If system policies do not meet your requirements, you can configure custom policies to implement the principle of least privilege. You can use custom policies to achieve fine-grained control over permissions and increase resource access security. This topic describes the custom policy terms and authorization of Auto Scaling.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Common scenarios and sample custom policies
Example 1: Create a scaling group that has tags
In this example, if you are assigned the following custom policy, you can create Scaling Group 1 only if you add tags environment:test and team:game1 during the creation.
{
"Effect": "Allow",
"Action": "ess:Create*",
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:RequestTag/environment": "test",
"acs:RequestTag/team": "game1"
}
}
}Example 2: Operate a scaling group that has specified tags
In this example, Scaling Group 1 has tags environment:test and team:game1. Scaling Group 2 has tags environment:dev and team:game2. If you are assigned the following custom policy, you can operate only Scaling Group 1.
{
"Version": "1",
"Statement": [
{
"Action": "ess:*",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:ResourceTag/environment": "test",
"acs:ResourceTag/Team": "game1"
}
}
},
{
"Action": "ess:*",
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:ResourceTag/environment": "dev",
"acs:ResourceTag/team": "game2"
}
}
},
{
"Effect": "Allow",
"Action": [
"ess:DescribeRegions",
"ess:CreateScheduledTask",
"ess:ModifyScheduledTask",
"ess:DescribeScheduledTasks",
"ess:DeleteScheduledTask",
"ess:CreateAlarm",
"ess:DescribeAlarms",
"ess:ModifyAlarm",
"ess:EnableAlarm",
"ess:DeleteAlarm"
],
"Resource": "*"
}
]
}Example 3: Create and operate a scaling group in a specified region
In this example, China (Hangzhou) and China (Beijing) are used. If you are assigned the following custom policy, you can create and operate a scaling group by using the Auto Scaling console or calling an API operation in the China (Hangzhou) region. You cannot create and operate a scaling group in the China (Beijing) region.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "ess:*",
"Resource": "acs:ess:cn-hangzhou:160998252992****:*"
},
{
"Effect": "Deny",
"Action": "ess:*",
"Resource": "acs:ess:cn-beijing:160998252992****:*"
},
{
"Effect": "Allow",
"Action": [
"ess:DescribeRegions",
"ess:CreateScheduledTask",
"ess:ModifyScheduledTask",
"ess:DescribeScheduledTasks",
"ess:DeleteScheduledTask",
"ess:CreateAlarm",
"ess:DescribeAlarms",
"ess:ModifyAlarm",
"ess:EnableAlarm",
"ess:DeleteAlarm"
],
"Resource": "*"
}
]
}Authorization
Before you create custom policies, you must understand the permission control requirements of your business and learn about the authorization rules of Auto Scaling. For more information, see RAM authorization.