This topic describes examples of custom control policies.

Overview

Policy 1: You are not allowed to modify or delete RAM users, RAM user groups, or RAM roles

Policy content:

{
    "Statement": [
        {
            "Action": [
                "ram:Attach*",
                "ram:Detach*",
                "ram:BindMFADevice",
                "ram:CreateAccessKey",
                "ram:CreateLoginProfile",
                "ram:CreatePolicyVersion",
                "ram:DeleteAccessKey",
                "ram:DeleteGroup",
                "ram:DeleteLoginProfile",
                "ram:DeletePolicy",
                "ram:DeletePolicyVersion",
                "ram:DeleteRole",
                "ram:DeleteUser",
                "ram:DisableVirtualMFA",
                "ram:AddUserToGroup",
                "ram:RemoveUserFromGroup",
                "ram:SetDefaultPolicyVersion",
                "ram:UnbindMFADevice",
                "ram:UpdateAccessKey",
                "ram:UpdateGroup",
                "ram:UpdateLoginProfile",
                "ram:UpdateRole",
                "ram:UpdateUser"
            ],
            "Resource": "*",
            "Effect": "Deny",         
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN":"acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
               }
           }
        }
    ],
    "Version": "1"
}

The preceding policy defines that you are not allowed to modify or delete RAM users, RAM user groups, or RAM roles, including their permissions.

Note In this policy, only the ResourceDirectoryAccountAccessRole role, which is used by default to access member accounts in a resource directory, is exempt and can still perform the preceding operations. Remove the Condition element to deny these operations for all RAM users and RAM roles, or change the value of acs:PrincipalARN to exempt different RAM users or RAM roles.

Policy 2: You are not allowed to modify the role ResourceDirectoryAccountAccessRole or change its permissions

Policy content:

{
   "Version": "1",
   "Statement": [
       {
           "Effect": "Deny",
           "Action": [
               "ram:UpdateRole",
               "ram:DeleteRole",
               "ram:AttachPolicyToRole",
               "ram:DetachPolicyFromRole"
           ],
           "Resource": "acs:ram:*:*:role/ResourceDirectoryAccountAccessRole"
       }
   ]
}

Policy 3: You are not allowed to modify or delete specified RAM users

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:AttachPolicyToUser",
                "ram:DetachPolicyFromUser",
                "ram:AddUserToGroup",
                "ram:RemoveUserFromGroup",
                "ram:UpdateUser",
                "ram:DeleteUser",             
                "ram:CreateLoginProfile",
                "ram:UpdateLoginProfile",
                "ram:DeleteLoginProfile",              
                "ram:CreateAccessKey",
                "ram:DeleteAccessKey",
                "ram:UpdateAccessKey",
                "ram:BindMFADevice",
                "ram:UnbindMFADevice",
                "ram:DisableVirtualMFA"
            ],
            "Resource": [
                "acs:ram:*:*:user/Alice"
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ]
}

The preceding policy defines that you are not allowed to modify or delete specified RAM users, including their permissions. For example, if a RAM user named Alice exists, you cannot perform the preceding operations on Alice. To restrict the policy to the Alibaba Cloud account to which Alice belongs, include the account ID in the resource ARN, for example acs:ram:*:18299873****:user/Alice.

Note In this policy, only the ResourceDirectoryAccountAccessRole role, which is used by default to access member accounts in a resource directory, is exempt and can still perform the preceding operations. Remove the Condition element to deny these operations for all RAM users and RAM roles, or change the value of acs:PrincipalARN to exempt different RAM users or RAM roles.

Policy 4: You are not allowed to enable logon to the Alibaba Cloud Management Console for an existing RAM user

Policy content:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateLoginProfile",
                "ram:UpdateLoginProfile"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

The preceding policy defines that you are not allowed to enable logon to the Alibaba Cloud Management Console for an existing RAM user. However, you can still enable logon to the Alibaba Cloud Management Console for a new RAM user.

Note In this policy, only the ResourceDirectoryAccountAccessRole role, which is used by default to access member accounts in a resource directory, is exempt and can still perform the preceding operations. Remove the Condition element to deny these operations for all RAM users and RAM roles, or change the value of acs:PrincipalARN to exempt different RAM users or RAM roles.

Policy 5: You must complete MFA when you use a RAM user or RAM role to delete some resources

Policy content:

{
  "Statement": [
    {
      "Action": "ecs:DeleteInstance",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "false"
        }
      }
    }
  ],
  "Version": "1"
}

The preceding policy defines that you must complete multi-factor authentication (MFA) before you can use a RAM user or RAM role to delete Elastic Compute Service (ECS) instances. To protect other resources in the same way, replace the value of Action with the delete actions for those resources.
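As an added example (not code from this page or from Alibaba Cloud), the following Python evaluator applies the Deny-with-exemption pattern of Policy 3 and the MFA condition of Policy 5 to sample requests. The POLICY document is a constructed excerpt of those two policies; case-insensitive wildcard matching of acs:PrincipalARN is an assumption about how the service compares that key, and the account IDs in the sample ARNs are made up.

```python
import fnmatch
import json

# Constructed excerpt of this page's Policy 3 and Policy 5 (Alice is the
# page's sample RAM user; the condition values are copied from the page).
POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Deny", "Resource": ["acs:ram:*:*:user/Alice"],
   "Action": ["ram:UpdateUser", "ram:DeleteUser", "ram:CreateAccessKey"],
   "Condition": {"StringNotLike": {"acs:PrincipalARN":
     "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"}}},
  {"Effect": "Deny", "Action": "ecs:DeleteInstance", "Resource": "*",
   "Condition": {"Bool": {"acs:MFAPresent": "false"}}}]}""")

def _aslist(v):
    return v if isinstance(v, list) else [v]

def _like(pattern, value):
    # Assumption: '*' wildcard, compared case-insensitively, so the page's
    # lowercase role name matches the real ResourceDirectoryAccountAccessRole.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _condition_holds(cond, ctx):
    # Every operator/key pair must hold. Keys are required in ctx; the
    # service always supplies acs:PrincipalARN and acs:MFAPresent.
    for op, keys in cond.items():
        for key, expected in keys.items():
            actual, pats = ctx[key], _aslist(expected)
            if op == "StringLike":
                ok = any(_like(p, actual) for p in pats)
            elif op == "StringNotLike":
                ok = not any(_like(p, actual) for p in pats)
            elif op == "Bool":
                ok = str(actual).lower() == str(pats[0]).lower()
            else:
                raise ValueError(f"unsupported operator {op}")
            if not ok:
                return False
    return True

def is_denied(policy, action, resource, ctx):
    """True when a Deny statement matches and its Condition holds; control
    policies never grant, so False only means 'not blocked by this policy'."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(_like(a, action) for a in _aslist(st["Action"])):
            continue
        if not any(_like(r, resource) for r in _aslist(st["Resource"])):
            continue
        if _condition_holds(st.get("Condition", {}), ctx):
            return True
    return False
```

Running it shows that a RAM user cannot touch Alice while the exempted role can, and that ecs:DeleteInstance is blocked only when the request carries no MFA.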

Policy 6: You are not allowed to modify user-based SSO settings

Policy content:

{
    "Statement": [
        {
            "Action": [
                "ram:SetSamlSsoSettings"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

Note In this policy, only the ResourceDirectoryAccountAccessRole role, which is used by default to access member accounts in a resource directory, is exempt and can still perform the preceding operations. Remove the Condition element to deny these operations for all RAM users and RAM roles, or change the value of acs:PrincipalARN to exempt different RAM users or RAM roles.

Policy 7: You are not allowed to modify role-based SSO settings

Policy content:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateSAMLProvider",
                "ram:DeleteSAMLProvider",
                "ram:UpdateSAMLProvider"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

Note In this policy, only the ResourceDirectoryAccountAccessRole role, which is used by default to access member accounts in a resource directory, is exempt and can still perform the preceding operations. Remove the Condition element to deny these operations for all RAM users and RAM roles, or change the value of acs:PrincipalARN to exempt different RAM users or RAM roles.

Policy 8: You are not allowed to disable the Delivery feature of ActionTrail or change the destination to which ActionTrail delivers events

Policy content:

{
    "Statement": [
        {
            "Action": [
                "actiontrail:UpdateTrail",
                "actiontrail:DeleteTrail",
                "actiontrail:StopLogging"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

Note In this policy, only the ResourceDirectoryAccountAccessRole role, which is used by default to access member accounts in a resource directory, is exempt and can still perform the preceding operations. Remove the Condition element to deny these operations for all RAM users and RAM roles, or change the value of acs:PrincipalARN to exempt different RAM users or RAM roles.

Policy 9: You are not allowed to access some network services

Policy content:

{
    "Statement": [
        {
            "Action": [
                "vpc:*HaVip*",
                "vpc:*RouteTable*",
                "vpc:*VRouter*",
                "vpc:*RouteEntry*",
                "vpc:*VSwitch*",
                "vpc:*Vpc*",
                "vpc:*Cen*",           
                "vpc:*NetworkAcl*"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        },
        {
            "Action": [
                "vpc:*VpnGateway*",
                "vpc:*VpnConnection*",
                "vpc:*CustomerGateway*",
                "vpc:*SslVpnServer*",
                "vpc:*SslVpnClientCert*",
                "vpc:*VpnRoute*",
                "vpc:*VpnPbrRoute*"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

The preceding policy defines that you are not allowed to access Virtual Private Cloud (VPC) and VPN Gateway. To deny access to other network services, replace the value of Action with the actions for those services.

Note In this policy, only the ResourceDirectoryAccountAccessRole role, which is used by default to access member accounts in a resource directory, is exempt and can still perform the preceding operations. Remove the Condition element to deny these operations for all RAM users and RAM roles, or change the value of acs:PrincipalARN to exempt different RAM users or RAM roles.

Policy 10: You are not allowed to create network resources (EIPs and NAT gateways) that can be used to access the Internet

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:AllocateEipAddress",
                "vpc:AllocateEipAddressPro",
                "vpc:AllocateEipSegmentAddress",
                "vpc:CreateNatGateway",
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ]
}

Note In this policy, only the ResourceDirectoryAccountAccessRole role, which is used by default to access member accounts in a resource directory, is exempt and can still perform the preceding operations. Remove the Condition element to deny these operations for all RAM users and RAM roles, or change the value of acs:PrincipalARN to exempt different RAM users or RAM roles.

Policy 11: You are not allowed to access network services that are connected to on-premises resources

Policy content:

{
    "Statement": [
        {
            "Action": [
                "vpc:*PhysicalConnection*",
                "vpc:*VirtualBorderRouter*",
                "cen:*",
                "vpc:*VpnGateway*",
                "vpc:*VpnConnection*",
                "vpc:*CustomerGateway*",
                "vpc:*SslVpnServer*",
                "vpc:*SslVpnClientCert*",
                "vpc:*VpnRoute*",
                "vpc:*VpnPbrRoute*",
                "smartag:*"
            ],
            "Resource": "*",
            "Effect": "Deny"         
        }
    ],
    "Version": "1"
}

The preceding policy defines that you are not allowed to access network services that are connected to on-premises resources. These network services include Express Connect, Cloud Enterprise Network, VPN Gateway, and Smart Access Gateway.

Policy 12: You are not allowed to use some features provided by the User Center

Policy content:

{
    "Statement": [
        {
            "Action": [
                "bss:DescribeOrderList",
                "bss:DescribeOrderDetail",
                "bss:PayOrder",
                "bss:CancelOrder"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

The preceding policy defines that you are not allowed to use the Orders feature provided by the User Center. To prohibit the use of other features, replace the value of Action with the actions for those features.

Note In this policy, only the ResourceDirectoryAccountAccessRole role, which is used by default to access member accounts in a resource directory, is exempt and can still perform the preceding operations. Remove the Condition element to deny these operations for all RAM users and RAM roles, or change the value of acs:PrincipalARN to exempt different RAM users or RAM roles.

Policy 13: You are not allowed to modify the settings of Cloud Monitor

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cms:Put*",
                "cms:Update*",
                "cms:Create*",
                "cms:Modify*",
                "cms:Disable*",
                "cms:Enable*",
                "cms:Delete*",
                "cms:Send*",
                "cms:Subscribe*",
                "cms:Unsubscribe*",
                "cms:Remove*",
                "cms:CreateAction",
                "cms:Pause*",
                "cms:Stop*",
                "cms:Start*",
                "cms:BatchCreate*",
                "cms:ProfileSet",
                "cms:ApplyMonitoringTemplate"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ]
}

Note In this policy, only the ResourceDirectoryAccountAccessRole role, which is used by default to access member accounts in a resource directory, is exempt and can still perform the preceding operations. Remove the Condition element to deny these operations for all RAM users and RAM roles, or change the value of acs:PrincipalARN to exempt different RAM users or RAM roles.

Policy 14: You are not allowed to purchase reserved instances

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:PurchaseReservedInstancesOffering"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Policy 15: You are not allowed to create ECS instances in an unspecified VPC

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateInstance",
                "ecs:RunInstances"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "vpc:VPC": "acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc****"
                }
            }
        }
    ]
}

In the preceding policy, acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc**** is the specified VPC: any attempt to create an ECS instance in a VPC that does not match this ARN is denied. Replace the ARN with the VPC required by your business.

Policy 16: You are not allowed to purchase domain names

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "domain:CreateOrderActivate"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Policy 17: You are not allowed to access Alibaba Cloud Marketplace

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "acm:*",
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Policy 18: You are not allowed to access the Support and Services console

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "support:*",
                "workorder:*"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Policy 19: You are not allowed to access ECS in a specific region

Policy content:

{
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": [
            "ecs:*"
        ],
        "Resource": "acs:ecs:us-east-1:*:*"
    }]
}

The preceding policy defines that you are not allowed to access Elastic Compute Service (ECS) in the US (Virginia) region.