If Resource Management Service (RAM) system policies do not meet your business requirements, you can create custom policies to implement the principle of least privilege. You can use custom policies to manage permissions in a fine-grained manner and increase resource access security. This topic describes how to configure custom policies for Elastic Compute Service (ECS) and provides sample custom policies.
Background information
For information about how to create a custom policy, see Create custom policies.
Before you create a custom policy, we recommend that you understand the basic elements and syntax of policies. For more information, see Policy elements and Policy structure and syntax.
For information about how multiple policies take effect, see Policy evaluation process.
Sample custom policies
Custom policy that grants a RAM user the permissions to create pay-as-you-go ECS instances
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeImages",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"ecs:DescribeSecurityGroups",
"ecs:DescribeKeyPairs",
"ecs:DescribeTags",
"ecs:RunInstances"
],
"Resource": "*"
}
],
"Version": "1"
}
Custom policy that grants a RAM user the permissions to create subscription ECS instances
You can call bss-related API operations to query and pay for subscription orders. The corresponding system policy is AliyunBSSOrderAccess.
If you set autoPay to true when you call the RunInstances operation to create subscription ECS instances, you do not need the permissions to call bss-related API operations.
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeImages",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"ecs:DescribeSecurityGroups",
"ecs:DescribeKeyPairs",
"ecs:DescribeTags",
"ecs:RunInstances",
"bss:DescribeOrderList",
"bss:DescribeOrderDetail",
"bss:PayOrder",
"bss:CancelOrder"
],
"Resource": "*"
}
],
"Version": "1"
}
Custom policy that grants a RAM user the permissions to restart ECS instances
The following policy indicates that the authorized RAM user can restart ECS instances. The ECS instances can be restarted only when MFA is enabled for the RAM user and the RAM user uses MFA to log on. In this case, the acs:MFAPresent condition key in the Condition element is set to true.
{
"Statement": [
{
"Action": "ecs:RebootInstance",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Bool": {
"acs:MFAPresent": "true"
}
}
}
],
"Version": "1"
}
Custom policy that grants a RAM user the permissions to manage a specific ECS instance
The following policy indicates that the authorized RAM user can view all ECS instances under an Alibaba Cloud account, but the user can manage only the i-001 ECS instance.
{
"Statement": [
{
"Action": "ecs:*",
"Effect": "Allow",
"Resource": "acs:ecs:*:*:instance/i-001"
},
{
"Action": "ecs:Describe*",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "1"
}
Custom policy that grants a RAM user the permissions to connect to a specific ECS instance by using Workbench
The following policy indicates that the authorized RAM user can view all ECS instances and resources in an Alibaba Cloud account, but the RAM user is allowed to connect to only the i-001 ECS instance by using Workbench.
{
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ecs-workbench:LoginInstance",
"Resource": "acs:ecs-workbench:*:*:workbench/i-001"
}
],
"Version": "1"
}
Custom policy that prohibits a RAM user from connecting to ECS instances by using VNC
The following policy prevents you from using Virtual Network Computing (VNC) to connect to all ECS instances:
{
"Statement": [
{
"Effect": "Deny",
"Action": "ecs:DescribeInstanceVncUrl",
"Resource": "*"
}
],
"Version": "1"
}
Custom policy that grants a RAM user the permissions to view ECS instances in a specific region
The following policy indicates that the authorized RAM user can view ECS instances in the China (Qingdao) region, but cannot view disks or snapshots in this region.
{
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:Describe*",
"Resource": "acs:ecs:cn-qingdao:*:instance/*"
}
],
"Version": "1"
}
Custom policy that grants a RAM user the permissions to manage security groups in an Alibaba Cloud account
The following policy specifies that the authorized RAM user can manage ECS security groups within an Alibaba Cloud account.
{
"Version": "1",
"Statement": [
{
"Action": "ecs:*SecurityGroup*",
"Resource": "*",
"Effect": "Allow"
}
]
}
Custom policy that grants a RAM user the permissions to create instance RAM roles
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateInstance",
"ecs:AttachInstanceRamRole",
"ecs:DetachInstanceRAMRole"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "*"
}
]
}
Custom policy that grants a RAM user the permissions to query information about existing ECS instances and block storage devices
{
"Statement": [
{
"Effect": "Allow",
"Action": ["ecs:DescribeInstances", "ecs:DescribeDisks"],
"Resource": "*"
}
],
"Version": "1"
}
Custom policy that grants a RAM user the permissions to purchase savings plans
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "bssapi:CreateSavingsPlansInstance",
"Resource": "*"
}
]
}
Custom policy that denies a RAM user the permissions to create a default VPC when the RAM user creates ECS instances
ECS allows you to use RAM users to isolate the operations of different business lines. By default, RAM users that are granted the AliyunECSFullAccess permission can perform operations on ECS resources, such as creating, viewing, and restarting ECS instances. If you want to deny a RAM user the permissions to create a default virtual private cloud (VPC) in a region where no VPCs are available when the RAM user creates ECS instances, but you want to retain the other permissions for the RAM user, you can configure a custom policy.
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"vpc:CreateDefaultVpc": ["true"]
}
}
}
]
}
Custom policy that grants a RAM user the permissions to use prefix lists
{
"Statement": [
{
"Action": [
"ecs:CreatePrefixList",
"ecs:ModifyPrefixList",
"ecs:DescribePrefixLists",
"ecs:DescribePrefixListAssociations",
"ecs:DescribePrefixListAttributes",
"ecs:DeletePrefixList"
],
"Resource": "*",
"Effect": "Allow"
}
],
"Version": "1"
}
Custom policy that grants a RAM user the permissions to use Cloud Assistant
For more information, see the Cloud Assistant Agent-specific sample custom policies section of the "Grant a RAM user permissions to use Cloud Assistant" topic.
Custom policy that grants a RAM user the permissions to read OSS buckets
{
"Version": "1",
"Statement": [
{
"Action": ["oss:GetObject", "oss:GetBucketLocation", "oss:GetBucketInfo"],
"Resource": "*",
"Effect": "Allow"
}
]
}
Custom policy that grants a RAM user the permissions to read and write OSS buckets
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetObject",
"oss:GetBucketLocation",
"oss:GetBucketInfo",
"oss:PutObject",
"oss:DeleteObject",
"oss:AbortMultipartUpload",
"oss:ListMultipartUploads",
"oss:ListParts"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
Custom policy that grants a RAM user the permissions to access ECS resources only over HTTPS
{
"Statement": [
{
"Action": "ecs:*",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Bool": {
"acs:SecureTransport": "true"
}
}
}
],
"Version": "1"
}
Custom policy that grants a RAM user the permissions to create only encrypted disks
For enterprises that have high security compliance requirements, all RAM users that belong to the Alibaba Cloud accounts of the enterprises must encrypt data to ensure data confidentiality. You can attach the following custom policy to a RAM user to grant the RAM user the permissions to create only encrypted disks for ECS instances.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:IsDiskEncrypted": "*false*"
}
},
"Effect": "Deny"
},
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ecs:IsSystemDiskEncrypted": "false"
}
},
"Effect": "Deny"
},
{
"Action": "ecs:CreateDisk",
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:IsDiskEncrypted": "*false*"
}
},
"Effect": "Deny"
}
]
}
Custom policy that grants a RAM user the permissions to create only disks that are encrypted by using CMKs
When you purchase an ECS instance or create data disks, you can configure the following custom policy to grant a RAM user the permissions to create only encrypted disks that use customer master keys (CMKs). After you attach the custom policy to your RAM user, you can only select CMKs to encrypt your disks.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:IsDiskByokEncrypted": "*false*"
}
},
"Effect": "Deny"
},
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ecs:IsSystemDiskByokEncrypted": "false"
}
},
"Effect": "Deny"
},
{
"Action": "ecs:CreateDisk",
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:IsDiskByokEncrypted": "*false*"
}
},
"Effect": "Deny"
}
]
}
Custom policy that grants a RAM user the permissions to create ECS instances by using only custom images
When you purchase ECS instances, you can create the following custom policy to grant a RAM user the permissions to use only custom images to create ECS instances.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Effect": "Deny",
"Resource": "acs:ecs:<Region ID>:*:instance/*",
"Condition": {
"StringNotEquals": {
"ecs:ImageSource": "Custom"
}
}
}
]
}
Custom policy that prohibits a RAM user from logging on to ECS instances as the root user
When you purchase an ECS instance, replace a system disk of an ECS instance, attach a system disk to an ECS instance, or reset the password of an ECS instance online, you can create the following custom policy that prohibits a RAM user from logging on to ECS instances as the root user. After you attach the custom policy to your RAM user, you cannot log on to ECS instances as the root user.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance",
"ecs:CreateOrder",
"ecs:ReplaceSystemDisk",
"ecs:AttachDisk",
"ecs:InvokeCommand"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:LoginAsNonRoot": [
"false"
]
}
},
"Effect": "Deny"
}
]
}
Custom policy that prohibits a RAM user from using usernames and passwords to log on to ECS instances
When you purchase an ECS instance, replace a system disk of an ECS instance, attach a system disk to an ECS instance, or reset the password of an ECS instance online or offline, you can create the following custom policy that prohibits a RAM user from using usernames and passwords to log on to ECS instances. After you attach the custom policy to your RAM user, you can only use key pairs or Session Manager to log on to ECS instances without providing a username and password.
You can configure the ecs:ImagePlatform parameter in the Condition element of a policy statement to limit the scope of the instances to which you can log on by entering a username and password. For example, if you set the ecs:ImagePlatform parameter to linux, you can enter a username and password to log on to Windows instances, but not Linux instances.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance",
"ecs:CreateOrder",
"ecs:ReplaceSystemDisk"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:PasswordCustomized": [
"true"
]
},
"StringEquals": {
"ecs:ImagePlatform": "linux"
}
},
"Effect": "Deny"
},
{
"Action": [
"ecs:ModifyInstanceAttribute",
"ecs:InvokeCommand",
"ecs:AttachDisk"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:PasswordCustomized": [
"true"
]
}
},
"Effect": "Deny"
}
]
}
Custom policy that prohibits a RAM user from using the password preset in the image of an ECS instance to log on to the instance
When you purchase an ECS instance or replace the system disk of an ECS instance, you can configure the following custom policy to prohibit a RAM user from using the password preset in the image of the instance to log on to the instance. After you attach the custom policy to your RAM user, you cannot use the password preset in the image of an ECS instance to connect to the instance.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance",
"ecs:CreateOrder",
"ecs:ReplaceSystemDisk"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:PasswordInherit": [
"true"
]
}
},
"Effect": "Deny"
}
]
}
Custom policy that prohibits a RAM user from creating security group rules that contain 0.0.0.0/0 as an authorization object
If an inbound rule in a security group allows 0.0.0.0/0, all external IP addresses can access the ECS instances in the security group. This may increase security risks. We recommend that you configure a custom policy that prohibits a RAM user from creating security group rules that contain 0.0.0.0/0 as an authorization object and from using the default security group for ECS instance creation.
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ecs:AuthorizeSecurityGroup",
"ecs:ConfigureSecurityGroupPermissions",
"ecs:ModifySecurityGroupRule"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:SecurityGroupIpProtocols": [
"TCP"
]
},
"CIDRInRange": {
"ecs:SecurityGroupSourceCidrIps": [
"0.0.0.0/0"
]
}
}
},
{
"Effect": "Deny",
"Action": [
"ecs:CreateInstance",
"ecs:RunInstances"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:NotSpecifySecureGroupId": [
"true"
]
}
}
}
]
}
Custom policy that allows RAM users to use only the security hardening mode to access instance metadata
You can use a permissions policy to allow all RAM users under your Alibaba Cloud account to access instance metadata only in security hardening mode when the RAM users call the RunInstances or CreateInstance operation to create ECS instances or the ModifyInstanceMetadataOptions operation to modify the metadata of existing ECS instances. The following sample code provides an example of the content of the policy:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance",
"ecs:ModifyInstanceMetadataOptions"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ecs:SecurityHardeningMode": ["false"]
}
}
}
]
}
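Worked example added here (it is not part of the Alibaba Cloud documentation and not RAM's own code): a small Python evaluator that applies the policy evaluation rule this page refers to, namely that an explicit Deny overrides any Allow and that a request which matches no Allow is implicitly denied, to several of the policy documents above. It reproduces the MFA restart policy, the i-001 instance policy and the 0.0.0.0/0 security group rule policy verbatim, and checks them against sample requests so that you can see why a given call is allowed or denied before attaching a policy. Everything else is constructed for the example: the region, account ID and security group ID in the resource ARNs, the broad security-group Allow policy that the Deny must override, and the assumptions that action names match case-insensitively, that a condition whose key is absent from the request context does not match, and that CIDRInRange holds when the requested CIDR lies inside one of the policy's CIDRs.

```python
"""Evaluate the RAM custom policies on this page against sample requests.

Added example, not Alibaba Cloud's own code. It applies the evaluation rule
the page points to (an explicit Deny overrides any Allow; a request that
matches no Allow is implicitly denied), '*' wildcards in Action and Resource,
and the condition operators used by the sample policies. Labelled
assumptions: action names match case-insensitively; a Condition whose key is
absent from the request context does not match; CIDRInRange holds when the
requested CIDR lies inside one of the policy's CIDRs.
"""
import ipaddress
import re


def as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard(pattern, value, ignore_case=False):
    """RAM-style match: '*' matches any run of characters, all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def condition_holds(condition, context):
    """True only if every operator/key pair in the Condition element is satisfied."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in context:
                return False  # assumption: a missing context key never satisfies a condition
            have = str(context[key])
            wanted = [str(w) for w in as_list(wanted)]
            if operator == "Bool":
                ok = have.lower() in [w.lower() for w in wanted]
            elif operator == "StringEquals":
                ok = have in wanted
            elif operator == "StringNotEquals":
                ok = have not in wanted
            elif operator == "StringLike":
                ok = any(wildcard(w, have) for w in wanted)
            elif operator == "CIDRInRange":
                requested = ipaddress.ip_network(have, strict=False)
                ok = any(requested.subnet_of(ipaddress.ip_network(w, strict=False))
                         for w in wanted)
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
            if not ok:
                return False
    return True


def statement_matches(statement, action, resource, context):
    return (any(wildcard(a, action, ignore_case=True) for a in as_list(statement["Action"]))
            and any(wildcard(r, resource) for r in as_list(statement["Resource"]))
            and condition_holds(statement.get("Condition", {}), context))


def evaluate(policies, action, resource, context=None):
    """Decide one request across every attached policy: 'Allow' or 'Deny'."""
    context = context or {}
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if statement_matches(s, action, resource, context)}
    if "Deny" in effects:
        return "Deny"  # explicit Deny wins regardless of any Allow
    return "Allow" if "Allow" in effects else "Deny"  # nothing allowed it: implicit Deny


# Policy documents copied from this page.
MFA_REBOOT = {"Version": "1", "Statement": [{
    "Action": "ecs:RebootInstance", "Effect": "Allow", "Resource": "*",
    "Condition": {"Bool": {"acs:MFAPresent": "true"}}}]}
ONE_INSTANCE = {"Version": "1", "Statement": [
    {"Action": "ecs:*", "Effect": "Allow", "Resource": "acs:ecs:*:*:instance/i-001"},
    {"Action": "ecs:Describe*", "Effect": "Allow", "Resource": "*"}]}
NO_OPEN_TCP = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Resource": "*",
    "Action": ["ecs:AuthorizeSecurityGroup", "ecs:ConfigureSecurityGroupPermissions",
               "ecs:ModifySecurityGroupRule"],
    "Condition": {"StringLike": {"ecs:SecurityGroupIpProtocols": ["TCP"]},
                  "CIDRInRange": {"ecs:SecurityGroupSourceCidrIps": ["0.0.0.0/0"]}}}]}
# Constructed for this example: a broad Allow that the Deny above must override.
SG_ADMIN = {"Version": "1", "Statement": [{
    "Action": "ecs:*SecurityGroup*", "Effect": "Allow", "Resource": "*"}]}

# Constructed request identifiers (region, account ID, security group ID).
INSTANCE = "acs:ecs:cn-hangzhou:123456789012:instance/{}"
SG = "acs:ecs:cn-hangzhou:123456789012:securitygroup/sg-example"

if __name__ == "__main__":
    print(evaluate([MFA_REBOOT], "ecs:RebootInstance", INSTANCE.format("i-001"),
                   {"acs:MFAPresent": "false"}))  # Deny
    print(evaluate([ONE_INSTANCE], "ecs:StopInstance", INSTANCE.format("i-002")))  # Deny
    print(evaluate([SG_ADMIN, NO_OPEN_TCP], "ecs:AuthorizeSecurityGroup", SG,
                   {"ecs:SecurityGroupIpProtocols": "TCP",
                    "ecs:SecurityGroupSourceCidrIps": "0.0.0.0/0"}))  # Deny
```

The evaluator keeps Deny and Allow statements in one set so that the precedence is explicit in a single place: a request with both a matching Allow and a matching Deny is denied, which is exactly why the Deny-only policies on this page (encrypted disks, custom images only, no root logon, no 0.0.0.0/0 rules) can be attached next to a broad system policy such as AliyunECSFullAccess without weakening them. Conditions are evaluated against a request context you supply, so when a call is unexpectedly denied you can add the context keys one at a time to find the statement responsible.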