ApsaraDB RDS: System policies for RDS

Last Updated: Mar 19, 2025

What is a system policy?

A policy defines a set of permissions, described using the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. Alibaba Cloud Resource Access Management (RAM) provides system policies and custom policies. All system policies are created and updated by Alibaba Cloud: you can use them, but you cannot modify them. Custom policies are yours to create, update, and delete based on your business requirements.

During service iteration, RDS adds new permissions to system policies to support new features and capabilities. An update to a system policy affects all RAM identities to which the policy is attached, including RAM users, RAM user groups, and RAM roles. For more information about RAM policies, see Policy overview.

Note

System policies are designed for new users to quickly get started with Alibaba Cloud products on the management console, though they also enable the use of more advanced methods like API operations or CLI commands. If you are familiar with the advanced methods, we recommend that you use custom policies to implement finer-grained control on who is permitted to call what API operations, thereby improving security.

System policies can be classified into service system policies, service role policies, and service-linked role policies. Some cloud services provide only one or two of the three types of policies. For more information, see the policy types that are described in the following section.

Service system policies

AliyunRDSFullAccess

The AliyunRDSFullAccess policy provides full access to ApsaraDB for RDS through the management console. It can be attached to RAM identities.

AliyunRDSReadOnlyAccess

The AliyunRDSReadOnlyAccess policy provides read-only access to ApsaraDB for RDS through the management console. It can be attached to RAM identities.

AliyunRDSReadOnlyWithSQLLogArchiveAccess

The AliyunRDSReadOnlyWithSQLLogArchiveAccess policy provides read-only and SQL log archive access to ApsaraDB for RDS through the management console. It can be attached to RAM identities.

Service role policies

AliyunMyBaseCPaaSDefaultRolePolicy

The AliyunMyBaseCPaaSDefaultRolePolicy policy is the dedicated authorization policy of the AliyunMyBaseCPaaSDefaultRole service role. By default, MyBase CPaaS version uses this role to access your resources in other cloud products. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunMyBaseCPaaSMyBaseOperatorRolePolicy

The AliyunMyBaseCPaaSMyBaseOperatorRolePolicy policy is the dedicated authorization policy of the AliyunMyBaseCPaaSMyBaseOperatorRole service role. By default, MyBase CPaaS version uses this role to manage resources related to the MyBase Operator. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunMyBaseCPaaSPolarDBXOperatorRolePolicy

The AliyunMyBaseCPaaSPolarDBXOperatorRolePolicy policy is the dedicated authorization policy of the AliyunMyBaseCPaaSPolarDBXOperatorRole service role. By default, MyBase CPaaS version uses this role to manage resources related to the PolarDB-X Operator. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunPostgreSQLInstanceEncryptionRolePolicy

The AliyunPostgreSQLInstanceEncryptionRolePolicy policy is the dedicated authorization policy of the AliyunPostgreSQLInstanceEncryptionRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunPostgreSQLRolePolicy

The AliyunPostgreSQLRolePolicy policy is the dedicated authorization policy of the AliyunPostgreSQLDefaultRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunRDSDedicatedHostGroupRolePolicy

The AliyunRDSDedicatedHostGroupRolePolicy policy is the dedicated authorization policy of the AliyunRDSDedicatedHostGroupRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunRDSImportRolePolicy

The AliyunRDSImportRolePolicy policy is the dedicated authorization policy of the AliyunRDSImportRole service role. The policy includes read-only permission for OSS. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunRDSInstanceEncryptionRolePolicy

The AliyunRDSInstanceEncryptionRolePolicy policy is the dedicated authorization policy of the AliyunRDSInstanceEncryptionDefaultRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunRDSNotificationRolePolicy

The AliyunRDSNotificationRolePolicy policy is the dedicated authorization policy of the AliyunRDSNotificationRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunRDSSqlExplorerRolePolicy

The AliyunRDSSqlExplorerRolePolicy policy is the dedicated authorization policy of the AliyunRDSSqlExplorerRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

Service-linked role policies

AliyunServiceRolePolicyForRDSBlueGreen

RDS assumes the AliyunServiceRoleForRDSBlueGreen service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForRDSBlueGreen policy is the dedicated authorization policy of the AliyunServiceRoleForRDSBlueGreen service-linked role. This policy is defined and used by RDS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForRDSGAD

RDS assumes the AliyunServiceRoleForRDSGAD service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForRDSGAD policy is the dedicated authorization policy of the AliyunServiceRoleForRDSGAD service-linked role. This policy is defined and used by RDS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForRDSProxyOnEcs

RDS assumes the AliyunServiceRoleForRDSProxyOnEcs service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForRDSProxyOnEcs policy is the dedicated authorization policy of the AliyunServiceRoleForRDSProxyOnEcs service-linked role. This policy is defined and used by RDS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForRds

RDS assumes the AliyunServiceRoleForRds service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForRds policy is the dedicated authorization policy of the AliyunServiceRoleForRds service-linked role. This policy is defined and used by RDS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForRdsBackupEncryption

RDS assumes the AliyunServiceRoleForRdsBackupEncryption service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForRdsBackupEncryption policy is the dedicated authorization policy of the AliyunServiceRoleForRdsBackupEncryption service-linked role. This policy is defined and used by RDS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForRdsImport

RDS assumes the AliyunServiceRoleForRdsImport service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForRdsImport policy is the dedicated authorization policy of the AliyunServiceRoleForRdsImport service-linked role. This policy is defined and used by RDS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForRdsMyBaseProprietary

RDS assumes the AliyunServiceRoleForRdsMyBaseProprietary service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForRdsMyBaseProprietary policy is the dedicated authorization policy of the AliyunServiceRoleForRdsMyBaseProprietary service-linked role. This policy is defined and used by RDS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForRdsPgsqlOnEcs

RDS assumes the AliyunServiceRoleForRdsPgsqlOnEcs service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForRdsPgsqlOnEcs policy is the dedicated authorization policy of the AliyunServiceRoleForRdsPgsqlOnEcs service-linked role. This policy is defined and used by RDS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.
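The attachment rule repeated in the service role and service-linked role entries above can be checked mechanically. The following audit is an added example, not Alibaba Cloud code: policy and role names are the ones listed on this page, while the attachment record schema and the sample principals are constructed for illustration.

```python
# Added example: audit RAM policy attachments against the rules on this page.
# Policy/role names are from the page; the record schema and sample are constructed.

# Service role policies: naming is irregular, so map each one explicitly (subset shown).
SERVICE_ROLE_POLICIES = {
    "AliyunRDSImportRolePolicy": "AliyunRDSImportRole",
    "AliyunPostgreSQLRolePolicy": "AliyunPostgreSQLDefaultRole",
    "AliyunRDSInstanceEncryptionRolePolicy": "AliyunRDSInstanceEncryptionDefaultRole",
    "AliyunRDSSqlExplorerRolePolicy": "AliyunRDSSqlExplorerRole",
}
BROAD = {"AliyunRDSFullAccess"}  # full access: candidate for a custom policy


def expected_role(policy):
    """Return the only role a dedicated policy belongs on, or None if not dedicated."""
    if policy in SERVICE_ROLE_POLICIES:
        return SERVICE_ROLE_POLICIES[policy]
    # Service-linked pairs on this page: AliyunServiceRolePolicyForX -> AliyunServiceRoleForX
    if policy.startswith("AliyunServiceRolePolicyFor"):
        return policy.replace("RolePolicy", "Role", 1)
    return None


def audit(attachments):
    """Return sorted (severity, policy, principal, reason) findings."""
    findings = []
    for a in attachments:
        policy, principal = a["policy"], f'{a["principal_type"]}:{a["principal_name"]}'
        role = expected_role(policy)
        if role is not None and principal != f"role:{role}":
            findings.append(("HIGH", policy, principal, f"attach only to role {role}"))
        elif policy in BROAD:
            findings.append(("REVIEW", policy, principal, "full access; scope with a custom policy"))
    return sorted(findings)


# Constructed sample inventory (not real account data).
SAMPLE = [
    {"policy": "AliyunRDSImportRolePolicy", "principal_type": "role", "principal_name": "AliyunRDSImportRole"},
    {"policy": "AliyunRDSImportRolePolicy", "principal_type": "user", "principal_name": "etl-bot"},
    {"policy": "AliyunServiceRolePolicyForRdsImport", "principal_type": "role", "principal_name": "ci-deployer"},
    {"policy": "AliyunServiceRolePolicyForRds", "principal_type": "role", "principal_name": "AliyunServiceRoleForRds"},
    {"policy": "AliyunRDSFullAccess", "principal_type": "group", "principal_name": "dba-team"},
    {"policy": "AliyunRDSReadOnlyAccess", "principal_type": "user", "principal_name": "auditor"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Feed it the attachment list exported from your own account in place of `SAMPLE`, and extend `SERVICE_ROLE_POLICIES` with the remaining service role policies listed above.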

References

By default, RAM identities do not have any permissions. RAM identities can access cloud resources within an Alibaba Cloud account only after an account administrator grants the required permissions to the RAM identities. To ensure resource security, we recommend that you grant only the required permissions to the RAM identities based on the principle of least privilege. For more information, see the following topics: