the resourcesharing:Target parameter based on your business requirements.

Policy used to prohibit the acceptance of resource sharing invitations from accounts outside a resource directory

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "resourcesharing:AcceptResourceShareInvitation",
            "Resource": "*"
        }
    ]
}

The preceding policy prohibits the acceptance of resource sharing invitations from accounts outside the current resource directory. If principals and resource owners belong to the same resource directory, no resource sharing invitations are initiated. Therefore, this policy does not affect resource sharing within the same resource directory.

Policy used to prohibit sharing of unexpected types of resources

Document:

{
  "Version":  "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "resourcesharing:CreateResourceShare",
        "resourcesharing:UpdateResourceShare",
        "resourcesharing:AssociateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "resourcesharing:RequestedResourceType": ["VSwitch","Image","Snapshot"]
        }
      }
    }
  ]
}

The preceding policy allows sharing of only vSwitches, images, and snapshots.