If system policies do not meet your business requirements, you can create custom policies based on the principle of least privilege. Custom policies help you manage permissions in a fine-grained manner and improve resource access security. This topic describes the use scenarios of custom policies for Tag and provides examples on how to use the custom policies.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, before you can delete the RAM policy you must detach the RAM policy from the principal.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Use scenarios and examples
Scenario | Example |
Tag-based authentication for Elastic Compute Service (ECS) | |
Tag-based authentication for Elastic Container Instance (ECI) | |
Tag-based authentication for Auto Scaling | |
Tag-based authentication for Server Migration Center (SMC) | |
Tag-based authentication for ApsaraDB RDS | |
Tag-based authentication for WUYING Workspace | Implement fine-grained access control on cloud computers by using tags |
Tag-based authentication for Container Service for Kubernetes (ACK) |
Authorization information
To use custom policies, make sure that you understand the access control requirements of your business and the authorization information about Tag. For more information, see Authorization information.