If the system policies of Resource Access Management (RAM) cannot meet your requirements, you can create custom policies to implement the principle of least privilege. You can use custom policies to manage permissions in a fine-grained manner and improve resource access security. This topic describes the scenarios in which custom policies for VPN Gateway are used.
What is a custom policy?
RAM policies are classified into system policies and custom policies. You can create, update, and delete custom policies. You must manage the version updates of custom policies.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can directly delete a RAM policy that is not attached to a principal. If a RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage the versions of custom policies based on the version management mechanism provided by RAM.
References
Authorization information
Before you use custom policies, you must understand the permission management requirements of your business and the authorization information about VPN Gateway. For more information, see RAM authorization.