All Products
Search

This Product

    Elastic Compute Service:Use RAM policies to constrain cloud operations

    Document Center

    Elastic Compute Service:Use RAM policies to constrain cloud operations

    Last Updated:Nov 18, 2025

    You can use the Condition and Deny mechanisms in Resource Access Management (RAM) policies to convert security standards and compliance requirements into an enforceable security baseline on the cloud platform. This approach prevents the creation and configuration of insecure cloud resources at the source. For example, you can prohibit assigning public IP addresses to ECS instances, enforce the use of key pairs for logon, and restrict security groups from opening vulnerable ports. This helps you build a secure-by-default cloud environment.

    Security risks

    Standard RAM access policies typically use an Allow mode, which grants permissions that specify the operations a user can perform. For example, a policy can allow the creation of ECS instances with ecs:RunInstances:

    {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",  #Allow
      "Resource": "acs:ecs:*:*:instance/*", #Resource scope
      "Action": [   #OpenAPI operation
        "ecs:RunInstances"
        ]
    }
}

    Although this mode is straightforward, it poses a hidden threat by granting excessive freedom within the scope of the permission. This can lead to the creation of resources that do not meet security standards. For example:

    • Exposed attack surface: A database server intended for internal services only is incorrectly assigned an elastic IP address (EIP).

    • Weak credentials: A password-based logon method is used when creating an ECS instance, which makes the instance vulnerable to brute-force attacks.

    • Compliance violations: Resources are created without using standard company images that have undergone security hardening.

    Best practices

    Core principle

    The core principle is to add a layer of conditional Deny policies on top of the Allow policies.

    1. Deny has priority: When RAM evaluates an operation request, it checks all relevant policies. If a Deny policy rule is matched, the operation is immediately denied, regardless of whether an Allow policy also exists.

    2. Precise conditional constraints: A Deny policy can include a Condition block. The Deny effect is triggered only when the operation matches the specified Action, Resource, and Condition.

    For example, when a user creates an instance (ecs:RunInstances) for any instance resource (acs:ecs:*:*:instance/*), the operation is denied ("Effect": "Deny") if a public IP address is attached ("ecs:AssociatePublicIpAddress": "true").

    {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",  #Deny
      "Resource": "acs:ecs:*:*:instance/*", #Resource scope
      "Action": [   #OpenAPI operation
        "ecs:RunInstances"
      ],
      "Condition": {  #Conditional rule
        "Bool": {
            "ecs:AssociatePublicIpAddress": "true"   #Condition key assertion
        }
      }
    }
}

    This "Allow + Deny with Condition" combination first grants a broad Allow permission for an operation. Then, it acts as a safeguard by precisely denying specific operations that do not comply with the security baseline. For example, "Allow the creation of ECS instances, but deny the operation if an attempt is made to attach a public IP address." This makes the security policy an enforceable rule on the platform, rather than just a guideline.

    Procedure

    The entity that you want to constrain must have two policies attached: an Allow policy, such as AliyunECSFullAccess, that permits the operation, and the Deny policy that you create. When the user performs an operation, the Allow policy grants the permission, while the Deny policy acts as a security auditor that rejects any non-compliant attempts. The following steps guide you through creating and implementing a security baseline based on RAM policies.

    1. Identify key operations and conditions to constrain

      First, identify the security rules you want to enforce and find the corresponding RAM Action and condition key. A condition key is a parameter that an Alibaba Cloud service API provides to RAM for evaluation. You can find these keys in the API documentation for the specific service. For example, for the ecs:RunInstances action, you can find all supported condition keys in the "Authorization Information" section of the RunInstances documentation.

    2. Write a conditional Deny access policy

      1. Log on to the Resource Access Management (RAM) console. In the navigation pane on the left, choose Permissions > Policies.

      2. On the Access Policy page, click Create Policy.

      3. On the Create Policy page, click the JSON tab, enter the following policy document, and click OK.

        The following examples show common and verified access policies:

        Example 1: Prohibit attaching a public IP address when creating an ECS instance 

        {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ecs:RunInstances",
      "Resource": "acs:ecs:*:*:instance/*",
      "Condition": {
        "Bool": {
          "ecs:AssociatePublicIpAddress": "true"
        }
      }
    }
  ]
}

        Example 2: Enforce the use of an SSH key pair for logon when creating an ECS instance

        The expression "Null": {"ecs:KeyPairName": "true"} means that if the ecs:KeyPairName parameter is empty (the user did not select a key pair), the condition is met, and the Deny action takes effect.

        {
    "Version": "1",
    "Statement": [
        {
            "Action": "ecs:RunInstances",
            "Effect": "Deny",
            "Resource": "acs:ecs:*:*:instance/*",
            "Condition": {
                "Null": {
                    "ecs:KeyPairName": "true"
                }
            }
        }
    ]
}

        Example 3: Prohibit security group rules from opening vulnerable ports to the Internet (0.0.0.0/0)

        {
    "Version": "1",
    "Statement": [
        {
            "Action": "ecs:AuthorizeSecurityGroup",
            "Effect": "Deny",
            "Resource": "acs:ecs:*:*:securitygroup/*",
            "Condition": {
                "StringEquals": {
                    "ecs:SourceCidrIp": "0.0.0.0/0"
                },
                "ForAnyValue:StringEquals": {
                    "ecs:PortRange": [
                        "22/22",
                        "3389/3389",
                        "3306/3306",
                        "6379/6379",
                        "27017/27017"
                    ]
                }
            }
        }
    ]
}

        Note: ForAnyValue:StringEquals means the condition is met if the port range that the user attempts to open matches any of the ranges in the list.

      4. Enter a Policy Name and a Description, click OK, and then complete the security authentication.

    3. Attach the access policy

      After you create the policy, attach it to the RAM user, user group, or role that you want to constrain.

      1. Log on to the RAM console. In the navigation pane on the left, choose Identities > Users.

      2. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

      3. In the Grant Permission panel, select the access policy and click Grant Permissions.