File Storage NAS: System policies for NAS

Last Updated: Jul 29, 2024

What is a system policy?

A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. Alibaba Cloud Resource Access Management (RAM) provides system policies and custom policies. All system policies are created and updated by Alibaba Cloud. You can use system policies, but you cannot modify them. You can create, update, and delete custom policies based on your business requirements.

During service iteration, NAS adds new permissions to system policies to support new features and capabilities. The update of a system policy affects all RAM identities to which the policy is attached, including RAM users, RAM user groups, and RAM roles. For more information about RAM policies, see Policy overview.

Note

System policies are designed for new users to quickly get started with Alibaba Cloud products on the management console, though they also enable the use of more advanced methods like API operations or CLI commands. If you are familiar with the advanced methods, we recommend that you use custom policies to implement finer-grained control on who is permitted to call what API operations, thereby improving security.

System policies can be classified into service system policies, service role policies, and service-linked role policies. Some cloud services provide only one or two of the three types of policies. For more information, see the policy types that are described in the following section.

Service system policies

AliyunNASFullAccess

The AliyunNASFullAccess policy provides full access to Network Attached Storage (NAS) through the management console. It can be attached to RAM identities.

AliyunNASReadOnlyAccess

The AliyunNASReadOnlyAccess policy provides read-only access to Network Attached Storage (NAS) through the management console. It can be attached to RAM identities.

Service role policies

AliyunNASLogArchiveRolePolicy

The AliyunNASLogArchiveRolePolicy policy is the dedicated authorization policy of the AliyunNASLogArchiveRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunNASManageENIRolePolicy

The AliyunNASManageENIRolePolicy policy is the dedicated authorization policy of the AliyunNASManageENIRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunNASRolePolicy

The AliyunNASRolePolicy policy is the dedicated authorization policy of the AliyunNASDefaultRole service role. By default, it is the authorization policy for Alibaba Cloud NAS roles and access permissions for ECS. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunNASTieringRolePolicy

The AliyunNASTieringRolePolicy policy is the dedicated authorization policy of the AliyunNASTieringRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunNasCrossAccountDataFlowDefaultRolePolicy

The AliyunNasCrossAccountDataFlowDefaultRolePolicy policy is the dedicated authorization policy of the AliyunNasCrossAccountDataFlowDefaultRole service role. By default, NAS will use this role to access your resources in other services. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.


AliyunNasEncryptDefaultRolePolicy

The AliyunNasEncryptDefaultRolePolicy policy is the dedicated authorization policy of the AliyunNasEncryptDefaultRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

Service-linked role policies

AliyunServiceRolePolicyForNasBackup

NAS assumes the AliyunServiceRolePolicyForNasBackup service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForNasBackup policy is the dedicated authorization policy of the AliyunServiceRoleForNasBackup service-linked role. This policy is defined and used by NAS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.


AliyunServiceRolePolicyForNasCpfsClient

NAS assumes the AliyunServiceRolePolicyForNasCpfsClient service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForNasCpfsClient policy is the dedicated authorization policy of the AliyunServiceRoleForNasCpfsClient service-linked role. This policy is defined and used by NAS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.


AliyunServiceRolePolicyForNasCpfsNetwork

NAS assumes the AliyunServiceRolePolicyForNasCpfsNetwork service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForNasCpfsNetwork policy is the dedicated authorization policy of the AliyunServiceRoleForNasCpfsNetwork service-linked role. This policy is defined and used by NAS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.


AliyunServiceRolePolicyForNasEcsHandler

NAS assumes the AliyunServiceRolePolicyForNasEcsHandler service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForNasEcsHandler policy is the dedicated authorization policy of the AliyunServiceRoleForNasEcsHandler service-linked role. This policy is defined and used by NAS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.


AliyunServiceRolePolicyForNasEncryption

NAS assumes the AliyunServiceRolePolicyForNasEncryption service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForNasEncryption policy is the dedicated authorization policy of the AliyunServiceRoleForNasEncryption service-linked role. This policy is defined and used by NAS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.


AliyunServiceRolePolicyForNasEventNotification

NAS assumes the AliyunServiceRolePolicyForNasEventNotification service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForNasEventNotification policy is the dedicated authorization policy of the AliyunServiceRoleForNasEventNotification service-linked role. This policy is defined and used by NAS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.


AliyunServiceRolePolicyForNasExtreme

NAS assumes the AliyunServiceRolePolicyForNasExtreme service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForNasExtreme policy is the dedicated authorization policy of the AliyunServiceRoleForNasExtreme service-linked role. This policy is defined and used by NAS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.


AliyunServiceRolePolicyForNasLogDelivery

NAS assumes the AliyunServiceRolePolicyForNasLogDelivery service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForNasLogDelivery policy is the dedicated authorization policy of the AliyunServiceRoleForNasLogDelivery service-linked role. This policy is defined and used by NAS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.


AliyunServiceRolePolicyForNasMnsDataFlow

NAS assumes the AliyunServiceRolePolicyForNasMnsDataFlow service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForNasMnsDataFlow policy is the dedicated authorization policy of the AliyunServiceRoleForNasMnsDataFlow service-linked role. This policy is defined and used by NAS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.


AliyunServiceRolePolicyForNasOssDataFlow

NAS assumes the AliyunServiceRolePolicyForNasOssDataFlow service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForNasOssDataFlow policy is the dedicated authorization policy of the AliyunServiceRoleForNasOssDataFlow service-linked role. This policy is defined and used by NAS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.


AliyunServiceRolePolicyForNasStandard

NAS assumes the AliyunServiceRolePolicyForNasStandard service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForNasStandard policy is the dedicated authorization policy of the AliyunServiceRoleForNasStandard service-linked role. This policy is defined and used by NAS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.
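As an added illustration (not part of the Alibaba Cloud documentation), the following Python check applies the rule stated in the service role and service-linked role sections above: a dedicated policy must be attached only to its own role. The policy-to-role pairs are taken from this page; the attachment records, their field names, and the identities in them are constructed sample data.

```python
# Added example: audit policy attachments against the dedicated-role rule.
# Policy/role pairs come from this page; SAMPLE_ATTACHMENTS is constructed.

# Service role policy -> the single service role it is dedicated to.
SERVICE_ROLE_POLICIES = {
    "AliyunNASLogArchiveRolePolicy": "AliyunNASLogArchiveRole",
    "AliyunNASManageENIRolePolicy": "AliyunNASManageENIRole",
    # Exception to the naming pattern: the role is AliyunNASDefaultRole.
    "AliyunNASRolePolicy": "AliyunNASDefaultRole",
    "AliyunNASTieringRolePolicy": "AliyunNASTieringRole",
    "AliyunNasCrossAccountDataFlowDefaultRolePolicy":
        "AliyunNasCrossAccountDataFlowDefaultRole",
    "AliyunNasEncryptDefaultRolePolicy": "AliyunNasEncryptDefaultRole",
}
SLR_POLICY_PREFIX = "AliyunServiceRolePolicyFor"
SLR_ROLE_PREFIX = "AliyunServiceRoleFor"


def dedicated_role(policy):
    """Return the only role a policy may be attached to, or None if unrestricted."""
    if policy in SERVICE_ROLE_POLICIES:
        return SERVICE_ROLE_POLICIES[policy]
    if policy.startswith(SLR_POLICY_PREFIX + "Nas"):
        return SLR_ROLE_PREFIX + policy[len(SLR_POLICY_PREFIX):]
    return None  # e.g. AliyunNASFullAccess, AliyunNASReadOnlyAccess


def audit(attachments):
    """Return (attachment, reason) pairs for attachments that break the rule."""
    findings = []
    for att in attachments:
        role = dedicated_role(att["policy"])
        if role is None:
            continue
        if att["identity_type"] != "role" or att["identity"] != role:
            findings.append((att, f"{att['policy']} is dedicated to role {role}"))
    return findings


# Constructed inventory: (identity type, identity name, attached policy).
SAMPLE_ATTACHMENTS = [
    {"identity_type": "user", "identity": "alice", "policy": "AliyunNASReadOnlyAccess"},
    {"identity_type": "role", "identity": "AliyunNASDefaultRole", "policy": "AliyunNASRolePolicy"},
    {"identity_type": "role", "identity": "custom-etl-role", "policy": "AliyunNASRolePolicy"},
    {"identity_type": "user", "identity": "ops-backup", "policy": "AliyunServiceRolePolicyForNasBackup"},
    {"identity_type": "role", "identity": "AliyunServiceRoleForNasBackup", "policy": "AliyunServiceRolePolicyForNasBackup"},
]

if __name__ == "__main__":
    for att, reason in audit(SAMPLE_ATTACHMENTS):
        print(f"{att['identity_type']} {att['identity']}: {reason}")
```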


References

By default, RAM identities do not have any permissions. RAM identities can access cloud resources within an Alibaba Cloud account only after an account administrator grants the required permissions to the RAM identities. To ensure resource security, we recommend that you grant only the required permissions to the RAM identities based on the principle of least privilege. For more information, see the following topics: