Add Deny statements with condition elements to RAM policies to block insecure ECS operations, such as public IP assignment, password-based logon, or high-risk port exposure.
Security risks of Allow-only policies
Standard RAM policy statements use an Allow effect to grant permissions. For example, the following policy allows a user to create an ECS instance with the ecs:RunInstances action:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Resource": "acs:ecs:*:*:instance/*",
"Action": [
"ecs:RunInstances"
]
}
}
This approach grants broad permissions that can lead to non-compliant resources. For example:
-
Exposed attack surface: A database server intended for internal use is assigned an Elastic IP Address (EIP).
-
Weak credentials: An ECS instance with password-based logon is vulnerable to brute-force attacks.
-
Compliance violations: A resource is created without a hardened, company-approved image.
Best practices
Core principle
Add a Deny statement with a condition to an Allow policy:
-
Deny takes precedence: RAM checks all applicable policies. If any statement results in a
Deny, the request is denied, even if another statement results in anAllow. -
Precise constraints with conditions: A
Denystatement can include aconditionblock. TheDenytakes effect only when the request matches theAction,Resource, andconditionin the policy.
For example, the following policy denies ("Effect": "Deny") ecs:RunInstances on any instance resource (acs:ecs:*:*:instance/*) when a public IP address is associated ("ecs:AssociatePublicIpAddress": "true").
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Resource": "acs:ecs:*:*:instance/*",
"Action": [
"ecs:RunInstances"
],
"Condition": {
"Bool": {
"ecs:AssociatePublicIpAddress": "true"
}
}
}
]
}
This "Allow + Deny with Condition" strategy grants broad permissions and adds a conditional Deny as a guardrail to block actions that violate your security baseline. This turns security guidelines into platform-enforced rules.
Procedure
Attach two policies to the target principal (RAM user, user group, or role): an Allow policy such as AliyunECSFullAccess, and a custom Deny policy. The Allow policy grants permissions, while the Deny policy rejects non-compliant requests.
-
Identify the operations and conditions to constrain
Identify the security rule to enforce and find the corresponding RAM Action and Condition Key. A Condition Key is a parameter that a cloud service API exposes to RAM for evaluation. For example, see the "Authorization Information" section of RunInstances for all Condition Keys supported by
ecs:RunInstances. -
Create a conditional Deny policy
-
Log on to the RAM console. In the left-side navigation pane, choose .
-
On the Policies page, click Create Policy.
-
On the Create Policy page, click the JSON Editor tab. Enter the policy document and click OK.
The following examples show common Deny policies:
-
Enter a Policy Name and Description, then click OK. Complete the security verification.
-
-
Attach the Deny policy
Attach the policy to the target RAM user, user group, or role.
-
Log on to the RAM console. In the left-side navigation pane, choose .
-
On the Users page, find the target RAM user and click Attach Policy in the Actions column.
-
In the Attach Policy panel, select the Deny policy and click OK.
-