Alibaba Cloud DNS:Reference for Alibaba Cloud DNS custom policies

Last Updated:Nov 04, 2025

If system policies do not meet your requirements, you can create custom policies to achieve least privilege. Custom policies provide fine-grained permission control and are an effective way to improve resource access security. This topic describes scenarios and provides policy examples for using custom policies with Alibaba Cloud DNS.

What are custom policies?

In Resource Access Management (RAM), custom policies are policies that you can create, update, and delete in addition to system policies. You are responsible for the version maintenance of your custom policies.

  • After you create a custom policy, you can attach it to a RAM user, RAM user group, or RAM role. That identity then has exactly the permissions that the policy grants.

  • You can delete custom policies. Before you delete a policy, make sure that it is no longer attached to any identity. If it is still referenced, first detach it from each RAM user, user group, or role listed in its reference records so that the grant is revoked.

  • Custom policies support versioning. You can manage the versions of your custom policies using the RAM versioning feature.

Common scenarios and examples for custom policies

Example 1: Manage permissions for authoritative DNS resolution of a domain name

Grant a RAM user full permissions on Alibaba Cloud DNS: the user can view, add, edit, and delete domain names and DNS records on the Authoritative Zone page of the Alibaba Cloud DNS console. The first statement allows every alidns action on every resource, which is equivalent to full access, so use Example 3 instead when the user should manage only specific domain names. The second statement is limited by its Condition to creating the service-linked roles for Alibaba Cloud DNS (alidns.aliyuncs.com) and Global Traffic Manager (gtm.aliyuncs.com); it does not allow the user to create service-linked roles for any other service.

{
    "Version": "1",
    "Statement": [
        {
            "Action": "alidns:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "alidns.aliyuncs.com",
                        "gtm.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}

Example 2: Grant read-only permissions for authoritative DNS resolution of a domain name

Grant a RAM user read-only permissions to view domain names and DNS records on the Authoritative Zone page of the Alibaba Cloud DNS console. Every action in the list is a query operation, so the user cannot add, modify, or delete domain names or records.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "alidns:Describe*",
                "alidns:Get*",
                "alidns:List*",
                "alidns:Query*",
                "alidns:Check*",
                "alidns:Search*",
                "alidns:ValidateDomainCanAdd"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Example 3: Grant a RAM user permissions to manage the DNS records of a domain name

  1. In the Action field, specify the operations that the RAM user can perform, such as adding, modifying, and deleting DNS records.

  2. In the Resource field, specify the domain name that can be managed, in the form acs:alidns:*:<Alibaba Cloud account ID>:domain/<domain name>. In the example below, replace 1413397765616316 with your account ID and your-domainname with the domain name. This restricts the allowed operations to that one domain; the same actions on any other domain in the account are denied.

  3. Attach the policy to the specified RAM user.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alidns:AddDomainRecord",
        "alidns:DeleteDomainRecord",
        "alidns:DeleteSubDomainRecords",
        "alidns:UpdateDomainRecord",
        "alidns:UpdateDomainRecordsTTL"
      ],
      "Resource": [
        "acs:alidns:*:1413397765616316:domain/your-domainname"
      ]
    }
  ]
}

Note: Permissions can be granted only at the granularity of a domain name. If you want a RAM user to manage DNS records only for a specific subdomain, such as demo.example.com, rather than for the entire example.com zone, you must first add demo.example.com as an independent subdomain. For more information, see Subdomain management. You can then grant permissions on that subdomain using the method described above.
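To check what the three policies above actually grant before attaching them, the following script evaluates sample requests against each of them offline. This is an added example for this page, not Alibaba Cloud code, and it only approximates RAM evaluation: implicit deny, any matching Allow grants, an explicit Deny wins, "*" wildcards in Action and Resource, and the single condition operator the page uses (StringEquals). The request resource strings, the region cn-hangzhou, and the is_read_only lint heuristic are assumptions chosen for illustration; the policies and the account ID are copied from the examples.

```python
"""Offline evaluator for the RAM policies shown on this page (added example)."""
import fnmatch

# Example 1: full alidns access plus conditional service-linked role creation.
FULL_ACCESS = {
    "Version": "1",
    "Statement": [
        {"Action": "alidns:*", "Resource": "*", "Effect": "Allow"},
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {
                "ram:ServiceName": ["alidns.aliyuncs.com", "gtm.aliyuncs.com"]}},
        },
    ],
}

# Example 2: read-only.
READ_ONLY = {
    "Version": "1",
    "Statement": [{
        "Action": ["alidns:Describe*", "alidns:Get*", "alidns:List*",
                   "alidns:Query*", "alidns:Check*", "alidns:Search*",
                   "alidns:ValidateDomainCanAdd"],
        "Resource": "*",
        "Effect": "Allow",
    }],
}

# Example 3: record management scoped to one domain (account ID from the page).
ACCOUNT = "1413397765616316"
ONE_DOMAIN = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["alidns:AddDomainRecord", "alidns:DeleteDomainRecord",
                   "alidns:DeleteSubDomainRecords", "alidns:UpdateDomainRecord",
                   "alidns:UpdateDomainRecordsTTL"],
        "Resource": [f"acs:alidns:*:{ACCOUNT}:domain/your-domainname"],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # '*' matches any run of characters (including ':' and '/'), as in the
    # Action and Resource strings above; comparison is case-insensitive here.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals is implemented; it is the one operator this page uses.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one policy document."""
    context = context or {}
    decision = "Deny"  # implicit deny when no statement matches
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


def is_read_only(policy):
    """Lint: True if every Allow action starts with a read verb (heuristic)."""
    read_verbs = ("describe", "get", "list", "query", "check", "search", "validate")
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            verb = action.split(":", 1)[1].lower()
            if verb == "*" or not verb.startswith(read_verbs):
                return False
    return True


if __name__ == "__main__":
    dom = f"acs:alidns:cn-hangzhou:{ACCOUNT}:domain/your-domainname"
    other = f"acs:alidns:cn-hangzhou:{ACCOUNT}:domain/other-domain"
    print(evaluate(READ_ONLY, "alidns:AddDomainRecord", dom))    # Deny
    print(evaluate(ONE_DOMAIN, "alidns:AddDomainRecord", dom))   # Allow
    print(evaluate(ONE_DOMAIN, "alidns:AddDomainRecord", other)) # Deny
    print(evaluate(FULL_ACCESS, "ram:CreateServiceLinkedRole", "*",
                   {"ram:ServiceName": "ecs.aliyuncs.com"}))     # Deny
```

Running the script shows the differences that matter for least privilege: the read-only policy rejects every record change, the domain-scoped policy allows record changes on your-domainname but nothing on other-domain and no read actions at all (pair it with Example 2 if the user also needs to list records), and the full-access policy's second statement refuses to create a service-linked role for any service other than the two named in its Condition.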

Authorization reference

To use custom policies, you must understand your permission control requirements and the authorization information for Alibaba Cloud DNS. For more information, see Authorization information.