
Resource Management:Examples of using an access control policy to limit resource sharing

Last Updated:Dec 17, 2024

This topic provides examples of how to use an access control policy to limit resource sharing.

Background information

To use an access control policy to limit resource sharing, perform the following steps:

  1. Enable the Control Policy feature.

  2. Create a custom access control policy.

  3. Attach the custom access control policy.

Policy examples

Policy used to prohibit resource sharing outside a resource directory

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "resourcesharing:CreateResourceShare",
                "resourcesharing:UpdateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "resourcesharing:RequestedAllowExternalTargets": "true"
                }
            }
        }
    ]
}

The preceding policy prohibits the creation of resource shares through which resources are shared to accounts outside the current resource directory.

Policy used to prohibit resource sharing with unexpected accounts

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "resourcesharing:AssociateResourceShare",
                "resourcesharing:CreateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "resourcesharing:Target": [
                        "rd-3G****/r-Wm****/*",
                        "rd-3G****/r-Wm****",
                        "192796193830****"
                    ]
                }
            }
        }
    ]
}

The preceding policy allows resource sharing only with the account 192796193830**** and all members in the folder rd-3G****/r-Wm****. You can change the value of the resourcesharing:Target parameter based on your business requirements.

Policy used to prohibit the acceptance of resource sharing invitations from accounts outside a resource directory

Document:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "resourcesharing:AcceptResourceShareInvitation",
            "Resource": "*"
        }
    ]
}

The preceding policy prohibits the acceptance of resource sharing invitations from accounts outside the current resource directory. If principals and resource owners belong to the same resource directory, no resource sharing invitations are initiated. Therefore, this policy does not affect resource sharing within the same resource directory.

Policy used to allow sharing of resources of only specific types

Document:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "resourcesharing:CreateResourceShare",
        "resourcesharing:AssociateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "resourcesharing:RequestedResourceType": ["VSwitch","Image","Snapshot"]
        }
      }
    }
  ]
}

The preceding policy allows sharing of only vSwitches, images, and snapshots. For information about resource type codes, see the Resource type column in Services that work with Resource Sharing.

Policy used to allow sharing of only specific resources

Document:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "resourcesharing:CreateResourceShare",
        "resourcesharing:AssociateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "resourcesharing:ResourceArn": [
            "acs:vpc:cn-shanghai:131993166204****:vswitch/vsw-7xv4sfwo86u2etl64****",
            "acs:ecs:cn-shanghai:131993166204****:snapshot/s-7xviog7aq4tenbqj****"
          ]
        }
      }
    }
  ]
}

The preceding policy allows sharing of only the vSwitch vsw-7xv4sfwo86u2etl64**** and the snapshot s-7xviog7aq4tenbqj**** within the Alibaba Cloud account 131993166204****. For information about the Alibaba Cloud Resource Names (ARNs) of resources, see the Resource ARN column in Services that work with Resource Sharing.
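To check which sharing requests a Deny policy of this shape actually blocks before attaching it, the following added example (not Alibaba Cloud's evaluation engine, and not code from this page) walks a request context through the condition operators used above. The policy, account and folder IDs are constructed placeholders; the treatment of a condition key that is absent from the request is an assumption.

```python
import fnmatch

# Constructed sample control policy (placeholder IDs, not the page's masked values).
# Statement 1 mirrors "prohibit sharing with unexpected accounts"; statement 2
# mirrors "allow sharing of resources of only specific types".
POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["resourcesharing:AssociateResourceShare",
                       "resourcesharing:CreateResourceShare"],
            "Resource": "*",
            "Condition": {"StringNotLike": {"resourcesharing:Target": [
                "rd-EXAMPLE/r-EXAMPLE/*", "rd-EXAMPLE/r-EXAMPLE", "100000000000EXAMPLE"]}},
        },
        {
            "Effect": "Deny",
            "Action": ["resourcesharing:CreateResourceShare",
                       "resourcesharing:AssociateResourceShare"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {
                "resourcesharing:RequestedResourceType": ["VSwitch", "Image", "Snapshot"]}},
        },
    ],
}


def _op_holds(op, actual, allowed):
    """Operators used on this page. `*` in a Like pattern is a wildcard (assumption)."""
    like = any(fnmatch.fnmatchcase(actual, p) for p in allowed)
    return {"Bool": str(actual).lower() == str(allowed[0]).lower(),
            "StringEquals": actual in allowed, "StringNotEquals": actual not in allowed,
            "StringLike": like, "StringNotLike": not like}[op]


def is_denied(policy, action, ctx):
    """True if a Deny statement names the action and every condition key holds.
    A key missing from the request context is treated as no match (assumption);
    a statement without a Condition block denies unconditionally."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or not any(fnmatch.fnmatchcase(action, a) for a in acts):
            continue
        cond = stmt.get("Condition", {})
        if all(k in ctx and _op_holds(op, ctx[k], v if isinstance(v, list) else [v])
               for op, keys in cond.items() for k, v in keys.items()):
            return True
    return False
```

Feed it the context keys a request would carry (resourcesharing:Target, resourcesharing:RequestedResourceType) to confirm that in-scope targets and permitted types pass while everything else is denied.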