ApsaraDB RDS:Use RAM policies to manage the permissions of RAM users on ApsaraDB RDS instances

Last Updated: Apr 26, 2023

This topic describes how to attach Resource Access Management (RAM) policies to RAM users to manage the permissions of the RAM users on ApsaraDB RDS instances.

Introduction

Alibaba Cloud allows you to use RAM policies to improve the security of RDS instances. You can use RAM policies to grant different permissions to RAM users on RDS instances. For more information, see RAM policies for ApsaraDB RDS.

Note

For more information about RAM policies, see Policy overview.

Procedure

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the page that appears, click Create Policy. On the JSON tab, enter the RAM policy script and click Next to edit policy information.

  4. In the Basic Information section of the page that appears, enter a policy name in the Name field. Then, click OK. You can find the name of the RAM policy in the Policy column in the "RAM policies for ApsaraDB RDS" section of this topic.

    Note

    You can also customize the name of the RAM policy. The name of the RAM policy must meet the following requirements:

    • The name must be 1 to 128 characters in length.

    • The name can contain letters, digits, and hyphens (-).

  5. On the page that appears, click Grant Permission.

    1. Configure the Authorized Scope parameter.

      • Alibaba Cloud Account: The authorization takes effect on all resources in the current Alibaba Cloud account.

      • Specific Resource Group: The authorization takes effect on resources in a specified resource group.

        Note

        If you want to select the Specific Resource Group option, make sure that ApsaraDB RDS supports resource groups. For more information, see Services that work with Resource Group.

    2. Configure the Principal parameter.

      Note

      The Principal parameter specifies the RAM user to which you want to attach the RAM policy. You can enter a part of the username to perform a fuzzy match to search for the RAM user.

    3. Set the Select Policy parameter to Custom Policy.

    4. Select the RAM policy that you created in Step 4. Then, click OK.

      Note

      You can enter a part of the name of the RAM policy in the search box above the listed RAM policies to perform a fuzzy match to search for the RAM policy.

RAM policies for ApsaraDB RDS

The policies are grouped by item (the configuration area they protect). Each entry lists the policy name, the policy code, and a description of what the policy denies.

Instance creation

CreateRdsWithNonDiskEncryptionForbidden

{ 
  "Statement": [ 
    {
      "Action": [
        "rds:CreateDBInstance", 
        "rds:PreCheckCreateOrder", 
        "rds:CreateOrder"
      ], 
      "Effect": "Deny", 
      "Resource": "*", 
      "Condition": {
        "Bool": { 
          "rds:DiskEncryptionRequired": "false" 
        } 
      } 
    } 
  ], 
  "Version": "1" 
}

This policy is used to prevent users from creating RDS instances that do not use encrypted disks.

Note

This policy takes effect only when users create primary RDS instances. This policy does not take effect when users create read-only RDS instances or restore data to new RDS instances.

CreateRdsWithNonVPCNetworkTypeForbidden

{ 
  "Statement": [
    {
      "Action": [
        "rds:CreateDBInstance",
        "rds:PreCheckCreateOrder",
        "rds:CreateOrder"
      ], 
      "Effect": "Deny", 
      "Resource": "*", 
      "Condition": { 
        "StringNotEquals": { 
          "rds:InstanceNetworkType": "VPC" 
        } 
      }
    } 
  ], 
  "Version": "1" 
}

This policy is used to prevent users from creating RDS instances whose network types are not Virtual Private Cloud (VPC).

Note

This policy takes effect only when users create primary RDS instances. This policy does not take effect when users create read-only RDS instances or restore data to new RDS instances.
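To see how the Deny conditions on this page are evaluated, here is an added Python example (written for this page, not code from Alibaba Cloud) that implements the three condition operators every policy above uses (Bool, StringEquals, StringNotEquals) and checks the two instance-creation policies against constructed requests. It models explicit-deny evaluation only and assumes that a condition key missing from the request fails Bool/StringEquals and satisfies StringNotEquals; the RAM engine's full evaluation, including Allow statements and resource matching, is not reproduced.

```python
import json

# Two policies copied from this page: CreateRdsWithNonDiskEncryptionForbidden
# and CreateRdsWithNonVPCNetworkTypeForbidden (whitespace collapsed).
NON_DISK_ENCRYPTION_FORBIDDEN = json.loads("""
{"Statement": [{"Action": ["rds:CreateDBInstance", "rds:PreCheckCreateOrder", "rds:CreateOrder"],
  "Effect": "Deny", "Resource": "*",
  "Condition": {"Bool": {"rds:DiskEncryptionRequired": "false"}}}], "Version": "1"}""")
NON_VPC_NETWORK_FORBIDDEN = json.loads("""
{"Statement": [{"Action": ["rds:CreateDBInstance", "rds:PreCheckCreateOrder", "rds:CreateOrder"],
  "Effect": "Deny", "Resource": "*",
  "Condition": {"StringNotEquals": {"rds:InstanceNetworkType": "VPC"}}}], "Version": "1"}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, ctx):
    """True when every key under every operator in Condition matches the request context.
    Only the operators used on this page (Bool, StringEquals, StringNotEquals) are handled.
    Assumption: a key missing from the request fails Bool/StringEquals and satisfies
    StringNotEquals, the usual semantics for negated string operators."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            wanted = [str(v) for v in _as_list(expected)]
            if operator == "Bool":  # Bool compares case-insensitively: "False" equals "false"
                actual = None if actual is None else str(actual).lower()
                wanted = [v.lower() for v in wanted]
            elif operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported condition operator: {operator}")
            present = actual is not None and str(actual) in wanted
            # Positive operators need a match; StringNotEquals needs the absence of one.
            if (operator == "StringNotEquals") == present:
                return False
    return True


def is_denied(policies, action, ctx):
    """Explicit-deny check: True if any Deny statement names the action and its condition holds.
    Every policy on this page uses Resource "*", so resource matching is not modelled."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Deny" or action not in _as_list(stmt["Action"]):
                continue
            if condition_matches(stmt.get("Condition", {}), ctx):
                return True
    return False
```

Because the deny is keyed on the three creation actions, a request for a different action is never matched, which is the mechanism behind the note that the policy does not cover read-only instance creation or restores to new instances.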

Network configurations

DatabaseConnectionNonVPCNetworkTypeForbidden

{
  "Statement": [
    {
      "Action": "rds:ModifyDBInstanceNetworkType", 
      "Effect": "Deny", 
      "Resource": "*", 
      "Condition": {
        "StringNotEquals": {
          "rds:InstanceNetworkType": "VPC" 
        }
      }
    }
  ],
  "Version": "1" 
}

This policy is used to prevent users from changing the network type of RDS instances to the classic network.

Security configurations

DataSecuritySSLDisabledForbidden

{ 
  "Statement": [
    {
      "Action": "rds:ModifyDBInstanceSSL", 
      "Effect": "Deny", 
      "Resource": "*", 
      "Condition": {
        "StringEquals": { 
          "rds:SSLEnabled": "0" 
        }
      }
    }
  ],
  "Version": "1" 
}

This policy is used to prevent users from disabling SSL encryption for RDS instances.

DataSecurityTDEDisabledForbidden

{ 
  "Statement": [
    {
      "Action": "rds:ModifyDBInstanceTDE", 
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:TDEStatus": "Enabled" 
        }
      }
    }
  ], 
  "Version": "1"
}

This policy is used to prevent users from disabling Transparent Data Encryption (TDE) for RDS instances.

Database proxy configurations

DatabaseProxyWithNonVPCNetworkTypeForbidden

{ 
  "Statement": [
    { 
      "Action": "rds:ModifyDBProxy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": { 
        "StringNotEquals": {
          "rds:InstanceNetworkType": "VPC"
        }
      }
    }
  ],
  "Version": "1" 
}

This policy is used to prevent users from specifying public endpoints when they enable the database proxy feature for RDS instances.

DatabaseProxyCreateEndpointAddressWithNonVPCNetworkTypeForbidden

{
  "Statement": [
    {
      "Action": "rds:CreateDBProxyEndpointAddress", 
      "Effect": "Deny",
      "Resource": "*",
      "Condition": { 
        "StringNotEquals": {
          "rds:DBProxyConnectStringNetType": "VPC"
        }
      }
    }
  ],
  "Version": "1" 
}

This policy is used to prevent users from specifying public endpoints when they create endpoints to connect to the database proxies of RDS instances.

DatabaseProxyModifyEndpointAddressWithNonVPCNetworkTypeForbidden

{ 
  "Statement": [
    {
      "Action": "rds:ModifyDBProxyEndpointAddress",
      "Effect": "Deny", 
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:DBProxyConnectStringNetType": "VPC"
        }
      }
    }
  ],
  "Version": "1" 
}

This policy is used to prevent users from specifying public endpoints when they modify the endpoints that are used to connect to the database proxies of RDS instances.

DatabaseProxyDbProxyInstanceSslDisabledForbidden

{ 
  "Statement": [
    {
      "Action": "rds:ModifyDbProxyInstanceSsl",
      "Effect": "Deny",
      "Resource": "*", 
      "Condition": {
        "StringEquals": {
          "rds:DbProxySslEnabled": "0" 
        }
      }
    }
  ], 
  "Version": "1" 
}

This policy is used to prevent users from disabling SSL encryption for the specified endpoints of the database proxies of RDS instances.

Backup-related configurations

BackupAndRestorationCrossBackupDisabledForbidden

{ 
  "Statement": [
    {
      "Action": "rds:ModifyInstanceCrossBackupPolicy",
      "Effect": "Deny", 
      "Resource": "*",
      "Condition": { 
        "StringNotEquals": {
          "rds:BackupEnabled": "1" 
        }
      }
    },
    {
      "Action": "rds:ModifyInstanceCrossBackupPolicy",
      "Effect": "Deny", 
      "Resource": "*",
      "Condition": { 
        "StringNotEquals": {
          "rds:LogBackupEnabled": "1" 
        } 
      }
    }
  ],
  "Version": "1"
}

This policy is used to prevent users from disabling the cross-region backup feature for RDS instances.

BackupAndRestorationBackupPolicyDisabledForbidden

{ 
  "Statement": [
    {
      "Action": "rds:ModifyBackupPolicy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:EnableBackupLog": "0"
        }
      }
    },
    {
      "Action": "rds:ModifyBackupPolicy",
      "Effect": "Deny", 
      "Resource": "*",
      "Condition": { 
        "StringEquals": {
          "rds:BackupLog": "Disabled"
        }
      }
    }
  ],
  "Version": "1"
}

This policy is used to prevent users from disabling the log backup feature for RDS instances.

Event history

EventCenterActionEventEnableEventLogForbidden

{ 
  "Statement": [
    { 
      "Action": "rds:ModifyActionEventPolicy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": { 
        "StringNotEquals": {
          "rds:EnableEventLog": "False"
        }
      }
    }
  ],
  "Version": "1" 
}

This policy is used to prevent users from enabling the event history feature for RDS instances.