This topic describes how to specify CIDR block-specific RAM policies.

Example 1: Allow access from specified CIDR blocks

Allow access to Message Service (MNS) from the following CIDR blocks: 42.120.88.0/24 and 42.120.66.0/24.

{
    "Version": "1",
    "Statement": [
        {
            "Action": "mns:*",
            "Effect": "Allow",
            "Resource": "acs:mns:*:*:*",
            "Condition":{
                "IpAddress": {
                    "acs:SourceIp": ["42.120.88.0/24", "42.120.66.0/24"]
                }
            }
        }
    ]
}            

Example 2: Deny access from specified CIDR blocks

Deny access to MNS from any IP address that is not included in the following CIDR block: 42.120.88.0/24.

{
    "Version": "1",
    "Statement": [
        {
            "Action": "mns:*",
            "Effect": "Deny",
            "Resource": "acs:mns:*:*:*",
            "Condition":{
                "NotIpAddress": {
                    "acs:SourceIp": ["42.120.88.0/24"]
                }
            }
        }
    ]
}

Notice: In RAM policies, Deny rules take precedence over Allow rules. If you perform an access operation that matches a Deny rule, the operation fails. In this example, if you access MNS from an IP address that is not included in the 42.120.88.0/24 CIDR block, an error message is returned because you are not authorized to access MNS.
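The following added example (not part of the original documentation and not Alibaba Cloud's evaluation engine) models what happens when the policies from Example 1 and Example 2 are attached to the same RAM user: the Deny with NotIpAddress overrides the Allow for 42.120.66.0/24. The function names, the "ImplicitDeny" label, and the sample IP addresses are assumptions made for illustration.

```python
import ipaddress

# Policies from Example 1 and Example 2, as if both were attached to one RAM user.
ALLOW_POLICY = {"Version": "1", "Statement": [{
    "Action": "mns:*", "Effect": "Allow", "Resource": "acs:mns:*:*:*",
    "Condition": {"IpAddress": {"acs:SourceIp": ["42.120.88.0/24", "42.120.66.0/24"]}},
}]}
DENY_POLICY = {"Version": "1", "Statement": [{
    "Action": "mns:*", "Effect": "Deny", "Resource": "acs:mns:*:*:*",
    "Condition": {"NotIpAddress": {"acs:SourceIp": ["42.120.88.0/24"]}},
}]}


def condition_matches(condition, source_ip):
    """True when every operator in the Condition block holds for source_ip."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        cidrs = keys["acs:SourceIp"]
        cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
        in_any = any(ip in ipaddress.ip_network(c) for c in cidrs)
        if operator == "IpAddress":
            if not in_any:
                return False
        elif operator == "NotIpAddress":
            if in_any:
                return False
        else:
            raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policies, source_ip):
    """Simplified model: a matching Deny wins, then Allow, else implicit deny.

    Assumes the request is an MNS action on an MNS resource, so Action and
    Resource matching is skipped.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not condition_matches(stmt.get("Condition", {}), source_ip):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    for ip in ("42.120.88.10", "42.120.66.5", "203.0.113.7"):  # constructed sample IPs
        print(ip, evaluate([ALLOW_POLICY, DENY_POLICY], ip))
```

With both policies attached, only 42.120.88.0/24 retains access; review combined policies this way before attaching a Deny statement to users who rely on a broader Allow.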

Example 3: Authorize a RAM user to read resources in the MNS console

Authorize a RAM user to view lists of queues and topics, and parameters of each queue or topic.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:ListQueue",
        "mns:ListTopic",
        "mns:GetQueueAttributes",
        "mns:GetTopicAttributes"
      ],
      "Resource": "acs:mns:*:*:*"
    }
  ]
}