RAM authorization - Cloud Firewall

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by Cloud Firewall for RAM permission policies. The RAM code (RamCode) for Cloud Firewall is yundun-cloudfirewall , and the supported authorization granularity is RESOURCE .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by Cloud Firewall. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
yundun-cloudfirewall:ModifyTrFirewallV2Configuration	ModifyTrFirewallV2Configuration	update	*VpcCenTrFirewall `acs:cloudfirewall::{#accountId}:vpccentrfirewall/{#FirewallId}`	None	None
yundun-cloudfirewall:DescribePolicyPriorUsed	DescribePolicyPriorUsed	list	All Resource ``	None	None
yundun-cloudfirewall:DescribeOutgoingDestinationIP	DescribeOutgoingDestinationIP	get	All Resource ``	None	None
yundun-cloudfirewall:DeletePrivateDnsEndpoint	DeletePrivateDnsEndpoint	delete	*PrivateDNS `acs:cloudfirewall::{#accountId}:privatedns/{#AccessInstanceId}`	None	None
yundun-cloudfirewall:DescribeRiskEventTopAttackType	DescribeRiskEventTopAttackType	list	All Resource ``	None	None
yundun-cloudfirewall:DescribeNatFirewallPolicyPriorUsed	DescribeNatFirewallPolicyPriorUsed	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeSecurityProxy	DescribeSecurityProxy	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeInstanceRiskLevels	DescribeInstanceRiskLevels	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeAssetStatistic	DescribeAssetStatistic	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeSdlEventSdList	DescribeSdlEventSdList	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeRiskEventPayload	DescribeRiskEventPayload	get	All Resource ``	None	None
yundun-cloudfirewall:AddControlPolicy	AddControlPolicy	create	ControlPolicy `acs:cloudfirewall::{#accountId}:controlpolicy/`	None	None
yundun-cloudfirewall:ModifyObjectGroupOperation	ModifyObjectGroupOperation	update	All Resource ``	None	None
yundun-cloudfirewall:ModifyPolicyAdvancedConfig	ModifyPolicyAdvancedConfig	update	*PolicyAdvancedConfig `acs:yundun-cloudfirewall::{#accountId}:policyadvancedconfig`	None	None
yundun-cloudfirewall:CreateAckClusterConnector	CreateAckClusterConnector	create	All Resource ``	None	None
yundun-cloudfirewall:DescribeAclRuleCount	DescribeAclRuleCount	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeSlrGrant	DescribeSlrGrant	get	All Resource ``	None	None
yundun-cloudfirewall:DeleteAckClusterConnector	DeleteAckClusterConnector	delete	All Resource ``	None	None
yundun-cloudfirewall:PutDisableAllFwSwitch	PutDisableAllFwSwitch	update	All Resource ``	None	None
yundun-cloudfirewall:DeleteControlPolicy	DeleteControlPolicy	delete	*ControlPolicy `acs:yundun-cloudfirewall::{#accountId}:controlpolicy/{#AclUuid}`	None	None
yundun-cloudfirewall:CreateTrFirewallV2	CreateTrFirewallV2	create	VpcCenTrFirewall `acs:yundun-cloudfirewall::{#accountId}:vpccentrfirewall/`	None	None
yundun-cloudfirewall:CreateVpcFirewallControlPolicy	CreateVpcFirewallControlPolicy	create	VpcFirewallControlPolicy `acs:cloudfirewall::{#accountId}:vpcfirewallcontrolpolicy/`	None	None
yundun-cloudfirewall:DescribeTrFirewallsV2RouteList	DescribeTrFirewallsV2RouteList	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeAckClusterConnector	DescribeAckClusterConnector	get	All Resource ``	None	None
yundun-cloudfirewall:ModifyVpcFirewallDefaultIPSConfig	ModifyVpcFirewallDefaultIPSConfig	update	*VpcFirewallIpsConfig `acs:cloudfirewall::{#accountId}:vpcfirewallipsconfig/{#VpcFirewallId}`	None	None
yundun-cloudfirewall:UpdatePostpayUserVpcStatus	UpdatePostpayUserVpcStatus	update	All Resource ``	None	None
yundun-cloudfirewall:DescribeInternetTrafficTrend	DescribeInternetTrafficTrend	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeAccessInstanceTask	DescribeAccessInstanceTask	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeCfwRiskLevelSummary	DescribeCfwRiskLevelSummary	get	All Resource ``	None	None
yundun-cloudfirewall:ReleaseExpiredInstance	ReleaseExpiredInstance	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeUserBuyVersion	DescribeUserBuyVersion	get	All Resource ``	None	None
yundun-cloudfirewall:ModifyControlPolicyPosition	ModifyControlPolicyPosition	update	All Resource ``	None	None
yundun-cloudfirewall:DescribeOutgoingDomain	DescribeOutgoingDomain	get	All Resource ``	None	None
yundun-cloudfirewall:CreatePrivateDnsEndpoint	CreatePrivateDnsEndpoint	create	PrivateDNS `acs:yundun-cloudfirewall::{#accountId}:privatedns/`	None	None
yundun-cloudfirewall:CreateSlsLogDispatch	CreateSlsLogDispatch	create	Instance `acs:yundun-cloudfirewall::{#accountId}:instance/{#InstanceId}`	None	None
yundun-cloudfirewall:DescribeOutgoingDestination	DescribeOutgoingDestination	get	All Resource ``	None	None
yundun-cloudfirewall:DeleteIpsPrivateAssoc	DeleteIpsPrivateAssoc	delete	All Resource ``	None	None
