This topic describes several Resource Access Management (RAM) policies that are specific to CIDR blocks.

Example 1: Allow access from specified CIDR blocks

The following sample RAM policy allows access from the 42.120.88.0/24 and 42.120.66.0/24 CIDR blocks to Message Service (MNS):

{
    "Version": "1",
    "Statement": [
        {
            "Action": "mns:*",
            "Effect": "Allow",
            "Resource": "acs:mns:*:*:*",
            "Condition":{
                "IpAddress": {
                    "acs:SourceIp": ["42.120.88.0/24", "42.120.66.0/24"]
                }
            }
        }
    ]
}

Example 2: Deny access from specified CIDR blocks

The following sample RAM policy combines a Deny effect with the NotIpAddress condition, so it denies access to MNS from any IP address that is not in the 42.120.88.0/24 CIDR block:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "mns:*",
            "Effect": "Deny",
            "Resource": "acs:mns:*:*:*",
            "Condition":{
                "NotIpAddress": {
                    "acs:SourceIp": ["42.120.88.0/24"]
                }
            }
        }
    ]
}

Notice: The Deny rule has a higher priority than the Allow rule in RAM policies. If you perform an access operation that matches a Deny rule, the operation fails. In this example, if you access MNS from an IP address that is not in the 42.120.88.0/24 CIDR block, an error message is returned because you are not authorized to access MNS.

Example 3: Authorize a RAM user to read resources in the MNS console

The following sample RAM policy authorizes a RAM user to view the list of queues and topics, and parameters of each queue or topic:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:ListQueue",
        "mns:ListTopic",
        "mns:GetQueueAttributes",
        "mns:GetTopicAttributes"
      ],
      "Resource": "acs:mns:*:*:*"
    }
  ]
}