If the system policies of Resource Access Management (RAM) cannot meet your requirements, you can create custom policies to implement the principle of least privilege. Custom policies allow you to achieve fine-grained control over permissions and improve resource access security.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You need to maintain custom policies.
After you create a custom policy, you need to attach it to a RAM user, a user group, or a RAM role so that the permissions specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Examples
Example 1: Grant management permissions on IPv6 gateways
In this example, your account is 1234567 and you want to grant the management permissions on all IPv6 gateways within your account to a RAM user.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "vpc:*Ipv6*" ], "Resource": [ "acs:vpc:*:1234567:*/*" ] }, { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "*" ] } ] }Example 2: Grant management permissions on IPv6 gateways in a virtual private cloud (VPC)
In this example, you want to grant the management permissions on a VPC in the China (Qingdao) region to a RAM user. This way, the RAM user can assign or delete IPv6 addresses of the VPC and enable or disable IPv6 Internet bandwidth for the VPC.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "vpc:*" ], "Resource": [ "acs:vpc:cn-qingdao:*:ipv6address/*" ] }, "Statement": [ { "Effect": "Allow", "Action": [ "vpc:*" ], "Resource": [ "acs:vpc:cn-qingdao:*:ipv6bandwidth/*" ] }, { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "acs:ecs:cn-qingdao:*:*/*" ] } ] }
RAM authorization
Before you use a custom policy, we recommend that you understand the permission management requirements of your services and the authorization details of IPv6 gateways. For more information, see RAM authorization.