To implement fine-grained access control on the features of Security Center for Resource Access Management (RAM) users, attach system policies or custom policies to the RAM users. This topic describes how to attach both kinds of policy to a RAM user.
Background information
RAM provides two types of policies for cloud services: system policies and custom policies. System policies are created and maintained by Alibaba Cloud and cannot be modified. To implement fine-grained access control on Security Center, use custom policies.
Alibaba Cloud provides the AliyunYundunSASFullAccess and AliyunYundunSASReadOnlyAccess system policies for Security Center. If you attach AliyunYundunSASFullAccess to a RAM user, the RAM user is granted full permissions on Security Center. If you attach AliyunYundunSASReadOnlyAccess, the RAM user is granted read-only permissions on Security Center.
Prerequisites
A RAM user is created. For more information, see Create a RAM user.
Attach a system policy to the RAM user
Alibaba Cloud provides system policies for Billing Management and system policies that grant access or management permissions on Security Center. When a RAM user purchases, renews, or unsubscribes from Security Center, the system may display a message indicating that the RAM user does not have the required permissions. When a RAM user accesses Security Center, the system may display a message indicating that the RAM user does not have the required permissions and must check them. In these cases, perform the following steps to attach the required system policies to the RAM user.
The Billing Management system policies are not scoped to Security Center: they take effect on all cloud services. A RAM user to whom you attach them can purchase, renew, and unsubscribe from the resources of all cloud services, so attach them only to users who need to manage orders.
Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user and click Add Permissions in the Actions column.
In the Add Permissions panel, grant permissions to the RAM user.
Select the authorization scope.
Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
Specific Resource Group: The authorization takes effect on a specific resource group.
Note: If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
The system automatically sets the Principal parameter to the current RAM user. You do not need to manually specify the Principal parameter.
Select a system policy based on the following scenarios and click OK.
Scenario | System policy
Purchase, renew, or unsubscribe from Security Center | AliyunBSSOrderAccess and AliyunBSSRefundAccess
Access Security Center in read-only mode | AliyunYundunSASReadOnlyAccess
Manage Security Center | AliyunYundunSASFullAccess
Click Complete.
Attach a custom policy to the RAM user
To implement fine-grained access control on Security Center, you can perform the following steps to attach a custom policy to the RAM user:
Step 1: Create a custom policy that grants permissions on Security Center
Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Configure a policy based on your business requirements.
Note: The policy that specifies the permissions on O&M operations allows a RAM user to use the vulnerability scan, vulnerability fixing, and baseline check features, and to perform operations in the Assets module. For more information about the operations that are allowed by the policy, see the actions and descriptions in the Operations that are supported by custom policies table.
Scenario: Read-only permissions in the Assets module
Script:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "yundun-sas:DescribeCloudCenterInstances",
        "yundun-sas:DescribeFieldStatistics",
        "yundun-sas:DescribeCriteria"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Scenario: Permissions to perform security checks in the Assets module
Script:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "yundun-sas:ModifyPushAllTask",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Scenario: Read-only permissions on the vulnerability management feature
Script:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "yundun-aegis:DescribeVulList",
        "yundun-sas:DescribeVulWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Scenario: Permissions on the vulnerability management feature
Script:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "yundun-aegis:OperateVul",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Scenario: Permissions on O&M operations
Script:
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["yundun-aegis:OperateVul", "yundun-aegis:ModifyStartVulScan"],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-aegis:FixCheckWarnings",
        "yundun-aegis:IgnoreHcCheckWarnings",
        "yundun-aegis:ValidateHcWarnings"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ecs:RebootInstance",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {"Bool": {"acs:MFAPresent": "true"}}
    },
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": ["acs:ecs:*:*:*"]
    },
    {
      "Action": "ecs:CreateSnapshot",
      "Effect": "Allow",
      "Resource": ["acs:ecs:*:*:*", "acs:ecs:*:*:snapshot/*"]
    },
    {
      "Action": ["ecs:Describe*"],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "yundun-sas:ModifyPushAllTask",
        "yundun-sas:DeleteTagWithUuid",
        "yundun-sas:ModifyTagWithUuid",
        "yundun-sas:CreateOrUpdateAssetGroup",
        "yundun-sas:DeleteGroup",
        "yundun-sas:ModifyAssetImportant",
        "yundun-sas:RefreshAssets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Note: In the O&M policy, the statement that allows ecs:* on acs:ecs:*:*:* already covers ecs:RebootInstance and ecs:CreateSnapshot on every ECS resource. RAM allows a request if any Allow statement matches and no Deny statement matches, so the acs:MFAPresent condition on ecs:RebootInstance does not actually require MFA for reboots. If reboots must require MFA, narrow the ecs:* statement or add an explicit Deny statement for ecs:RebootInstance with the condition acs:MFAPresent set to false.
Click Next to edit policy information. On the page that appears, configure the Name and Description parameters for the policy.
Click OK.
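Before you save a custom policy, it is worth checking what it actually grants rather than reading statement by statement. The following Python script is an added example and is not part of the Alibaba Cloud documentation or of any Alibaba Cloud SDK. It implements the documented RAM evaluation order (a matching explicit Deny wins, otherwise a matching Allow wins, otherwise the request is implicitly denied), the "*" wildcard in Action and Resource, and the Bool condition operator used in the O&M policy above, then runs the O&M policy from the table against a constructed ECS instance ARN. The function names, the ARN, and the request context are assumptions made for the example.

```python
"""Offline evaluator for Alibaba Cloud RAM policy documents (added example).

Not an Alibaba Cloud tool: a small model of RAM's documented evaluation order
(explicit Deny > Allow > implicit deny) used to check what a custom policy grants
before attaching it. Action/Resource '*' wildcards and the Bool condition
operator are supported; other condition operators are treated as not met.
"""
import fnmatch

# The "Permissions on O&M operations" policy from the table, copied as-is.
OM_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["yundun-aegis:OperateVul", "yundun-aegis:ModifyStartVulScan"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["yundun-aegis:FixCheckWarnings", "yundun-aegis:IgnoreHcCheckWarnings",
                    "yundun-aegis:ValidateHcWarnings"], "Resource": "*", "Effect": "Allow"},
        {"Action": "ecs:RebootInstance", "Effect": "Allow", "Resource": "*",
         "Condition": {"Bool": {"acs:MFAPresent": "true"}}},
        {"Action": "ecs:*", "Effect": "Allow", "Resource": ["acs:ecs:*:*:*"]},
        {"Action": "ecs:CreateSnapshot", "Effect": "Allow",
         "Resource": ["acs:ecs:*:*:*", "acs:ecs:*:*:snapshot/*"]},
        {"Action": ["ecs:Describe*"], "Effect": "Allow", "Resource": "*"},
        {"Action": ["yundun-sas:ModifyPushAllTask", "yundun-sas:DeleteTagWithUuid",
                    "yundun-sas:ModifyTagWithUuid", "yundun-sas:CreateOrUpdateAssetGroup",
                    "yundun-sas:DeleteGroup", "yundun-sas:ModifyAssetImportant",
                    "yundun-sas:RefreshAssets"], "Resource": "*", "Effect": "Allow"},
    ],
}

# Explicit Deny that actually enforces MFA for reboots; Deny beats any Allow in RAM.
MFA_DENY = {"Action": "ecs:RebootInstance", "Effect": "Deny", "Resource": "*",
            "Condition": {"Bool": {"acs:MFAPresent": "false"}}}

# Constructed ECS instance ARN (region, account ID and instance ID are made up).
INSTANCE = "acs:ecs:cn-hangzhou:123456789012:instance/i-constructed"


def _as_list(value):
    """Action and Resource may be a string or a list in a RAM policy."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """RAM-style wildcard: '*' matches any run of characters, including ':' and '/'."""
    return fnmatch.fnmatchcase(value, pattern)


def _condition_met(condition, context):
    """Evaluate a Condition block against the request context (e.g. acs:MFAPresent)."""
    for operator, pairs in condition.items():
        if operator != "Bool":          # only Bool is modelled; be conservative otherwise
            return False
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return (decision, matching statement indexes).

    decision is 'Deny' (explicit), 'Allow', or 'ImplicitDeny' (nothing matched).
    """
    context = context or {}
    allowed_by, denied_by = [], []
    for index, stmt in enumerate(policy["Statement"]):
        if not any(_match(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_match(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        (allowed_by if stmt["Effect"] == "Allow" else denied_by).append(index)
    if denied_by:
        return "Deny", denied_by
    if allowed_by:
        return "Allow", allowed_by
    return "ImplicitDeny", []


def with_mfa_deny(policy):
    """Return a copy of the policy with the explicit MFA Deny statement appended."""
    return {"Version": policy["Version"], "Statement": policy["Statement"] + [MFA_DENY]}


if __name__ == "__main__":
    no_mfa, mfa = {"acs:MFAPresent": "false"}, {"acs:MFAPresent": "true"}
    print("reboot without MFA, as written:", evaluate(OM_POLICY, "ecs:RebootInstance", INSTANCE, no_mfa))
    print("reboot without MFA, with Deny: ", evaluate(with_mfa_deny(OM_POLICY), "ecs:RebootInstance", INSTANCE, no_mfa))
    print("reboot with MFA, with Deny:    ", evaluate(with_mfa_deny(OM_POLICY), "ecs:RebootInstance", INSTANCE, mfa))
    print("asset read, O&M policy only:   ", evaluate(OM_POLICY, "yundun-sas:DescribeCloudCenterInstances", "*"))
```

Run as written, the first line shows that ecs:RebootInstance without MFA is allowed by statement index 3 (the ecs:* statement), so the MFA condition on statement 2 is never the deciding factor; appending the explicit Deny flips that request to Deny while leaving MFA-backed reboots allowed. The last line shows that the O&M policy alone does not grant the Assets read actions, which is why Step 2 attaches AliyunYundunSASReadOnlyAccess alongside the custom policy.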
Step 2: Attach the custom policy to the RAM user
Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Permission page, click Grant Permission.
In the Grant Permission panel, grant permissions to the RAM user.
By default, a newly created RAM user does not have any permissions.
Select the authorization scope.
Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
Specific Resource Group: The authorization takes effect on a specific resource group.
Note: If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Specify the principal.
The principal is the RAM user to which you want to grant permissions.
On the System Policy tab, search for and click the AliyunYundunSASReadOnlyAccess policy. This system policy grants the RAM user read-only permissions on Security Center; the custom policy selected in the next step adds the write operations you chose in Step 1.
Click the Custom Policy tab and select the custom policy that is created in Step 1: Create a custom policy that grants permissions on Security Center.
Click OK.
Operations that are supported by custom policies
References
Use RAM to manage permissions of O&M engineers
Use RAM to limit the IP addresses that are allowed to access Alibaba Cloud resources
Use RAM to limit the period of time in which users are allowed to access Alibaba Cloud resources