If you want to control what the O&M engineers of Security Center can access, you can create custom policies in the Resource Access Management (RAM) console and attach the policies to the RAM users of the O&M engineers. For example, you can limit the engineers to the vulnerability detection, vulnerability fixing, and baseline check features of Security Center. This provides fine-grained access control. This topic describes how to create custom policies for the O&M engineers of Security Center.

Background information

RAM provides two types of policies for cloud services: system policies and custom policies. To implement fine-grained access control on Security Center, use custom policies. This topic describes how to create custom policies only for the O&M engineers. You can follow this topic to limit the engineers to the vulnerability detection, vulnerability fixing, and baseline check features of Security Center, and to operations on the Assets page. If you require fine-grained access control for other personnel, you can create custom policies in the same way. For more information, see Create a custom policy and attach the policy to a RAM user.

Prerequisites

RAM users are created for the O&M engineers. For more information, see Create a RAM user.

Step 1: Create custom policies for the O&M engineers

  1. Log on to the RAM console (https://ram.console.aliyun.com/) by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
    Enter the following code in the code editor:
    {
        "Version": "1",
        "Statement": [{
                "Action": [
                    "yundun-aegis:OperateVul",
                    "yundun-aegis:ModifyStartVulScan"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "yundun-aegis:FixCheckWarnings",
                    "yundun-aegis:IgnoreHcCheckWarnings",
                    "yundun-aegis:ValidateHcWarnings"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ecs:RebootInstance",
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "acs:MFAPresent": "true"
                    }
                }
            },
            {
                "Action": "ecs:*",
                "Effect": "Allow",
                "Resource": [
                    "acs:ecs:*:*:*"
                ]
            },
            {
                "Action": "ecs:CreateSnapshot",
                "Effect": "Allow",
                "Resource": [
                    "acs:ecs:*:*:*",
                    "acs:ecs:*:*:snapshot/*"
                ]
            },
            {
                "Action": [
                    "ecs:Describe*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "yundun-sas:ModifyPushAllTask",
                    "yundun-sas:DeleteTagWithUuid",
                    "yundun-sas:ModifyTagWithUuid",
                    "yundun-sas:CreateOrUpdateAssetGroup",
                    "yundun-sas:DeleteGroup",
                    "yundun-sas:ModifyAssetImportant",
                    "yundun-sas:RefreshAssets"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
    Note The preceding policy allows a RAM user to use the vulnerability detection, vulnerability fixing, and baseline check features, and to perform operations on the Assets page. After you create the policy and attach it to a RAM user, the RAM user can perform the operations that the policy allows. For more information about the operations that the policy allows, see Action parameter in a policy.
  5. Click Next: Edit Basic Information. On the page that appears, configure the Name and Note parameters for the policy.
  6. Click OK.
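Before you attach a policy, it helps to check what each statement actually grants. The following Python script is an added example, not part of the Alibaba Cloud documentation: it evaluates a constructed excerpt of the preceding policy against sample requests using the RAM evaluation rules (default deny, an explicit Deny wins, an Allow applies only when every Condition holds), and reports which statements grant a request. The instance resource string and the MFA context value are constructed sample inputs.

```python
import json
import re

# Constructed excerpt of the page's policy: the ECS statements and one Security Center statement.
POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": "ecs:RebootInstance", "Effect": "Allow", "Resource": "*",
     "Condition": {"Bool": {"acs:MFAPresent": "true"}}},
    {"Action": "ecs:*", "Effect": "Allow", "Resource": ["acs:ecs:*:*:*"]},
    {"Action": ["ecs:Describe*"], "Effect": "Allow", "Resource": "*"},
    {"Action": ["yundun-aegis:OperateVul", "yundun-aegis:ModifyStartVulScan"],
     "Resource": "*", "Effect": "Allow"}
  ]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(patterns, value):
    # '*' is the only wildcard; matching is case-insensitive (assumed for resources too).
    for p in _as_list(patterns):
        rx = ".*".join(re.escape(part) for part in p.split("*"))
        if re.fullmatch(rx, value, re.IGNORECASE):
            return True
    return False

def _conditions_hold(cond, ctx):
    # Only the Bool operator appears in this policy; any other operator fails closed.
    for op, keys in cond.items():
        if op != "Bool":
            return False
        for key, want in keys.items():
            if str(ctx.get(key, "false")).lower() != str(want).lower():
                return False
    return True

def granting_statements(policy, action, resource, ctx=None):
    """Indexes of Allow statements that match the request with all conditions satisfied."""
    ctx = ctx or {}
    return [i for i, st in enumerate(policy["Statement"])
            if st["Effect"] == "Allow"
            and _match(st["Action"], action) and _match(st["Resource"], resource)
            and _conditions_hold(st.get("Condition", {}), ctx)]

def is_allowed(policy, action, resource, ctx=None):
    # Default deny. An explicit Deny would override, but this policy contains none.
    return bool(granting_statements(policy, action, resource, ctx))
```

Running it shows that the ecs:* statement on acs:ecs:*:*:* already grants ecs:RebootInstance on any ECS instance without MFA, so the MFA condition in the first statement does not restrict that action; narrow the ecs:* statement if that is not intended.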

Step 2: Grant permissions to the RAM users of the O&M engineers

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Grants.
  3. In the Principal column, select the RAM user to which you want to attach the policy.
    By default, a newly created RAM user does not have any permissions.
  4. In the Select Policy section, select the permissions that you want to grant to the RAM user.
    You must perform the following operations to select the permissions:
    1. Click the System Policy tab, enter AliyunYundunSASReadOnlyAccess in the search box, and then click the search result.
      This system policy grants the RAM user the read-only permissions on Security Center.
    2. Click the Custom Policy tab and select the custom policy that you created in Step 1.
      The custom policy grants the RAM user permissions such as performing operations on the Assets page and using the vulnerability detection, vulnerability fixing, and baseline check features of Security Center. This way, the RAM user can perform operations such as running security checks on servers, scanning servers for vulnerabilities with a few clicks, and fixing vulnerabilities.
  5. Click OK.

Action parameter in a policy

The following list groups the actions in the policy by feature and describes each action.

Vulnerability fixing
  yundun-aegis:OperateVul: Handle vulnerabilities. For example, you can ignore or fix vulnerabilities. You can also verify whether vulnerabilities are fixed.
  yundun-aegis:ModifyStartVulScan: Scan for vulnerabilities with a few clicks.
  ecs:RebootInstance: Restart a server after the vulnerabilities on the server are fixed.
  ecs:CreateSnapshot: Create snapshots before vulnerability fixing.

Baseline check
  yundun-aegis:FixCheckWarnings: Fix baseline risks.
  yundun-aegis:IgnoreHcCheckWarnings: Ignore or cancel ignoring baseline risks.
  yundun-aegis:ValidateHcWarnings: Verify whether baseline risks are fixed.

Assets
  yundun-sas:ModifyPushAllTask: Perform security checks on servers.
  yundun-sas:DeleteTagWithUuid: Delete a custom tag.
  yundun-sas:ModifyTagWithUuid: Modify the relationship between a tag and an asset.
  yundun-sas:CreateOrUpdateAssetGroup: Modify the relationship between a server and a server group.
  yundun-sas:DeleteGroup: Delete one or more asset groups.
  yundun-sas:ModifyAssetImportant: Modify asset importance tags.
  yundun-sas:RefreshAssets: Update the information about all assets.

References

Create a custom policy and attach the policy to a RAM user

Use RAM to manage permissions of O&M engineers

Policy elements

Policy structure and syntax