Configure an instance policy to protect a Tablestore instance by restricting access based on conditions such as source IP address, source network, and TLS version.
How it works
An instance policy is a resource-based authorization policy attached to an instance. It defines which principals can perform which actions on which resources, and under which conditions. For policy syntax and elements, see Authorization policy syntax and elements.
When Tablestore evaluates the attached policies, explicit deny takes precedence: any matching Deny rule blocks the request, regardless of any Allow rules.
Configuration methods
Console
1. Log on to the Tablestore console, then switch to the target region at the top of the page.
2. Click the name of the target instance or Instance Management, then click the Security Policy tab.
3. Click Authorize. On the Visualized Policy tab, set Effect to Allow or Deny and configure the Condition for the policy.

   Note: To view the policy as a JSON script, switch to the Script-based Policy tab.

   Parameters:

   Condition Key
   The condition key. Valid values:
   - acs:SourceVpc: Restricts client access by the source VPC.
   - ots:TLSVersion: Restricts client access by the TLS version used by the source.
   - acs:SourceIp: Restricts client access by the source IP address.
   - ots:AccessId: Restricts client access by the AccessKey ID (AK) of the requesting user.
   - acs:SecureTransport: Restricts client access by whether the request uses HTTPS.

   Important: The acs:SourceIp condition key matches only the source IP address of the request and does not distinguish between public and VPC-internal traffic. If you use only acs:SourceIp to restrict access, requests from other VPCs that happen to use the same IP range are also allowed, which creates an unauthorized-access risk. Always pair acs:SourceIp with acs:SourceVpc to make the network origin explicit.

   Operator
   The operator applied to the condition key. For more information, see Condition operators.

   Condition Value
   The value for the selected Condition Key.
   - acs:SourceVpc: Enter a valid VPC ID. To allow only internet access, enter vpc-* with the StringNotLike operator. To enter multiple values, place one VPC ID per line.
   - ots:TLSVersion: Select a TLS version. Valid values are TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3.
   - acs:SourceIp: Enter an IP address or a CIDR block. To enter multiple values, place one IP address or CIDR block per line.
   - ots:AccessId: Enter the AccessKey ID (AK) of the user. To enter multiple values, place one AccessKey ID per line.
   - acs:SecureTransport: Set the value to true to allow only HTTPS access, or false to allow only HTTP access.
4. Click Yes.

   After the policy is attached, view the complete policy on the Script-based Policy tab.
API
Use the UpdateInstancePolicy, DeleteInstancePolicy, and CheckInstancePolicy operations to manage the instance policy.
Common scenarios and policy examples
The following examples show the condition combinations and JSON policies for typical access control scenarios.
Allow access only from specific public IP addresses
Restrict access to specific public IP addresses by pairing acs:SourceIp with acs:SourceVpc so that the network origin is unambiguous. To match public-internet traffic, set acs:SourceVpc to vpc-* with the StringNotLike operator.
Set Effect to Allow and add the following two conditions:
| Condition Key | Operator | Condition Value |
| --- | --- | --- |
| acs:SourceIp | IpAddress | The public IP address or CIDR block allowed to access the instance. |
| acs:SourceVpc | StringNotLike | vpc-*, which excludes traffic from any VPC so that only public-internet requests match. |
The following example allows only the public IP address 203.0.113.5 to access the myinstance instance.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ots:*"],
      "Resource": ["acs:ots:*:13791xxxxxxxxxxx:instance/myinstance*"],
      "Principal": ["*"],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": ["203.0.113.5"]
        },
        "StringNotLike": {
          "acs:SourceVpc": ["vpc-*"]
        }
      }
    }
  ]
}
```
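The pairing rule from the Important note (acs:SourceIp together with acs:SourceVpc) and the explicit-deny precedence described under How it works can be checked with a small simulated evaluator. The following Python is an added example, not Tablestore's authorization engine or any Alibaba Cloud SDK code. It models the documented semantics and states two assumptions in its comments: a request that matches no statement is denied, and an absent string-valued condition key is treated as an empty string, so a public-internet request without acs:SourceVpc satisfies StringNotLike vpc-*. The principal, the region in the request resource, the "vpc-other" VPC ID and the request contexts are constructed; the account ID placeholder and instance name are the page's.

```python
"""Simulated evaluation of a Tablestore instance policy.

Added example, not Tablestore's authorization engine: it models the
documented semantics (every condition block in a statement must match, any
matching Deny overrides any Allow) plus two assumptions: a request that
matches no statement is denied, and an absent string-valued condition key
is treated as an empty string, so a public-internet request without
acs:SourceVpc satisfies StringNotLike vpc-*.
"""
import fnmatch
import ipaddress

# Placeholder account ID and instance name as they appear on the page.
RESOURCE = "acs:ots:*:13791xxxxxxxxxxx:instance/myinstance*"


def public_ip_policy(pair_with_vpc=True):
    """Policy modelled on the "specific public IP addresses" scenario, plus a
    Deny statement for legacy TLS versions so that deny precedence is visible.
    pair_with_vpc=False reproduces the pitfall of using acs:SourceIp alone."""
    allow_cond = {"IpAddress": {"acs:SourceIp": ["203.0.113.5"]}}
    if pair_with_vpc:
        allow_cond["StringNotLike"] = {"acs:SourceVpc": ["vpc-*"]}
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["ots:*"], "Resource": [RESOURCE],
             "Principal": ["*"], "Condition": allow_cond},
            {"Effect": "Deny", "Action": ["ots:*"], "Resource": [RESOURCE],
             "Principal": ["*"],
             "Condition": {"StringEquals": {"ots:TLSVersion": ["TLSv1", "TLSv1.1"]}}},
        ],
    }


def _glob_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def condition_matches(operator, key, expected, ctx):
    """Evaluate one operator/key pair against the request context dict."""
    actual = ctx.get(key)
    if operator in ("IpAddress", "NotIpAddress"):
        if actual is None:
            return False
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in expected)
        return hit if operator == "IpAddress" else not hit
    actual = "" if actual is None else str(actual)  # assumption: absent key == ""
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEquals":
        return actual not in expected
    if operator == "StringLike":
        return _glob_any(actual, expected)
    if operator == "StringNotLike":
        return not _glob_any(actual, expected)
    if operator == "Bool":
        return actual.lower() in [str(v).lower() for v in expected]
    raise ValueError(f"unsupported operator: {operator}")


def statement_matches(stmt, req):
    """Action, Resource, Principal and every condition block must all match."""
    if not _glob_any(req["action"], stmt["Action"]):
        return False
    if not _glob_any(req["resource"], stmt["Resource"]):
        return False
    if "*" not in stmt["Principal"] and req["principal"] not in stmt["Principal"]:
        return False
    return all(condition_matches(op, key, expected, req["context"])
               for op, block in stmt.get("Condition", {}).items()
               for key, expected in block.items())


def evaluate(policy, req):
    """Return "Deny" or "Allow": explicit Deny wins, no match is a Deny."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_matches(s, req)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


def sample_request(**ctx):
    """Constructed GetRow request on myinstance; ctx carries the condition keys."""
    return {"action": "ots:GetRow",
            "resource": "acs:ots:cn-hangzhou:13791xxxxxxxxxxx:instance/myinstance",
            "principal": "user-example", "context": ctx}


if __name__ == "__main__":
    paired, unpaired = public_ip_policy(True), public_ip_policy(False)
    internet = sample_request(**{"acs:SourceIp": "203.0.113.5", "ots:TLSVersion": "TLSv1.2"})
    other_vpc = sample_request(**{"acs:SourceIp": "203.0.113.5", "acs:SourceVpc": "vpc-other",
                                  "ots:TLSVersion": "TLSv1.2"})
    legacy_tls = sample_request(**{"acs:SourceIp": "203.0.113.5", "ots:TLSVersion": "TLSv1.1"})
    print("internet client, paired policy:", evaluate(paired, internet))     # Allow
    print("other VPC, paired policy:      ", evaluate(paired, other_vpc))    # Deny
    print("other VPC, SourceIp only:      ", evaluate(unpaired, other_vpc))  # Allow (the pitfall)
    print("legacy TLS, paired policy:     ", evaluate(paired, legacy_tls))   # Deny
```

Running the script shows the two points the page makes: with acs:SourceIp alone, a client inside a different VPC that presents the same address is allowed, while the paired policy denies it; and the Deny statement on legacy TLS versions blocks an otherwise allowed client.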
Allow access only from a specific VPC
Use this configuration to limit the instance to traffic that originates from one named VPC.
Set Effect to Allow and add the following condition:
| Condition Key | Operator | Condition Value |
| --- | --- | --- |
| acs:SourceVpc | StringEquals | The ID of the VPC allowed to access the instance. |
The following example allows access to the myinstance instance only from the VPC whose ID is vpc-bp1xxxxxxxxxxxxxxxx.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ots:*"],
      "Resource": ["acs:ots:*:13791xxxxxxxxxxx:instance/myinstance*"],
      "Principal": ["*"],
      "Condition": {
        "StringEquals": {
          "acs:SourceVpc": ["vpc-bp1xxxxxxxxxxxxxxxx"]
        }
      }
    }
  ]
}
```
Allow access only from a specific IP range in a specific VPC
Combine VPC and IP-range conditions to allow only the chosen CIDR block inside the chosen VPC to reach the instance.
Set Effect to Allow and add the following two conditions:
| Condition Key | Operator | Condition Value |
| --- | --- | --- |
| acs:SourceIp | IpAddress | The CIDR block allowed to access the instance. |
| acs:SourceVpc | StringEquals | The ID of the VPC, which restricts the request source to that VPC. |
The following example allows access to the myinstance instance only from the CIDR block 192.168.0.0/16 within the VPC whose ID is vpc-bp1xxxxxxxxxxxxxxxx.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ots:*"],
      "Resource": ["acs:ots:*:13791xxxxxxxxxxx:instance/myinstance*"],
      "Principal": ["*"],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": ["192.168.0.0/16"]
        },
        "StringEquals": {
          "acs:SourceVpc": ["vpc-bp1xxxxxxxxxxxxxxxx"]
        }
      }
    }
  ]
}
```
Restrict the TLS version for instance access
Require clients to negotiate one of the listed TLS versions before they can reach the instance.
Set Effect to Allow and add the following condition:
| Condition Key | Operator | Condition Value |
| --- | --- | --- |
| ots:TLSVersion | StringEquals | One or more TLS versions that clients must negotiate. Valid values are TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3. |
The following example allows only requests that negotiate TLSv1.2 or TLSv1.3 to reach the myinstance instance.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ots:*"],
      "Resource": ["acs:ots:*:13791xxxxxxxxxxx:instance/myinstance*"],
      "Principal": ["*"],
      "Condition": {
        "StringEquals": {
          "ots:TLSVersion": ["TLSv1.2", "TLSv1.3"]
        }
      }
    }
  ]
}
```
Limitations
The total size of all condition entries added to a single instance cannot exceed 4 KB.
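Before attaching a policy, the constraints this page states can be checked statically: an Allow statement that uses acs:SourceIp without acs:SourceVpc, TLS versions or acs:SecureTransport values outside the documented set, and condition entries that exceed the 4 KB limit. The following Python linter is an added example, not an official Tablestore validator. The page does not say how the service measures the 4 KB limit, so measuring the UTF-8 length of the compact JSON of every Condition block is this example's assumption; the RISKY_POLICY and oversized_policy() inputs are constructed, and the account ID placeholder, instance name and VPC ID placeholder are the page's.

```python
"""Static checks for a Tablestore instance policy before it is attached.

Added example, not an official validator. It flags what this page warns
about: acs:SourceIp without acs:SourceVpc in an Allow statement, TLS
versions or acs:SecureTransport values outside the documented set, and
condition entries larger than the 4 KB limit. Measuring that limit as the
UTF-8 length of the compact JSON of every Condition block is an assumption.
"""
import json

VALID_TLS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
MAX_CONDITION_BYTES = 4 * 1024
RESOURCE = "acs:ots:*:13791xxxxxxxxxxx:instance/myinstance*"  # placeholder account ID from the page


def _statement(effect, condition):
    return {"Effect": effect, "Action": ["ots:*"], "Resource": [RESOURCE],
            "Principal": ["*"], "Condition": condition}


# The page's "specific public IP addresses" policy: SourceIp paired with SourceVpc.
PAGE_POLICY = {"Version": "1", "Statement": [_statement("Allow", {
    "IpAddress": {"acs:SourceIp": ["203.0.113.5"]},
    "StringNotLike": {"acs:SourceVpc": ["vpc-*"]},
})]}

# Constructed policy with three defects: SourceIp alone, an unknown TLS
# version, and a non-boolean acs:SecureTransport value.
RISKY_POLICY = {"Version": "1", "Statement": [_statement("Allow", {
    "IpAddress": {"acs:SourceIp": ["203.0.113.5"]},
    "StringEquals": {"ots:TLSVersion": ["TLSv1.2", "TLSv1.4"]},
    "Bool": {"acs:SecureTransport": ["yes"]},
})]}


def oversized_policy():
    """Constructed policy whose 512 CIDR entries push the conditions past 4 KB."""
    cidrs = [f"10.{i // 256}.{i % 256}.0/24" for i in range(512)]
    return {"Version": "1", "Statement": [_statement("Allow", {
        "IpAddress": {"acs:SourceIp": cidrs},
        "StringEquals": {"acs:SourceVpc": ["vpc-bp1xxxxxxxxxxxxxxxx"]},
    })]}


def condition_bytes(policy):
    """Approximate size of all condition entries (see module docstring)."""
    return sum(len(json.dumps(s.get("Condition", {}), separators=(",", ":")).encode("utf-8"))
               for s in policy.get("Statement", []))


def lint_policy(policy):
    """Return a list of findings; an empty list means no issue was found."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        cond = stmt.get("Condition", {})
        keys = {k for block in cond.values() for k in block}
        if stmt.get("Effect") == "Allow" and "acs:SourceIp" in keys and "acs:SourceVpc" not in keys:
            findings.append(f"statement {i}: acs:SourceIp is used without acs:SourceVpc, so "
                            "requests from other VPCs in the same IP range would also be allowed")
        for block in cond.values():
            for key, values in block.items():
                if key == "ots:TLSVersion":
                    unknown = sorted(set(map(str, values)) - VALID_TLS)
                    if unknown:
                        findings.append(f"statement {i}: unknown TLS version(s) {unknown}")
                if key == "acs:SecureTransport":
                    bad = [v for v in values if str(v).lower() not in ("true", "false")]
                    if bad:
                        findings.append(f"statement {i}: acs:SecureTransport must be true or false, got {bad}")
    size = condition_bytes(policy)
    if size > MAX_CONDITION_BYTES:
        findings.append(f"condition entries total {size} bytes, above the 4 KB limit")
    return findings


if __name__ == "__main__":
    for name, pol in [("page policy", PAGE_POLICY), ("risky policy", RISKY_POLICY),
                      ("oversized policy", oversized_policy())]:
        print(name, "->", lint_policy(pol) or ["clean"])
```

The page's own policy produces no findings, the constructed risky policy produces one finding per defect, and the oversized policy is reported against the 4 KB limit before it would be rejected at attach time.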