Use RAM policies to manage the permissions of RAM users on ApsaraDB RDS instances - ApsaraDB RDS

This topic describes how to attach Resource Access Management (RAM) policies to RAM users to manage the permissions of the RAM users on ApsaraDB RDS instances.

Introduction

Alibaba Cloud allows you to use RAM policies to improve the security of RDS instances. You can use RAM policies to grant different permissions to RAM users on RDS instances. For more information, see RAM policies for ApsaraDB RDS.

Note For more information about RAM policies, see Policy overview.

Procedure

Log on to the RAM console.
In the left-side navigation pane, choose Permissions > Policies.
On the page that appears, click Create Policy. On the JSON tab of the page that appears, enter the RAM policy script and click Next Step.
Note
- You can find the RAM policy script in the Code column in the "RAM policies for ApsaraDB RDS" section of this topic.
- For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
In the Basic Information section of the page that appears, enter a policy name in the Name field. Then, click OK. You can find the name of the RAM policy in the Policy column in the "RAM policies for ApsaraDB RDS" section of this topic.
Note You can also customize the name of the RAM policy. The name of the RAM policy must meet the following requirements:
- The name must be 1 to 128 characters in length.
- The name can contain letters, digits, and hyphens (-).
On the page that appears, click Grant Permission.
1. Configure the Authorized Scope parameter.
  - Alibaba Cloud Account: The authorization takes effect on all resources in the current Alibaba Cloud account.
  - Specific Resource Group: The authorization takes effect on resources in a specified resource group.
    
    Note If you want to select the Specific Resource Group option, make sure that ApsaraDB RDS supports resource groups. For more information, see Services that work with Resource Group.
2. Configure the Principal parameter.
  
  Note The Principal parameter specifies the RAM user to which you want to attach the RAM policy. You can enter a part of the username to perform a fuzzy match to search for the RAM user.
3. Set the Select Policy parameter to Custom Policy.
4. Select the RAM policy that you created in Step 4. Then, click OK.
  
  Note You can enter a part of the name of the RAM policy in the search box above the listed RAM policies to perform a fuzzy match to search for the RAM policy.

RAM policies for ApsaraDB RDS


Item	Policy	Code	Description
Instance creation	CreateRdsWithNonDiskEncryptionForbidden	Click to expand { "Statement": [ { "Action": "rds:CreateDBInstance", "rds:PreCheckCreateOrder", "rds:CreateOrder", "Effect": "Deny", "Resource": "*", "Condition": { "Bool": { "rds:DiskEncryptionRequired": "false" } } } ], "Version": "1" }	This policy is used to prevent users from creating RDS instances that do not use encrypted disks. Note This policy takes effect only when users create primary RDS instances. This policy does not take effect when users create read-only RDS instances or restore data to new RDS instances.
Instance creation	CreateRdsWithNonVPCNetworkTypeForbidden	Click to expand { "Statement": [ { "Action": ["rds:CreateDBInstance", "rds:PreCheckCreateOrder", "rds:CreateOrder"], "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:InstanceNetworkType": "VPC" } } } ], "Version": "1" }	This policy is used to prevent users from creating RDS instances whose network types are not Virtual Private Cloud (VPC). Note This policy takes effect only when users create primary RDS instances. This policy does not take effect when users create read-only RDS instances or restore data to new RDS instances.
Network configurations	DatabaseConnectionNonVPCNetworkTypeForbidden	Click to expand { "Statement": [ { "Action": "rds:ModifyDBInstanceNetworkType", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:InstanceNetworkType": "VPC" } } } ], "Version": "1" }	This policy is used to prevent users from changing the network type of RDS instances to classic network.
Security configurations	DataSecuritySSLDisabledForbidden	Click to expand { "Statement": [ { "Action": "rds:ModifyDBInstanceSSL", "Effect": "Deny", "Resource": "*", "Condition": { "StringEquals": { "rds:SSLEnabled": "0" } } } ], "Version": "1" }	This policy is used to prevent users from disabling SSL encryption for RDS instances.
Security configurations	DataSecurityTDEDisabledForbidden	Click to expand { "Statement": [ { "Action": "rds:ModifyDBInstanceTDE", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:TDEStatus": "Enabled" } } } ], "Version": "1" }	This policy is used to prevent users from disabling Transparent Data Encryption (TDE) for RDS instances.
Database proxy configurations	DatabaseProxyWithNonVPCNetworkTypeForbidden	Click to expand { "Statement": [ { "Action": "rds:ModifyDBProxy", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:InstanceNetworkType": "VPC" } } } ], "Version": "1" }	This policy is used to prevent users from specifying public endpoints when the users enable the database proxy feature for RDS instances.
	DatabaseProxyCreateEndpointAddressWithNonVPCNetworkTypeForbidden	Click to expand { "Statement": [ { "Action": "rds:CreateDBProxyEndpointAddress", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:DBProxyConnectStringNetType": "VPC" } } } ], "Version": "1" }	This policy is used to prevent users from specifying public endpoints when the users create endpoints to connect to the database proxies of RDS instances.
	DatabaseProxyModifyEndpointAddressWithNonVPCNetworkTypeForbidden	Click to expand { "Statement": [ { "Action": "rds:ModifyDBProxyEndpointAddress", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:DBProxyConnectStringNetType": "VPC" } } } ], "Version": "1" }	This policy is used to prevent users from specifying public endpoints when the users modify the endpoints that are used to connect to the database proxies of RDS instances.
	DatabaseProxyDbProxyInstanceSslDisabledForbidden	Click to expand { "Statement": [ { "Action": "rds:ModifyDbProxyInstanceSsl", "Effect": "Deny", "Resource": "*", "Condition": { "StringEquals": { "rds:DbProxySslEnabled": "0" } } } ], "Version": "1" }	This policy is used to prevent users from disabling SSL encryption for the specified endpoints of the database proxies of RDS instances.
Backup-related configurations	BackupAndRestorationCrossBackupDisabledForbidden	Click to expand { "Statement": [ { "Action": "rds:ModifyInstanceCrossBackupPolicy", "Effect": "Deny", "Resource": "", "Condition": { "StringNotEquals": { "rds:BackupEnabled": "1" } } }, { "Action": "rds:ModifyInstanceCrossBackupPolicy", "Effect": "Deny", "Resource": "", "Condition": { "StringNotEquals": { "rds:LogBackupEnabled": "1" } } } ], "Version": "1" }	This policy is used to prevent users from disabling the cross-region backup feature for RDS instances.
Backup-related configurations	BackupAndRestorationBackupPolicyDisabledForbidden	Click to expand { "Statement": [ { "Action": "rds:ModifyBackupPolicy", "Effect": "Deny", "Resource": "", "Condition": { "StringEquals": { "rds:EnableBackupLog": "0" } } }, { "Action": "rds:ModifyBackupPolicy", "Effect": "Deny", "Resource": "", "Condition": { "StringEquals": { "rds:BackupLog": "Disabled" } } } ], "Version": "1" }	This policy is used to prevent users from disabling the log backup feature for RDS instances.
Event history	EventCenterActionEventEnableEventLogForbidden	Click to expand { "Statement": [ { "Action": "rds:ModifyActionEventPolicy", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "rds:EnableEventLog": "False" } } } ], "Version": "1" }	This policy is used to prevent users from enabling the event history feature for RDS instances.