This topic describes examples of custom access control policies.
Overview
- Policy 1: You are not allowed to modify or delete RAM users, RAM user groups, or RAM roles
- Policy 2: You are not allowed to modify the role ResourceDirectoryAccountAccessRole or change its permissions
- Policy 3: You are not allowed to modify or delete the specified RAM users
- Policy 4: You are not allowed to enable logon to the Alibaba Cloud Management Console for an existing RAM user
- Policy 5: You must complete MFA when you use a RAM user or RAM role to delete some resources
- Policy 6: You are not allowed to modify user-based SSO settings
- Policy 7: You are not allowed to modify role-based SSO settings
- Policy 8: You are not allowed to disable the Delivery feature of ActionTrail or change the destination to which ActionTrail delivers events
- Policy 9: You are not allowed to access some network services
- Policy 10: You are not allowed to create network resources (EIPs and NAT gateways) that can be used to access the Internet
- Policy 11: You are not allowed to access network services that are connected to on-premises resources
- Policy 12: You are not allowed to use some features provided by Billing Management
- Policy 13: You are not allowed to modify the settings of CloudMonitor
- Policy 14: You are not allowed to purchase reserved instances
- Policy 15: You are not allowed to create ECS instances in an unspecified VPC
- Policy 16: You are not allowed to purchase domain names
- Policy 17: You are not allowed to access the Support and Services console
- Policy 18: You are not allowed to access ECS in a specific region
Policy 1: You are not allowed to modify or delete RAM users, RAM user groups, or RAM roles
Document:
{
"Statement": [
{
"Action": [
"ram:Attach*",
"ram:Detach*",
"ram:BindMFADevice",
"ram:CreateAccessKey",
"ram:CreateLoginProfile",
"ram:CreatePolicyVersion",
"ram:DeleteAccessKey",
"ram:DeleteGroup",
"ram:DeleteLoginProfile",
"ram:DeletePolicy",
"ram:DeletePolicyVersion",
"ram:DeleteRole",
"ram:DeleteUser",
"ram:DisableVirtualMFA",
"ram:AddUserToGroup",
"ram:RemoveUserFromGroup",
"ram:SetDefaultPolicyVersion",
"ram:UnbindMFADevice",
"ram:UpdateAccessKey",
"ram:UpdateGroup",
"ram:UpdateLoginProfile",
"ram:UpdateRole",
"ram:UpdateUser"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN":"acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}The preceding policy defines that you are not allowed to modify or delete RAM users, RAM user groups, or RAM roles, including their permissions.
Note In this policy, only ResourceDirectoryAccountAccessRole, which is the default role
used to access members in a resource directory, can be used to perform the preceding
operations. You can remove this condition to make sure that all RAM users and RAM
roles cannot be used to perform these operations. You can also specify RAM users or
RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy 2: You are not allowed to modify the role ResourceDirectoryAccountAccessRole or change its permissions
Document:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ram:UpdateRole",
"ram:DeleteRole",
"ram:AttachPolicyToRole",
"ram:DetachPolicyFromRole"
],
"Resource": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
]
}Policy 3: You are not allowed to modify or delete the specified RAM users
Document:
{
"Version": "1",
"Statement": [{
"Action": [
"ram:AttachPolicyToUser",
"ram:DetachPolicyFromUser",
"ram:AddUserToGroup",
"ram:RemoveUserFromGroup",
"ram:UpdateUser",
"ram:DeleteUser",
"ram:CreateLoginProfile",
"ram:UpdateLoginProfile",
"ram:DeleteLoginProfile",
"ram:CreateAccessKey",
"ram:DeleteAccessKey",
"ram:UpdateAccessKey",
"ram:BindMFADevice",
"ram:UnbindMFADevice",
"ram:DisableVirtualMFA"
],
"Resource": [
"acs:ram:*:*:user/Alice"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}]
}The preceding policy defines that you are not allowed to modify or delete the specified
RAM users, including their permissions. For example, if a RAM user Alice exists, you
cannot perform the preceding operations on Alice. You can specify the Alibaba Cloud
account to which Alice belongs, such as acs:ram:*:18299873****:user/Alice.
Note In this policy, only ResourceDirectoryAccountAccessRole, which is the default role
used to access members in a resource directory, can be used to perform the preceding
operations. You can remove this condition to make sure that all RAM users and RAM
roles cannot be used to perform these operations. You can also specify RAM users or
RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy 4: You are not allowed to enable logon to the Alibaba Cloud Management Console for an existing RAM user
Document:
{
"Statement": [
{
"Action": [
"ram:CreateLoginProfile",
"ram:UpdateLoginProfile"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}The preceding policy defines that you are not allowed to enable logon to the Alibaba Cloud Management Console for an existing RAM user. You can still enable logon to the Alibaba Cloud Management Console for a new RAM user.
Note In this policy, only ResourceDirectoryAccountAccessRole, which is the default role
used to access members in a resource directory, can be used to perform the preceding
operations. You can remove this condition to make sure that all RAM users and RAM
roles cannot be used to perform these operations. You can also specify RAM users or
RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy 5: You must complete MFA when you use a RAM user or RAM role to delete some resources
Document:
{
"Statement": [
{
"Action": "ecs:DeleteInstance",
"Effect": "Deny",
"Resource": "*",
"Condition": {
"Bool": {
"acs:MFAPresent": "false"
}
}
}
],
"Version": "1"
}The preceding policy defines that you must complete multi-factor authentication (MFA) when you use a RAM user or RAM role to delete Elastic Compute Service (ECS) instances. If you want to delete other resources, change the value of Action to the action for the resources.
Policy 6: You are not allowed to modify user-based SSO settings
Document:
{
"Statement": [
{
"Action": [
"ram:SetSamlSsoSettings"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}Note In this policy, only ResourceDirectoryAccountAccessRole, which is the default role
used to access members in a resource directory, can be used to perform the preceding
operations. You can remove this condition to make sure that all RAM users and RAM
roles cannot be used to perform these operations. You can also specify RAM users or
RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy 7: You are not allowed to modify role-based SSO settings
Document:
{
"Statement": [
{
"Action": [
"ram:CreateSAMLProvider",
"ram:DeleteSAMLProvider",
"ram:UpdateSAMLProvider"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}Note In this policy, only ResourceDirectoryAccountAccessRole, which is the default role
used to access members in a resource directory, can be used to perform the preceding
operations. You can remove this condition to make sure that all RAM users and RAM
roles cannot be used to perform these operations. You can also specify RAM users or
RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy 8: You are not allowed to disable the Delivery feature of ActionTrail or change the destination to which ActionTrail delivers events
Document:
{
"Statement": [
{
"Action": [
"actiontrail:UpdateTrail",
"actiontrail:DeleteTrail",
"actiontrail:StopLogging"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}Note In this policy, only ResourceDirectoryAccountAccessRole, which is the default role
used to access members in a resource directory, can be used to perform the preceding
operations. You can remove this condition to make sure that all RAM users and RAM
roles cannot be used to perform these operations. You can also specify RAM users or
RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy 9: You are not allowed to access some network services
Document:
{
"Statement": [
{
"Action": [
"vpc:*HaVip*",
"vpc:*RouteTable*",
"vpc:*VRouter*",
"vpc:*RouteEntry*",
"vpc:*VSwitch*",
"vpc:*Vpc*",
"vpc:*Cen*",
"vpc:*NetworkAcl*"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
},
{
"Action": [
"vpc:*VpnGateway*",
"vpc:*VpnConnection*",
"vpc:*CustomerGateway*",
"vpc:*SslVpnServer*",
"vpc:*SslVpnClientCert*",
"vpc:*VpnRoute*",
"vpc:*VpnPbrRoute*"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}The preceding policy defines that you are not allowed to access Virtual Private Cloud (VPC) and VPN Gateway. If you want to deny access to other network services, change the value of Action to the action for these network services.
