All Products
Search
Document Center

Elastic Compute Service:Restrict source IPs for OpenAPI calls

Last Updated:May 15, 2026

Use a RAM policy to restrict OpenAPI calls to trusted source IPs, reducing the blast radius of a leaked AccessKey.

Security risks

By default, any entity with a valid AccessKey can call OpenAPI from any IP address. A leaked AccessKey — through misconfiguration, hardcoded source code, or an employee's departure — gives an attacker direct control over your cloud resources, potentially causing data theft, malicious deletion, or unexpected charges.

How it works

A RAM policy with an acs:SourceIp condition restricts API calls to trusted IPs, such as your company's egress IP or a Bastionhost IP. Even if an AccessKey is leaked, calls succeed only from those addresses.

When acs:SourceIp lists multiple IPs or CIDR ranges, they are evaluated with OR logic: a call succeeds if the source IP matches any entry.

Limitations

  • RAM users only: Source IP restriction policies apply to RAM users only, not to the Alibaba Cloud account itself.

  • Public IPs only: The acs:SourceIp condition evaluates the caller's public egress IP or NAT Gateway egress IP — not the private IP within a VPC.

Prerequisites

Ensure that you have:

  • An Alibaba Cloud account with RAM administrator permissions.

  • The egress IP address or CIDR range to allow (for example, your company's outbound IP or a Bastionhost IP).

Restrict source IPs with the RAM console

Step 1: Create a RAM user

Source IP restriction policies attach to RAM users, not to the Alibaba Cloud account.

  1. Log on to the RAM console as an Alibaba Cloud account or a RAM administrator.

  2. In the left navigation pane, choose Identities > Users.

  3. On the Users page, click Create User, enter the user information, click OK, and complete the security verification.

Step 2: Create a custom policy

  1. In the left navigation pane, choose Permissions > Policies.

  2. On the Access Policies page, click Create Policy.

  3. On the Create Policy page, click the JSON tab and enter the following policy:

    Field Description Example
    Action Operations to allow. Use ecs:* for all ECS operations, or * for all cloud services. "ecs:*"
    acs:SourceIp Allowed IPs or CIDR ranges. Multiple entries use OR logic — a call succeeds if the source IP matches any entry. "200.1.1.0/24", "213.1.2.3"
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ecs:*",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": [
                "200.1.xxx.xxx/24",
                "213.1.xxx.xxx"
              ]
            }
          }
        }
      ]
    }

    Replace the placeholder values before you save the policy.

  4. Enter a Policy Name (for example, RestrictIPAccess), optionally add a description, click OK, and complete the security verification.

Step 3: Attach the policy to the RAM user

  1. In the left navigation pane, choose Identities > Users.

  2. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

  3. In the Grant Permission panel, select the policy and click Grant Permissions.

Restrict source IPs with the API

Call the following RAM API operations in sequence:

  1. Call CreateUser to create a RAM user:

    • UserName: The logon name.

    • DisplayName: The display name.

  2. Call CreatePolicy to create the policy:

    • PolicyName: The policy name, such as RestrictIPAccess.

    • PolicyDocument: The JSON policy document with allowed IPs in the acs:SourceIp field.

  3. Call AttachPolicyToUser to attach the policy to the RAM user:

    • PolicyType: Custom.

    • PolicyName: such as RestrictIPAccess.

    • UserName: such as TestUser.

Compliance

Use the following scripts with Alibaba Cloud CLI to audit and remediate source IP restrictions across all RAM users.

Check: find RAM users without a source IP restriction

Lists all RAM users without the specified policy attached.

#!/bin/bash

# Replace with your policy name and ARN.
POLICY_NAME="RestrictIPAccess"
POLICY_ARN="acs:ram::123456789012:policy/RestrictIPAccess"

USER_LIST=$(aliyun ram ListUsers | jq -r '.Users.User[].UserName')

for USER in $USER_LIST; do
  POLICIES=$(aliyun ram ListPoliciesForUser --UserName $USER | jq -r '.Policies.Policy[].PolicyName')

  if ! echo "$POLICIES" | grep -q "$POLICY_NAME"; then
    echo "User $USER is not attached to policy $POLICY_ARN"
  fi
done

Fix: attach a source IP restriction to RAM users in bulk

Attaches the policy to every RAM user that does not already have it.

#!/bin/bash

# Replace with your policy name and ARN.
POLICY_NAME="RestrictIPAccess"
POLICY_ARN="acs:ram::123456789012:policy/RestrictIPAccess"

USER_LIST=$(aliyun ram ListUsers | jq -r '.Users.User[].UserName')

for USER in $USER_LIST; do
  POLICIES=$(aliyun ram ListPoliciesForUser --UserName $USER | jq -r '.Policies.Policy[].PolicyName')

  if ! echo "$POLICIES" | grep -q "^${POLICY_NAME}$"; then
    echo "Attaching policy $POLICY_ARN to user $USER ..."
    aliyun ram AttachPolicyToUser \
      --PolicyType Custom \
      --PolicyName $POLICY_NAME \
      --UserName $USER

    if [ $? -eq 0 ]; then
      echo "Policy attached to $USER."
    else
      echo "Failed to attach policy to $USER. Check your permissions or verify the policy exists."
    fi
  else
    echo "User $USER already has the policy. Skipping."
  fi
done