
Virtual Private Cloud: Custom policies for VPC

Last Updated: Apr 10, 2026

If system policies do not meet your requirements, you can create custom policies to enforce the principle of least privilege. Custom policies provide fine-grained access control, which is an effective way to improve resource security. This topic describes use cases for custom policies and provides example policies for Virtual Private Cloud (VPC).

What is a custom policy

Resource Access Management (RAM) policies come in two types: system policies (managed by Alibaba Cloud) and custom policies (managed by you). Custom policies give you precise control over permissions when system policies do not meet your requirements.

After creating a custom policy, attach it to a RAM user, a user group, or a RAM role to grant the specified permissions to that principal. The policy takes effect only after it is attached.

Manage custom policies

Operation             | Behavior
----------------------|------------------------------------------------------------------------------------------
Create and attach     | Create a custom policy, then attach it to the target principal.
Delete (unattached)   | Delete any custom policy that is not currently attached to a principal.
Delete (attached)     | Detach the policy from all principals first, then delete it.
Version management    | Custom policies support version control. Use the version management mechanism in RAM to manage policy versions.

VPC policy examples

  • Example 1: Grant full management access to VPCs

    This policy grants a RAM user permissions to manage all VPCs in account 1234567 (the first statement). The second statement additionally grants read-only (Describe) permissions on all ECS resources.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*"
                ],
                "Resource": [
                    "acs:vpc:*:1234567:*/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  • Example 2: Grant management access to vSwitches in a specific region

    This policy grants a RAM user permissions to manage vSwitches in the China (Qingdao) region. The user can create and delete vSwitches, and associate and disassociate subnet routes. The read-only ECS permissions in the second statement are limited to the same region. This policy does not grant permissions for vSwitches in other regions.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*",
                    "vpc:*vSwitch*",
                    "vpc:*RouteTable*"
                ],
                "Resource": [
                    "acs:vpc:cn-qingdao:*:*/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "acs:ecs:cn-qingdao:*:*/*"
                ]
            }
        ]
    }
  • Example 3: Grant permissions to manage route tables and route entries in a specific region

    This policy grants a RAM user permissions to manage route tables and route entries of VPCs in the China (Hangzhou) region of account 11111111. The permissions are limited to adding and deleting route entries, and creating subnet routes and associating them with a vSwitch. This policy also grants read-only permissions for all ECS, SLB, and RDS resources.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "slb:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "rds:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*",
                    "vpc:*RouteEntry*",
                    "vpc:*RouteTable*"
                ],
                "Resource": [
                    "acs:vpc:cn-hangzhou:11111111:*/*"
                ]
            }
        ]
    }
  • Example 4: Grant permissions to modify route entries in a specific route table

    This policy grants a RAM user permissions to add and delete route entries only in the specified route table (vtb-m5e64ujkb7xn5zlq0xxxx in the China (Qingdao) region). The remaining statements grant read-only (Describe) permissions on VPC and ECS resources so the user can view, but not change, other resources.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*RouteEntry*"
                ],
                "Resource": [
                    "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
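To see how the Action and Resource wildcards in these examples scope a principal, the following is an added Python example (not part of this page and not the RAM policy engine): a simplified evaluator that loads Example 2 and decides constructed requests. It assumes `*` is the only wildcard, that matching is case-insensitive (which the page's `vpc:*vSwitch*` pattern relies on to cover actions such as CreateVSwitch), that an explicit Deny overrides Allow with deny as the default, and it ignores Condition elements.

```python
import json
from fnmatch import fnmatchcase

# Example 2 from this page: vSwitch and route-table management limited
# to the China (Qingdao) region, plus read-only ECS in the same region.
EXAMPLE_2 = json.loads("""
{
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["vpc:*Describe*", "vpc:*vSwitch*", "vpc:*RouteTable*"],
         "Resource": ["acs:vpc:cn-qingdao:*:*/*"]},
        {"Effect": "Allow",
         "Action": ["ecs:*Describe*"],
         "Resource": ["acs:ecs:cn-qingdao:*:*/*"]}
    ]
}
""")


def _matches(patterns, value):
    # Assumption: '*' is the only wildcard and matching is case-insensitive,
    # which is what the page's "vpc:*vSwitch*" pattern relies on.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified RAM-style decision: an explicit Deny wins, then any
    matching Allow, otherwise deny by default. Condition blocks are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample ARNs: account and resource IDs are placeholders.
    qd = "acs:vpc:cn-qingdao:1234567:vswitch/vsw-constructed"
    hz = "acs:vpc:cn-hangzhou:1234567:vswitch/vsw-constructed"
    for action, resource in [("vpc:CreateVSwitch", qd),
                             ("vpc:CreateVSwitch", hz), ("vpc:DeleteVpc", qd)]:
        print(is_allowed(EXAMPLE_2, action, resource), action, resource)
```

Running it shows the region scoping at work: the same vSwitch action is allowed in cn-qingdao and refused in cn-hangzhou, and a VPC-level action outside the listed patterns is refused even in the permitted region.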