All Products
Search
Document Center

Elastic Compute Service:Enforce a security baseline with RAM Deny policies

Last Updated:Apr 27, 2026

Add Deny statements with condition elements to RAM policies to block insecure ECS operations, such as public IP assignment, password-based logon, or high-risk port exposure.

Security risks of Allow-only policies

Standard RAM policy statements use an Allow effect to grant permissions. For example, the following policy allows a user to create an ECS instance with the ecs:RunInstances action:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "acs:ecs:*:*:instance/*",
      "Action": [
        "ecs:RunInstances"
        ]
    }
}

This approach grants broad permissions that can lead to non-compliant resources. For example:

  • Exposed attack surface: A database server intended for internal use is assigned an Elastic IP Address (EIP).

  • Weak credentials: An ECS instance with password-based logon is vulnerable to brute-force attacks.

  • Compliance violations: A resource is created without a hardened, company-approved image.

Best practices

Core principle

Add a Deny statement with a condition to an Allow policy:

  1. Deny takes precedence: RAM checks all applicable policies. If any statement results in a Deny, the request is denied, even if another statement results in an Allow.

  2. Precise constraints with conditions: A Deny statement can include a condition block. The Deny takes effect only when the request matches the Action, Resource, and condition in the policy.

For example, the following policy denies ("Effect": "Deny") ecs:RunInstances on any instance resource (acs:ecs:*:*:instance/*) when a public IP address is associated ("ecs:AssociatePublicIpAddress": "true").

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Resource": "acs:ecs:*:*:instance/*",
      "Action": [
        "ecs:RunInstances"
      ],
      "Condition": {
        "Bool": {
            "ecs:AssociatePublicIpAddress": "true"
        }
      }
    }
  ]
}

This "Allow + Deny with Condition" strategy grants broad permissions and adds a conditional Deny as a guardrail to block actions that violate your security baseline. This turns security guidelines into platform-enforced rules.

Procedure

Attach two policies to the target principal (RAM user, user group, or role): an Allow policy such as AliyunECSFullAccess, and a custom Deny policy. The Allow policy grants permissions, while the Deny policy rejects non-compliant requests.

  1. Identify the operations and conditions to constrain

    Identify the security rule to enforce and find the corresponding RAM Action and Condition Key. A Condition Key is a parameter that a cloud service API exposes to RAM for evaluation. For example, see the "Authorization Information" section of RunInstances for all Condition Keys supported by ecs:RunInstances.

  2. Create a conditional Deny policy

    1. Log on to the RAM console. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the JSON Editor tab. Enter the policy document and click OK.

      The following examples show common Deny policies:

      Example 1: Prohibit public IPs for ECS instances

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Deny",
            "Action": "ecs:RunInstances",
            "Resource": "acs:ecs:*:*:instance/*",
            "Condition": {
              "Bool": {
                "ecs:AssociatePublicIpAddress": "true"
              }
            }
          }
        ]
      }

      Example 2: Enforce key pair logon for ECS instances

      "Null": {"ecs:KeyPairName": "true"} means that if ecs:KeyPairName is null (no key pair is specified), the Deny takes effect.

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "ecs:RunInstances",
                  "Effect": "Deny",
                  "Resource": "acs:ecs:*:*:instance/*",
                  "Condition": {
                      "Null": {
                          "ecs:KeyPairName": "true"
                      }
                  }
              }
          ]
      }

      Example 3: Prohibit opening high-risk ports to the internet

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "ecs:AuthorizeSecurityGroup",
                  "Effect": "Deny",
                  "Resource": "acs:ecs:*:*:securitygroup/*",
                  "Condition": {
                      "StringEquals": {
                          "ecs:SourceCidrIp": "0.0.0.0/0"
                      },
                      "ForAnyValue:StringEquals": {
                          "ecs:PortRange": [
                              "22/22",
                              "3389/3389",
                              "3306/3306",
                              "6379/6379",
                              "27017/27017"
                          ]
                      }
                  }
              }
          ]
      }

      Note: ForAnyValue:StringEquals checks if any port range in the request matches a value in the policy. If matched, the condition evaluates to true.

    4. Enter a Policy Name and Description, then click OK. Complete the security verification.

  3. Attach the Deny policy

    Attach the policy to the target RAM user, user group, or role.

    1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the target RAM user and click Attach Policy in the Actions column.

    3. In the Attach Policy panel, select the Deny policy and click OK.