Reference for DNS Custom Policies - - Alibaba Cloud Documentation Center

If DNS system policies do not meet your business requirements, you can configure custom policies based on the principle of least privilege for fine-grained permission management. This helps improve resource access security. This topic describes the scenarios where custom policies are used for Alibaba Cloud DNS and provides examples on how to use the custom policies.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can create, update, and delete custom policies. You must manage the versions of custom policies on your own.

After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage the versions of custom policies based on the version management mechanism provided by RAM.

References

Common scenarios and examples

Example 1: Grants management permissions on authoritative DNS resolution page

Grant a RAM user permissions to view and edit domain names and update DNS records on the authoritative DNS resolution page in the Alibaba Cloud DNS console.

{
    "Version": "1",
    "Statement": [
        {
            "Action": "alidns:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "alidns.aliyuncs.com",
                        "gtm.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}

Example 2: Grants read-only permissions on authoritative DNS resolution page

Grant a RAM user permissions to view domain names and DNS records on the authoritative DNS resolution page in the Alibaba Cloud DNS console. Users do not have permissions to edit and modify domain names and DNS record.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "alidns:Describe*",
                "alidns:Get*",
                "alidns:List*",
                "alidns:Query*",
                "alidns:Check*",
                "alidns:Search*",
                "alidns:ValidateDomainCanAdd"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Authorization information

To use a custom policy, you must understand the permission control requirements of your business and the authorization information about Alibaba Cloud DNS. For more information, see Authorization information.