You can create a custom policy in the Resource Access Management (RAM) console to revoke the permissions that allow a RAM user to change the metering method of Alibaba Cloud CDN. This topic describes how to create a custom policy in RAM to revoke the permissions on changing the metering method.
Background information
Alibaba Cloud CDN allows you to create RAM users to manage different types of workloads. RAM users that are granted the AliyunCDNFullAccess policy have full permissions on Alibaba Cloud CDN. For example, they can view data, manage domain names, and change the metering method of Alibaba Cloud CDN. If you want to revoke the permissions on changing the metering method but retain other permissions for a RAM user, you must create a custom policy in the RAM console. For more information about RAM user permissions, see View the permissions of a RAM user.
Procedure
Create a custom policy.
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Policies page, click Create Policy.
- On the Create Policy page, click the JSON tab.
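- In the JSON editor, enter the following policy document to revoke the permissions on changing the metering method. The explicit Deny on cdn:OpenCdnService and cdn:ModifyCdnService takes precedence over the cdn:* Allow in the same policy.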
{
  "Statement": [
    {
      "Action": "cdn:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cdn:OpenCdnService",
        "cdn:ModifyCdnService"
      ],
      "Resource": "*",
      "Effect": "Deny"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "cdn-waf.cdn.aliyuncs.com",
            "cdn-ddos.cdn.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
Note
- For more information about how to use the Action or Resource element, see Policy elements.
- You can also select Visualized and click Add Statement to add custom statements.
- Click Next to edit policy information.
- Specify the Name and Description fields.
- Check and optimize the document of the custom policy.
- Basic optimization
The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
- Deletes unnecessary conditions.
- Deletes unnecessary arrays.
- Optional: Advanced optimization
You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
- Splits resources or conditions that are incompatible with actions.
- Narrows down resources.
- Deduplicates or merges policy statements.
- Click OK.
Grant permissions to a RAM user
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
- In the Add Permissions panel, configure the required parameters.
| Parameter | Description |
| --- | --- |
| Authorized Scope | Select Alibaba Cloud Account, which specifies that the authorized scope is all resources that belong to the current Alibaba Cloud account. |
| Principal | The RAM user created in the previous step is automatically selected. |
| Select Policy | Click the Custom Policy tab. Enter the name of the custom policy that you created. After the system displays the policy, click its name to add it to the Selected list. |

- Click OK.
- Click Complete.
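An offline check of the custom policy above, added here as an example and not taken from Alibaba Cloud: a simplified deny-overrides evaluator that shows the two metering actions stay denied even when a broad CDN grant is also attached. The evaluator, the BROAD stand-in policy, and the sample action cdn:DescribeUserDomains are assumptions for illustration; only the StringEquals condition operator is modelled.

```python
import json
from fnmatch import fnmatchcase

# The custom policy from this page, embedded so the check runs offline.
CUSTOM = json.loads("""{"Version": "1", "Statement": [
  {"Action": "cdn:*", "Resource": "*", "Effect": "Allow"},
  {"Action": ["cdn:OpenCdnService", "cdn:ModifyCdnService"],
   "Resource": "*", "Effect": "Deny"},
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": [
     "cdn-waf.cdn.aliyuncs.com", "cdn-ddos.cdn.aliyuncs.com"]}}}]}""")

# Constructed stand-in for a broad CDN grant (not the real system policy text).
BROAD = {"Version": "1", "Statement": [
    {"Action": "cdn:*", "Resource": "*", "Effect": "Allow"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource, context):
    """True if one statement applies to the request (simplified matching)."""
    if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringEquals":  # only the operator this policy uses
            raise NotImplementedError(operator)
        for key, allowed in keys.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True

def evaluate(policies, action, resource="*", context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' across all attached policies."""
    effects = {stmt["Effect"] for policy in policies
               for stmt in policy["Statement"]
               if _matches(stmt, action, resource, context or {})}
    if "Deny" in effects:  # an explicit Deny overrides every matching Allow
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

if __name__ == "__main__":
    waf = {"ram:ServiceName": "cdn-waf.cdn.aliyuncs.com"}
    for action, ctx in [("cdn:ModifyCdnService", None),
                        ("cdn:OpenCdnService", None),
                        ("cdn:DescribeUserDomains", None),
                        ("ram:CreateServiceLinkedRole", waf),
                        ("ram:CreateServiceLinkedRole", None)]:
        print(f"{action:32} {evaluate([BROAD, CUSTOM], action, context=ctx)}")
```

The last case shows that the service-linked role grant applies only when ram:ServiceName is one of the two listed CDN services; without that context the request falls through to an implicit deny.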