This topic provides examples of custom control policies that you can write for a resource directory. Each example is a Deny policy: it blocks the listed operations and, where a Condition is present, exempts specific principals or requires a specific request context.

Overview

Policy 1: You are not allowed to modify or delete RAM users, RAM user groups, or RAM roles

Document:

{
    "Statement": [
        {
            "Action": [
                "ram:Attach*",
                "ram:Detach*",
                "ram:BindMFADevice",
                "ram:CreateAccessKey",
                "ram:CreateLoginProfile",
                "ram:CreatePolicyVersion",
                "ram:DeleteAccessKey",
                "ram:DeleteGroup",
                "ram:DeleteLoginProfile",
                "ram:DeletePolicy",
                "ram:DeletePolicyVersion",
                "ram:DeleteRole",
                "ram:DeleteUser",
                "ram:DisableVirtualMFA",
                "ram:AddUserToGroup",
                "ram:RemoveUserFromGroup",
                "ram:SetDefaultPolicyVersion",
                "ram:UnbindMFADevice",
                "ram:UpdateAccessKey",
                "ram:UpdateGroup",
                "ram:UpdateLoginProfile",
                "ram:UpdateRole",
                "ram:UpdateUser"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

The preceding policy denies the operations that modify or delete RAM users, RAM user groups, and RAM roles, including attaching and detaching policies, managing access keys, console logon settings, and MFA devices, and changing policy versions. Creating new RAM users, groups, or roles is not denied by this policy.

Note In this policy, the condition exempts ResourceDirectoryAccountAccessRole, the default role that is used to access members in a resource directory, so only that role can still perform the preceding operations. If you remove the condition, no RAM user or RAM role can perform these operations. To exempt specific RAM users or RAM roles instead, change the value of acs:PrincipalARN to their ARNs.

Policy 2: You are not allowed to modify the role ResourceDirectoryAccountAccessRole or change its permissions

Document:

{
   "Version": "1",
   "Statement": [
       {
           "Effect": "Deny",
           "Action": [
               "ram:UpdateRole",
               "ram:DeleteRole",
               "ram:AttachPolicyToRole",
               "ram:DetachPolicyFromRole"
           ],
           "Resource": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
       }
   ]
}

Policy 3: You are not allowed to modify or delete the specified RAM users

Document:

{
    "Version": "1",
    "Statement": [{
        "Action": [
            "ram:AttachPolicyToUser",
            "ram:DetachPolicyFromUser",
            "ram:AddUserToGroup",
            "ram:RemoveUserFromGroup",
            "ram:UpdateUser",
            "ram:DeleteUser",
            "ram:CreateLoginProfile",
            "ram:UpdateLoginProfile",
            "ram:DeleteLoginProfile",
            "ram:CreateAccessKey",
            "ram:DeleteAccessKey",
            "ram:UpdateAccessKey",
            "ram:BindMFADevice",
            "ram:UnbindMFADevice",
            "ram:DisableVirtualMFA"
        ],
        "Resource": [
            "acs:ram:*:*:user/Alice"
        ],
        "Effect": "Deny",
        "Condition": {
            "StringNotLike": {
                "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
            }
        }
    }]
}

The preceding policy denies the operations that modify or delete the specified RAM users, including their permissions. For example, if a RAM user named Alice exists, the preceding operations cannot be performed on Alice. To scope the resource to Alice in a specific Alibaba Cloud account, include the account ID in the ARN, for example acs:ram:*:18299873****:user/Alice.

Note In this policy, the condition exempts ResourceDirectoryAccountAccessRole, the default role that is used to access members in a resource directory, so only that role can still perform the preceding operations. If you remove the condition, no RAM user or RAM role can perform these operations. To exempt specific RAM users or RAM roles instead, change the value of acs:PrincipalARN to their ARNs.

Policy 4: You are not allowed to enable logon to the Alibaba Cloud Management Console for an existing RAM user

Document:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateLoginProfile",
                "ram:UpdateLoginProfile"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

The preceding policy denies ram:CreateLoginProfile and ram:UpdateLoginProfile, so console logon cannot be enabled, or its settings changed, for an existing RAM user. Console logon can still be enabled for a RAM user at the time the user is created.

Note In this policy, the condition exempts ResourceDirectoryAccountAccessRole, the default role that is used to access members in a resource directory, so only that role can still perform the preceding operations. If you remove the condition, no RAM user or RAM role can perform these operations. To exempt specific RAM users or RAM roles instead, change the value of acs:PrincipalARN to their ARNs.

Policy 5: You must complete MFA when you use a RAM user or RAM role to delete some resources

Document:

{
  "Statement": [
    {
      "Action": "ecs:DeleteInstance",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "false"
        }
      }
    }
  ],
  "Version": "1"
}

The preceding policy denies ecs:DeleteInstance whenever the request was made without multi-factor authentication (MFA), so a RAM user or RAM role must complete MFA before it can delete Elastic Compute Service (ECS) instances. To require MFA for deleting other resources, replace the value of Action with the delete action of those resources.
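As an added example, the following Python script models how Policy 1 and Policy 5 are evaluated: Action and Resource globs, the StringNotLike exemption for ResourceDirectoryAccountAccessRole, and the Bool check on acs:MFAPresent. It is not part of this topic and not Alibaba Cloud's policy engine. The account ID, principal names, instance ARN, and the assumptions that matching is case-insensitive and that a missing condition key leaves a StringNotLike deny in force are constructed or assumed here, not taken from the page.

```python
import fnmatch
import json

# Added example: a simplified evaluator for the Deny-only control policies on this
# page. It models Action/Resource globs and the StringNotLike and Bool operators.
# It is NOT Alibaba Cloud's policy engine; assumptions are marked below.

# Policy 1 (abridged to four of its actions) and Policy 5, as written on the page.
POLICY_1 = json.loads("""
{
  "Version": "1",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["ram:Attach*", "ram:Detach*", "ram:DeleteUser", "ram:UpdateUser"],
    "Resource": "*",
    "Condition": {"StringNotLike": {
      "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"}}
  }]
}""")

POLICY_5 = json.loads("""
{
  "Version": "1",
  "Statement": [{
    "Effect": "Deny",
    "Action": "ecs:DeleteInstance",
    "Resource": "*",
    "Condition": {"Bool": {"acs:MFAPresent": "false"}}
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # Assumption: '*' is the only wildcard and matching is case-insensitive; the
    # page writes the role name in lowercase inside the ARN, so fold case here.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_holds(condition, context):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            patterns = _as_list(expected)
            if operator == "StringLike":
                if actual is None or not any(_glob(p, actual) for p in patterns):
                    return False
            elif operator == "StringNotLike":
                # Assumption: a missing key counts as "not like", so the Deny
                # stays in force; only a principal matching the pattern is exempt.
                if actual is not None and any(_glob(p, actual) for p in patterns):
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(patterns[0]).lower():
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def matching_deny(policies, action, resource, context):
    """Return the first Deny statement that applies to the request, else None."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Deny":
                continue
            if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if _condition_holds(stmt.get("Condition", {}), context):
                return stmt
    return None


def is_denied(policies, action, resource, context):
    return matching_deny(policies, action, resource, context) is not None


# Constructed identities: the account ID, names and instance ID are placeholders.
ACCOUNT = "1234567890123456"
RD_ROLE = f"acs:ram::{ACCOUNT}:role/resourcedirectoryaccountaccessrole"
BOB = f"acs:ram::{ACCOUNT}:user/bob"
ALICE = f"acs:ram::{ACCOUNT}:user/alice"
INSTANCE = f"acs:ecs:cn-hangzhou:{ACCOUNT}:instance/i-constructed"

if __name__ == "__main__":
    requests = [
        ("Policy 1: bob attaches a policy to alice", [POLICY_1],
         "ram:AttachPolicyToUser", ALICE, {"acs:PrincipalARN": BOB}),
        ("Policy 1: RD role attaches a policy to alice", [POLICY_1],
         "ram:AttachPolicyToUser", ALICE, {"acs:PrincipalARN": RD_ROLE}),
        ("Policy 1: bob creates a user (action not listed)", [POLICY_1],
         "ram:CreateUser", "*", {"acs:PrincipalARN": BOB}),
        ("Policy 5: delete instance without MFA", [POLICY_5],
         "ecs:DeleteInstance", INSTANCE, {"acs:MFAPresent": "false"}),
        ("Policy 5: delete instance with MFA", [POLICY_5],
         "ecs:DeleteInstance", INSTANCE, {"acs:MFAPresent": "true"}),
    ]
    for label, pols, action, resource, ctx in requests:
        verdict = "DENIED" if is_denied(pols, action, resource, ctx) else "not denied"
        print(f"{label}: {verdict}")
```

The script shows why the exemption works: the acs:PrincipalARN of the RD role matches the StringNotLike pattern, so the condition fails and the Deny does not apply, while any other principal leaves the condition satisfied. Because the evaluator accepts a list under a condition key, you can also exercise the variant described in the notes, where several ARNs are exempted instead of one.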

Policy 6: You are not allowed to modify user-based SSO settings

Document:

{
    "Statement": [
        {
            "Action": [
                "ram:SetSamlSsoSettings"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

Note In this policy, the condition exempts ResourceDirectoryAccountAccessRole, the default role that is used to access members in a resource directory, so only that role can still perform the preceding operations. If you remove the condition, no RAM user or RAM role can perform these operations. To exempt specific RAM users or RAM roles instead, change the value of acs:PrincipalARN to their ARNs.

Policy 7: You are not allowed to modify role-based SSO settings

Document:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateSAMLProvider",
                "ram:DeleteSAMLProvider",
                "ram:UpdateSAMLProvider"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

Note In this policy, the condition exempts ResourceDirectoryAccountAccessRole, the default role that is used to access members in a resource directory, so only that role can still perform the preceding operations. If you remove the condition, no RAM user or RAM role can perform these operations. To exempt specific RAM users or RAM roles instead, change the value of acs:PrincipalARN to their ARNs.

Policy 8: You are not allowed to disable the Delivery feature of ActionTrail or change the destination to which ActionTrail delivers events

Document:

{
    "Statement": [
        {
            "Action": [
                "actiontrail:UpdateTrail",
                "actiontrail:DeleteTrail",
                "actiontrail:StopLogging"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

Note In this policy, the condition exempts ResourceDirectoryAccountAccessRole, the default role that is used to access members in a resource directory, so only that role can still perform the preceding operations. If you remove the condition, no RAM user or RAM role can perform these operations. To exempt specific RAM users or RAM roles instead, change the value of acs:PrincipalARN to their ARNs.

Policy 9: You are not allowed to access some network services

Document:

{
    "Statement": [
        {
            "Action": [
                "vpc:*HaVip*",
                "vpc:*RouteTable*",
                "vpc:*VRouter*",
                "vpc:*RouteEntry*",
                "vpc:*VSwitch*",
                "vpc:*Vpc*",
                "vpc:*Cen*",
                "vpc:*NetworkAcl*"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        },
        {
            "Action": [
                "vpc:*VpnGateway*",
                "vpc:*VpnConnection*",
                "vpc:*CustomerGateway*",
                "vpc:*SslVpnServer*",
                "vpc:*SslVpnClientCert*",
                "vpc:*VpnRoute*",
                "vpc:*VpnPbrRoute*"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

The preceding policy denies all Virtual Private Cloud (VPC) and VPN Gateway operations that match the listed wildcards, including the query operations. To deny access to other network services, change the value of Action to the actions of those services.

Note In this policy, the condition exempts ResourceDirectoryAccountAccessRole, the default role that is used to access members in a resource directory, so only that role can still perform the preceding operations. If you remove the condition, no RAM user or RAM role can perform these operations. To exempt specific RAM users or RAM roles instead, change the value of acs:PrincipalARN to their ARNs.

Policy 10: You are not allowed to create network resources (EIPs and NAT gateways) that can be used to access the Internet

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:AllocateEipAddress",
                "vpc:AllocateEipAddressPro",
                "vpc:AllocateEipSegmentAddress",
                "vpc:CreateNatGateway"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ]
}

Note In this policy, the condition exempts ResourceDirectoryAccountAccessRole, the default role that is used to access members in a resource directory, so only that role can still perform the preceding operations. If you remove the condition, no RAM user or RAM role can perform these operations. To exempt specific RAM users or RAM roles instead, change the value of acs:PrincipalARN to their ARNs.

Policy 11: You are not allowed to access network services that are connected to on-premises resources

Document:

{
    "Statement": [
       {
            "Action": [
                "vpc:*PhysicalConnection*",
                "vpc:*VirtualBorderRouter*",
                "cen:*",
                "vpc:*VpnGateway*",
                "vpc:*VpnConnection*",
                "vpc:*CustomerGateway*",
                "vpc:*SslVpnServer*",
                "vpc:*SslVpnClientCert*",
                "vpc:*VpnRoute*",
                "vpc:*VpnPbrRoute*",
                "smartag:*"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ],
    "Version": "1"
}

The preceding policy denies access to the network services that connect to on-premises resources: Express Connect (physical connections and virtual border routers), Cloud Enterprise Network, VPN Gateway, and Smart Access Gateway. Unlike the preceding policies, this policy has no acs:PrincipalARN condition, so it also applies to ResourceDirectoryAccountAccessRole.

Policy 12: You are not allowed to use some features provided by Billing Management

Document:

{
    "Statement": [
       {
            "Action": [
                "bss:DescribeOrderList",
                "bss:DescribeOrderDetail",
                "bss:PayOrder",
                "bss:CancelOrder"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

The preceding policy denies the Orders feature of Billing Management: viewing, paying, and canceling orders. To prohibit other features, change the value of Action to the actions of those features.

Note In this policy, the condition exempts ResourceDirectoryAccountAccessRole, the default role that is used to access members in a resource directory, so only that role can still perform the preceding operations. If you remove the condition, no RAM user or RAM role can perform these operations. To exempt specific RAM users or RAM roles instead, change the value of acs:PrincipalARN to their ARNs.

Policy 13: You are not allowed to modify the settings of CloudMonitor

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cms:Put*",
                "cms:Update*",
                "cms:Create*",
                "cms:Modify*",
                "cms:Disable*",
                "cms:Enable*",
                "cms:Delete*",
                "cms:Send*",
                "cms:Subscribe*",
                "cms:Unsubscribe*",
                "cms:Remove*",
                "cms:CreateAction",
                "cms:Pause*",
                "cms:Stop*",
                "cms:Start*",
                "cms:BatchCreate*",
                "cms:ProfileSet",
                "cms:ApplyMonitoringTemplate"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ]
}

Note In this policy, the condition exempts ResourceDirectoryAccountAccessRole, the default role that is used to access members in a resource directory, so only that role can still perform the preceding operations. If you remove the condition, no RAM user or RAM role can perform these operations. To exempt specific RAM users or RAM roles instead, change the value of acs:PrincipalARN to their ARNs.

Policy 14: You are not allowed to purchase reserved instances

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:PurchaseReservedInstancesOffering"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Policy 15: You are not allowed to create ECS instances in an unspecified VPC

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateInstance",
                "ecs:RunInstances"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "vpc:VPC": "acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc****"
                }
            }
        }
    ]
}

In the preceding policy, acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc**** is the ARN of the only VPC in which ECS instances may be created: ecs:CreateInstance and ecs:RunInstances are denied whenever the vpc:VPC value of the request does not match this ARN. Replace the ARN with the VPC that your business requires.

Policy 16: You are not allowed to purchase domain names

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "domain:CreateOrderActivate"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Policy 17: You are not allowed to access the Support and Services console

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "support:*",
                "workorder:*"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Policy 18: You are not allowed to access ECS in a specific region

Document:

{
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": [
            "ecs:*"
        ],
        "Resource": "acs:ecs:us-east-1:*:*"
    }]
}

The preceding policy denies all ECS operations on resources in the US (Virginia) region, us-east-1. To restrict a different region, change the region segment of the Resource ARN.