Use RAM to restrict access to your Alibaba Cloud resources from specific IP addresses to enhance access security.
Use cases
An enterprise uses various Alibaba Cloud resources to run its business, such as ECS instances, ApsaraDB RDS instances, Server Load Balancer (SLB) instances, and OSS buckets. To protect its services and data, the enterprise wants to allow access to its Alibaba Cloud resources only from specific IP addresses.
To do this, create a custom policy and a RAM user, and then attach the policy to the user. The RAM user can then access your Alibaba Cloud resources only from the specified IP addresses.
Procedure
This example shows how to allow a RAM user to access ECS instances only from the IP addresses 192.0.2.0/24 and 203.0.113.2.
- Create a custom policy.

  Log on to the RAM console. In the left-side navigation pane, choose . On the Policies page, click Create Policy. You can create a custom policy in the visual editor or on the JSON tab. For more information, see Create a custom policy.

  The following code provides an example permission policy:

  ```json
  {
    "Statement": [
      {
        "Action": "ecs:*",
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {
          "IpAddress": {
            "acs:SourceIp": [
              "192.0.2.0/24",
              "203.0.113.2"
            ]
          }
        }
      }
    ],
    "Version": "1"
  }
  ```

  Note: When you use this policy, replace the value of acs:SourceIp with your actual IP addresses.

- Create a RAM user.

  In the left-side navigation pane, choose and click Create User. For security, we recommend that you select only one access mode for the RAM user and separate human users from application users. For more information, see Create a RAM user.

  In the Logon Name and Display Name fields, enter Bob. For Access Mode, select Console Access.

- Grant permissions to the RAM user.

  On the Users page, find the RAM user and attach the custom policy. For more information, see Grant permissions to a RAM user.

  On the Add Permissions page, select Account Level for Resource Scope. Find and select the custom policy that you created, such as ECS-test1, and then click OK.

- Log on as the RAM user and access an ECS instance to verify the policy.

  If the RAM user accesses an ECS instance from an allowed IP address, such as one in the 192.0.2.0/24 range or 203.0.113.2, the access is successful. If the RAM user attempts to access the instance from any other IP address, the access is denied.
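Before relying on the console check above, it helps to see what the IpAddress condition does and does not restrict. The following Python script is an added example, not code from Alibaba Cloud or from this tutorial: it simulates the documented RAM evaluation rule (a request is denied unless some statement allows it, and an explicit Deny overrides every Allow) over three constructed policy documents. The first is the tutorial's Allow + IpAddress policy, the second is the Deny + NotIpAddress alternative mentioned under Related documentation, and the third is a hypothetical "full ECS access" policy standing in for any other permission the same user might hold (for example through a user group). The action name, resource identifier and test IP addresses are illustrative values chosen for the example.

```python
"""Local simulation of how RAM evaluates acs:SourceIp conditions.

Added example, not Alibaba Cloud code. It reproduces the documented
evaluation rule (implicit deny; a matching Allow grants; a matching Deny
wins over every Allow) for three constructed policy documents, to show why
an Allow + IpAddress policy fences only the permissions it grants itself,
while a Deny + NotIpAddress policy fences every permission the user has.
"""
import ipaddress
import json
from fnmatch import fnmatchcase

# The tutorial's policy: ECS permissions, but only from the two office ranges.
ALLOW_FROM_OFFICE = json.loads("""
{
  "Statement": [
    {"Action": "ecs:*", "Effect": "Allow", "Resource": "*",
     "Condition": {"IpAddress": {"acs:SourceIp": ["192.0.2.0/24", "203.0.113.2"]}}}
  ],
  "Version": "1"
}
""")

# The alternative form: deny ECS actions from any address that is NOT an office address.
DENY_OUTSIDE_OFFICE = json.loads("""
{
  "Statement": [
    {"Action": "ecs:*", "Effect": "Deny", "Resource": "*",
     "Condition": {"NotIpAddress": {"acs:SourceIp": ["192.0.2.0/24", "203.0.113.2"]}}}
  ],
  "Version": "1"
}
""")

# Constructed stand-in for some other policy the same user also holds
# (for example attached to a RAM user group the user belongs to).
ECS_FULL_ACCESS = json.loads("""
{"Statement": [{"Action": "ecs:*", "Effect": "Allow", "Resource": "*"}], "Version": "1"}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_any(ip, cidrs):
    """True if ip falls inside any CIDR; a bare address counts as a /32."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(condition, context):
    """Evaluate the IpAddress / NotIpAddress operators used on this page."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator {operator} is not modelled in this example")
        for key, values in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # condition key absent from the request: condition fails
            inside = _ip_in_any(actual, _as_list(values))
            if operator == "IpAddress" and not inside:
                return False
            if operator == "NotIpAddress" and inside:
                return False
    return True


def _statement_applies(statement, action, resource, context):
    return (any(fnmatchcase(action, p) for p in _as_list(statement["Action"]))
            and any(fnmatchcase(resource, p) for p in _as_list(statement["Resource"]))
            and _condition_holds(statement.get("Condition"), context))


def evaluate(policies, action, resource, source_ip):
    """Return "Allow" or "Deny" for one request against all attached policies."""
    context = {"acs:SourceIp": source_ip}
    decision = "Deny"  # implicit deny until some statement allows the request
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_applies(statement, action, resource, context):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides any Allow, in any policy
            decision = "Allow"
    return decision


if __name__ == "__main__":
    action = "ecs:DescribeInstances"
    resource = "acs:ecs:cn-hangzhou:123456789012:instance/i-example"  # constructed identifier
    office, elsewhere = "192.0.2.10", "198.51.100.7"
    print("allow policy alone, office IP:         ", evaluate([ALLOW_FROM_OFFICE], action, resource, office))
    print("allow policy alone, other IP:          ", evaluate([ALLOW_FROM_OFFICE], action, resource, elsewhere))
    # The gap: a second Allow policy is not fenced by the first policy's condition.
    print("allow policy + full access, other IP:  ", evaluate([ALLOW_FROM_OFFICE, ECS_FULL_ACCESS], action, resource, elsewhere))
    # The Deny form closes it, because an explicit Deny beats every Allow.
    print("deny policy + full access, other IP:   ", evaluate([DENY_OUTSIDE_OFFICE, ECS_FULL_ACCESS], action, resource, elsewhere))
    print("deny policy + full access, office IP:  ", evaluate([DENY_OUTSIDE_OFFICE, ECS_FULL_ACCESS], action, resource, office))
```

The third and fourth lines of output are the point: with only the tutorial's Allow policy plus any other Allow, a request from 198.51.100.7 is still allowed, whereas the Deny + NotIpAddress policy denies it while still allowing the office address. When the goal is to fence off a user rather than to grant fenced permissions, prefer the Deny form, or make sure no other policy reaches the user through a group or a second attachment.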
FAQ
Policy does not take effect
If a permission policy does not take effect after you grant it to a RAM user, the IP addresses in the policy might be incorrect. The address that RAM compares against acs:SourceIp is the public IP address from which the request reaches the Alibaba Cloud API endpoint. For a user behind NAT or a corporate proxy, that is the shared egress address, not the private LAN address of the workstation, so check the address that Alibaba Cloud actually records rather than the one the client reports. For Alibaba Cloud services that are integrated with ActionTrail, you can view the related events in the ActionTrail console. In the event details, you can find the source IP address of the request. Then, you can modify the IP addresses in the policy and verify the policy again.
In the left-side navigation pane, choose Event Query. Filter events by Cloud Service Name. In the event list, find the relevant event and click View Details in the Actions column.
Related documentation
- This topic focuses on using the Allow statement with the IpAddress condition key. You can also use the Deny statement with the NotIpAddress condition key to specify allowed IP addresses. The two forms differ in scope: an Allow statement with an IpAddress condition restricts only the permissions that this policy itself grants, so any other policy attached to the user, or to a RAM user group that the user belongs to, still applies from any IP address. A Deny statement with a NotIpAddress condition overrides every Allow in every attached policy, so use that form when the user must be fenced off regardless of what else is attached. For more policy examples, see Control access based on IP addresses.
- For more information about policy elements such as Effect, Action, Resource, and Condition, see Basic elements of a permission policy.
- For more information about how to view events in ActionTrail, see Query events.
- With Terraform Explorer, you can run this tutorial's template to deploy the environment directly.