If the system policies of Server Migration Center (SMC) fail to meet your business requirements, you can create custom policies to implement the principle of least privilege. You can use custom policies to manage permissions in a fine-grained manner and improve resource access security. This topic describes the scenarios in which you can use custom policies for SMC and provides sample custom policies.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You need to maintain custom policies.
After you create a custom policy, you need to attach it to a RAM user, a user group, or a RAM role so that the permissions specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Scenarios and sample custom policies
Example 1: Use a custom policy to grant only the permission to view the details of migration sources.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "smc:DescribeSourceServers" ], "Resource": [ "*" ] } ] }Example 2: Use a custom policy to grant the permissions to view the details of migration sources and migration jobs.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "smc:DescribeReplicationJobs", "smc:DescribeSourceServers" ], "Resource": [ "*" ] } ] }Example 3: Use a custom policy to grant the permissions to perform the following operations on migration sources: viewing details of migration sources, importing migration sources, modifying descriptions of migration sources, deleting migration sources, adding tags to migration sources, and removing tags from migration sources.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "smc:ImportSourceServer", "smc:DeleteSourceServer", "smc:ModifySourceServerAttribute", "smc:UntagResources", "smc:TagResources", "smc:DescribeSourceServers", "smc:ListTagResources" ], "Resource": [ "*" ] ] }Example 4: Use a custom policy to grant the permissions to perform the following operations on migration jobs: creating migration jobs, modifying migration jobs, querying migration jobs, viewing details of a migration job, deleting migration jobs, starting migration jobs, stopping migration jobs, and viewing logs of migration jobs.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "smc:DeleteReplicationJob", "smc:ModifyReplicationJobAttribute", "smc:StartReplicationJob", "smc:StopReplicationJob", "smc:CreateReplicationJob", "smc:DescribeReplicationJobDetails", "smc:DescribeReplicationJobLog", "smc:DescribeReplicationJobs" ], "Resource": [ "*" ] } ] }Example 5: Use a custom policy to grant permissions on all operations related to server migration.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "smc:*" ], "Resource": [ "*" ] } ] }Example 6: Use a custom policy to remove permissions to delete migration sources and migration jobs.
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": [ "smc:DeleteReplicationJob", "smc:DeleteSourceServer" ], "Resource": [ "*" ] } ] }
References
To use a custom policy, you must understand the permissions that are required for your business and the information about Resource Access Management (RAM) authorization for SMC. For more information, see RAM authorization.