Attach custom RAM policies with condition keys to restrict RAM users from creating high-risk security group rules or using default security groups.
Background
Security groups are the primary defense layer and isolation boundary in the cloud. Misconfigured rules, such as opening sensitive ports (22, 3389, 80, 8080, 443) or using 0.0.0.0/0 as an authorization object, expose associated resources such as ECS instances and ApsaraDB RDS instances to attacks.
To enforce consistent security baselines across RAM users, configure RAM policies that prohibit creating or referencing high-risk security group rules.
RAM custom policies describe resources, operations, and conditions precisely. Use condition keys to deny high-risk rules or allow only approved ones. See the Condition section of the "Policy elements" topic.
How it works
RAM condition keys restrict high-risk security group rules in two ways:
-
Deny security group rules that contain specific IP addresses or protocols, and allow only approved rules.
-
Prevent default security groups from being used when creating ECS instances.
Default security groups contain sensitive rules. See Default security groups.
The following table lists the available RAM condition keys.
|
Condition key |
Data type |
Description |
|
ecs:SecurityGroupIpProtocols |
String |
The transport layer protocol, such as TCP and ICMP. |
|
ecs:SecurityGroupSourceCidrIps |
String |
The source IPv4 CIDR block or IPv4 address. |
|
ecs:NotSpecifySecurityGroupId |
Boolean |
Whether a security group ID is specified. |
-
If a condition key is an array, the condition is met when a security group rule matches any value in the array.
-
If two condition keys are specified in the same condition, the condition is met when a security group rule matches both condition keys.
Procedure
-
Create a custom policy with RAM condition keys. See Create a custom policy.
This section and the "Verify the result" section use the custom policy from Example 2: Custom policy that prohibits RAM users from creating security group rules that contain 0.0.0.0/0 as an authorization object as an example.
NoteFor sample custom policies, see the Sample custom policies section.
-
Attach the custom policy to a RAM user. See Grant permissions to a RAM user.
Verify the result
-
Log on to the ECS console as the RAM user.
-
Verify that the custom policy takes effect:
-
Ensure no custom security groups exist in the target region, then create an ECS instance with the default security group. See Create an instance on the Custom Launch tab.
NoteIf no custom security groups exist in the selected region, a default security group is automatically created.
If the following error appears on the ECS instance buy page, the RAM user is prohibited from using default security groups.
The error dialog title is Creation Failed, indicating that you do not have permission to create instances. Contact the Alibaba Cloud account owner to grant RAM authorization. Required actions: creating pay-as-you-go instances requires
ecs:RunInstances, creating subscription instances requiresecs:CreateInstance, and paying orders requiresbss:PayOrder. -
Select a security group and create a rule with Authorization Object (source) set to
0.0.0.0/0. See Add a security group rule.If the rule creation fails and the following error appears, the RAM user is prohibited from creating rules with Authorization Object set to
0.0.0.0/0.The error message reads The current operation is not authorized. Contact the Alibaba Cloud account owner to grant RAM authorization before you perform this operation.
-
Sample custom policies
Example 1: Custom policy that allows RAM users to create only security group rules that contain specific authorization objects
-
Custom policy that allows RAM users to create only security group rules with
140.205.XX.XX/27or140.205.XX.XX/28as the authorization object (source), and prohibits using default security groups when creating ECS instances:NoteReplace
XXwith actual values based on your requirements.{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": [ "ecs:AuthorizeSecurityGroup", "ecs:ConfigureSecurityGroupPermissions", "ecs:ModifySecurityGroupRule" ], "Resource": "*", "Condition": { "ForAnyValue:StringNotLike": { "ecs:SecurityGroupSourceCidrIps": [ "140.205.XX.XX/27", "140.205.XX.XX/28" ] } } }, { "Effect": "Deny", "Action": [ "ecs:CreateInstance", "ecs:RunInstances" ], "Resource": "*", "Condition": { "Bool": { "ecs:NotSpecifySecurityGroupId": [ "true" ] } } } ] } -
Custom policy that allows RAM users to create only security group rules with
140.205.XX.XX/27as the authorization object (source) forTCP, and prohibits using default security groups when creating ECS instances:NoteReplace
XXwith actual values based on your requirements.{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": [ "ecs:AuthorizeSecurityGroup", "ecs:ConfigureSecurityGroupPermissions", "ecs:ModifySecurityGroupRule" ], "Resource": "*", "Condition": { "ForAnyValue:StringNotLike": { "ecs:SecurityGroupSourceCidrIps": [ "140.205.XX.XX/27" ] } } }, { "Effect": "Deny", "Action": [ "ecs:AuthorizeSecurityGroup", "ecs:ConfigureSecurityGroupPermissions", "ecs:ModifySecurityGroupRule" ], "Resource": "*", "Condition": { "ForAnyValue:StringNotLike": { "ecs:SecurityGroupIpProtocols": [ "TCP" ] } } }, { "Effect": "Deny", "Action": [ "ecs:CreateInstance", "ecs:RunInstances" ], "Resource": "*", "Condition": { "Bool": { "ecs:NotSpecifySecurityGroupId": [ "true" ] } } } ] }
Example 2: Custom policy that prohibits RAM users from creating security group rules that contain 0.0.0.0/0 as an authorization object
Custom policy that prohibits RAM users from creating security group rules with 0.0.0.0/0 as the authorization object (source), and prohibits using default security groups when creating ECS instances:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ecs:AuthorizeSecurityGroup",
"ecs:ConfigureSecurityGroupPermissions",
"ecs:ModifySecurityGroupRule"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"ecs:SecurityGroupSourceCidrIps": [
"0.0.0.0/0"
]
}
}
},
{
"Effect": "Deny",
"Action": [
"ecs:CreateInstance",
"ecs:RunInstances"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:NotSpecifySecurityGroupId": [
"true"
]
}
}
}
]
}
References
-
Understand the syntax, structure, and evaluation process of RAM policies before creating or updating them. See Policy structure and syntax and Policy evaluation process.
-
For sample RAM policies, see Example policies.