All Products
Search
Document Center

Elastic Compute Service:Prohibit RAM users from creating high-risk security group rules

Last Updated:Jul 15, 2026

Attach custom RAM policies with condition keys to restrict RAM users from creating high-risk security group rules or using default security groups.

Background

Security groups are the primary defense layer and isolation boundary in the cloud. Misconfigured rules, such as opening sensitive ports (22, 3389, 80, 8080, 443) or using 0.0.0.0/0 as an authorization object, expose associated resources such as ECS instances and ApsaraDB RDS instances to attacks.

To enforce consistent security baselines across RAM users, configure RAM policies that prohibit creating or referencing high-risk security group rules.

RAM custom policies describe resources, operations, and conditions precisely. Use condition keys to deny high-risk rules or allow only approved ones. See the Condition section of the "Policy elements" topic.

How it works

RAM condition keys restrict high-risk security group rules in two ways:

  • Deny security group rules that contain specific IP addresses or protocols, and allow only approved rules.

  • Prevent default security groups from being used when creating ECS instances.

Note

Default security groups contain sensitive rules. See Default security groups.

The following table lists the available RAM condition keys.

Condition key

Data type

Description

ecs:SecurityGroupIpProtocols

String

The transport layer protocol, such as TCP and ICMP.

ecs:SecurityGroupSourceCidrIps

String

The source IPv4 CIDR block or IPv4 address.

ecs:NotSpecifySecurityGroupId

Boolean

Whether a security group ID is specified.

Note
  • If a condition key is an array, the condition is met when a security group rule matches any value in the array.

  • If two condition keys are specified in the same condition, the condition is met when a security group rule matches both condition keys.

Procedure

  1. Create a custom policy with RAM condition keys. See Create a custom policy.

    This section and the "Verify the result" section use the custom policy from Example 2: Custom policy that prohibits RAM users from creating security group rules that contain 0.0.0.0/0 as an authorization object as an example.

    Note

    For sample custom policies, see the Sample custom policies section.

  2. Attach the custom policy to a RAM user. See Grant permissions to a RAM user.

Verify the result

  1. Log on to the ECS console as the RAM user.

  2. Verify that the custom policy takes effect:

    1. Ensure no custom security groups exist in the target region, then create an ECS instance with the default security group. See Create an instance on the Custom Launch tab.

      Note

      If no custom security groups exist in the selected region, a default security group is automatically created.

      If the following error appears on the ECS instance buy page, the RAM user is prohibited from using default security groups.

      The error dialog title is Creation Failed, indicating that you do not have permission to create instances. Contact the Alibaba Cloud account owner to grant RAM authorization. Required actions: creating pay-as-you-go instances requires ecs:RunInstances, creating subscription instances requires ecs:CreateInstance, and paying orders requires bss:PayOrder.

    2. Select a security group and create a rule with Authorization Object (source) set to 0.0.0.0/0. See Add a security group rule.

      If the rule creation fails and the following error appears, the RAM user is prohibited from creating rules with Authorization Object set to 0.0.0.0/0.

      The error message reads The current operation is not authorized. Contact the Alibaba Cloud account owner to grant RAM authorization before you perform this operation.

Sample custom policies

Example 1: Custom policy that allows RAM users to create only security group rules that contain specific authorization objects

  • Custom policy that allows RAM users to create only security group rules with 140.205.XX.XX/27 or 140.205.XX.XX/28 as the authorization object (source), and prohibits using default security groups when creating ECS instances:

    Note

    Replace XX with actual values based on your requirements.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "ecs:AuthorizeSecurityGroup",
            "ecs:ConfigureSecurityGroupPermissions",
            "ecs:ModifySecurityGroupRule"
          ],
          "Resource": "*",
          "Condition": {
            "ForAnyValue:StringNotLike": {
              "ecs:SecurityGroupSourceCidrIps": [
                "140.205.XX.XX/27",
                "140.205.XX.XX/28"
              ]
            }
          }
        },
        {
          "Effect": "Deny",
          "Action": [
            "ecs:CreateInstance",
            "ecs:RunInstances"
          ],
          "Resource": "*",
          "Condition": {
            "Bool": {
              "ecs:NotSpecifySecurityGroupId": [
                "true"
              ]
            }
          }
        }
      ]
    }
  • Custom policy that allows RAM users to create only security group rules with 140.205.XX.XX/27 as the authorization object (source) for TCP, and prohibits using default security groups when creating ECS instances:

    Note

    Replace XX with actual values based on your requirements.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "ecs:AuthorizeSecurityGroup",
            "ecs:ConfigureSecurityGroupPermissions",
            "ecs:ModifySecurityGroupRule"
          ],
          "Resource": "*",
          "Condition": {
            "ForAnyValue:StringNotLike": {
              "ecs:SecurityGroupSourceCidrIps": [
                "140.205.XX.XX/27"
              ]
            }
          }
        },
        {
           "Effect": "Deny",
           "Action": [
             "ecs:AuthorizeSecurityGroup",
             "ecs:ConfigureSecurityGroupPermissions",
             "ecs:ModifySecurityGroupRule"
            ],
            "Resource": "*",
            "Condition": {
              "ForAnyValue:StringNotLike": {
                "ecs:SecurityGroupIpProtocols": [
                  "TCP"
                ]
              }
            }
          },
          {
            "Effect": "Deny",
            "Action": [
              "ecs:CreateInstance",
              "ecs:RunInstances"
            ],
            "Resource": "*",
            "Condition": {
              "Bool": {
                "ecs:NotSpecifySecurityGroupId": [
                  "true"
                ]
              }
            }
          }
       ]
    }

Example 2: Custom policy that prohibits RAM users from creating security group rules that contain 0.0.0.0/0 as an authorization object

Custom policy that prohibits RAM users from creating security group rules with 0.0.0.0/0 as the authorization object (source), and prohibits using default security groups when creating ECS instances:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ecs:AuthorizeSecurityGroup",
        "ecs:ConfigureSecurityGroupPermissions",
        "ecs:ModifySecurityGroupRule"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "ecs:SecurityGroupSourceCidrIps": [
            "0.0.0.0/0"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:CreateInstance",
        "ecs:RunInstances"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ecs:NotSpecifySecurityGroupId": [
            "true"
          ]
        }
      }
    }
  ]
}

References