If you want to control the access of Security Center O&M engineers, you can create custom policies in the Resource Access Management (RAM) console and attach the policies to the RAM user of the O&M engineers. For example, you can allow the engineers to use only the vulnerability detection, vulnerability fixing, and baseline check features of Security Center. This enables fine-grained access control. This topic describes how to create custom policies for the O&M engineers of Security Center.

Prerequisites

A RAM user is created for the O&M engineers. For more information, see Create a RAM user.

Background information

RAM provides two types of policies for cloud services: system policies and custom policies. To implement fine-grained access control on Security Center, you can use custom policies. This topic describes how to create custom policies only for the O&M engineers. You can follow this topic to allow the engineers to use only the vulnerability detection, vulnerability fixing, and baseline check features of Security Center, and to perform operations only on the Assets page. If you need fine-grained access control for other personnel, you can create custom policies in the same way. For more information, see Create custom policies and attach the policies to RAM users.

Step 1: Create custom policies for the O&M engineers

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Custom Policy page, specify Policy Name and Note.
  5. Set Configuration Mode to Script and specify Policy Document.
    Enter the following code in the code editor below Policy Document.
    Note The following policy allows a RAM user to use the vulnerability detection, vulnerability fixing, and baseline check features, and to perform operations on the Assets page. After you create the policy, the RAM user can perform the operations allowed by the policy. For more information about the operations that are allowed by the policy, see Action parameter in a policy.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "yundun-aegis:OperateVul",
                    "yundun-aegis:ModifyStartVulScan"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "yundun-aegis:FixCheckWarnings",
                    "yundun-aegis:IgnoreHcCheckWarnings",
                    "yundun-aegis:ValidateHcWarnings"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ecs:RebootInstance",
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "acs:MFAPresent": "true"
                    }
                }
            },
            {
                "Action": "ecs:*",
                "Effect": "Allow",
                "Resource": [
                    "acs:ecs:*:*:*"
                ]
            },
            {
                "Action": "ecs:CreateSnapshot",
                "Effect": "Allow",
                "Resource": [
                    "acs:ecs:*:*:*",
                    "acs:ecs:*:*:snapshot/*"
                ]
            },
            {
                "Action": [
                    "ecs:Describe*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "yundun-sas:ModifyPushAllTask",
                    "yundun-sas:DeleteTagWithUuid",
                    "yundun-sas:ModifyTagWithUuid",
                    "yundun-sas:CreateOrUpdateAssetGroup",
                    "yundun-sas:DeleteGroup",
                    "yundun-sas:ModifyAssetImportant",
                    "yundun-sas:RefreshAssets"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  6. Click OK.
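Before you attach a policy like the one above, it is worth checking what it grants in effect rather than statement by statement. The following script is an added example, not Alibaba Cloud code: it parses the policy document from Step 1 (embedded verbatim, in compact layout), evaluates requests under a simplified RAM model (an explicit Deny wins, otherwise any matching Allow grants; only the Bool operator used on this page is modelled), and flags Allow statements that are fully shadowed by a broader unconditional Allow. The instance ARN in the usage section is a constructed placeholder. Run against this page's policy, the check shows that the "ecs:*" statement on acs:ecs:*:*:* already grants every ECS action, so the acs:MFAPresent condition on ecs:RebootInstance, the scoped ecs:CreateSnapshot statement, and the ecs:Describe* statement change nothing: a reboot is allowed with or without MFA. If the intent, per the Action parameter table below, is to allow only RebootInstance and CreateSnapshot, the "ecs:*" statement is the one to review.

```python
"""Static check of a RAM policy document (added example; not Alibaba Cloud code).

Parses the policy, evaluates whether an action/resource is allowed for a request
context, and flags Allow statements shadowed by a broader unconditional Allow,
which is how a Condition such as acs:MFAPresent silently stops mattering.
"""
import fnmatch
import json

# The custom policy from Step 1 of this page, copied verbatim (compact layout).
POLICY_JSON = r'''{"Version": "1", "Statement": [
  {"Action": ["yundun-aegis:OperateVul", "yundun-aegis:ModifyStartVulScan"], "Resource": "*", "Effect": "Allow"},
  {"Action": ["yundun-aegis:FixCheckWarnings", "yundun-aegis:IgnoreHcCheckWarnings", "yundun-aegis:ValidateHcWarnings"], "Resource": "*", "Effect": "Allow"},
  {"Action": "ecs:RebootInstance", "Effect": "Allow", "Resource": "*", "Condition": {"Bool": {"acs:MFAPresent": "true"}}},
  {"Action": "ecs:*", "Effect": "Allow", "Resource": ["acs:ecs:*:*:*"]},
  {"Action": "ecs:CreateSnapshot", "Effect": "Allow", "Resource": ["acs:ecs:*:*:*", "acs:ecs:*:*:snapshot/*"]},
  {"Action": ["ecs:Describe*"], "Effect": "Allow", "Resource": "*"},
  {"Action": ["yundun-sas:ModifyPushAllTask", "yundun-sas:DeleteTagWithUuid", "yundun-sas:ModifyTagWithUuid", "yundun-sas:CreateOrUpdateAssetGroup", "yundun-sas:DeleteGroup", "yundun-sas:ModifyAssetImportant", "yundun-sas:RefreshAssets"], "Resource": "*", "Effect": "Allow"}
]}'''


def load_statements(policy_json):
    """Normalise each statement so Action and Resource are always lists."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    return [{
        "actions": as_list(raw["Action"]),
        "resources": as_list(raw["Resource"]),
        "effect": raw["Effect"],
        "condition": raw.get("Condition"),
    } for raw in json.loads(policy_json)["Statement"]]


def covers(pattern, target):
    """True if the RAM-style wildcard `pattern` matches `target`. When `target` is itself
    a pattern its '*' is treated literally, so True is conservative: `pattern` grants at
    least everything `target` does."""
    return fnmatch.fnmatchcase(target, pattern)


def condition_met(condition, context):
    """Evaluate the Bool operator (the only one this page uses); any other operator is
    treated as not met so the check never over-approximates a grant."""
    if not condition:
        return True
    for operator, checks in condition.items():
        if operator != "Bool":
            return False
        for key, expected in checks.items():
            if str(context.get(key, "false")).lower() != str(expected).lower():
                return False
    return True


def is_allowed(stmts, action, resource, context=None):
    """Simplified RAM evaluation: explicit Deny wins, otherwise any matching Allow grants."""
    context = context or {}
    allowed = False
    for s in stmts:
        if not (any(covers(a, action) for a in s["actions"])
                and any(covers(r, resource) for r in s["resources"])):
            continue
        if not condition_met(s["condition"], context):
            continue
        if s["effect"] == "Deny":
            return False
        allowed = True
    return allowed


def grants(stmt):
    """Expand a statement into (action, resource) pattern pairs. A bare "*" resource is
    rewritten to acs:<service>:*:*:* so it compares with spelled-out ECS scopes."""
    pairs = []
    for action in stmt["actions"]:
        service = action.split(":", 1)[0]
        for res in stmt["resources"]:
            pairs.append((action, f"acs:{service}:*:*:*" if res == "*" else res))
    return pairs


def shadowed_statements(stmts):
    """Return (narrow, broad) index pairs where unconditional Allow `broad` already grants
    every (action, resource) pair of Allow `narrow`, making `narrow` and its Condition dead."""
    found = []
    for i, narrow in enumerate(stmts):
        if narrow["effect"] != "Allow":
            continue
        for j, broad in enumerate(stmts):
            if i == j or broad["effect"] != "Allow" or broad["condition"]:
                continue
            if all(any(covers(ba, a) and covers(br, r) for ba, br in grants(broad))
                   for a, r in grants(narrow)):
                found.append((i, j))
    return found


if __name__ == "__main__":
    stmts = load_statements(POLICY_JSON)
    # Constructed request: placeholder region, account id and instance id.
    instance = "acs:ecs:cn-hangzhou:123456789012:instance/i-placeholder"
    print("reboot without MFA:", is_allowed(stmts, "ecs:RebootInstance", instance, {"acs:MFAPresent": "false"}))
    for narrow, broad in shadowed_statements(stmts):
        print(f"statement {narrow} {stmts[narrow]['actions']} is shadowed by statement {broad} {stmts[broad]['actions']}")
```

The shadowing check is deliberately one-directional: it only reports a statement when every action/resource pair it grants is matched by a single unconditional Allow, so it can miss overlaps but does not report false ones for the '*' wildcards RAM uses.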

Step 2: Grant permissions to the RAM user of the O&M engineers

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Grants.
  3. On the Grants page, click Grant Permission.
  4. In the Add Permissions panel, select the RAM user to which you want to grant permissions from the Principal drop-down list.
    By default, a newly created RAM user does not have any permissions.
  5. In the Select Policy section, select the permissions that you want to grant to the RAM user.
    You must perform the following operations to select the permissions:
    1. Click System Policy, enter AliyunYundunSASReadOnlyAccess in the search box, and then click the search result.
      This system policy grants the RAM user the read-only permissions on Security Center.
    2. Click Custom Policy.
    3. Select the custom policy that you created in Step 1. For more information, see Step 1: Create custom policies for the O&M engineers.
      This custom policy grants the RAM user permissions such as performing operations on the Assets page and using the vulnerability detection, vulnerability fixing, and baseline check features of Security Center. This way, the RAM user can perform operations such as security checks on servers, vulnerability detection on servers with a few clicks, and vulnerability fixing.
  6. Click OK.

Action parameter in a policy

Feature              | Action                              | Description
Vulnerability fixing | yundun-aegis:OperateVul             | Handle vulnerabilities. For example, you can ignore or fix vulnerabilities. You can also verify whether vulnerabilities are fixed.
Vulnerability fixing | yundun-aegis:ModifyStartVulScan     | Detect vulnerabilities with a few clicks.
Vulnerability fixing | ecs:RebootInstance                  | Restart a server after the vulnerabilities on the server are fixed.
Vulnerability fixing | ecs:CreateSnapshot                  | Create snapshots before vulnerability fixing.
Baseline check       | yundun-aegis:FixCheckWarnings       | Fix baseline risks.
Baseline check       | yundun-aegis:IgnoreHcCheckWarnings  | Ignore or cancel ignoring baseline risks.
Baseline check       | yundun-aegis:ValidateHcWarnings     | Verify whether baseline risks are fixed.
Assets               | yundun-sas:ModifyPushAllTask        | Perform security checks on servers.
Assets               | yundun-sas:DeleteTagWithUuid        | Delete a custom tag.
Assets               | yundun-sas:ModifyTagWithUuid        | Modify the relationship between a tag and a server or cloud service.
Assets               | yundun-sas:CreateOrUpdateAssetGroup | Modify the relationship between a server and a server group.
Assets               | yundun-sas:DeleteGroup              | Delete one or more asset groups.
Assets               | yundun-sas:ModifyAssetImportant     | Modify asset importance tags.
Assets               | yundun-sas:RefreshAssets            | Update the information about all assets.

References

Create custom policies and attach the policies to RAM users

Use RAM to manage permissions of O&M engineers

Policy elements

Policy structure and syntax