This topic describes how to create a custom policy. Custom policies provide more fine-grained access control than system policies.

Background information

You can define permissions to allow or deny operations on resources in specific conditions. Permissions are defined in Resource Access Management (RAM) policies. You can define custom permissions by creating custom policies.

For information about how to create a custom policy, see Methods to create a custom policy. This topic describes how to create a custom policy by editing a script on the JSON tab of the RAM console.

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. Enter the policy document and click Next: Edit Basic Information.
    For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
    Configure the policy in the JSON format. The following elements are required:
    • Action: the actions that you want to authorize. IoT Platform actions start with iot:. For more information about actions and examples, see the "Define actions" section of this topic.
    • Effect: the authorization type. Valid values: Allow and Deny.
    • Resource: the resources that you want to authorize RAM users to access.

      If you want to authorize a RAM user to access all resources of your IoT Platform service, set this parameter to *.

    • Condition: the condition. For more information, see the "Define conditions" section of this topic.
    For more information about policy elements, see Policy elements.
  6. Configure the Name and Note parameters.
  7. Check and optimize the document of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional: Advanced optimization

      You can move the pointer over Optional: Advanced Optimize and click Perform. The system performs the following operations during advanced optimization:

      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  8. Click OK.

Define actions

To define actions for a policy, you must specify API operations in the Action element. When you create a policy to grant permissions on IoT Platform, specify IoT Platform actions in the Action element. Each IoT Platform action must start with iot:. Multiple actions must be separated by commas (,). You can set the value of the Action element to an asterisk (*), which indicates a wildcard. For information about the API operations of IoT Platform, see Mapping between IoT Platform API operations and RAM policies.

The following examples show how to define actions.

  • Specify a single API operation to define an action.
    "Action": "iot:CreateProduct"
  • Specify multiple API operations to define actions.
    "Action": [
    "iot:UpdateProduct",
    "iot:QueryProduct"
    ]
  • Specify all read-only API operations to define actions, including the actions that are performed when the rules engine forwards the data of a product.
    {
      "Version": "1", 
      "Statement": [
        {
          "Action": [
            "iot:Query*", 
            "iot:List*", 
            "iot:Get*", 
            "iot:BatchGet*", 
            "iot:Check*"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "rds:DescribeDBInstances", 
            "rds:DescribeDatabases", 
            "rds:DescribeAccounts", 
            "rds:DescribeDBInstanceNetInfo"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:ListRoles", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "mns:ListTopic", 
            "mns:GetTopicRef"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "ots:ListInstance", 
            "ots:GetInstance", 
            "ots:ListTable", 
            "ots:DescribeTable"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "fc:ListServices", 
            "fc:GetService", 
            "fc:GetFunction", 
            "fc:ListFunctions"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "log:ListShards", 
            "log:ListLogStores", 
            "log:ListProject"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "cms:QueryMetricList"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }
      ]
    }
  • Specify all read/write API operations to define actions, including the actions that are performed when the rules engine forwards data of a product.
    {
      "Version": "1", 
      "Statement": [
        {
          "Action": "iot:*", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "rds:DescribeDBInstances", 
            "rds:DescribeDatabases", 
            "rds:DescribeAccounts", 
            "rds:DescribeDBInstanceNetInfo", 
            "rds:ModifySecurityIps"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:ListRoles", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "mns:ListTopic", 
            "mns:GetTopicRef"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "ots:ListInstance", 
            "ots:ListTable", 
            "ots:DescribeTable", 
            "ots:GetInstance"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "fc:ListServices", 
            "fc:GetService", 
            "fc:GetFunction", 
            "fc:ListFunctions"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "log:ListShards", 
            "log:ListLogStores", 
            "log:ListProject"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:PassRole", 
          "Resource": "*", 
          "Effect": "Allow", 
          "Condition": {
            "StringEquals": {
              "acs:Service": "iot.aliyuncs.com"
            }
          }
        }, 
        {
          "Action": [
            "cms:QueryMetricList"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }
      ]
    }

Define conditions

RAM policies support multiple conditions. For example, you can set limits on the access IP addresses and access time. You can also specify whether HTTPS-based access is allowed, and whether multi-factor authentication (MFA) is required. All API operations of IoT Platform support these conditions.

  • IP address-based access control

    RAM allows you to specify the source IP addresses from which requests are allowed. You can also use Classless Inter-Domain Routing (CIDR) blocks to specify source IP addresses. The following examples show how to set limits on access IP addresses.

    • Allow access only from one IP address or CIDR block. In this example, only requests from the IP address 192.0.2.1 or CIDR block 198.51.100.0/24 are allowed.
      {
        "Statement": [
          {
            "Effect": "Allow", 
            "Action": "iot:*", 
            "Resource": "*", 
            "Condition": {
              "IpAddress": {
                "acs:SourceIp": [
                  "192.0.2.1", 
                  "198.51.100.0/24"
                ]
              }
            }
          }
        ], 
        "Version": "1"
      }
    • Allow access from multiple IP addresses. In this example, only requests from IP addresses 192.0.2.1 and 198.51.100.1 are allowed.
      {
        "Statement": [
          {
            "Effect": "Allow", 
            "Action": "iot:*", 
            "Resource": "*", 
            "Condition": {
              "IpAddress": {
                "acs:SourceIp": [
                  "192.0.2.1", 
                  "198.51.100.1"
                ]
              }
            }
          }
        ], 
        "Version": "1"
      }
  • HTTPS-based access control

    RAM allows you to specify whether requests must be sent over HTTPS to access resources.

    In this example, only requests over HTTPS are allowed.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        }
      ], 
      "Version": "1"
    }
  • MFA-based access control

    RAM allows you to specify whether requests must pass MFA to access resources. MFA applies to console logon and is not required for API requests.

    In this example, only requests that pass MFA are allowed.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "Bool": {
              "acs:MFAPresent": "true"
            }
          }
        }
      ], 
      "Version": "1"
    }
  • Time-based access control

    RAM allows you to specify the access time of requests. Requests that are sent earlier than the specified time can be allowed or denied.

    In this example, only requests that are sent earlier than 00:00:00 on January 1, 2019 (UTC+8) are allowed.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2019-01-01T00:00:00+08:00"
            }
          }
        }
      ], 
      "Version": "1"
    }

Scenarios

This section describes the typical scenarios of creating and applying custom policies.

  • A custom policy that allows specific requests

    Scenario: Only requests that are sent over HTTPS, from the CIDR block 192.0.2.1/24, and earlier than 00:00:00 on January 1, 2019 (UTC+8) are allowed.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": [
                "192.0.2.1/24"
              ]
            }, 
            "DateLessThan": {
              "acs:CurrentTime": "2019-01-01T00:00:00+08:00"
            }, 
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        }
      ], 
      "Version": "1"
    }
  • A custom policy that denies specific requests

    Scenario: Read requests from the IP address 198.51.100.1 are denied.

    {
      "Statement": [
        {
          "Effect": "Deny", 
          "Action": [
            "iot:Query*", 
            "iot:List*", 
            "iot:Get*", 
            "iot:BatchGet*"
          ], 
          "Resource": "*", 
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": [
                "198.51.100.1"
              ]
            }
          }
        }
      ], 
      "Version": "1"
    }
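The following evaluator is an added example, not code from the Alibaba Cloud documentation or the RAM service. It combines the two scenario policies above into one constructed statement list (with the Deny statement's source address changed to 192.0.2.1 so that it overlaps the Allow statement) and evaluates requests against the Action wildcards and the IpAddress, Bool and DateLessThan operators the page describes, applying the rule that an explicit Deny takes precedence over Allow and that an unmatched request is implicitly denied; the context-key names and the fail-closed handling of missing keys are assumptions.

```python
import fnmatch
import ipaddress
from datetime import datetime

# Constructed sample: the page's Allow scenario plus its Deny scenario,
# with the Deny source IP set to 192.0.2.1 so the two statements overlap.
SAMPLE_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": {
        "IpAddress": {"acs:SourceIp": ["192.0.2.1/24"]},
        "DateLessThan": {"acs:CurrentTime": "2019-01-01T00:00:00+08:00"},
        "Bool": {"acs:SecureTransport": "true"}}},
    {"Effect": "Deny", "Action": ["iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*"],
     "Resource": "*", "Condition": {"IpAddress": {"acs:SourceIp": ["192.0.2.1"]}}},
]}

_as_list = lambda v: v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    # Every operator/key in the Condition block must hold; a missing context
    # key or an unknown operator never satisfies the condition (fail closed).
    for op, keys in cond.items():
        for key, want in keys.items():
            have = ctx.get(key)
            if have is None:
                return False
            if op == "IpAddress":  # strict=False tolerates host bits as in 192.0.2.1/24
                ip = ipaddress.ip_address(have)
                if not any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(want)):
                    return False
            elif op == "Bool":
                if str(have).lower() != str(want).lower():
                    return False
            elif op == "DateLessThan":
                if not datetime.fromisoformat(have) < datetime.fromisoformat(want):
                    return False
            else:
                return False
    return True

def evaluate(policy, action, ctx):
    # Returns 'Allow', 'Deny' or 'ImplicitDeny'; any matching Deny wins over Allow.
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue  # Action element: exact operation name or wildcard such as iot:Query*
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Run it with a context dict holding acs:SourceIp, acs:SecureTransport and acs:CurrentTime to see that iot:CreateProduct from 192.0.2.1 over HTTPS before 2019 is allowed while iot:QueryProduct from the same source is denied.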

After a policy is created, you can attach the policy to RAM users. Then, the RAM users can perform the operations that are defined in the policy. For more information about how to create and authorize RAM users, see Access IoT Platform by using a RAM user.