ApsaraDB RDS:Use RAM policies to manage the permissions of RAM users on ApsaraDB RDS instances

Last Updated:Mar 28, 2026

Use Resource Access Management (RAM) policies to control what RAM users can do on ApsaraDB RDS instances. This page walks you through the full workflow: create a custom RAM policy from a pre-built JSON template, then attach it to a RAM user.

The policies in the reference section below use "Effect": "Deny" with a Condition block to enforce compliance guardrails, for example blocking instance creation without disk encryption or preventing users from disabling SSL encryption. An explicit Deny overrides any Allow granted elsewhere, so these policies take effect even if broader permissions exist. Because they are Deny-only, they grant nothing by themselves: the RAM user still needs an Allow policy (such as the system policy AliyunRDSFullAccess) to operate RDS at all. They also bind only the RAM users and roles they are attached to; the Alibaba Cloud account itself is not restricted by RAM policies.

Prerequisites

Before you begin, ensure that you have:

  • A RAM user to whom you want to grant or restrict permissions

  • Access to the RAM console

Create and attach a RAM policy

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the JSON tab, paste the policy document and click OK. Find the policy JSON in the RAM policies for ApsaraDB RDS section below. For policy syntax and structure, see Policy structure and syntax.

  5. In the Create Policy dialog box, set Name and Description, then click OK. The policy name must meet these requirements:

    • 1 to 128 characters

    • Letters, digits, and hyphens (-) only

  6. In the left-side navigation pane, choose Permissions > Grants, then click Grant Permission. Configure the following settings:

    1. Resource Scope: Select Account to apply permissions to all resources in your Alibaba Cloud account, or ResourceGroup to limit the scope to a specific resource group.

    2. Principal: Enter part of a RAM username to search by fuzzy match, then select the target RAM user.

    3. In the Policy section, select Custom Policy from the drop-down list.

    4. Search for and select the policy you created in steps 4 and 5, then click OK.

    • The ResourceGroup scope is available only for services that support resource groups; confirm ApsaraDB RDS in Services that work with Resource Group.

    • Enter part of the policy name in the search box to find it by fuzzy match.
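The console steps above can be scripted. The following Python is an added example, not code from this page or from Alibaba Cloud: it lints a guardrail document against the constraints stated above (name format, Version "1", Deny with a Condition, rds:* actions) and then builds the two aliyun CLI calls that mirror steps 3 to 6, ram CreatePolicy and ram AttachPolicyToUser. It assumes the aliyun CLI is installed and configured with credentials allowed to call those RAM APIs; the RAM user name rds-operator is a placeholder, and the script only prints the commands unless dry_run is set to False.

```python
"""Create a custom RAM guardrail policy and attach it to a RAM user with the
aliyun CLI (added example; assumes the aliyun CLI is installed and configured
with credentials that may call ram:CreatePolicy and ram:AttachPolicyToUser)."""
import json
import re
import shlex
import subprocess

# Policy name constraints stated on this page.
POLICY_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,128}$")
# Condition operators used by the policies on this page.
KNOWN_OPERATORS = {"StringEquals", "StringNotEquals", "Bool"}

# DataSecuritySSLDisabledForbidden, as given in the reference section of this page.
SSL_DISABLED_FORBIDDEN = {
    "Statement": [
        {
            "Action": "rds:ModifyDBInstanceSSL",
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {"StringEquals": {"rds:SSLEnabled": "0"}},
        }
    ],
    "Version": "1",
}


def lint_guardrail(name: str, doc: dict) -> list[str]:
    """Return a list of problems; empty means the document has the
    Deny-with-Condition shape this page uses."""
    problems = []
    if not POLICY_NAME_RE.match(name):
        problems.append("policy name must be 1-128 letters, digits or hyphens")
    if doc.get("Version") != "1":
        problems.append('Version must be the string "1"')
    statements = doc.get("Statement", [])
    if not statements:
        problems.append("policy has no Statement")
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if not actions or not all(a.startswith("rds:") for a in actions):
            problems.append(f"statement {i}: expected one or more rds:* actions")
        if st.get("Effect") != "Deny":
            problems.append(f"statement {i}: a guardrail should use Effect Deny")
        cond = st.get("Condition")
        if not cond:
            # A Deny without a Condition blocks the action for compliant calls too.
            problems.append(f"statement {i}: Deny has no Condition and would block every call")
        else:
            for op in cond:
                if op not in KNOWN_OPERATORS:
                    problems.append(f"statement {i}: unexpected condition operator {op}")
    return problems


def cli_commands(name: str, doc: dict, user_name: str, description: str) -> list[list[str]]:
    """Build the aliyun CLI invocations equivalent to the console steps."""
    document = json.dumps(doc, separators=(",", ":"))
    return [
        ["aliyun", "ram", "CreatePolicy", "--PolicyName", name,
         "--PolicyDocument", document, "--Description", description],
        ["aliyun", "ram", "AttachPolicyToUser", "--PolicyType", "Custom",
         "--PolicyName", name, "--UserName", user_name],
    ]


def apply_guardrail(name: str, doc: dict, user_name: str, description: str = "",
                    dry_run: bool = True) -> list[list[str]]:
    """Lint the document, then print (dry run) or execute the CLI commands."""
    problems = lint_guardrail(name, doc)
    if problems:
        raise ValueError("; ".join(problems))
    commands = cli_commands(name, doc, user_name, description)
    for cmd in commands:
        if dry_run:
            print(shlex.join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return commands


if __name__ == "__main__":
    # "rds-operator" is a placeholder RAM user name, not one from this page.
    apply_guardrail("DataSecuritySSLDisabledForbidden", SSL_DISABLED_FORBIDDEN,
                    "rds-operator", "Deny disabling SSL on RDS instances")
```

Run it once with the default dry run and inspect the printed commands before switching dry_run to False; the lint deliberately rejects a Deny statement without a Condition, because such a statement would block the action for compliant requests as well.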

RAM policies for ApsaraDB RDS

Each policy uses "Effect": "Deny" with a Condition to block one specific non-compliant action. Apply the policies that match your security requirements. Several policies use StringNotEquals, so whether they also deny a request that omits the condition key entirely depends on how RAM evaluates an absent key; verify each policy against a real API call, made as the RAM user, before rolling it out.

Instance creation

  • CreateRdsWithNonDiskEncryptionForbidden: Prevents users from creating RDS instances without encrypted disks. Applies to primary instances only, not to read-only instances or instances created from a data restore.

  • CreateRdsWithNonVPCNetworkTypeForbidden: Prevents users from creating RDS instances with a network type other than Virtual Private Cloud (VPC). Applies to primary instances only, not to read-only instances or instances created from a data restore.

Network configurations

  • DatabaseConnectionNonVPCNetworkTypeForbidden: Prevents users from switching the network type of RDS instances to classic network.

Security configurations

  • DataSecuritySSLDisabledForbidden: Prevents users from disabling SSL encryption on RDS instances.

  • DataSecurityTDEDisabledForbidden: Prevents users from disabling Transparent Data Encryption (TDE) on RDS instances.

Database proxy configurations

  • DatabaseProxyWithNonVPCNetworkTypeForbidden: Prevents users from specifying public endpoints when enabling the database proxy feature for RDS instances.

  • DatabaseProxyCreateEndpointAddressWithNonVPCNetworkTypeForbidden: Prevents users from specifying public endpoints when creating endpoints to connect to the database proxies of RDS instances.

  • DatabaseProxyModifyEndpointAddressWithNonVPCNetworkTypeForbidden: Prevents users from specifying public endpoints when modifying the endpoints used to connect to the database proxies of RDS instances.

  • DatabaseProxyDbProxyInstanceSslDisabledForbidden: Prevents users from disabling SSL encryption for specific endpoints of the database proxies of RDS instances.

Backup-related configurations

  • BackupAndRestorationCrossBackupDisabledForbidden: Prevents users from disabling the cross-region backup feature for RDS instances.

  • BackupAndRestorationBackupPolicyDisabledForbidden: Prevents users from disabling the log backup feature for RDS instances.

Event history

  • EventCenterActionEventEnableEventLogForbidden: Prevents users from enabling the event history feature for RDS instances.

Policy code

CreateRdsWithNonDiskEncryptionForbidden

Blocks instance creation when disk encryption is not enabled (rds:DiskEncryptionRequired: false).

{
  "Statement": [
    {
      "Action": [
        "rds:CreateDBInstance",
        "rds:PreCheckCreateOrder",
        "rds:CreateOrder"
      ],
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "rds:DiskEncryptionRequired": "false"
        }
      }
    }
  ],
  "Version": "1"
}

CreateRdsWithNonVPCNetworkTypeForbidden

Blocks instance creation when the network type is not VPC (rds:InstanceNetworkType is not VPC).

{
  "Statement": [
    {
      "Action": [
        "rds:CreateDBInstance",
        "rds:PreCheckCreateOrder",
        "rds:CreateOrder"
      ],
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:InstanceNetworkType": "VPC"
        }
      }
    }
  ],
  "Version": "1"
}

DatabaseConnectionNonVPCNetworkTypeForbidden

Blocks switching an instance's network type to classic network (rds:InstanceNetworkType is not VPC).

{
  "Statement": [
    {
      "Action": "rds:ModifyDBInstanceNetworkType",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:InstanceNetworkType": "VPC"
        }
      }
    }
  ],
  "Version": "1"
}

DataSecuritySSLDisabledForbidden

Blocks disabling SSL encryption on an instance (rds:SSLEnabled: 0).

{
  "Statement": [
    {
      "Action": "rds:ModifyDBInstanceSSL",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:SSLEnabled": "0"
        }
      }
    }
  ],
  "Version": "1"
}

DataSecurityTDEDisabledForbidden

Blocks disabling TDE on an instance (rds:TDEStatus is not Enabled).

{
  "Statement": [
    {
      "Action": "rds:ModifyDBInstanceTDE",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:TDEStatus": "Enabled"
        }
      }
    }
  ],
  "Version": "1"
}

DatabaseProxyWithNonVPCNetworkTypeForbidden

Blocks enabling the database proxy feature with a non-VPC network type (rds:InstanceNetworkType is not VPC).

{
  "Statement": [
    {
      "Action": "rds:ModifyDBProxy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:InstanceNetworkType": "VPC"
        }
      }
    }
  ],
  "Version": "1"
}

DatabaseProxyCreateEndpointAddressWithNonVPCNetworkTypeForbidden

Blocks creating a database proxy endpoint with a non-VPC network type (rds:InstanceNetworkType is not VPC). As printed here, this document is identical to DatabaseProxyWithNonVPCNetworkTypeForbidden above: it denies rds:ModifyDBProxy on rds:InstanceNetworkType rather than an endpoint-creation action. Verify the action name and condition key against the current RAM authorization reference for ApsaraDB RDS before relying on this policy to cover endpoint creation.

{
  "Statement": [
    {
      "Action": "rds:ModifyDBProxy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:InstanceNetworkType": "VPC"
        }
      }
    }
  ],
  "Version": "1"
}

DatabaseProxyModifyEndpointAddressWithNonVPCNetworkTypeForbidden

Blocks modifying a database proxy endpoint to use a non-VPC connection string (rds:DBProxyConnectStringNetType is not VPC).

{
  "Statement": [
    {
      "Action": "rds:ModifyDBProxyEndpointAddress",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:DBProxyConnectStringNetType": "VPC"
        }
      }
    }
  ],
  "Version": "1"
}

DatabaseProxyDbProxyInstanceSslDisabledForbidden

Blocks disabling SSL encryption on database proxy endpoints (rds:DbProxySslEnabled: 0).

{
  "Statement": [
    {
      "Action": "rds:ModifyDbProxyInstanceSsl",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:DbProxySslEnabled": "0"
        }
      }
    }
  ],
  "Version": "1"
}

BackupAndRestorationCrossBackupDisabledForbidden

Blocks disabling the cross-region backup feature. The policy contains two statements: one checks that rds:BackupEnabled is 1, the other checks that rds:LogBackupEnabled is 1.

{
  "Statement": [
    {
      "Action": "rds:ModifyInstanceCrossBackupPolicy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:BackupEnabled": "1"
        }
      }
    },
    {
      "Action": "rds:ModifyInstanceCrossBackupPolicy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:LogBackupEnabled": "1"
        }
      }
    }
  ],
  "Version": "1"
}

BackupAndRestorationBackupPolicyDisabledForbidden

Blocks disabling the log backup feature. The policy contains two statements: one denies when rds:EnableBackupLog equals 0, the other denies when rds:BackupLog equals Disabled.

{
  "Statement": [
    {
      "Action": "rds:ModifyBackupPolicy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:EnableBackupLog": "0"
        }
      }
    },
    {
      "Action": "rds:ModifyBackupPolicy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:BackupLog": "Disabled"
        }
      }
    }
  ],
  "Version": "1"
}

EventCenterActionEventEnableEventLogForbidden

Blocks enabling the event history feature (rds:EnableEventLog is not False).

{
  "Statement": [
    {
      "Action": "rds:ModifyActionEventPolicy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:EnableEventLog": "False"
        }
      }
    }
  ],
  "Version": "1"
}
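To see how these Deny documents combine with the Allow policy a RAM user normally holds, here is an added Python model of RAM's evaluation rules; it is not Alibaba Cloud's code and only approximates the service. It embeds two of the policies above (CreateRdsWithNonDiskEncryptionForbidden and DataSecurityTDEDisabledForbidden) together with an assumed broad Allow on rds:*, and runs constructed request contexts through them. The handling of a condition key that is absent from the request is an assumption of the model (StringEquals and Bool do not match, StringNotEquals matches, so the Deny fires) and should be confirmed against a real API call.

```python
"""Simplified local model of RAM policy evaluation (added example, not Alibaba
Cloud code): an explicit Deny beats any Allow, and a Deny statement fires only
when its Condition matches the request context."""
from fnmatch import fnmatchcase

# Two policies copied from the reference above.
DISK_ENCRYPTION_GUARDRAIL = {
    "Statement": [{
        "Action": ["rds:CreateDBInstance", "rds:PreCheckCreateOrder", "rds:CreateOrder"],
        "Effect": "Deny", "Resource": "*",
        "Condition": {"Bool": {"rds:DiskEncryptionRequired": "false"}},
    }],
    "Version": "1",
}
TDE_GUARDRAIL = {
    "Statement": [{
        "Action": "rds:ModifyDBInstanceTDE", "Effect": "Deny", "Resource": "*",
        "Condition": {"StringNotEquals": {"rds:TDEStatus": "Enabled"}},
    }],
    "Version": "1",
}
# Assumed broad Allow such as an operator would hold; guardrails grant nothing on their own.
ALLOW_ALL_RDS = {"Statement": [{"Action": "rds:*", "Effect": "Allow", "Resource": "*"}],
                 "Version": "1"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Every operator and every key must match; the values listed for one key are OR'ed.
    Assumption of this model for a key absent from the request: StringEquals and
    Bool do not match, StringNotEquals matches (so the Deny fires)."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            values = [str(v) for v in _as_list(wanted)]
            present = key in ctx
            actual = str(ctx.get(key))
            if operator == "StringEquals":
                ok = present and actual in values
            elif operator == "StringNotEquals":
                ok = (not present) or actual not in values
            elif operator == "Bool":
                ok = present and actual.lower() == values[0].lower()
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies: list, action: str, ctx: dict) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            if not any(fnmatchcase(action, pat) for pat in _as_list(st["Action"])):
                continue
            if not _condition_matches(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny ends evaluation
            decision = "Allow"
    return decision


if __name__ == "__main__":
    policies = [ALLOW_ALL_RDS, DISK_ENCRYPTION_GUARDRAIL, TDE_GUARDRAIL]
    # Constructed request contexts; the keys are the condition keys used above.
    cases = [
        ("rds:CreateDBInstance", {"rds:DiskEncryptionRequired": False}),
        ("rds:CreateDBInstance", {"rds:DiskEncryptionRequired": True}),
        ("rds:ModifyDBInstanceTDE", {"rds:TDEStatus": "Disabled"}),
        ("rds:ModifyDBInstanceTDE", {"rds:TDEStatus": "Enabled"}),
        ("rds:DescribeDBInstances", {}),
    ]
    for action, ctx in cases:
        print(f"{action:26} {ctx!s:42} -> {evaluate(policies, action, ctx)}")
    # Without an Allow policy the guardrails alone leave everything implicitly denied.
    print(evaluate([DISK_ENCRYPTION_GUARDRAIL, TDE_GUARDRAIL], "rds:DescribeDBInstances", {}))
```

The last line of the script is the point most often missed when these guardrails are rolled out: attaching only Deny policies to a new RAM user produces an ImplicitDeny for every RDS call, so the user must also be granted an Allow policy for the guardrails to have anything to constrain.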

What's next

  • Policy overview — Learn how RAM policies work, including policy evaluation order and the Deny-override-Allow rule.

  • Policy structure and syntax — Understand the JSON structure of RAM policies so you can write custom conditions.