Alibaba Cloud Resource Access Management (RAM) provides two types of policies: system policies and custom policies. System policies are created and maintained by Alibaba Cloud — you can attach them to RAM identities but cannot modify them. Custom policies are fully managed by you and support create, update, and delete operations.
As Security Center evolves, new permissions are added to its system policies to support new features. Any update to a system policy takes effect immediately for every RAM user, RAM user group, and RAM role that the policy is attached to, so an identity that holds a system policy automatically receives any permissions Alibaba Cloud later adds to it, without a change on your side.
System policies let you get started quickly from the management console and also support advanced access methods such as API operations and CLI commands. For finer-grained control over which API operations specific RAM identities can call, use custom policies instead.
For more information about RAM policies, see Policy overview.
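To make the difference between a broad system policy and a narrow custom policy concrete, the following toy evaluator is an added example for this page; it is not Alibaba Cloud's code and it does not reproduce the real contents of AliyunYundunSASFullAccess. It models the documented RAM evaluation order (an explicit Deny beats any Allow, and an identity with no matching Allow gets nothing) with `*` wildcards in Action and Resource, and ignores Condition blocks. The policy documents are constructed for illustration; the action names assume the `yundun-sas:<Operation>` convention and must be checked against the Security Center RAM authorization list before you paste them into a real policy.

```python
"""Toy RAM policy evaluator and least-privilege check.

Added example, not Alibaba Cloud's code. The policy documents are
constructed here; action names (yundun-sas:...) are illustrative and
should be verified against the Security Center authorization list.
"""
import json
import re


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _wild(pattern, candidate):
    """Match a RAM pattern where '*' stands for any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.fullmatch(regex, candidate) is not None


def _matches(patterns, candidate):
    return any(_wild(p, candidate) for p in _as_list(patterns))


def evaluate(policies, action, resource="*"):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action/resource pair
    across all policy documents attached to an identity.

    Explicit Deny wins over every Allow; with no matching Allow the
    default is ImplicitDeny (RAM identities start with no permissions).
    """
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def overbroad_statements(doc):
    """Indexes of Allow statements that grant every action of a service
    (or of all services) on every resource: the shape of a full-access
    grant that a custom policy is supposed to narrow."""
    findings = []
    for i, stmt in enumerate(doc["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        wide_action = any(a == "*" or a.endswith(":*")
                          for a in _as_list(stmt["Action"]))
        wide_resource = "*" in _as_list(stmt["Resource"])
        if wide_action and wide_resource:
            findings.append(i)
    return findings


def policy_document(doc):
    """Compact JSON as passed to `aliyun ram CreatePolicy --PolicyDocument`."""
    return json.dumps(doc, separators=(",", ":"))


# Constructed stand-in with the shape of a full-access grant
# (NOT the real contents of AliyunYundunSASFullAccess).
WILDCARD_GRANT = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "yundun-sas:*", "Resource": "*"}]}

# Constructed custom policy for an analyst: read everything in Security
# Center and handle alerts, but no other write operation.
ANALYST_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow",
     "Action": ["yundun-sas:Describe*", "yundun-sas:HandleSecurityEvents"],
     "Resource": "*"}]}

# Constructed guard policy: an explicit Deny that wins even when another
# attached policy (system or custom) would allow the action.
DENY_HANDLE = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "yundun-sas:HandleSecurityEvents",
     "Resource": "*"}]}


if __name__ == "__main__":
    for action in ("yundun-sas:DescribeSuspEvents",
                   "yundun-sas:HandleSecurityEvents",
                   "yundun-sas:ModifyWebLockStatus",   # illustrative name
                   "ecs:DescribeInstances"):
        print(f"{action:40} wildcard={evaluate([WILDCARD_GRANT], action):12}"
              f" analyst={evaluate([ANALYST_POLICY], action)}")
    print("wildcard+deny:", evaluate([WILDCARD_GRANT, DENY_HANDLE],
                                     "yundun-sas:HandleSecurityEvents"))
    print("overbroad in wildcard grant:", overbroad_statements(WILDCARD_GRANT))
    print(policy_document(ANALYST_POLICY))
```

Run it as a script to see the three policies side by side. The `overbroad_statements` check is the kind of guard worth running in CI over your custom policies: a statement that combines `yundun-sas:*` (or `*`) with `Resource: "*"` is a full-access grant under another name.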
System policies
Security Center provides the following system policies:
| Policy | Description |
|---|---|
| AliyunYundunSASFullAccess | Grants full management permissions for Security Center. See AliyunYundunSASFullAccess for the complete permission list. |
| AliyunYundunSASReadOnlyAccess | Grants read-only permissions for Security Center. See AliyunYundunSASReadOnlyAccess for the complete permission list. |
Service-linked role policies
Security Center uses service-linked roles to access resources in other Alibaba Cloud services on your behalf. Each service-linked role has a dedicated authorization policy that is defined and managed by Security Center.
Do not attach these policies to any RAM identity other than the service-linked role they belong to, and do not modify or delete them: Security Center depends on them to call other services on your behalf, and attaching one to a RAM user or ordinary role would hand that identity the service's cross-service permissions.
| Policy | Associated service-linked role |
|---|---|
| AliyunServiceRolePolicyForSas | AliyunServiceRoleForSas |
| AliyunServiceRolePolicyForSasCloudSiem | AliyunServiceRoleForSasCloudSiem |
| AliyunServiceRolePolicyForSasCspm | AliyunServiceRoleForSasCspm |
| AliyunServiceRolePolicyForSasRd | AliyunServiceRoleForSasRd |
| AliyunServiceRolePolicyForAntiRansomwareMssp | AliyunServiceRoleForAntiRansomwareMssp |
| AliyunServiceRolePolicyForSasSecurityLake | AliyunServiceRoleForSasSecurityLake |
What's next
By default, RAM identities have no permissions. To keep your resources secure, grant each RAM identity only the permissions it needs, following the principle of least privilege: prefer AliyunYundunSASReadOnlyAccess or a custom policy over AliyunYundunSASFullAccess wherever the identity does not need to change Security Center settings. To grant permissions, see: