Cloud Firewall:Configure policies to deny sensitive data access

Last Updated:Jun 20, 2026

By default, Alibaba Cloud Network Detection and Response (NDR) lets you view and download the details of sensitive data and related packet payloads. To prevent sensitive data leaks, you can restrict permissions to view and export this data. This topic describes how to use Resource Access Management (RAM) to create policies that prevent a RAM user from viewing and exporting sensitive data.

Supported sensitive data types

Note

A hyphen (-) in the table indicates an empty cell.

No.  Type
1    Debit card
2    Private key
3    License plate number (the Chinese mainland)
4    Name (Traditional Chinese)
5    Landline number (United States)
6    IMEI
7    Organization code
8    ProjectOpenaiApiKey
9    ID card (the Chinese mainland)
10   ID card (Hong Kong, China)
11   Landline number (the Chinese mainland)
12   Name (English)
13   Religious belief
14   MEID
15   Unified Social Credit Identifier
16   BailianApiKey
17   AccessKeyId
18   Name (Simplified Chinese)
19   Gender
20   ID card number (Malaysia)
21   MAC address
22   Linux passwd file
23   Vehicle Identification Number (VIN)
24   HuggingFaceApiKey
25   Mainland Travel Permit for Hong Kong and Macao Residents
26   Address (the Chinese mainland)
27   Ethnicity
28   ID card number (Singapore)
29   JDBC connection string
30   Linux shadow file
31   Alibaba Cloud AccessKey pair
32   GroqApiKey
33   Passport number (the Chinese mainland)
34   Mobile phone number (the Chinese mainland)
35   Province (the Chinese mainland)
36   International Bank Account Number (SWIFT code)
37   PEM certificate
38   Business license number
39   Password
40   PaiEasToken
41   Officer ID card
42   Email
43   City (the Chinese mainland)
44   U.S. Social Security Number (SSN)
45   AccessKeySecret
46   Tax registration certificate number
47   LegacyOpenaiApiKey
48   -

Prerequisites

  • You have a RAM user. For more information, see Create a RAM user.

  • The management account must have the required permissions to use Resource Access Management (RAM), create RAM users, and manage policies.

Sensitive data permissions

Permission                                                    Description
yundun-cloudfirewall:DescribeDecryptData                      Decrypt sensitive data
yundun-cloudfirewall:DescribeAssetRiskDataPublicLogPayload    View packet payloads of sensitive data transmissions
yundun-cloudfirewall:CreateExportTask                         Export data

Procedure

Create custom policies

  1. In the left-side navigation pane, choose Permissions > Policies. Click Create Policy and select the JSON tab.

  2. On the JSON tab, paste the following policy, and then click OK.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "yundun-cloudfirewall:DescribeDecryptData",
                "Resource": "*",
                "Effect": "Deny"
            },
            {
                "Action": "yundun-cloudfirewall:DescribeAssetRiskDataPublicLogPayload",
                "Resource": "*",
                "Effect": "Deny"
            }
        ]
    }

  3. In the Create Policy dialog box, set the policy name to DenyViewingSensitiveData and click OK.

  4. On the Policies page, click Create Policy. On the JSON tab, paste the following policy, and then click OK.

    {
        "Version": "1",
        "Statement": [
            {
              "Action": "yundun-cloudfirewall:CreateExportTask",
              "Resource": "*",
              "Effect": "Deny"
            }
        ]
    }

  5. In the Create Policy dialog box, set the Name to DenyExportingData, set the Note to Denies permission to export data, and then click OK.

Configure policies

  1. In the left-side navigation pane, choose Identities > Users. Find the target user and click Add Permissions in the Actions column.

  2. Select the required policies to deny viewing sensitive data and exporting data, along with the necessary system policies for Network Detection and Response (NDR). In the Add Permissions panel, set Authorized Scope to account-level, and then search for and select the required policies in the Select Policy section.

    Policy name                                  Description
    AliyunYundunCloudFirewallReadOnlyAccess      Grants read-only access to Cloud Firewall.
    AliyunYundunCloudFirewallFullAccess          Grants full access to manage Cloud Firewall.
    DenyViewingSensitiveData                     Denies a RAM user permission to view sensitive data.
    DenyExportingData                            Denies a RAM user permission to export data.

    Note

    You can add policies that deny viewing sensitive data and exporting data to both read-only and administrative permissions for Cloud Firewall.

  3. Click OK.
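The note above relies on a RAM evaluation rule: an explicit Deny in any attached policy overrides an Allow from any other policy, which is why the two custom policies work on top of either system policy. The following added example (not Alibaba Cloud's code) simulates that rule over the two policy bodies from this topic. The Allow statement that stands in for AliyunYundunCloudFirewallReadOnlyAccess is an assumption, since the real contents of that system policy are not shown on this page, and the DescribePlaceholderAction name is a constructed placeholder.

```python
"""Simulate how RAM combines this topic's Deny policies with an Allow policy.
Added example, not Alibaba Cloud's code. The read-only Allow policy is an
assumed stand-in, not the real AliyunYundunCloudFirewallReadOnlyAccess."""
import json
import re

# Policy bodies exactly as given in the "Create custom policies" steps.
DENY_VIEWING_SENSITIVE_DATA = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": "yundun-cloudfirewall:DescribeDecryptData", "Resource": "*", "Effect": "Deny"},
    {"Action": "yundun-cloudfirewall:DescribeAssetRiskDataPublicLogPayload", "Resource": "*", "Effect": "Deny"}
  ]
}""")
DENY_EXPORTING_DATA = json.loads("""{
  "Version": "1",
  "Statement": [{"Action": "yundun-cloudfirewall:CreateExportTask", "Resource": "*", "Effect": "Deny"}]
}""")
# Assumed stand-in for a read-only system policy (constructed for this example).
ASSUMED_READ_ONLY = {"Version": "1", "Statement": [
    {"Action": ["yundun-cloudfirewall:Describe*", "yundun-cloudfirewall:List*"],
     "Resource": "*", "Effect": "Allow"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, text):
    """RAM-style matching: '*' is the only wildcard; everything else is literal."""
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), text) is not None

def evaluate(policies, action, resource="*"):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action on one resource.
    An explicit Deny anywhere wins; with no matching statement at all the
    request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

# The combination this topic attaches to the RAM user.
USER_POLICIES = [ASSUMED_READ_ONLY, DENY_VIEWING_SENSITIVE_DATA, DENY_EXPORTING_DATA]

if __name__ == "__main__":
    for act in ("yundun-cloudfirewall:DescribeDecryptData",
                "yundun-cloudfirewall:CreateExportTask",
                "yundun-cloudfirewall:DescribePlaceholderAction"):  # placeholder, not a real API
        print(f"{act}: {evaluate(USER_POLICIES, act)}")
```

Swap ASSUMED_READ_ONLY for an Allow-everything stand-in to see that the same three actions stay denied under administrative access as well.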

Verify the policies

  1. Sign in to the Agentic NDR Console.

  2. In the left-side navigation pane, choose Risks.

  3. Click the Logon Activity tab. On the Privileged Accounts, Weak Passwords, Plaintext Credential, and Leaked AK/SK tabs, verify the following restrictions:

    • Click Sensitive Information. The action should be denied and a notification should appear.

    • Click the export icon. The action should be denied and a notification should appear.

    • In the Actions column of an entry, click Details. In the Details panel, verify that both clicking View payload and clicking the export icon are denied.

  4. Click the Sensitive Data tab.

    • At the top right of the list, click the export icon. The action should be denied and a notification should appear.

    • In the Actions column of an entry, click Details. In the Details panel, verify the following:

      • Clicking a number in the Sensitive Information Items column or clicking View payload should be denied.

      • Clicking the export icon should be denied.