Security Center: Best practices to manage permissions of RAM users

Last Updated:May 29, 2024

To implement fine-grained access control over the features of Security Center for Resource Access Management (RAM) users, attach system policies or custom policies to the RAM users. This topic describes both approaches: attaching the Security Center system policies, and creating and attaching a custom policy that grants only the actions a user needs.

Background information

RAM provides the following types of policies for cloud services: system policies and custom policies. System policies are created by Alibaba Cloud. You cannot modify system policies. To implement fine-grained access control on Security Center, you can use custom policies.

Note

Alibaba Cloud provides the AliyunYundunSASFullAccess and AliyunYundunSASReadOnlyAccess system policies that grant permissions on Security Center. If you attach the AliyunYundunSASFullAccess policy to a RAM user, the RAM user is granted full permissions on Security Center. If you attach the AliyunYundunSASReadOnlyAccess policy to a RAM user, the RAM user is granted read-only permissions on Security Center.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Attach a system policy to the RAM user

Alibaba Cloud provides system policies for Billing Management and system policies that grant read-only or management permissions on Security Center. If a RAM user without the required policies tries to purchase, renew, or unsubscribe from Security Center, or to open the Security Center console, the console displays a message indicating that the RAM user does not have the required permissions. In these cases, attach the required system policies to the RAM user as follows.

Important

The system policies that are related to Billing Management take effect on all cloud services. If you attach them to a RAM user, the RAM user can purchase, renew, and unsubscribe from the resources of all cloud services, not only Security Center. Attach them only to RAM users who are responsible for billing.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.


    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

  4. In the Add Permissions panel, grant permissions to the RAM user.

    1. Configure the Resource Scope parameter.

    2. Configure the Principal parameter.

      The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.

    3. Select a system policy based on the following scenarios and click Grant permissions.

      Scenario | System policy
      Purchase, renew, or unsubscribe from Security Center | AliyunBSSOrderAccess and AliyunBSSRefundAccess
      Access Security Center in read-only mode | AliyunYundunSASReadOnlyAccess
      Manage Security Center | AliyunYundunSASFullAccess

  5. Click Close.

Attach a custom policy to the RAM user

To implement fine-grained access control on Security Center, you can perform the following steps to attach a custom policy to the RAM user:

Step 1: Create a custom policy that grants permissions on Security Center

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

    Configure a policy based on your business requirements.

    Note

    The policy that specifies the permissions on O&M operations allows a RAM user to use the vulnerability detection, vulnerability fixing, and baseline check features, and to perform operations in the Assets module. For more information about the operations that the policy allows, see the actions and descriptions in the Operations that are supported by custom policies table. Note that this policy also grants ecs:* on all ECS resources. RAM allows a request when any statement allows it and no statement explicitly denies it, so the ecs:* statement lets the user call ecs:RebootInstance, ecs:CreateSnapshot, and ecs:Describe* without MFA; the acs:MFAPresent condition on the separate ecs:RebootInstance statement therefore does not restrict reboots. If reboots must require MFA, remove the ecs:* statement or add a Deny statement for ecs:RebootInstance with the condition acs:MFAPresent set to false.

    Scenario

    Script

    Permissions to query the auto-renewal price (bssapi:QueryAvailableInstances) and configure auto-renewal settings (bssapi:SetRenewal), modify auto-renewal settings (bss:ModifyPrepaidInstanceAutoRenew), pay for a renewal or configuration change order (bss:PayOrder), query the discounted price (bss:QueryPrice), and request a refund (bss:RefundBatchRemainRefund)

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "bssapi:QueryAvailableInstances",
                    "bssapi:SetRenewal",
                    "bss:ModifyPrepaidInstanceAutoRenew",
                    "bss:PayOrder",
                    "bss:QueryPrice",
                    "bss:RefundBatchRemainRefund"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    Read-only permissions in the Assets module

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "yundun-sas:DescribeCloudCenterInstances",
                    "yundun-sas:DescribeFieldStatistics",
                    "yundun-sas:DescribeCriteria"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    Permissions to perform security checks in the Assets module

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "yundun-sas:ModifyPushAllTask",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    Read-only permissions on the vulnerability management feature

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "yundun-sas:DescribeVulList",
                    "yundun-sas:DescribeVulWhitelist"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    Permissions on the vulnerability management feature

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "yundun-sas:OperateVul",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    Permissions on O&M operations

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "yundun-sas:OperateVul",
                    "yundun-sas:ModifyStartVulScan"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "yundun-sas:FixCheckWarnings",
                    "yundun-sas:IgnoreHcCheckWarnings",
                    "yundun-sas:ValidateHcWarnings"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ecs:RebootInstance",
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "acs:MFAPresent": "true"
                    }
                }
            },
            {
                "Action": "ecs:*",
                "Effect": "Allow",
                "Resource": [
                    "acs:ecs:*:*:*"
                ]
            },
            {
                "Action": "ecs:CreateSnapshot",
                "Effect": "Allow",
                "Resource": [
                    "acs:ecs:*:*:*",
                    "acs:ecs:*:*:snapshot/*"
                ]
            },
            {
                "Action": [
                    "ecs:Describe*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "yundun-sas:ModifyPushAllTask",
                    "yundun-sas:DeleteTagWithUuid",
                    "yundun-sas:ModifyTagWithUuid",
                    "yundun-sas:CreateOrUpdateAssetGroup",
                    "yundun-sas:DeleteGroup",
                    "yundun-sas:ModifyAssetImportant",
                    "yundun-sas:RefreshAssets"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  5. Click Next to edit policy information. On the page that appears, configure the Name and Description parameters for the policy.

  6. Click OK.
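
The policies above are ordinary JSON, so their effect can be checked before they are attached to anyone. The following Python script is an added example, not code from Alibaba Cloud or from this topic: it implements the RAM evaluation order (an explicit Deny wins, otherwise any matching Allow grants the request, otherwise the request is denied by default) for the Action, Resource and Bool condition elements used on this page, and runs it against an excerpt of the O&M policy, the read-only Assets policy, and a hardened variant of the reboot rule that this example proposes. The instance and account identifiers are made up.

```python
"""Added example (not Alibaba Cloud code): a minimal evaluator for the RAM
policy documents shown on this page.

RAM evaluation order: an explicit Deny in any matching statement wins;
otherwise any matching Allow grants the request; otherwise the request is
denied by default. Only the elements this page uses are modelled: Action and
Resource (string or list, '*' wildcards) and the Bool condition operator on
acs:MFAPresent. The instance and account identifiers below are made up.
"""
import fnmatch
import json

# Excerpt of the "Permissions on O&M operations" policy above: the three ECS
# statements (the yundun-sas statements do not change the outcome here).
OM_EXCERPT = json.loads("""{
    "Version": "1",
    "Statement": [
        {"Action": "ecs:RebootInstance", "Effect": "Allow", "Resource": "*",
         "Condition": {"Bool": {"acs:MFAPresent": "true"}}},
        {"Action": "ecs:*", "Effect": "Allow", "Resource": ["acs:ecs:*:*:*"]},
        {"Action": ["ecs:Describe*"], "Effect": "Allow", "Resource": "*"}
    ]
}""")

# Hardened variant proposed by this example (assumption, not from the page):
# keep the broad ECS grant but add an explicit Deny on RebootInstance when
# MFA is absent. An Allow can never override a Deny.
HARDENED = json.loads("""{
    "Version": "1",
    "Statement": [
        {"Action": "ecs:*", "Effect": "Allow", "Resource": ["acs:ecs:*:*:*"]},
        {"Action": "ecs:RebootInstance", "Effect": "Deny", "Resource": "*",
         "Condition": {"Bool": {"acs:MFAPresent": "false"}}}
    ]
}""")

# The "Read-only permissions in the Assets module" policy above, verbatim.
ASSETS_READONLY = json.loads("""{
    "Version": "1",
    "Statement": [
        {"Action": ["yundun-sas:DescribeCloudCenterInstances",
                    "yundun-sas:DescribeFieldStatistics",
                    "yundun-sas:DescribeCriteria"],
         "Resource": "*", "Effect": "Allow"}
    ]
}""")

INSTANCE = "acs:ecs:cn-hangzhou:123456789012:instance/i-example"  # made up


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # '*' is a wildcard in both Action and Resource strings.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Every key in the Condition block must match. Only Bool is modelled;
    # a key missing from the request context is treated as "false".
    for operator, keys in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator}")
        for key, expected in keys.items():
            if str(context.get(key, False)).lower() != str(expected).lower():
                return False
    return True


def validate(policy):
    """Reject documents with the structural mistakes RAM would reject."""
    if policy.get("Version") != "1":
        raise ValueError("Version must be the string '1'")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"bad Effect in {stmt}")
        if not stmt.get("Action") or not stmt.get("Resource"):
            raise ValueError(f"Action and Resource are required in {stmt}")
    return True


def evaluate(policy, action, resource, mfa_present=False):
    """Return 'Allow' or 'Deny' for one request under one policy document."""
    validate(policy)
    context = {"acs:MFAPresent": mfa_present}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition"), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny ends evaluation immediately
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    reboot = "ecs:RebootInstance"
    # The page's policy allows a reboot without MFA: the ecs:* statement matches.
    print("O&M excerpt, no MFA:", evaluate(OM_EXCERPT, reboot, INSTANCE))
    print("hardened, no MFA:   ", evaluate(HARDENED, reboot, INSTANCE))
    print("hardened, with MFA: ", evaluate(HARDENED, reboot, INSTANCE, True))
    # Anything not listed in a read-only policy is denied by default.
    print("assets read-only, ModifyPushAllTask:",
          evaluate(ASSETS_READONLY, "yundun-sas:ModifyPushAllTask", "*"))
```

Run it with python3. The first line of output shows the point a reviewer should catch in the O&M policy: with MFA absent, ecs:RebootInstance is still allowed, because the ecs:* statement matches and RAM needs only one matching Allow. The hardened variant keeps the broad grant but adds an explicit Deny when acs:MFAPresent is false, which no Allow can override. The evaluator models only the elements this page uses; RAM supports many more condition operators and keys, so treat this as a lint step before attaching a policy, not as a substitute for testing with a real RAM user.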

Step 2: Grant permissions to the RAM user

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Grants.

  3. On the Permission page, click Grant Permission.


  4. In the Grant Permission panel, grant permissions to the RAM user.

    By default, a newly created RAM user does not have any permissions.

    1. Configure the Resource Scope parameter.

    2. Configure the Principal parameter.

      The principal is the RAM user to which you want to grant permissions. You can select multiple RAM users at a time.

    3. Select a policy.

  5. Click Grant permissions.

Operations that are supported by custom policies

The following tables describe the operations supported by custom policies that grant permissions on Security Center.

Note

In most cases, each action supported by a custom policy corresponds to one API operation of a cloud service.

Assets

Action in a policy | Description | Operation
yundun-sas:DescribeCloudCenterInstances | Queries asset information. The information includes asset types, alerts, and the status of the Security Center agent. | DescribeCloudCenterInstances
yundun-sas:DescribeFieldStatistics | Queries the statistics of servers. | DescribeFieldStatistics
yundun-sas:DescribeCriteria | Queries the search conditions when you query an asset. You can specify a keyword for fuzzy search. | DescribeCriteria
yundun-sas:ModifyPushAllTask | Performs security checks on servers. | ModifyPushAllTask
yundun-sas:DeleteGroup | Deletes a server group. | DeleteGroup
yundun-sas:DescribeSearchCondition | Queries the filter conditions that are used to search for specific assets. | DescribeSearchCondition
yundun-sas:DescribeImageStatistics | Queries the risk statistics of container images. | DescribeImageStatistics
yundun-sas:DescribeGroupedTags | Queries the statistics of asset tags. | DescribeGroupedTags
yundun-sas:DescribeDomainCount | Queries the number of domain assets. | DescribeDomainCount
yundun-sas:DescribeCloudProductFieldStatistics | Queries the statistics of cloud services. | DescribeCloudProductFieldStatistics

yundun-sas:DescribeAllGroups | Queries grouping information about all servers. | DescribeAllGroups
yundun-sas:CreateOrUpdateAssetGroup | Creates a server group, adds servers to a server group, or removes servers from a server group. | CreateOrUpdateAssetGroup
yundun-sas:DescribeInstanceStatistics | Queries the risk statistics of an asset. | DescribeInstanceStatistics
yundun-sas:PauseClient | Enables or disables the Security Center agent. | PauseClient
yundun-sas:ModifyTagWithUuid | Changes the names of the tags that are added to assets, or modifies the tags for assets. | ModifyTagWithUuid
yundun-sas:RefreshAssets | Updates the information about all assets. | RefreshAssets
yundun-sas:ExportRecord | Exports the check results of the Assets module, and the check results on the Configuration Assessment, Image Security, Attack Analysis, and AccessKey Leak Detection pages to Excel files. | ExportRecord
yundun-sas:DescribeExportInfo | Queries the progress of the task that exports the list of assets. | DescribeExportInfo
yundun-sas:DescribeDomainList | Queries domain assets. | DescribeDomainList
yundun-sas:DescribeDomainDetail | Queries the details of a domain asset. | DescribeDomainDetail
yundun-sas:DescribeAssetDetailByUuid | Queries the details of a server by using the UUID of the server. | DescribeAssetDetailByUuid

Vulnerability fixing

Action in a policy | Description | Operation
yundun-sas:DescribeVulWhitelist | Queries the whitelist of vulnerabilities by page. | DescribeVulWhitelist
yundun-sas:ModifyOperateVul | Handles detected vulnerabilities. You can fix, check, or ignore the vulnerabilities. | ModifyOperateVul
yundun-sas:ModifyVulTargetConfig | Configures vulnerability detection for a server. | ModifyVulTargetConfig
yundun-sas:DescribeConcernNecessity | Queries the priorities based on which vulnerabilities are fixed. | DescribeConcernNecessity
yundun-sas:DescribeVulList | Queries vulnerabilities by type. | DescribeVulList

yundun-sas:DescribeImageVulList | Queries the details of vulnerabilities that are detected by using container image scan and the information about the affected images. | DescribeImageVulList
yundun-sas:ExportVul | Exports the list of vulnerabilities. | ExportVul
yundun-sas:DescribeVulExportInfo | Queries the progress of the task that exports the list of vulnerabilities. | DescribeVulExportInfo

Baseline check

Action in a policy | Description | Operation
yundun-sas:FixCheckWarnings | Fixes a baseline risk item. | FixCheckWarnings
yundun-sas:IgnoreHcCheckWarnings | Ignores or cancels ignoring baseline risks. | IgnoreHcCheckWarnings
yundun-sas:ValidateHcWarnings | Verifies whether baseline risk items are fixed. | ValidateHcWarnings

References

Elements: You can refer to this topic to view the elements of policies that are used in RAM to define permissions. The elements are Effect, Action, Resource, Condition, and Principal.

Policy structure and syntax: You can refer to this topic to view the structure and syntax that are used to create or update policies in RAM.

Use RAM to manage permissions of O&M engineers: You can refer to this topic to grant permissions to O&M engineers and manage the permissions.

Use RAM to limit the IP addresses that are allowed to access Alibaba Cloud resources: You can refer to this topic to limit the IP addresses that are allowed to access Alibaba Cloud resources. This ensures a higher level of data security.

Use RAM to limit the period of time in which users are allowed to access Alibaba Cloud resources: You can refer to this topic to limit the period of time in which users are allowed to access Alibaba Cloud resources. This ensures a higher level of data security.