This topic describes how to attach Resource Access Management (RAM) policies to RAM users to manage the permissions of the RAM users on ApsaraDB RDS instances.

Introduction

Alibaba Cloud allows you to use RAM policies to improve the security of RDS instances. You can use RAM policies to grant different permissions to RAM users on RDS instances. For more information, see RAM policies for ApsaraDB RDS.

Note For more information about RAM policies, see Policy overview.

Procedure

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the page that appears, click Create Policy. On the JSON tab, enter the RAM policy script and click Next Step.
  4. In the Basic Information section of the page that appears, enter a policy name in the Name field. Then, click OK. The names of the predefined policies are listed under Policy in the "RAM policies for ApsaraDB RDS" section of this topic.
    Note You can also customize the name of the RAM policy. The name of the RAM policy must meet the following requirements:
    • The name must be 1 to 128 characters in length.
    • The name can contain letters, digits, and hyphens (-).
  5. On the page that appears, click Grant Permission.
    1. Configure the Authorized Scope parameter.
      • Alibaba Cloud Account: The authorization takes effect on all resources in the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect on resources in a specified resource group.
        Note If you want to select the Specific Resource Group option, make sure that ApsaraDB RDS supports resource groups. For more information, see Alibaba Cloud services that support resource groups.
    2. Configure the Principal parameter.
      Note The Principal parameter specifies the RAM user to which you want to attach the RAM policy. You can enter a part of the username to perform a fuzzy match to search for the RAM user.
    3. Set the Select Policy parameter to Custom Policy.
    4. Select the RAM policy that you created in Step 4. Then, click OK.
      Note You can enter a part of the name of the RAM policy in the search box above the listed RAM policies to perform a fuzzy match to search for the RAM policy.

RAM policies for ApsaraDB RDS

Each entry lists the Item the policy governs, the Policy name, the policy Code, and a Description of its effect.

Item: Instance creation
Policy: CreateRdsWithNonDiskEncryptionForbidden
Code:
{ "Statement": [ { "Action": ["rds:CreateDBInstance", "rds:PreCheckCreateOrder", "rds:CreateOrder"], "Effect": "Deny", "Resource": "*", "Condition": { "Bool": { "rds:DiskEncryptionRequired": "false" } } } ], "Version": "1" }
Description: This policy is used to prevent users from creating RDS instances that do not use encrypted disks.
Note This policy takes effect only when users create primary RDS instances. It does not take effect when users create read-only RDS instances or restore data to new RDS instances.

Item: Instance creation
Policy: CreateRdsWithNonVPCNetworkTypeForbidden
Code:
{ "Statement": [ { "Action": ["rds:CreateDBInstance", "rds:PreCheckCreateOrder", "rds:CreateOrder"], "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:InstanceNetworkType": "VPC" } } } ], "Version": "1" }
Description: This policy is used to prevent users from creating RDS instances whose network type is not Virtual Private Cloud (VPC).
Note This policy takes effect only when users create primary RDS instances. It does not take effect when users create read-only RDS instances or restore data to new RDS instances.

Item: Network configurations
Policy: DatabaseConnectionNonVPCNetworkTypeForbidden
Code:
{ "Statement": [ { "Action": "rds:ModifyDBInstanceNetworkType", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:InstanceNetworkType": "VPC" } } } ], "Version": "1" }
Description: This policy is used to prevent users from changing the network type of RDS instances to the classic network.

Item: Security configurations
Policy: DataSecuritySSLDisabledForbidden
Code:
{ "Statement": [ { "Action": "rds:ModifyDBInstanceSSL", "Effect": "Deny", "Resource": "*", "Condition": { "StringEquals": { "rds:SSLEnabled": "0" } } } ], "Version": "1" }
Description: This policy is used to prevent users from disabling SSL encryption for RDS instances.

Item: Security configurations
Policy: DataSecurityTDEDisabledForbidden
Code:
{ "Statement": [ { "Action": "rds:ModifyDBInstanceTDE", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:TDEStatus": "Enabled" } } } ], "Version": "1" }
Description: This policy is used to prevent users from disabling Transparent Data Encryption (TDE) for RDS instances.

Item: Database proxy configurations
Policy: DatabaseProxyWithNonVPCNetworkTypeForbidden
Code:
{ "Statement": [ { "Action": "rds:ModifyDBProxy", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:InstanceNetworkType": "VPC" } } } ], "Version": "1" }
Description: This policy is used to prevent users from specifying public endpoints when they enable the database proxy feature for RDS instances.

Item: Database proxy configurations
Policy: DatabaseProxyCreateEndpointAddressWithNonVPCNetworkTypeForbidden
Code:
{ "Statement": [ { "Action": "rds:CreateDBProxyEndpointAddress", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:DBProxyConnectStringNetType": "VPC" } } } ], "Version": "1" }
Description: This policy is used to prevent users from specifying public endpoints when they create endpoints to connect to the database proxies of RDS instances.

Item: Database proxy configurations
Policy: DatabaseProxyModifyEndpointAddressWithNonVPCNetworkTypeForbidden
Code:
{ "Statement": [ { "Action": "rds:ModifyDBProxyEndpointAddress", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:DBProxyConnectStringNetType": "VPC" } } } ], "Version": "1" }
Description: This policy is used to prevent users from specifying public endpoints when they modify the endpoints that are used to connect to the database proxies of RDS instances.

Item: Database proxy configurations
Policy: DatabaseProxyDbProxyInstanceSslDisabledForbidden
Code:
{ "Statement": [ { "Action": "rds:ModifyDbProxyInstanceSsl", "Effect": "Deny", "Resource": "*", "Condition": { "StringEquals": { "rds:DbProxySslEnabled": "0" } } } ], "Version": "1" }
Description: This policy is used to prevent users from disabling SSL encryption for the specified endpoints of the database proxies of RDS instances.

Item: Backup-related configurations
Policy: BackupAndRestorationCrossBackupDisabledForbidden
Code:
{ "Statement": [ { "Action": "rds:ModifyInstanceCrossBackupPolicy", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:BackupEnabled": "1" } } }, { "Action": "rds:ModifyInstanceCrossBackupPolicy", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:LogBackupEnabled": "1" } } } ], "Version": "1" }
Description: This policy is used to prevent users from disabling the cross-region backup feature for RDS instances.

Item: Backup-related configurations
Policy: BackupAndRestorationBackupPolicyDisabledForbidden
Code:
{ "Statement": [ { "Action": "rds:ModifyBackupPolicy", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:EnableBackupLog": "1" } } }, { "Action": "rds:ModifyBackupPolicy", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:BackupLog": "Enable" } } } ], "Version": "1" }
Description: This policy is used to prevent users from disabling the log backup feature for RDS instances.

Item: Event history
Policy: EventCenterActionEventEnableEventLogForbidden
Code:
{ "Statement": [ { "Action": "rds:ModifyActionEventPolicy", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:EnableEventLog": "False" } } } ], "Version": "1" }
Description: This policy is used to prevent users from enabling the event history feature for RDS instances.
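The policies above all follow one pattern: a Deny statement whose Condition block (Bool, StringEquals or StringNotEquals on an rds:* condition key) decides whether the deny applies. The following is an added example, not Alibaba Cloud's code, of a minimal evaluator for that pattern so a team can unit-test the guardrails before attaching them to RAM users. It assumes that a statement whose condition key is absent from the request context does not match; the real RAM evaluator's handling of missing keys is not described on this page.

```python
import json

# Added example (not Alibaba Cloud code): evaluate the Deny-only RAM policies
# from this topic against a request context. Assumption: a condition key that is
# absent from the context never matches, so the Deny statement does not apply.

# Two policies copied from the table above, in the compact JSON shown there.
DISK_ENCRYPTION_POLICY = json.loads('''{ "Statement": [ { "Action": ["rds:CreateDBInstance",
 "rds:PreCheckCreateOrder", "rds:CreateOrder"], "Effect": "Deny", "Resource": "*",
 "Condition": { "Bool": { "rds:DiskEncryptionRequired": "false" } } } ], "Version": "1" }''')
VPC_ONLY_POLICY = json.loads('''{ "Statement": [ { "Action": "rds:ModifyDBInstanceNetworkType",
 "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals":
 { "rds:InstanceNetworkType": "VPC" } } } ], "Version": "1" }''')

# The three condition operators used by the policies on this page.
OPERATORS = {
    "Bool": lambda actual, wanted: str(actual).lower() == str(wanted).lower(),
    "StringEquals": lambda actual, wanted: actual == wanted,
    "StringNotEquals": lambda actual, wanted: actual != wanted,
}

def _as_list(value):
    """Action and condition values may be a single string or a list."""
    return value if isinstance(value, list) else [value]

def condition_matches(condition, context):
    """Every operator/key pair must match; a missing context key never matches."""
    for operator, pairs in condition.items():
        test = OPERATORS[operator]
        for key, wanted in pairs.items():
            if key not in context:
                return False
            if not any(test(context[key], w) for w in _as_list(wanted)):
                return False
    return True

def is_denied(policy, action, context):
    """Return True if any Deny statement in the policy applies to the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in _as_list(stmt["Action"]):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False

if __name__ == "__main__":
    # Constructed request contexts: one non-compliant, one compliant.
    print(is_denied(DISK_ENCRYPTION_POLICY, "rds:CreateDBInstance",
                    {"rds:DiskEncryptionRequired": "false"}))   # True
    print(is_denied(VPC_ONLY_POLICY, "rds:ModifyDBInstanceNetworkType",
                    {"rds:InstanceNetworkType": "VPC"}))        # False
```

Because `is_denied` only reports whether a Deny applies, an action outside the listed Action values (for example a Describe call) returns False regardless of context, which mirrors the fact that these policies restrict but never grant access.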