All Products
Search

This Product

    Security Center:Best practices to manage permissions of RAM users

    Document Center

    Security Center:Best practices to manage permissions of RAM users

    Last Updated:Apr 15, 2024

    If you want to implement fine-grained access control for the features of Security Center on Resource Access Management (RAM) users, you can attach system policies or custom policies to the RAM users. This topic describes how to attach system policies and custom policies to RAM users to implement fine-grained access control.

    Background information

    RAM provides the following types of policies for cloud services: system policies and custom policies. System policies are created by Alibaba Cloud. You cannot modify system policies. To implement fine-grained access control on Security Center, you can use custom policies.

    Note

    Alibaba Cloud provides the AliyunYundunSASFullAccess and AliyunYundunSASReadOnlyAccess system policies that grant permissions on Security Center. If you attach the AliyunYundunSASFullAccess policy to a RAM user, the RAM user is granted full permissions on Security Center. If you attach the AliyunYundunSASReadOnlyAccess policy to a RAM user, the RAM user is granted read-only permissions on Security Center.

    Prerequisites

    A RAM user is created. For more information, see Create a RAM user.

    Attach a system policy to the RAM user

    Alibaba Cloud provides both system policies that are related to Billing Management and system policies that grant access or management permissions on Security Center. When a RAM user purchases, renews, or unsubscribes from Security Center, the system may display a message, which indicates that the RAM user does not have the required permissions. When a RAM user accesses Security Center, the system may display a message, which indicates that the RAM user does not have the required permissions and must check the permissions. In these cases, perform the following steps to attach the required system policies to the RAM user.

    Important

    The system policies that are related to Billing Management take effect on all cloud services. If you attach the system policies that are related to Billing Management to a RAM user, the RAM user can purchase, renew, and unsubscribe from the resources of all cloud services.

    1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

    4. In the Add Permissions panel, grant permissions to the RAM user.

      1. Select the authorization scope.

      2. The system automatically sets the Principal parameter to the current RAM user. You do not need to manually specify the Principal parameter.

      3. Select a system policy based on the following scenarios and click OK.

        Scenario

        System policy

        Purchase, renew, or unsubscribe from Security Center

        AliyunBSSOrderAccess and AliyunBSSRefundAccess

        Access Security Center in read-only mode

        AliyunYundunSASReadOnlyAccess

        Manage Security Center

        AliyunYundunSASFullAccess

    5. Click Complete.

    Attach a custom policy to the RAM user

    To implement fine-grained access control on Security Center, you can perform the following steps to attach a custom policy to the RAM user:

    Step 1: Create a custom policy that grants permissions on Security Center

    1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. On the Policies page, click Create Policy.

    4. On the Create Policy page, click the JSON tab.

      Configure a policy based on your business requirements.

      Note

      The policy that specifies the permissions on O&M operations allows a RAM user to use the vulnerability scan, vulnerability fixing, and baseline check features, and perform operations in the Assets module. For more information about the operations that are allowed by the policy, see the actions and descriptions in the Operations that are supported by custom policies table.

      Scenario

      Script

      Read-only permissions in the Assets module

      {
    "Version": "1",
    "Statement": [
        {
           "Action": [
                     "yundun-sas:DescribeCloudCenterInstances",
                     "yundun-sas:DescribeFieldStatistics",
                     "yundun-sas:DescribeCriteria"
                     ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

      Permissions to perform security checks in the Assets module

      {
    "Version": "1",
    "Statement": [
        {
            "Action": "yundun-sas:ModifyPushAllTask",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

      Read-only permissions on the vulnerability management feature

      {
    "Version": "1",
    "Statement": [
        {
           "Action": [
                     "yundun-aegis:DescribeVulList",
                     "yundun-sas:DescribeVulWhitelist"
                     ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

      Permissions on the vulnerability management feature

      {
    "Version": "1",
    "Statement": [
        {
           "Action": "yundun-aegis:OperateVul",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

      Permissions on O&M operations

      {
    "Version": "1",
    "Statement": [{
            "Action": [
                "yundun-aegis:OperateVul",
                "yundun-aegis:ModifyStartVulScan"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "yundun-aegis:FixCheckWarnings",
                "yundun-aegis:IgnoreHcCheckWarnings",
                "yundun-aegis:ValidateHcWarnings"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ecs:RebootInstance",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "acs:MFAPresent": "true"
                }
            }
        },
        {
            "Action": "ecs:*",
            "Effect": "Allow",
            "Resource": [
                "acs:ecs:*:*:*"
            ]
        },
        {
            "Action": "ecs:CreateSnapshot",
            "Effect": "Allow",
            "Resource": [
                "acs:ecs:*:*:*",
                "acs:ecs:*:*:snapshot/*"
            ]
        },
        {
            "Action": [
                "ecs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }, {
            "Action": [
                "yundun-sas:ModifyPushAllTask",
                "yundun-sas:DeleteTagWithUuid",
                "yundun-sas:ModifyTagWithUuid",
                "yundun-sas:CreateOrUpdateAssetGroup",
                "yundun-sas:DeleteGroup",
                "yundun-sas:ModifyAssetImportant",
                "yundun-sas:RefreshAssets"

            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

    5. Click Next to edit policy information. On the page that appears, configure the Name and Description parameters for the policy.

    6. Click OK.

    Step 2: Attach the custom policy to the RAM user

    1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

    2. In the left-side navigation pane, choose Permissions > Grants.

    3. On the Permission page, click Grant Permission.

    4. In the Grant Permission panel, grant permissions to the RAM user.

      By default, a newly created RAM user does not have any permissions.

      1. Select the authorization scope.

      2. Specify the principal.

        The principal is the RAM user to which you want to grant permissions.

      3. In the System Policy tab, search for and click the AliyunYundunSASReadOnlyAccess policy.

        This system policy grants the RAM user read-only permissions on Security Center.

      4. Click the Custom Policy tab and select the custom policy that is created in Step 1: Create a custom policy that grants permissions on Security Center.

    5. Click OK.

    Operations that are supported by custom policies

    The following tables describe the operations supported by custom policies that grant permissions on Security Center.

    Note

    In most cases, each action supported by a custom policy corresponds to one API operation of a cloud service.

    Assets

    Action in a policy

    Description

    Operation

    yundun-sas:DescribeCloudCenterInstances

    Queries asset information. The information includes asset types, alerts, and the status of the Security Center agent.

    DescribeCloudCenterInstances

    yundun-sas:DescribeFieldStatistics

    Queries the statistics of servers.

    DescribeFieldStatistics

    yundun-sas:DescribeCriteria

    Queries the search conditions when you query an asset. You can specify a keyword for fuzzy search.

    DescribeCriteria

    yundun-sas:ModifyPushAllTask

    Performs security checks on servers.

    ModifyPushAllTask

    yundun-sas:DescribeDomainCount

    Queries the number of domain assets.

    ModifyPushAllTask

    yundun-sas:DeleteGroup

    Deletes a server group.

    DeleteGroup

    yundun-sas:DescribeSearchCondition

    Queries the filter conditions that are used to search for specific assets.

    DescribeSearchCondition

    yundun-sas:DescribeImageStatistics

    Queries the risk statistics of container images.

    DescribeImageStatistics

    yundun-sas:DescribeGroupedTags

    Queries the statistics of asset tags.

    DescribeGroupedTags

    yundun-sas:DescribeDomainCount

    Queries the number of domain assets.

    DescribeDomainCount

    yundun-sas:DescribeCloudProductFieldStatistics

    Queries the statistics of cloud services.

    DescribeCloudProductFieldStatistics

    yundun-sas:DescribeCloudCenterInstances

    Queries asset information.

    DescribeCloudCenterInstances

    yundun-sas:DescribeAllGroups

    Queries grouping information about all servers.

    DescribeAllGroups

    yundun-sas:CreateOrUpdateAssetGroup

    Creates a server group, adds servers to a server group, or removes servers from a server group.

    CreateOrUpdateAssetGroup

    yundun-sas:DescribeInstanceStatistics

    Queries the risk statistics of an asset.

    DescribeInstanceStatistics

    yundun-sas:PauseClient

    Enables or disables the Security Center agent.

    PauseClient

    yundun-sas:ModifyTagWithUuid

    Changes the names of the tags that are added to assets, or modifies the tags for assets.

    ModifyTagWithUuid

    yundun-sas:RefreshAssets

    Updates the information about all assets.

    RefreshAssets

    yundun-sas:ExportRecord

    Exports the check results of the Assets module, and the check results on the Configuration Assessment, Image Security, Attack Analysis, and AccessKey Leak Detection pages to Excel files.

    ExportRecord

    yundun-sas:DescribeExportInfo

    Queries the progress of the task that exports the list of assets.

    DescribeExportInfo

    yundun-sas:DescribeDomainList

    Queries domain assets.

    DescribeDomainList

    yundun-sas:DescribeDomainDetail

    Queries the details of a domain asset.

    DescribeDomainDetail

    yundun-aegis:DescribeAssetDetailByUuid

    Queries the details of a server by using the UUID of the server.

    DescribeAssetDetailByUuid

    Vulnerability fixing

    Action in a policy

    Description

    Operation

    yundun-sas:DescribeVulWhitelist

    Queries the whitelist of vulnerabilities by page.

    DescribeVulWhitelist

    yundun-sas:ModifyOperateVul

    Handles detected vulnerabilities. You can fix, check, or ignore the vulnerabilities.

    ModifyOperateVul

    yundun-sas:ModifyVulTargetConfig

    Configures vulnerability scan for a server.

    ModifyVulTargetConfig

    yundun-aegis:DescribeConcernNecessity

    Queries the priorities based on which vulnerabilities are fixed.

    DescribeConcernNecessity

    yundun-aegis:DescribeVulList

    Queries vulnerabilities by type.

    DescribeVulList

    yundun-aegis:ModifyOperateVul

    Handles detected vulnerabilities. You can fix, check, or ignore the vulnerabilities.

    ModifyOperateVul

    yundun-aegis:DescribeImageVulList

    Queries the details of vulnerabilities that are detected by using container image scan and the information about the affected images.

    DescribeImageVulList

    yundun-aegis:ExportVul

    Exports the list of vulnerabilities.

    ExportVul

    yundun-aegis:DescribeVulExportInfo

    Queries the progress of the task that exports the list of vulnerabilities.

    DescribeVulExportInfo

    Baseline check

    Action in a policy

    Description

    Operation

    yundun-aegis:FixCheckWarnings

    Fixes a baseline risk item.

    FixCheckWarnings

    yundun-aegis:IgnoreHcCheckWarnings

    Ignores or cancels ignoring baseline risks.

    IgnoreHcCheckWarnings

    yundun-aegis:ValidateHcWarnings

    Verifies whether baseline risk items are fixed.

    ValidateHcWarnings

    References

    Policy elements

    Policy structure and syntax

    Use RAM to manage permissions of O&M engineers

    Use RAM to limit the IP addresses that are allowed to access Alibaba Cloud resources

    Use RAM to limit the period of time in which users are allowed to access Alibaba Cloud resources