Note In this policy, only ResourceDirectoryAccountAccessRole, which is the default role
used to access members in a resource directory, can be used to perform the preceding
operations. You can remove this condition to make sure that all RAM users and RAM
roles cannot be used to perform these operations. You can also specify RAM users or
RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy 10: You are not allowed to create network resources (EIPs and NAT gateways) that can be used to access the Internet
Document:
{
"Version": "1",
"Statement": [
{
"Action": [
"vpc:AllocateEipAddress",
"vpc:AllocateEipAddressPro",
"vpc:AllocateEipSegmentAddress",
"vpc:CreateNatGateway"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
]
}Note In this policy, only ResourceDirectoryAccountAccessRole, which is the default role
used to access members in a resource directory, can be used to perform the preceding
operations. You can remove this condition to make sure that all RAM users and RAM
roles cannot be used to perform these operations. You can also specify RAM users or
RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy 11: You are not allowed to access network services that are connected to on-premises resources
Document:
{
"Statement": [
{
"Action": [
"vpc:*PhysicalConnection*",
"vpc:*VirtualBorderRouter*",
"cen:*",
"vpc:*VpnGateway*",
"vpc:*VpnConnection*",
"vpc:*CustomerGateway*",
"vpc:*SslVpnServer*",
"vpc:*SslVpnClientCert*",
"vpc:*VpnRoute*",
"vpc:*VpnPbrRoute*",
"smartag:*"
],
"Resource": "*",
"Effect": "Deny"
}
],
"Version": "1"
}The preceding policy defines that you are not allowed to access network services that are connected to on-premises resources. These network services include Express Connect, Cloud Enterprise Network, VPN Gateway, and Smart Access Gateway.
Policy 12: You are not allowed to use some features provided by Billing Management
Document:
{
"Statement": [
{
"Action": [
"bss:DescribeOrderList",
"bss:DescribeOrderDetail",
"bss:PayOrder",
"bss:CancelOrder"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}The preceding policy defines that you are not allowed to use the Orders feature provided by Billing Management. If you want to prohibit the use of other features, change the value of Action to the action for these features.
Note In this policy, only ResourceDirectoryAccountAccessRole, which is the default role
used to access members in a resource directory, can be used to perform the preceding
operations. You can remove this condition to make sure that all RAM users and RAM
roles cannot be used to perform these operations. You can also specify RAM users or
RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy 13: You are not allowed to modify the settings of CloudMonitor
Document:
{
"Version": "1",
"Statement": [
{
"Action": [
"cms:Put*",
"cms:Update*",
"cms:Create*",
"cms:Modify*",
"cms:Disable*",
"cms:Enable*",
"cms:Delete*",
"cms:Send*",
"cms:Subscribe*",
"cms:Unsubscribe*",
"cms:Remove*",
"cms:CreateAction",
"cms:Pause*",
"cms:Stop*",
"cms:Start*",
"cms:BatchCreate*",
"cms:ProfileSet",
"cms:ApplyMonitoringTemplate"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
]
}Note In this policy, only ResourceDirectoryAccountAccessRole, which is the default role
used to access members in a resource directory, can be used to perform the preceding
operations. You can remove this condition to make sure that all RAM users and RAM
roles cannot be used to perform these operations. You can also specify RAM users or
RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy 14: You are not allowed to purchase reserved instances
Document:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:PurchaseReservedInstancesOffering"
],
"Resource": "*",
"Effect": "Deny"
}
]
}Policy 15: You are not allowed to create ECS instances in an unspecified VPC
Document:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:CreateInstance",
"ecs:RunInstances"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"vpc:VPC": "acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc****"
}
}
}
]
}In the preceding policy, acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc**** is used as a specified VPC. You can replace it based on your business requirements.
Policy 16: You are not allowed to purchase domain names
Document:
{
"Version": "1",
"Statement": [
{
"Action": [
"domain:CreateOrderActivate"
],
"Resource": "*",
"Effect": "Deny"
}
]
}Policy 17: You are not allowed to access the Support and Services console
Document:
{
"Version": "1",
"Statement": [
{
"Action": [
"support:*",
"workorder:*"
],
"Resource": "*",
"Effect": "Deny"
}
]
}Policy 18: You are not allowed to access ECS in a specific region
Document:
{
"Version": "1",
"Statement": [{
"Effect": "Deny",
"Action": [
"ecs:*"
],
"Resource": "acs:ecs:us-east-1:*:*"
}]
}The preceding policy defines that you are not allowed to access ECS in the US (Virginia) region.