This topic describes how to create a custom policy. Custom policies provide more fine-grained access control than system policies.
Background information
For information about how to create a custom policy, see Methods to create a custom policy. This topic describes how to create a custom policy by editing a script on the JSON tab of the RAM console.
Procedure
Define actions
To define actions for a policy, you must specify API operations in the Action element. When you create a policy to grant permissions on IoT Platform, specify IoT Platform actions in the Action element. Each IoT Platform action must start with the iot: prefix. Multiple actions must be separated by commas (,). You can also use an asterisk (*) as a wildcard: on its own it matches all actions, and after a prefix such as iot:Query* it matches every action that starts with that prefix. For information about the API operations of IoT Platform, see Mapping between IoT Platform API operations and RAM policies.
The following examples show how to define actions.
- Specify a single API operation to define an action.
"Action": "iot:CreateProduct"
- Specify multiple API operations to define actions.
"Action": [ "iot:UpdateProduct", "iot:QueryProduct" ]
- Specify all read-only API operations to define actions, including the actions that are performed when the rules engine forwards the data of a product.
{
  "Version": "1",
  "Statement": [
    { "Action": [ "iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*", "iot:Check*" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "rds:DescribeDBInstances", "rds:DescribeDatabases", "rds:DescribeAccounts", "rds:DescribeDBInstanceNetInfo" ], "Resource": "*", "Effect": "Allow" },
    { "Action": "ram:ListRoles", "Resource": "*", "Effect": "Allow" },
    { "Action": [ "mns:ListTopic", "mns:GetTopicRef" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "ots:ListInstance", "ots:GetInstance", "ots:ListTable", "ots:DescribeTable" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "fc:ListServices", "fc:GetService", "fc:GetFunction", "fc:ListFunctions" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "log:ListShards", "log:ListLogStores", "log:ListProject" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "cms:QueryMetricList" ], "Resource": "*", "Effect": "Allow" }
  ]
}
- Specify all read/write API operations to define actions, including the actions that are performed when the rules engine forwards data of a product.
{
  "Version": "1",
  "Statement": [
    { "Action": "iot:*", "Resource": "*", "Effect": "Allow" },
    { "Action": [ "rds:DescribeDBInstances", "rds:DescribeDatabases", "rds:DescribeAccounts", "rds:DescribeDBInstanceNetInfo", "rds:ModifySecurityIps" ], "Resource": "*", "Effect": "Allow" },
    { "Action": "ram:ListRoles", "Resource": "*", "Effect": "Allow" },
    { "Action": [ "mns:ListTopic", "mns:GetTopicRef" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "ots:ListInstance", "ots:ListTable", "ots:DescribeTable", "ots:GetInstance" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "fc:ListServices", "fc:GetService", "fc:GetFunction", "fc:ListFunctions" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "log:ListShards", "log:ListLogStores", "log:ListProject" ], "Resource": "*", "Effect": "Allow" },
    { "Action": "ram:PassRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "acs:Service": "iot.aliyuncs.com" } } },
    { "Action": [ "cms:QueryMetricList" ], "Resource": "*", "Effect": "Allow" }
  ]
}
Define conditions
RAM policies support multiple conditions. For example, you can set limits on the access IP addresses and access time. You can also specify whether HTTPS-based access is allowed, and whether multi-factor authentication (MFA) is required. All API operations of IoT Platform support these conditions.
- IP address-based access control
RAM allows you to specify the source IP addresses from which requests are allowed. You can also use Classless Inter-Domain Routing (CIDR) blocks to specify source IP addresses. The following examples show how to set limits on access IP addresses.
- Allow access only from one IP address or CIDR block. In this example, only requests from the IP address 192.0.2.1 or CIDR block 198.51.100.0/24 are allowed.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*",
      "Condition": { "IpAddress": { "acs:SourceIp": [ "192.0.2.1", "198.51.100.0/24" ] } }
    }
  ],
  "Version": "1"
}
- Allow access from multiple IP addresses. In this example, only requests from IP addresses 192.0.2.1 and 198.51.100.1 are allowed.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*",
      "Condition": { "IpAddress": { "acs:SourceIp": [ "192.0.2.1", "198.51.100.1" ] } }
    }
  ],
  "Version": "1"
}
- HTTPS-based access control
RAM allows you to specify whether requests must be sent over HTTPS to access resources.
In this example, only requests over HTTPS are allowed.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*",
      "Condition": { "Bool": { "acs:SecureTransport": "true" } }
    }
  ],
  "Version": "1"
}
- MFA-based access control
RAM allows you to specify whether requests must pass MFA to access resources. MFA applies to console logon and is not required for API requests.
In this example, only requests that pass MFA are allowed.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*",
      "Condition": { "Bool": { "acs:MFAPresent": "true" } }
    }
  ],
  "Version": "1"
}
- Time-based access control
RAM allows you to restrict requests by time. Depending on the Effect of the statement, requests that are sent earlier than the specified time are either allowed or denied.
In this example, only requests that are sent earlier than 00:00:00 on January 1, 2019 (UTC+8) are allowed.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*",
      "Condition": { "DateLessThan": { "acs:CurrentTime": "2019-01-01T00:00:00+08:00" } }
    }
  ],
  "Version": "1"
}
Scenarios
This section describes the typical scenarios of creating and applying custom policies.
- A custom policy that allows specific requests
Scenario: Only requests that are sent over HTTPS, from the CIDR block 192.0.2.1/24, and earlier than 00:00:00 on January 1, 2019 (UTC+8) are allowed.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*",
      "Condition": {
        "IpAddress": { "acs:SourceIp": [ "192.0.2.1/24" ] },
        "DateLessThan": { "acs:CurrentTime": "2019-01-01T00:00:00+08:00" },
        "Bool": { "acs:SecureTransport": "true" }
      }
    }
  ],
  "Version": "1"
}
- A custom policy that denies specific requests
Scenario: Read requests from the IP address 198.51.100.1 are denied.
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [ "iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*" ],
      "Resource": "*",
      "Condition": { "IpAddress": { "acs:SourceIp": [ "198.51.100.1" ] } }
    }
  ],
  "Version": "1"
}
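The following evaluator is an added example, not code from Alibaba Cloud or from this documentation. It models the policy semantics described in the Define actions, Define conditions and Scenarios sections (action wildcards such as iot:Query*, the IpAddress, Bool, DateLessThan and StringEquals condition operators, and Allow/Deny effects) so that a policy author can check offline which requests a set of attached policies would permit before attaching them to a RAM user. Two points are assumptions rather than statements from this page: an explicit Deny overrides any Allow, and a request that matches no statement is denied. The Resource element is not checked because every example above uses "*", and the request-context keys (acs:SourceIp, acs:SecureTransport, acs:CurrentTime) are the condition keys used above. The two scenario policies are taken from the page; BROAD_ALLOW and the request contexts are constructed for the demonstration.

```python
"""Offline evaluator for RAM policy documents of the kind shown above.

Added example, not Alibaba Cloud's own engine. Assumptions not stated on the page:
an explicit Deny overrides any Allow, a request matching no statement is denied,
and Resource is not checked because every example uses "*".
"""
import ipaddress
import json
import re
from datetime import datetime
from typing import Any, Dict, Iterable


def _as_list(value: Any) -> list:
    """Action and condition values may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """Match an Action pattern against a concrete action; '*' is the only wildcard."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action) is not None


def condition_holds(condition: Dict[str, Dict[str, Any]], ctx: Dict[str, Any]) -> bool:
    """Every operator/key pair in a statement's Condition must be satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:  # a missing context key never satisfies a condition
                return False
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                # strict=False accepts "192.0.2.1/24" (host bits set) and treats it as 192.0.2.0/24
                if not any(ip in ipaddress.ip_network(v, strict=False) for v in _as_list(expected)):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "DateLessThan":
                # both timestamps must carry a UTC offset, as the page's examples do
                if not datetime.fromisoformat(actual) < datetime.fromisoformat(expected):
                    return False
            elif operator == "StringEquals":
                if str(actual) not in [str(v) for v in _as_list(expected)]:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policies: Iterable[Dict[str, Any]], action: str, ctx: Dict[str, Any]) -> str:
    """Return 'Allow' or 'Deny' for one request against all attached policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny wins over every Allow (assumption)
            allowed = True
    return "Allow" if allowed else "Deny"  # no matching statement: denied by default


def request(source_ip: str, https: bool = True,
            when: str = "2018-06-01T12:00:00+08:00") -> Dict[str, Any]:
    """Constructed request context using the condition keys from the page."""
    return {"acs:SourceIp": source_ip, "acs:SecureTransport": https, "acs:CurrentTime": when}


# The two scenario policies from the page, plus a constructed unconditional Allow.
ALLOW_POLICY = json.loads("""{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*",
  "Condition": { "IpAddress": { "acs:SourceIp": [ "192.0.2.1/24" ] },
                 "DateLessThan": { "acs:CurrentTime": "2019-01-01T00:00:00+08:00" },
                 "Bool": { "acs:SecureTransport": "true" } } } ], "Version": "1" }""")
DENY_READS_POLICY = json.loads("""{ "Statement": [ { "Effect": "Deny",
  "Action": [ "iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*" ], "Resource": "*",
  "Condition": { "IpAddress": { "acs:SourceIp": [ "198.51.100.1" ] } } } ], "Version": "1" }""")
BROAD_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}], "Version": "1"}

if __name__ == "__main__":
    attached = [ALLOW_POLICY, DENY_READS_POLICY]
    print(evaluate(attached, "iot:QueryProduct", request("192.0.2.7")))               # Allow
    print(evaluate(attached, "iot:QueryProduct", request("192.0.2.7", https=False)))  # Deny
    print(evaluate(attached, "iot:QueryProduct", request("198.51.100.1")))            # Deny
    print(evaluate([BROAD_ALLOW, DENY_READS_POLICY], "iot:ListProduct", request("198.51.100.1")))  # Deny
```

Two things the run makes visible that the JSON alone does not: all operators inside one Condition must hold at the same time, so dropping HTTPS or moving past the DateLessThan timestamp turns the first scenario into a denial even from an allowed address; and a Deny statement only has an effect when some other policy would otherwise allow the request, which is what pairing the read-denying policy with BROAD_ALLOW shows. The CIDR value 192.0.2.1/24 used in the first scenario has host bits set; writing the network address (192.0.2.0/24) avoids depending on how a given parser normalizes it.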
After a policy is created, you can attach the policy to RAM users. Then, the RAM users can perform the operations that are defined in the policy. For more information about how to create and authorize RAM users, see Access IoT Platform by using a RAM user.