You can grant system or custom policies to a Resource Access Management (RAM) user for fine-grained control over their permissions to use Security Center features. This topic describes how to grant these policies to a RAM user.
Background information
Alibaba Cloud Resource Access Management (RAM) provides default system policies for cloud services and lets you create custom policies. System policies are created by Alibaba Cloud and cannot be modified. You can use custom policies to precisely restrict a RAM user's access to and operations in Security Center.
The default policies supported by Security Center are AliyunYundunSASFullAccess, which allows RAM users to perform operations on all features of Security Center, and AliyunYundunSASReadOnlyAccess, which allows RAM users to have read-only access to all data in Security Center.
Create a RAM user
Create a RAM user before you grant permissions. For more information, see Create a RAM user.
Grant a system policy to a RAM user
Alibaba Cloud provides system policies for User Center and for accessing or managing Security Center. If a RAM user receives a "No Permission" message when purchasing, renewing, or unsubscribing from Security Center instances, or a "You Do Not Have The Required Permissions. Check Your Permissions." message when accessing Security Center, grant the required system policies to the RAM user by following these steps.
The system policies for User Center are not scoped to Security Center: they apply to all Alibaba Cloud services. After you grant them to a RAM user, the user can purchase, renew, and unsubscribe from any Alibaba Cloud service, so grant them only to RAM users who are expected to manage billing.
Log on to the RAM console as a RAM administrator.
In the navigation pane on the left, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Add Permissions panel, grant permissions to the RAM user.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
Resource Group: The authorization takes effect on a specific resource group.
Important: If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to which you want to grant permissions. The RAM user that you selected on the Users page is filled in automatically.
Select a system policy based on your scenario and click OK.
| Scenario | System policy |
| --- | --- |
| Purchase, renew, or unsubscribe from Security Center instances | AliyunBSSOrderAccess, AliyunBSSRefundAccess |
| Read-only access to Security Center | AliyunYundunSASReadOnlyAccess |
| Manage Security Center | AliyunYundunSASFullAccess |
Click Close.
Grant a custom policy to a RAM user
Follow these steps to use custom policies to precisely restrict a RAM user's access to and operations in Security Center.
Step 1: Create a custom policy for Security Center
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.

On the Create Policy page, click the Script tab. The following list provides common script examples:
Renewals and refunds

This script allows the RAM user to:
- Query available instances for auto-renewal (bssapi:QueryAvailableInstances) and configure auto-renewal (bssapi:SetRenewal)
- Modify auto-renewal settings (bss:ModifyPrepaidInstanceAutoRenew)
- Pay for renewal and upgrade/downgrade orders (bss:PayOrder)
- Display discounted prices (bss:QueryPrice)
- Request a refund (bss:RefundBatchRemainRefund)

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "bssapi:QueryAvailableInstances",
        "bssapi:SetRenewal",
        "bss:ModifyPrepaidInstanceAutoRenew",
        "bss:PayOrder",
        "bss:QueryPrice",
        "bss:RefundBatchRemainRefund"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

Read-only access to Asset Center

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "yundun-sas:DescribeCloudCenterInstances",
        "yundun-sas:DescribeFieldStatistics",
        "yundun-sas:DescribeCriteria"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

Security checks in Asset Center

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "yundun-sas:ModifyPushAllTask",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

Read-only access to vulnerability management

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "yundun-sas:DescribeVulFixStatistics",
        "yundun-sas:DescribeVulDefendCountStatistics",
        "yundun-sas:DescribeVulMetaCountStatistics",
        "yundun-sas:DescribeVulListPage",
        "yundun-sas:DescribeVulNumStatistics",
        "yundun-sas:DescribeVulConfig",
        "yundun-sas:DescribeGroupedVul",
        "yundun-sas:DescribeVulDetails",
        "yundun-sas:DescribeVulList",
        "yundun-sas:DescribeVulWhitelist",
        "yundun-sas:DescribeAppVulScanCycle",
        "yundun-sas:ListVulAutoRepairConfig",
        "yundun-sas:DescribeEmgUserAgreement",
        "yundun-sas:DescribeEmgVulItem",
        "yundun-sas:DescribeUuidsByVulNames",
        "yundun-sas:DescribeTarget",
        "yundun-sas:DescribeVulTargetStatistics",
        "yundun-sas:DescribeConcernNecessity",
        "yundun-sas:DescribeOnceTask",
        "yundun-sas:GetOnceTaskResultInfo",
        "yundun-sas:DescribeCycleTaskList",
        "yundun-sas:DescribeVulExportInfo",
        "yundun-sas:DescribeInstanceRebootStatus",
        "yundun-sas:DescribeMachineCanReboot"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

Vulnerability management

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "yundun-sas:OperateVuls",
        "yundun-sas:ModifyCreateVulWhitelist",
        "yundun-sas:DeleteVulWhitelist",
        "yundun-sas:ModifyVulWhitelistTarget",
        "yundun-sas:ModifyOperateVul",
        "yundun-sas:ModifyStartVulScan",
        "yundun-sas:ModifyVulConfig",
        "yundun-sas:ModifyEmgVulSubmit",
        "yundun-sas:ModifyVulTarget",
        "yundun-sas:ModifyCycleTask",
        "yundun-sas:ModifyAppVulScanCycle",
        "yundun-sas:ModifyAutoDelConfig",
        "yundun-sas:ModifyConcernNecessity",
        "yundun-sas:DeleteVulAutoRepairConfig",
        "yundun-sas:CreateVulAutoRepairConfig",
        "yundun-sas:ExportVul",
        "yundun-sas:RebootMachine",
        "yundun-sas:DescribeVulFixStatistics",
        "yundun-sas:DescribeVulDefendCountStatistics",
        "yundun-sas:DescribeVulMetaCountStatistics",
        "yundun-sas:DescribeVulListPage",
        "yundun-sas:DescribeVulNumStatistics",
        "yundun-sas:DescribeVulConfig",
        "yundun-sas:DescribeGroupedVul",
        "yundun-sas:DescribeVulDetails",
        "yundun-sas:DescribeVulList",
        "yundun-sas:DescribeVulWhitelist",
        "yundun-sas:DescribeAppVulScanCycle",
        "yundun-sas:ListVulAutoRepairConfig",
        "yundun-sas:DescribeEmgUserAgreement",
        "yundun-sas:DescribeEmgVulItem",
        "yundun-sas:DescribeUuidsByVulNames",
        "yundun-sas:DescribeTarget",
        "yundun-sas:DescribeVulTargetStatistics",
        "yundun-sas:DescribeConcernNecessity",
        "yundun-sas:DescribeOnceTask",
        "yundun-sas:GetOnceTaskResultInfo",
        "yundun-sas:DescribeCycleTaskList",
        "yundun-sas:DescribeVulExportInfo",
        "yundun-sas:DescribeInstanceRebootStatus",
        "yundun-sas:DescribeMachineCanReboot"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

O&M engineer permissions

Note: In the O&M engineer permissions scenario, this policy script allows a RAM user to use the vulnerability scan, vulnerability fixing, baseline check, and Asset Center features, and to perform related operations. After you add this policy, refer to the actions and their descriptions in the Appendix: Common custom policies for specific features table in this topic for the specific operations that the RAM user can perform. Also note that RAM grants a request when any Allow statement matches it (only an explicit Deny overrides an Allow). The acs:MFAPresent condition on ecs:RebootInstance in this script therefore has no restrictive effect, because the later statement grants ecs:* on acs:ecs:*:*:* with no condition; if you rely on the MFA check for reboots, remove or narrow that ecs:* statement.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "yundun-sas:OperateVul",
        "yundun-sas:ModifyStartVulScan"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-sas:FixCheckWarnings",
        "yundun-sas:IgnoreHcCheckWarnings",
        "yundun-sas:ValidateHcWarnings"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ecs:RebootInstance",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "true"
        }
      }
    },
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": [
        "acs:ecs:*:*:*"
      ]
    },
    {
      "Action": "ecs:CreateSnapshot",
      "Effect": "Allow",
      "Resource": [
        "acs:ecs:*:*:*",
        "acs:ecs:*:*:snapshot/*"
      ]
    },
    {
      "Action": [
        "ecs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "yundun-sas:ModifyPushAllTask",
        "yundun-sas:DeleteTagWithUuid",
        "yundun-sas:ModifyTagWithUuid",
        "yundun-sas:CreateOrUpdateAssetGroup",
        "yundun-sas:DeleteGroup",
        "yundun-sas:ModifyAssetImportant",
        "yundun-sas:RefreshAssets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
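The following Python script is an added example, not part of this page or of Alibaba Cloud's tooling. It embeds the O&M engineer script above as constructed input and runs the check a reviewer should make before pasting a policy into the Script tab: RAM allows a request when any Allow statement matches, so a conditional Allow (here, ecs:RebootInstance only with acs:MFAPresent) is defeated by an unconditional Allow that already covers the same action service-wide (here, ecs:* on acs:ecs:*:*:*). The helper names, the service-wide resource heuristic and the statement indices are this example's own assumptions.

```python
"""Added example: lint a RAM policy document for Allow statements whose
Condition is defeated by a broader, unconditional Allow in the same policy.

RAM grants a request if any Allow statement matches it (an explicit Deny
wins), so a conditional Allow cannot narrow what an unconditional Allow
already grants. The sample policy is the O&M engineer script from this page.
"""
import fnmatch
import json

# Constructed input: the O&M engineer policy from this page, as a JSON string.
OM_ENGINEER_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["yundun-sas:OperateVul", "yundun-sas:ModifyStartVulScan"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["yundun-sas:FixCheckWarnings", "yundun-sas:IgnoreHcCheckWarnings",
                    "yundun-sas:ValidateHcWarnings"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ecs:RebootInstance", "Effect": "Allow", "Resource": "*",
         "Condition": {"Bool": {"acs:MFAPresent": "true"}}},
        {"Action": "ecs:*", "Effect": "Allow", "Resource": ["acs:ecs:*:*:*"]},
        {"Action": "ecs:CreateSnapshot", "Effect": "Allow",
         "Resource": ["acs:ecs:*:*:*", "acs:ecs:*:*:snapshot/*"]},
        {"Action": ["ecs:Describe*"], "Effect": "Allow", "Resource": "*"},
        {"Action": ["yundun-sas:ModifyPushAllTask", "yundun-sas:DeleteTagWithUuid",
                    "yundun-sas:ModifyTagWithUuid", "yundun-sas:CreateOrUpdateAssetGroup",
                    "yundun-sas:DeleteGroup", "yundun-sas:ModifyAssetImportant",
                    "yundun-sas:RefreshAssets"],
         "Resource": "*", "Effect": "Allow"},
    ],
})


def _as_list(value):
    """RAM lets Action and Resource be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _service_of(action):
    """'ecs:RebootInstance' -> 'ecs'."""
    return action.split(":", 1)[0].lower()


def _covers_whole_service(resource, service):
    """True if a Resource pattern reaches every resource of the given service.

    Heuristic (this example's assumption): '*' and the service-wide ARN
    'acs:<service>:*:*:*' both do; anything narrower is treated as not covering.
    """
    if resource == "*":
        return True
    parts = resource.split(":")
    return (len(parts) == 5 and parts[0] == "acs"
            and parts[1].lower() == service and parts[2:] == ["*", "*", "*"])


def find_shadowed_conditions(policy_json):
    """Return (action, conditional_stmt_index, shadowing_stmt_index) tuples.

    Each tuple names an action whose Condition in statement i is irrelevant
    because statement j allows the same action service-wide with no Condition.
    """
    statements = json.loads(policy_json)["Statement"]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "Condition" not in stmt:
            continue
        for action in _as_list(stmt["Action"]):
            service = _service_of(action)
            for j, other in enumerate(statements):
                if j == i or other.get("Effect") != "Allow" or "Condition" in other:
                    continue
                action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                                 for p in _as_list(other["Action"]))
                resource_hit = any(_covers_whole_service(r, service)
                                   for r in _as_list(other["Resource"]))
                if action_hit and resource_hit:
                    findings.append((action, i, j))
    return findings


def wildcard_actions(policy_json):
    """List every Allow action containing a wildcard, in document order."""
    statements = json.loads(policy_json)["Statement"]
    return [a for s in statements if s.get("Effect") == "Allow"
            for a in _as_list(s["Action"]) if "*" in a]


def drop_statements(policy_json, indices):
    """Return a copy of the policy without the statements at the given indices."""
    doc = json.loads(policy_json)
    doc["Statement"] = [s for k, s in enumerate(doc["Statement"]) if k not in set(indices)]
    return json.dumps(doc)


if __name__ == "__main__":
    for action, i, j in find_shadowed_conditions(OM_ENGINEER_POLICY):
        print(f"Condition on {action} in statement {i} is shadowed by statement {j}")
    print("wildcard actions:", wildcard_actions(OM_ENGINEER_POLICY))
    # Removing the unconditional ecs:* statement (index 3) restores the MFA requirement.
    print("after fix:", find_shadowed_conditions(drop_statements(OM_ENGINEER_POLICY, [3])))
```

Run against the page's script, the linter reports that the condition on ecs:RebootInstance in statement 2 is shadowed by statement 3 and lists ecs:* and ecs:Describe* as wildcard grants; after dropping statement 3 no shadowing remains. The resource check is deliberately conservative: it only recognizes "*" and the service-wide ARN, so a narrower overlapping grant would not be flagged and still needs a manual look.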
Click Next To Edit Policy Information, and then enter a Name and Note for the policy.
Click OK.
Step 2: Grant permissions to the RAM user
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Permission page, click Grant Permission.

In the Grant Permission panel, grant permissions to the RAM user.
By default, a newly created RAM user does not have any permissions.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
Resource Group: The authorization takes effect on a specific resource group.
Important: If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to which you want to grant permissions. You can select multiple RAM users at a time.
Select policies.
Search for and select the AliyunYundunSASReadOnlyAccess policy. This system policy grants an O&M engineer read-only access to Security Center.
Search for and select the custom policy that you created in Step 1: Create a custom policy for Security Center.
Click OK.
Appendix: Common custom policies for specific features
When a RAM user uses specific features of Security Center, you must grant the corresponding custom permissions to the RAM user. The following sections describe the custom policy scripts for common features of Security Center.
In most cases, an action in a RAM custom policy corresponds to an API operation of the Alibaba Cloud service.
Asset Center
| Action in the RAM policy | Description | Supported API operation |
| --- | --- | --- |
| yundun-sas:DescribeCloudCenterInstances | Queries a list of assets. The information includes the asset type, security alert status, and the online status of the client. | |
| yundun-sas:DescribeFieldStatistics | Queries the statistics of servers in your assets. | DescribeFieldStatistics - Query statistics of servers in assets |
| yundun-sas:DescribeCriteria | Retrieves the query condition information that corresponds to the fuzzy match value that you enter when you query assets. | |
| yundun-sas:ModifyPushAllTask | Runs a security check task on a server. | ModifyPushAllTask - Run a security check task with one click |
| yundun-sas:DeleteGroup | Deletes an asset group. | |
| yundun-sas:DescribeSearchCondition | Queries the filter conditions for assets. | DescribeSearchCondition - Query filter conditions for assets |
| yundun-sas:DescribeImageStatistics | Queries the threat statistics of container image assets. | DescribeImageStatistics - Query threat statistics of container image assets |
| yundun-sas:DescribeGroupedTags | Queries the statistics of asset tags. | |
| yundun-sas:DescribeDomainCount | Retrieves the number of domain name assets. | DescribeDomainCount - Query the number of domain name assets |
| yundun-sas:DescribeCloudProductFieldStatistics | Retrieves statistics of Alibaba Cloud services. | DescribeCloudProductFieldStatistics - Query statistics of Alibaba Cloud services |
| yundun-sas:DescribeAllGroups | Queries information about all server groups. | |
| yundun-sas:CreateOrUpdateAssetGroup | Creates a server group or modifies the servers in a server group. | CreateOrUpdateAssetGroup - Modify the relationship between assets and asset groups |
| yundun-sas:DescribeInstanceStatistics | Queries the threat statistics of an asset. | |
| yundun-sas:PauseClient | Enables or pauses the client. | |
| yundun-sas:ModifyTagWithUuid | Modifies the name of an asset tag or the assets that are included in a specified tag. | ModifyTagWithUuid - Modify an asset tag name or the assets in a tag |
| yundun-sas:RefreshAssets | Synchronizes the latest assets. | |
| yundun-sas:ExportRecord | Exports detection results from pages such as Asset Center, Cloud Security Posture Management, Container Image Scan, Attack Analysis, and AccessKey Pair Leakage Detection to an Excel file. | |
| yundun-sas:DescribeExportInfo | Views the progress of an asset export task. | DescribeExportInfo - View the export progress of an asset list |
| yundun-sas:DescribeDomainList | Queries a list of domain name assets. | |
| yundun-sas:DescribeDomainDetail | Retrieves the details of a domain name asset. | |
| yundun-sas:DescribeAssetDetailByUuid | Queries the details of an asset using the UUID of the asset. | DescribeAssetDetailByUuid - Query server asset details and extended information |
Vulnerability management
| Action in the RAM policy | Description | Supported API operation |
| --- | --- | --- |
| yundun-sas:DescribeVulWhitelist | Queries the vulnerability whitelist by page. | DescribeVulWhitelist - Query the vulnerability whitelist by page |
| yundun-sas:ModifyOperateVul | Processes detected vulnerabilities. You can fix, verify, or ignore vulnerabilities. | |
| yundun-sas:ModifyVulTargetConfig | Configures vulnerability detection for a single server. | ModifyVulTargetConfig - Configure vulnerability detection for a single server |
| yundun-sas:DescribeConcernNecessity | Queries information about whether it is necessary to fix vulnerabilities that you follow. | |
| yundun-sas:DescribeVulList | Queries vulnerability information by vulnerability type. | DescribeVulList - Query vulnerability information by vulnerability type |
| yundun-sas:DescribeImageVulList | Views the details of vulnerabilities that are detected by a container image scan and a list of affected container images. | DescribeImageVulList - View the list of container image vulnerabilities |
| yundun-sas:ExportVul | Exports a list of vulnerabilities. | |
| yundun-sas:DescribeVulExportInfo | Views the progress of a vulnerability export task. | DescribeVulExportInfo - View the progress of a vulnerability export task |
Cloud Security Posture Management
| Action in the RAM policy | Description | Supported API operation |
| --- | --- | --- |
| yundun-sas:FixCheckWarnings | Fixes baseline check threats. | |
| yundun-sas:IgnoreHcCheckWarnings | Ignores or stops ignoring baseline check threats. | IgnoreHcCheckWarnings - Ignore or stop ignoring baseline threats in batches |
| yundun-sas:ValidateHcWarnings | Verifies baseline check threats. | ValidateHcWarnings - Verify baseline check threats in batches |
References
Elements of a policy: A policy in RAM describes the specific content of an authorization and consists of basic elements such as Effect, Action, Resource, Condition, and Principal.
Policy structure and syntax: Learn about the syntax and structure of a policy to create or update the policy.
Manage permissions for multiple O&M engineers using RAM: If your enterprise has various O&M requirements, you can use RAM to control the permissions of each type of O&M engineer for easier management and control.
Control access to Alibaba Cloud resources based on IP addresses: You can use RAM to allow users to access your cloud resources only from specified IP addresses. This enhances access security.
Control access to Alibaba Cloud resources based on time: You can use RAM to allow users to access your cloud resources only within a specified period. This enhances access security.