You can create a custom policy in the Resource Access Management (RAM) console to revoke the permissions that allow a RAM user to change the metering method of Alibaba Cloud CDN. This topic describes how to create the custom policy and attach it to a RAM user.

Background information

Alibaba Cloud CDN allows you to create RAM users to manage different types of workloads. RAM users that are granted the AliyunCDNFullAccess policy have full permissions on Alibaba Cloud CDN. For example, they can view data, manage domain names, and change the metering method of Alibaba Cloud CDN. If you want to revoke the permissions on changing the metering method but retain other permissions for a RAM user, you must create a custom policy in the RAM console. For more information about RAM user permissions, see View the permissions of a RAM user.

Procedure

  1. Create a custom policy.
    1. Log on to the RAM console with your Alibaba Cloud account.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. On the Policies page, click Create Policy.
    4. On the Create Custom Policy page, configure the following parameters:
      Policy Name: Enter an informative name for easy identification. For example, you can name the policy RevokeMeteringMethodPermission.
      Note: Optional. Enter remarks for the permission policy.
      Configuration Mode: Select Script. The following script is used to revoke the permissions on changing the metering method and retain other permissions:

      {
          "Statement": [
              {
                  "Action": "cdn:*",
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "cdn:OpenCdnService",
                      "cdn:ModifyCdnService"
                  ],
                  "Resource": "*",
                  "Effect": "Deny"
              },
              {
                  "Action": "ram:CreateServiceLinkedRole",
                  "Resource": "*",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "ram:ServiceName": [
                              "cdn-waf.cdn.aliyuncs.com",
                              "cdn-ddos.cdn.aliyuncs.com"
                          ]
                      }
                  }
              }
          ],
          "Version": "1"
      }
      Note:
      • For more information about how to use the Action or Resource elements, see Policy elements.
      • You can also select Visualized and then click Add Statement to add custom statements.

      Policy Document: Enter the content of the policy.
    5. Click OK.
  2. Attach the custom permission policy to a RAM user.
    1. Log on to the RAM console with your Alibaba Cloud account.
    2. Create a RAM user. This step is optional. For more information, see Create a RAM user.
      Note: If you have already created a RAM user, skip this step.
    3. In the left-side navigation pane, choose Identities > Users.
    4. On the Users page, find the RAM user to which you want to attach the permission policy and click Add Permissions.
    5. In the Add Permissions panel, set the following parameters.
      Authorized Scope: Select Alibaba Cloud Account, which specifies that the authorized scope is all resources that belong to the current Alibaba Cloud account.
      Principal: The RAM user created in the previous step is automatically selected.
      Select Policy: Select Custom Policy. Search for the custom policy that was created in the Create a custom policy step and click the policy name to add it to the right-side list. In this example, the name of the custom policy is RevokeMeteringMethodPermission.

    6. Click OK.
    7. Click Complete.
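
To check offline which requests the policy from step 1 permits before you attach it, the following added example (not part of the original page or of any Alibaba Cloud tooling) runs a simplified evaluation of the policy document in which an explicit Deny overrides a matching Allow. Assumptions: Resource matching is omitted because every statement uses "*", only the StringEquals condition operator is modelled, and the function names and the sample action cdn:DescribeUserDomains are this example's own choices.

```python
import json
from fnmatch import fnmatchcase

# Policy document copied from step 1 of the procedure.
POLICY = json.loads("""
{"Statement": [
  {"Action": "cdn:*", "Resource": "*", "Effect": "Allow"},
  {"Action": ["cdn:OpenCdnService", "cdn:ModifyCdnService"],
   "Resource": "*", "Effect": "Deny"},
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": [
     "cdn-waf.cdn.aliyuncs.com", "cdn-ddos.cdn.aliyuncs.com"]}}}
], "Version": "1"}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_ok(statement, context):
    """Model StringEquals only; other operators count as not matching."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            return False
        for key, allowed in keys.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True

def evaluate(policy, action, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one requested action."""
    context = context or {}
    effects = set()
    for statement in policy["Statement"]:
        matches = any(fnmatchcase(action, pattern)
                      for pattern in _as_list(statement["Action"]))
        if matches and _condition_ok(statement, context):
            effects.add(statement["Effect"])
    if "Deny" in effects:  # an explicit Deny overrides any matching Allow
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

if __name__ == "__main__":
    # cdn:DescribeUserDomains is a sample action chosen for this example.
    for name in ("cdn:ModifyCdnService", "cdn:OpenCdnService",
                 "cdn:DescribeUserDomains"):
        print(name, "->", evaluate(POLICY, name))
```

The two metering-related actions evaluate to Deny even though cdn:* is allowed, and ram:CreateServiceLinkedRole is allowed only when the request context carries one of the two listed service names.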