If you want to implement fine-grained access control for the features of Security Center on Resource Access Management (RAM) users, you can attach system policies or custom policies to the RAM users. This topic describes how to attach system policies and custom policies to RAM users to implement fine-grained access control.

Background information

RAM provides the following types of policies for cloud services: system policies and custom policies. System policies are created by Alibaba Cloud. You cannot modify system policies. To implement fine-grained access control on Security Center, you can use custom policies.

Note Alibaba Cloud provides the AliyunYundunSASFullAccess and AliyunYundunSASReadOnlyAccess system policies that grant permissions on Security Center. If you attach the AliyunYundunSASFullAccess policy to a RAM user, the RAM user is granted full permissions on Security Center. If you attach the AliyunYundunSASReadOnlyAccess policy to a RAM user, the RAM user is granted read-only permissions on Security Center.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Attach system policies to the RAM user

Alibaba Cloud provides system policies that are related to Billing Management. To grant the RAM user the permissions that are required to purchase, renew, and unsubscribe from Security Center, perform the following steps to attach the system policies that are related to Billing Management to the RAM user.
Important The system policies that are related to Billing Management take effect on all cloud services. If you attach the system policies that are related to Billing Management to a RAM user, the RAM user can purchase, renew, and unsubscribe from the resources of all cloud services.
  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the system policies, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. The system automatically sets the Principal parameter to the current RAM user. You do not need to manually specify the Principal parameter.
    3. Select the AliyunBSSOrderAccess and AliyunBSSRefundAccess system policies in the Select Policy section.
  5. Click OK.
  6. Click Complete.

Attach a custom policy to the RAM user

To implement fine-grained access control on Security Center, you can perform the following steps to attach a custom policy to the RAM user:

Step 1: Create a custom policy that grants permissions on Security Center

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
    Configure a policy based on your business requirements.
    Note The following policy documents together allow a RAM user to use the vulnerability scan, vulnerability fixing, and baseline check features, and to perform operations in the Assets module. After you attach a policy to the RAM user, the RAM user can perform the operations allowed by that policy. For more information about the operations that are allowed by the policies, see Operations that are supported by custom policies.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "yundun-sas:DescribeCloudCenterInstances",
                    "yundun-sas:DescribeFieldStatistics",
                    "yundun-sas:DescribeCriteria"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "yundun-sas:ModifyPushAllTask",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "yundun-aegis:DescribeVulList",
                    "yundun-sas:DescribeVulWhitelist"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "yundun-aegis:OperateVul",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "yundun-aegis:OperateVul",
                    "yundun-aegis:ModifyStartVulScan"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "yundun-aegis:FixCheckWarnings",
                    "yundun-aegis:IgnoreHcCheckWarnings",
                    "yundun-aegis:ValidateHcWarnings"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ecs:RebootInstance",
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "acs:MFAPresent": "true"
                    }
                }
            },
            {
                "Action": "ecs:*",
                "Effect": "Allow",
                "Resource": [
                    "acs:ecs:*:*:*"
                ]
            },
            {
                "Action": "ecs:CreateSnapshot",
                "Effect": "Allow",
                "Resource": [
                    "acs:ecs:*:*:*",
                    "acs:ecs:*:*:snapshot/*"
                ]
            },
            {
                "Action": [
                    "ecs:Describe*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "yundun-sas:ModifyPushAllTask",
                    "yundun-sas:DeleteTagWithUuid",
                    "yundun-sas:ModifyTagWithUuid",
                    "yundun-sas:CreateOrUpdateAssetGroup",
                    "yundun-sas:DeleteGroup",
                    "yundun-sas:ModifyAssetImportant",
                    "yundun-sas:RefreshAssets"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  5. Click Next to edit policy information. On the page that appears, configure the Name and Description parameters for the policy.
  6. Click OK.
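A RAM custom policy is a single JSON document, so the separate policy documents shown above have to be folded into one Statement array before they can be pasted into the JSON tab. The following script is an added example, not code from this topic or from Alibaba Cloud: it merges policy documents and then audits the result for two least-privilege problems visible in the sample above, a write-capable wildcard action such as "ecs:*", and a conditional Allow (the MFA-gated "ecs:RebootInstance") that a broader unconditional Allow makes ineffective, since RAM allows a request as soon as any Allow statement matches it. The two sample policies are constructed from statements in this topic.

```python
import fnmatch
import json

# Constructed sample input: two of the policy documents shown in this topic,
# reduced to the statements that matter for the audit.
VULN_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Action": ["yundun-aegis:DescribeVulList", "yundun-sas:DescribeVulWhitelist"],
   "Resource": "*", "Effect": "Allow"}]}""")
ECS_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Action": "ecs:RebootInstance", "Effect": "Allow", "Resource": "*",
   "Condition": {"Bool": {"acs:MFAPresent": "true"}}},
  {"Action": "ecs:*", "Effect": "Allow", "Resource": ["acs:ecs:*:*:*"]}]}""")

def _as_list(value):
    # RAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def merge_policies(*docs):
    """Fold several RAM policy documents into one custom policy document
    (one JSON object with a single Statement array)."""
    statements = []
    for doc in docs:
        if doc.get("Version") != "1":
            raise ValueError('RAM custom policies use "Version": "1"')
        statements.extend(doc["Statement"])
    return {"Version": "1", "Statement": statements}

def audit_policy(doc):
    """Return least-privilege findings: wildcard write actions, and conditional
    Allows (for example MFA-gated ones) that a broader unconditional Allow in the
    same policy bypasses, because any matching Allow statement is sufficient."""
    findings = []
    allows = [s for s in doc["Statement"] if s.get("Effect") == "Allow"]
    unconditional = [a for s in allows if "Condition" not in s
                     for a in _as_list(s["Action"])]
    for stmt in allows:
        for action in _as_list(stmt["Action"]):
            # "Describe*" is read-only; any other trailing wildcard grants writes too.
            if action.endswith("*") and not action.endswith("Describe*"):
                findings.append(f"wildcard action {action!r} grants every operation it matches")
            if "Condition" in stmt:
                for broad in unconditional:
                    if fnmatch.fnmatchcase(action, broad):
                        findings.append(f"condition on {action!r} is ineffective: "
                                        f"unconditional {broad!r} also allows it")
    return findings
```

Running audit_policy(merge_policies(VULN_POLICY, ECS_POLICY)) reports both the bypassed MFA condition and the "ecs:*" wildcard, while the vulnerability policy alone produces no findings.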

Step 2: Attach the custom policy to the RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Grants.
  3. On the Grants page, click Grant Permission.
  4. In the Grant Permission panel, grant permissions to the RAM user.
    By default, a newly created RAM user does not have any permissions.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which permissions are to be granted.
    3. Click the System Policy tab, enter AliyunYundunSASReadOnlyAccess in the search box, and then click the search result.
      This system policy grants the RAM user read-only permissions on Security Center.
    4. Click the Custom Policy tab and click the custom policy that you created in Step 1: Create a custom policy that grants permissions on Security Center.
  5. Click OK.

Operations that are supported by custom policies

The following tables describe the operations supported by custom policies that grant permissions on Security Center.
Note In most cases, each action supported by a custom policy corresponds to one API operation of a cloud service.

Assets

| Action in a policy | Description | Operation |
| --- | --- | --- |
| yundun-sas:DescribeCloudCenterInstances | Queries asset information. The information includes asset types, alerts, and the status of the Security Center agent. | DescribeCloudCenterInstances |
| yundun-sas:DescribeFieldStatistics | Queries the statistics of servers. | DescribeFieldStatistics |
| yundun-sas:DescribeCriteria | Queries the search conditions that are available when you query an asset. You can specify a keyword for fuzzy search. | DescribeCriteria |
| yundun-sas:ModifyPushAllTask | Performs security checks on servers. | ModifyPushAllTask |
| yundun-sas:DeleteGroup | Deletes a server group. | DeleteGroup |
| yundun-sas:DescribeSearchCondition | Queries the filter conditions that are used to search for specific assets. | DescribeSearchCondition |
| yundun-sas:DescribeImageStatistics | Queries the risk statistics of container images. | DescribeImageStatistics |
| yundun-sas:DescribeGroupedTags | Queries the statistics of asset tags. | DescribeGroupedTags |
| yundun-sas:DescribeDomainCount | Queries the number of domain assets. | DescribeDomainCount |
| yundun-sas:DescribeCloudProductFieldStatistics | Queries the statistics of cloud services. | DescribeCloudProductFieldStatistics |
| yundun-sas:DescribeAllGroups | Queries grouping information about all servers. | DescribeAllGroups |
| yundun-sas:CreateOrUpdateAssetGroup | Creates a server group, adds servers to a server group, or removes servers from a server group. | CreateOrUpdateAssetGroup |
| yundun-sas:DescribeInstanceStatistics | Queries the risk statistics of an asset. | DescribeInstanceStatistics |
| yundun-sas:PauseClient | Enables or disables the Security Center agent. | PauseClient |
| yundun-sas:ModifyTagWithUuid | Changes the names of the tags that are added to assets, or modifies the tags of assets. | ModifyTagWithUuid |
| yundun-sas:RefreshAssets | Updates the information about all assets. | RefreshAssets |
| yundun-sas:ExportRecord | Exports the check results of the Assets module, and the check results on the Cloud Platform Configuration Assessment, Image Security, Attack Awareness, and AK leak detection pages, to Excel files. | ExportRecord |
| yundun-sas:DescribeExportInfo | Queries the progress of the task that exports the list of assets. | DescribeExportInfo |
| yundun-sas:DescribeDomainList | Queries domain assets. | DescribeDomainList |
| yundun-sas:DescribeDomainDetail | Queries the details of a domain asset. | DescribeDomainDetail |
| yundun-aegis:DescribeAssetDetailByUuid | Queries the details of a server by using the UUID of the server. | DescribeAssetDetailByUuid |

Vulnerability fixing

| Action in a policy | Description | Operation |
| --- | --- | --- |
| yundun-sas:DescribeVulWhitelist | Queries the whitelist of vulnerabilities by page. | DescribeVulWhitelist |
| yundun-sas:ModifyOperateVul | Handles detected vulnerabilities. You can fix or ignore vulnerabilities. You can also verify the vulnerability fixes. | ModifyOperateVul |
| yundun-sas:ModifyVulTargetConfig | Configures vulnerability scan for a server. | ModifyVulTargetConfig |
| yundun-aegis:DescribeConcernNecessity | Queries the priorities based on which vulnerabilities are fixed. | DescribeConcernNecessity |
| yundun-aegis:DescribeVulList | Queries vulnerabilities by type. | DescribeVulList |
| yundun-aegis:ModifyOperateVul | Handles detected vulnerabilities. You can fix or ignore vulnerabilities. You can also verify the vulnerability fixes. | ModifyOperateVul |
| yundun-aegis:DescribeImageVulList | Queries the details of vulnerabilities that are detected by container image scan and the information about the affected images. | DescribeImageVulList |
| yundun-aegis:ExportVul | Exports the list of vulnerabilities. | ExportVul |
| yundun-aegis:DescribeVulExportInfo | Queries the progress of the task that exports the list of vulnerabilities. | DescribeVulExportInfo |

Baseline check

| Action in a policy | Description | Operation |
| --- | --- | --- |
| yundun-aegis:FixCheckWarnings | Fixes a baseline risk item. | FixCheckWarnings |
| yundun-aegis:IgnoreHcCheckWarnings | Ignores baseline risks, or cancels ignoring them. | IgnoreHcCheckWarnings |
| yundun-aegis:ValidateHcWarnings | Verifies whether baseline risk items are fixed. | ValidateHcWarnings |

References

Policy elements

Policy structure and syntax

Use RAM to manage permissions of O&M engineers

Use RAM to limit the IP addresses that are allowed to access Alibaba Cloud resources

Use RAM to limit the period of time in which users are allowed to access Alibaba Cloud resources