Use a RAM policy to restrict OpenAPI calls to trusted source IPs, reducing the blast radius of a leaked AccessKey.
Security risks
By default, any entity with a valid AccessKey can call OpenAPI from any IP address. A leaked AccessKey — through misconfiguration, hardcoded source code, or an employee's departure — gives an attacker direct control over your cloud resources, potentially causing data theft, malicious deletion, or unexpected charges.
How it works
A RAM policy with an acs:SourceIp condition restricts API calls to trusted IPs, such as your company's egress IP or a Bastionhost IP. Even if an AccessKey is leaked, calls succeed only from those addresses.
When acs:SourceIp lists multiple IPs or CIDR ranges, they are evaluated with OR logic: a call succeeds if the source IP matches any entry.
Limitations
-
RAM users only: Source IP restriction policies apply to RAM users only, not to the Alibaba Cloud account itself.
-
Public IPs only: The
acs:SourceIpcondition evaluates the caller's public egress IP or NAT Gateway egress IP — not the private IP within a VPC.
Prerequisites
Ensure that you have:
-
An Alibaba Cloud account with RAM administrator permissions.
-
The egress IP address or CIDR range to allow (for example, your company's outbound IP or a Bastionhost IP).
Restrict source IPs with the RAM console
Step 1: Create a RAM user
Source IP restriction policies attach to RAM users, not to the Alibaba Cloud account.
-
Log on to the RAM console as an Alibaba Cloud account or a RAM administrator.
-
In the left navigation pane, choose Identities > Users.
-
On the Users page, click Create User, enter the user information, click OK, and complete the security verification.
Step 2: Create a custom policy
-
In the left navigation pane, choose Permissions > Policies.
-
On the Access Policies page, click Create Policy.
-
On the Create Policy page, click the JSON tab and enter the following policy:
Field Description Example ActionOperations to allow. Use ecs:*for all ECS operations, or*for all cloud services."ecs:*"acs:SourceIpAllowed IPs or CIDR ranges. Multiple entries use OR logic — a call succeeds if the source IP matches any entry. "200.1.1.0/24","213.1.2.3"{ "Version": "1", "Statement": [ { "Action": "ecs:*", "Resource": "*", "Effect": "Allow", "Condition": { "IpAddress": { "acs:SourceIp": [ "200.1.xxx.xxx/24", "213.1.xxx.xxx" ] } } } ] }Replace the placeholder values before you save the policy.
-
Enter a Policy Name (for example,
RestrictIPAccess), optionally add a description, click OK, and complete the security verification.
Step 3: Attach the policy to the RAM user
-
In the left navigation pane, choose Identities > Users.
-
On the Users page, find the target RAM user and click Add Permissions in the Actions column.
-
In the Grant Permission panel, select the policy and click Grant Permissions.
Restrict source IPs with the API
Call the following RAM API operations in sequence:
-
Call CreateUser to create a RAM user:
-
UserName: The logon name. -
DisplayName: The display name.
-
-
Call CreatePolicy to create the policy:
-
PolicyName: The policy name, such asRestrictIPAccess. -
PolicyDocument: The JSON policy document with allowed IPs in theacs:SourceIpfield.
-
-
Call AttachPolicyToUser to attach the policy to the RAM user:
-
PolicyType:Custom. -
PolicyName: such asRestrictIPAccess. -
UserName: such asTestUser.
-
Compliance
Use the following scripts with Alibaba Cloud CLI to audit and remediate source IP restrictions across all RAM users.
Check: find RAM users without a source IP restriction
Lists all RAM users without the specified policy attached.
#!/bin/bash
# Replace with your policy name and ARN.
POLICY_NAME="RestrictIPAccess"
POLICY_ARN="acs:ram::123456789012:policy/RestrictIPAccess"
USER_LIST=$(aliyun ram ListUsers | jq -r '.Users.User[].UserName')
for USER in $USER_LIST; do
POLICIES=$(aliyun ram ListPoliciesForUser --UserName $USER | jq -r '.Policies.Policy[].PolicyName')
if ! echo "$POLICIES" | grep -q "$POLICY_NAME"; then
echo "User $USER is not attached to policy $POLICY_ARN"
fi
done
Fix: attach a source IP restriction to RAM users in bulk
Attaches the policy to every RAM user that does not already have it.
#!/bin/bash
# Replace with your policy name and ARN.
POLICY_NAME="RestrictIPAccess"
POLICY_ARN="acs:ram::123456789012:policy/RestrictIPAccess"
USER_LIST=$(aliyun ram ListUsers | jq -r '.Users.User[].UserName')
for USER in $USER_LIST; do
POLICIES=$(aliyun ram ListPoliciesForUser --UserName $USER | jq -r '.Policies.Policy[].PolicyName')
if ! echo "$POLICIES" | grep -q "^${POLICY_NAME}$"; then
echo "Attaching policy $POLICY_ARN to user $USER ..."
aliyun ram AttachPolicyToUser \
--PolicyType Custom \
--PolicyName $POLICY_NAME \
--UserName $USER
if [ $? -eq 0 ]; then
echo "Policy attached to $USER."
else
echo "Failed to attach policy to $USER. Check your permissions or verify the policy exists."
fi
else
echo "User $USER already has the policy. Skipping."
fi
done