
Container Service for Kubernetes: System policies for ACK

Last Updated: Dec 16, 2024

What is a system policy?

A policy defines a set of permissions written in the RAM policy structure and syntax. You can use a policy to describe the set of authorized resources, the set of authorized operations, and the conditions under which the authorization applies. Alibaba Cloud Resource Access Management (RAM) provides system policies and custom policies. All system policies are created and updated by Alibaba Cloud: you can attach them, but you cannot modify them. Custom policies are managed by you: you can create, update, and delete them based on your business requirements. As the service evolves, ACK adds new permissions to its system policies to support new features and capabilities. An update to a system policy takes effect for every RAM identity to which the policy is attached, including RAM users, RAM user groups, and RAM roles. For more information about RAM policies, see Policy overview.

Note

System policies are designed for new users to quickly get started with Alibaba Cloud products on the management console, though they also enable the use of more advanced methods like API operations or CLI commands. If you are familiar with the advanced methods, we recommend that you use custom policies to implement finer-grained control on who is permitted to call what API operations, thereby improving security.

System policies can be classified into service system policies, service role policies, and service-linked role policies. Some cloud services provide only one or two of the three types of policies. For more information, see the policy types that are described in the following section.
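As an added example (not part of Alibaba Cloud's documentation), the following Python script shows what the policy structure described above looks like in practice and why the note recommends custom policies: it builds a broad, system-style policy beside a custom policy scoped to a single cluster, audits both for wildcard actions, wildcard resources and missing conditions, and evaluates a request the way RAM does (an explicit Deny wins, otherwise any matching Allow). The cluster ID, the IP range and the `cs:Describe*` / `cs:Get*` action patterns are constructed assumptions, and the evaluator deliberately ignores Condition blocks.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies in RAM policy syntax (neither is the real
# AliyunCSFullAccess document). The cluster ID, IP range and the action
# patterns "cs:Describe*" / "cs:Get*" are assumptions for illustration.
BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "cs:*", "Resource": "*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cs:Describe*", "cs:Get*"],
        "Resource": "acs:cs:*:*:cluster/c-0123456789abcdef",
        "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}},
    }],
})

def _as_list(value):
    # Action and Resource may be a single string or a list of strings
    return value if isinstance(value, list) else [value]

def audit_policy(document):
    """Return (statement index, finding) pairs for Allow statements that
    grant wildcard actions or resources, or carry no Condition."""
    findings = []
    for i, stmt in enumerate(json.loads(document)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "action wildcard: every API operation of the service"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "resource wildcard: every cluster in the account"))
        if "Condition" not in stmt:
            findings.append((i, "no Condition limits when or from where it applies"))
    return findings

def grants(document, action, resource):
    """Simplified RAM evaluation: explicit Deny wins, otherwise any Allow whose
    Action and Resource match (RAM-style * wildcards); Conditions are ignored."""
    allowed = False
    for stmt in json.loads(document)["Statement"]:
        hit = (any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
               and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))
        if hit and stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or (hit and stmt.get("Effect") == "Allow")
    return allowed
```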

Service system policies

AliyunCSFullAccess

The AliyunCSFullAccess policy provides full access to Container Service through the Management Console. It can be attached to RAM identities.

AliyunCSReadOnlyAccess

The AliyunCSReadOnlyAccess policy provides read-only access to Container Service through the Management Console. It can be attached to RAM identities.

Service role policies

AliyunCISDefaultRolePolicy

The AliyunCISDefaultRolePolicy policy is the dedicated authorization policy of the AliyunCISDefaultRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSAIAssistantRolePolicy

The AliyunCSAIAssistantRolePolicy policy is the dedicated authorization policy of the AliyunCSAIAssistantRole service role. By default, Container Service (CS) uses this role to access your resources in other Alibaba Cloud services. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSDefaultRolePolicy

The AliyunCSDefaultRolePolicy policy is the dedicated authorization policy of the AliyunCSDefaultRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSKubernetesAuditRolePolicy

The AliyunCSKubernetesAuditRolePolicy policy is the dedicated authorization policy of the AliyunCSKubernetesAuditRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedAcrRolePolicy

The AliyunCSManagedAcrRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedAcrRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedApiGWRolePolicy

The AliyunCSManagedApiGWRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedApiGWRole service role. By default, Container Service (CS) uses this role to access your resources in other Alibaba Cloud services. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedArmsRolePolicy

The AliyunCSManagedArmsRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedArmsRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedAutoScalerRolePolicy

The AliyunCSManagedAutoScalerRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedAutoScalerRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedBackupRestoreRolePolicy

The AliyunCSManagedBackupRestoreRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedBackupRestoreRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedCmsRolePolicy

The AliyunCSManagedCmsRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedCmsRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedCostRolePolicy

The AliyunCSManagedCostRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedCostRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedCsiPluginRolePolicy

The AliyunCSManagedCsiPluginRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedCsiPluginRole service role. By default, Container Service (CS) uses this role to access your resources in other Alibaba Cloud services. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedCsiProvisionerRolePolicy

The AliyunCSManagedCsiProvisionerRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedCsiProvisionerRole service role. By default, Container Service (CS) uses this role to access your resources in other Alibaba Cloud services. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedCsiRolePolicy

The AliyunCSManagedCsiRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedCsiRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedEdgeRolePolicy

The AliyunCSManagedEdgeRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedEdgeRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedKubernetesRolePolicy

The AliyunCSManagedKubernetesRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedKubernetesRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedLogRolePolicy

The AliyunCSManagedLogRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedLogRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedMseRolePolicy

The AliyunCSManagedMseRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedMseRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedNetworkRolePolicy

The AliyunCSManagedNetworkRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedNetworkRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedNimitzRolePolicy

The AliyunCSManagedNimitzRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedNimitzRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedNlcRolePolicy

The AliyunCSManagedNlcRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedNlcRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSManagedSecurityRolePolicy

The AliyunCSManagedSecurityRolePolicy policy is the dedicated authorization policy of the AliyunCSManagedSecurityRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

AliyunCSServerlessKubernetesRolePolicy

The AliyunCSServerlessKubernetesRolePolicy policy is the dedicated authorization policy of the AliyunCSServerlessKubernetesRole service role and is attached to that role by default. Do not attach this policy to a RAM identity other than the service role. If a service provides finer-grained authorization, refer to the documentation of that service.

References

By default, RAM identities do not have any permissions. RAM identities can access cloud resources within an Alibaba Cloud account only after an account administrator grants the required permissions to the RAM identities. To ensure resource security, we recommend that you grant only the required permissions to the RAM identities based on the principle of least privilege. For more information, see the following topics: