This topic provides some sample custom Resource Access Management (RAM) policies for Application Load Balancer (ALB).
Background Information
RAM policies are classified into system policies and custom policies. We recommend that you read the information about system policies for ALB before you manage ALB permissions.
If the system policies cannot meet your business requirements, you can create a custom policy on the JSON tab.
We recommend that you read the ALB permission definitions before you use RAM to manage ALB permissions.
Sample custom policies
Example 1: The following policy prohibits a RAM user from creating HTTP listeners or HTTP server groups.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "alb:CreateListener",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "alb:ListenerProtocol": ["HTTP"]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "alb:CreateServerGroup",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "alb:ServerGroupProtocol": ["HTTP"]
        }
      }
    }
  ]
}
Example 2: The following policy authorizes a RAM user to manage two specified ALB instances.
In this example, you have multiple ALB instances and you want to allow a RAM user to manage only two of the ALB instances. The IDs of the ALB instances are alb-001 and alb-002.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["alb:*"],
      "Resource": [
        "acs:alb:*:*:loadbalancer/alb-001",
        "acs:alb:*:*:loadbalancer/alb-002"
      ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": ["alb:Get*"],
      "Resource": ["*"],
      "Condition": {}
    }
  ]
}
Example 3: The following policy authorizes a RAM user to add an Elastic Compute Service (ECS) instance to a server group. The ID of the server group is sgp-001 and the ID of the ECS instance is i-001.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["alb:AddServersToServerGroup"],
      "Resource": ["acs:alb:*:*:servergroup/sgp-001"],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": ["alb:AddServersToServerGroup"],
      "Resource": ["acs:ecs:*:*:instance/i-001"],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": ["alb:ListServerGroups"],
      "Resource": ["acs:alb:*:*:servergroup/*"],
      "Condition": {}
    }
  ]
}
Example 4: The following policy authorizes a RAM user to manage ECS instances in specified server groups of an ALB instance. The IDs of the ALB server groups are sgp-001 and sgp-002.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["alb:*"],
      "Resource": [
        "acs:alb:*:*:servergroup/sgp-001",
        "acs:alb:*:*:servergroup/sgp-002"
      ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": ["alb:List*"],
      "Resource": ["*"],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": ["ecs:DescribeInstances"],
      "Resource": ["*"],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": ["alb:*"],
      "Resource": [
        "acs:ecs:*:*:instance/i-instance001",
        "acs:ecs:*:*:instance/i-instance002"
      ],
      "Condition": {}
    }
  ]
}
Example 5: The following policy prohibits a RAM user from specifying TLS v1.0 and TLS v1.1 and authorizes them to specify TLS v1.2 or later when creating or modifying an HTTPS listener:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "alb:CreateListener",
        "alb:UpdateListenerAttribute"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "alb:TLSVersion": ["TLSv1.0", "TLSv1.1"]
        }
      }
    }
  ]
}
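The following is an added example, not part of this documentation and not an Alibaba Cloud tool: a small Python evaluator that applies the Example 1, Example 2 and Example 5 policies above to sample requests, so you can check before attaching a policy that a Deny with a StringLike condition really fires only when the condition key matches, that an Allow scoped to alb-001 and alb-002 does not spill over to other instances, and that a Deny-only policy such as Example 5 grants nothing on its own (an Allow from another policy is still required for TLS v1.2 requests to succeed). It models RAM evaluation in simplified form: explicit Deny overrides Allow, and a request matched by no statement is implicitly denied. The region, account ID, context values and the read-only action name in the requests are constructed for the demonstration.

```python
"""Simplified RAM policy evaluator (added example; not an official tool).

Modelled semantics: a statement applies when its Action, Resource and every
Condition clause match the request. Any applicable Deny wins; otherwise an
applicable Allow grants; otherwise the result is an implicit deny. Only the
StringLike operator is implemented because it is the only one used on this page.
The condition keys (alb:ListenerProtocol, alb:TLSVersion) are assumed to be
supplied by the service as request context.
"""
import re

# Example 1 from the page: deny HTTP listeners and HTTP server groups.
DENY_HTTP = {
    "Version": "1",
    "Statement": [
        {"Effect": "Deny", "Action": "alb:CreateListener", "Resource": "*",
         "Condition": {"StringLike": {"alb:ListenerProtocol": ["HTTP"]}}},
        {"Effect": "Deny", "Action": "alb:CreateServerGroup", "Resource": "*",
         "Condition": {"StringLike": {"alb:ServerGroupProtocol": ["HTTP"]}}},
    ],
}

# Example 2 from the page: full control of alb-001 and alb-002, read-only elsewhere.
MANAGE_TWO_ALB = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["alb:*"],
         "Resource": ["acs:alb:*:*:loadbalancer/alb-001",
                      "acs:alb:*:*:loadbalancer/alb-002"],
         "Condition": {}},
        {"Effect": "Allow", "Action": ["alb:Get*"], "Resource": ["*"],
         "Condition": {}},
    ],
}

# Example 5 from the page: deny TLS 1.0 / 1.1 on listener create or update.
DENY_OLD_TLS = {
    "Version": "1",
    "Statement": [
        {"Effect": "Deny",
         "Action": ["alb:CreateListener", "alb:UpdateListenerAttribute"],
         "Resource": "*",
         "Condition": {"StringLike": {"alb:TLSVersion": ["TLSv1.0", "TLSv1.1"]}}},
    ],
}


def wildcard_match(pattern, value):
    """RAM-style match: '*' stands for any run of characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_applies(stmt, request):
    """True when Action, Resource and all StringLike clauses match the request."""
    if not any(wildcard_match(a, request["action"]) for a in _as_list(stmt["Action"])):
        return False
    if not any(wildcard_match(r, request["resource"]) for r in _as_list(stmt["Resource"])):
        return False
    for operator, clauses in stmt.get("Condition", {}).items():
        if operator != "StringLike":
            raise ValueError("operator not modelled here: " + operator)
        for key, patterns in clauses.items():
            actual = request.get("context", {}).get(key)
            # A missing context key means the clause cannot match, so the statement does not apply.
            if actual is None or not any(wildcard_match(p, actual) for p in _as_list(patterns)):
                return False
    return True


def evaluate(policies, request):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for the request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, request):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"   # a matching Deny always wins
                decision = "Allow"
    return decision


def request(action, resource, context=None):
    return {"action": action, "resource": resource, "context": context or {}}


# Constructed sample resources: region, account ID and alb-003 are placeholders.
ALB_001 = "acs:alb:cn-hangzhou:123456789012:loadbalancer/alb-001"
ALB_003 = "acs:alb:cn-hangzhou:123456789012:loadbalancer/alb-003"

if __name__ == "__main__":
    print(evaluate([MANAGE_TWO_ALB, DENY_HTTP],
                   request("alb:CreateListener", ALB_001, {"alb:ListenerProtocol": "HTTP"})))
    print(evaluate([DENY_OLD_TLS],
                   request("alb:UpdateListenerAttribute", ALB_001, {"alb:TLSVersion": "TLSv1.2"})))
```

Two details worth noticing when running it: StringLike without a wildcard is an exact comparison, so the Example 1 pattern "HTTP" does not match a listener whose protocol is "HTTPS", which is what makes the policy useful; and evaluating Example 5 alone returns an implicit deny even for TLSv1.2, which is why the page's Example 5 only works as intended when paired with an Allow such as Example 2.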