Reference to custom policies for ROS - Resource Orchestration Service

If the system policies for Resource Orchestration Service (ROS) cannot meet your business requirements, you can create custom policies to implement the principle of least privilege. You can use custom policies to implement fine-grained permission management and improve resource access security. This topic describes custom policies for ROS and provides scenarios and examples of custom policies.

Overview

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can create, update, and delete custom policies. You must manage the version updates of custom policies.

After you create a custom policy, you must attach the custom policy to the following RAM principal: RAM user, user group, or role. This way, the permissions specified in the policy can be granted to the principal.
You can delete a custom policy that is not attached to a principal. If a custom policy is attached to a principal, you must detach the custom policy from the principal before you delete the custom policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

References

Common scenarios and examples of custom policies

Example 1: View stacks

The following policy allows RAM users to view all stacks that are deployed in the China (Beijing) region and the details of the stacks. The wildcard character (*) matches all stacks that are deployed in the China (Beijing) region.

{
  "Statement": [
    {
      "Action": [
        "ros:DescribeStacks",
        "ros:DescribeStackDetail"
      ],
      "Effect": "Allow",
      "Resource": "acs:ros:cn-beijing:*:stack/*"
    }
  ],
  "Version": "1"
}

Example 2: Create and view stacks

The following policy allows RAM users to create and view stacks in all regions:

{
  "Statement": [
    {
      "Action": [
        "ros:CreateStack",
        "ros:DescribeStacks",
        "ros:DescribeStackDetail",
        "ros:ValidateTemplate"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Example 3: Update a stack

The following policy allows a RAM user whose ID is 12345**** to update a stack whose ID is 94dd5431-2df6-4415-81ca-732a7082****:

{
  "Statement": [
    {
      "Action": [
        "ros:UpdateStack"
      ],
      "Effect": "Allow",
      "Resource": "acs:ros:cn-beijing:12345****:stack/94dd5431-2df6-4415-81ca-732a7082****"
    }
  ],
  "Version": "1"
}

Example 4: Access all features and resources only of ROS
The following policy allows RAM users to access all features and resources only of ROS by using the Alibaba Cloud Management Console or API from the CIDR block 42.120.XX.XX/24 over HTTPS. This policy takes effect regardless of whether you use Alibaba Cloud Security Token Service (STS) to grant temporary access permissions on ROS. The policy includes the following parameters:
- acs:SourceIp: The value is set to 42.120.XX.XX/24. A value of 42.120.XX.XX/24 indicates that the features and resources are accessed from the CIDR block 42.120.XX.XX/24.
- acs:SecureTransport: The value is set to true. A value of true indicates that the features and resources are accessed over HTTPS.
```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ros:*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "42.120.XX.XX/24"
        },
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ],
  "Version": "1"
}
```
Example 5: Access all features and resources of ROS and whether to access ECS
- If you use STS to grant temporary access permissions on ROS, you cannot specify the acs:SourceIp and acs:SecureTransport parameters in pass-through mode. In this case, you can attach the following policy to RAM users. This way, the RAM users can access all features and resources of ROS by using the Alibaba Cloud Management Console or API from the CIDR block 42.120.XX.XX/24 over HTTPS. This policy does not allow RAM users to access other services, including Elastic Compute Service (ECS).
- If you do not use STS to grant temporary access permissions on ROS, you can attach the following policy to RAM users. This way, the RAM users can access all features and resources of ROS and ECS by using the Alibaba Cloud Management Console or API from the CIDR block 42.120.XX.XX/24 over HTTPS. This policy does not allow RAM users to access other services.
  Note
  If you do not use STS to grant temporary access permissions on ROS, you can specify the acs:SourceIp and acs:SecureTransport parameters in pass-through mode to allow access to the following services: ECS, Virtual Private Cloud (VPC), Server Load Balancer (SLB), ApsaraDB RDS, Tair (Redis OSS-compatible), Alibaba Cloud DNS PrivateZone, Container Service for Kubernetes (ACK), Function Compute, Object Storage Service (OSS), Simple Log Service (SLS), API Gateway, and ActionTrail.
```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ros:*",
        "ecs:*"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "42.120.XX.XX/24"
        },
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ],
  "Version": "1"
}
```

Example 6: Access and manage ROS resources by using tag-based authentication

The following policy allows RAM users to manage ROS resources to which the {"Enviroment": "TEST"} tag is added:

{
  "Statement": [
    {
      "Action": "ros:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/Enviroment": "TEST"
        }
      }
    }
  ],
  "Version": "1"
}

Authorization information reference

Before you use a custom policy, familiarize yourself with the permission control requirements and the authorization information of ROS. For more information, see RAM authorization.