yundun-cloudfirewall:BatchDeleteVpcFirewallControlPolicy	BatchDeleteVpcFirewallControlPolicy	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeInternetOpenDetail	DescribeInternetOpenDetail	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeVpcFirewallCenDetail	DescribeVpcFirewallCenDetail	get	*VpcFirewallCen `acs:cloudfirewall::{#accountId}:vpcfirewallcen/{#VpcFirewallId}`	None	None
yundun-cloudfirewall:DescribeNatAclPageStatus	DescribeNatAclPageStatus	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeOutgoingStatistic	DescribeOutgoingStatistic	get	All Resource ``	None	None
yundun-cloudfirewall:ResetVpcFirewallRuleHitCount	ResetVpcFirewallRuleHitCount	update	*VpcFirewallControlPolicy `acs:yundun-cloudfirewall::{#accountId}:vpcfirewallcontrolpolicy/{#AclUuid}`	None	None
yundun-cloudfirewall:DescribePrivateDnsDomainNameList	DescribePrivateDnsDomainNameList	get	*PrivateDNS `acs:cloudfirewall::{#accountId}:privatedns/{#AccessInstanceId}`	None	None
yundun-cloudfirewall:DeleteAclBackupData	DeleteAclBackupData	delete	All Resource ``	None	None
yundun-cloudfirewall:ModifyControlPolicy	ModifyControlPolicy	update	*ControlPolicy `acs:cloudfirewall::{#accountId}:controlpolicy/{#AclUuid}`	None	None
yundun-cloudfirewall:PutEnableFwSwitch	PutEnableFwSwitch	update	All Resource ``	None	None
yundun-cloudfirewall:DescribeInternetTimeTop	DescribeInternetTimeTop	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeNatFirewallTimeTop	DescribeNatFirewallTimeTop	get	All Resource ``	None	None
yundun-cloudfirewall:UpdateSecurityProxy	UpdateSecurityProxy	update	All Resource ``	None	None
yundun-cloudfirewall:DescribeSlsAnalyzeOpenStatus	DescribeSlsAnalyzeOpenStatus	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeAccessInstanceVSwitchList	DescribeAccessInstanceVSwitchList	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeInternetServiceNameList	DescribeInternetServiceNameList	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeSignatureLibVersion	DescribeSignatureLibVersion	get	All Resource ``	None	None
yundun-cloudfirewall:UpdateAclCheckDetailStatus	UpdateAclCheckDetailStatus	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeTrFirewallPolicyBackUpAssociationList	DescribeTrFirewallPolicyBackUpAssociationList	get	*VpcCenTrFirewallPolicy `acs:cloudfirewall::{#accountId}:vpccentrfirewall/{#FirewallId}/{#TrFirewallRoutePolicyId}`	None	None
yundun-cloudfirewall:DescribeFirewallVSwitch	DescribeFirewallVSwitch	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeRiskEventTopAttackApp	DescribeRiskEventTopAttackApp	get	All Resource ``	None	None
yundun-cloudfirewall:CreateInstanceSyncTask	CreateInstanceSyncTask	create	All Resource ``	None	None
yundun-cloudfirewall:DescribeConfiguredDestinationIP	DescribeConfiguredDestinationIP	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeSdlStatistic	DescribeSdlStatistic	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeBatchSlsDispatchStatus	DescribeBatchSlsDispatchStatus	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeInvadeEcsTrend	DescribeInvadeEcsTrend	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeAclCheck	DescribeAclCheck	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeVpcFirewallPrecheckDetail	DescribeVpcFirewallPrecheckDetail	get	All Resource ``	None	None
yundun-cloudfirewall:DescribePostpayUserInternetStatus	DescribePostpayUserInternetStatus	get	All Resource ``	None	None
yundun-cloudfirewall:UpdateAITrafficAnalysisStatus	UpdateAITrafficAnalysisStatus	none	AiTrafficAnalysisStatus `acs:yundun-cloudfirewall::{#accountId}:aitrafficanalysisstatus/`	None	None
yundun-cloudfirewall:DescribeOutgoingRiskTrend	DescribeOutgoingRiskTrend	get	All Resource ``	None	None
yundun-cloudfirewall:ModifyNatFirewallControlPolicy	ModifyNatFirewallControlPolicy	update	*NatFirewallControlPolicy `acs:cloudfirewall::{#accountId}:natfirewallcontrolpolicy/{#AclUuid}`	None	None
yundun-cloudfirewall:DescribeVpcFirewallSummaryInfo	DescribeVpcFirewallSummaryInfo	get	All Resource ``	None	None
yundun-cloudfirewall:ModifySensitiveSwitch	ModifySensitiveSwitch	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeVpcFirewallDetail	DescribeVpcFirewallDetail	get	*VpcFirewall `acs:cloudfirewall::{#accountId}:vpcfirewall/{#VpcFirewallId}`	None	None
yundun-cloudfirewall:DescribeAckClusterNamespaces	DescribeAckClusterNamespaces	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeInternetOpenIp	DescribeInternetOpenIp	get	All Resource ``	None	None
yundun-cloudfirewall:CreateNatFirewallSyncTask	CreateNatFirewallSyncTask	create	All Resource ``	None	None
yundun-cloudfirewall:CreateNatFirewallPreCheck	CreateNatFirewallPreCheck	create	All Resource ``	None	None
yundun-cloudfirewall:ModifyControlPolicyPriority	ModifyControlPolicyPriority	get	*ControlPolicyOrder `acs:cloudfirewall::{#accountId}:controlpolicy/{#AclUuid}`	None	None
yundun-cloudfirewall:DescribeUserAlarmConfig	DescribeUserAlarmConfig	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeSensitiveSwitch	DescribeSensitiveSwitch	none	All Resource ``	None	None
yundun-cloudfirewall:ModifyVpcFirewallSwitchStatus	ModifyVpcFirewallSwitchStatus	update	*VpcFirewall `acs:cloudfirewall::{#accountId}:vpcfirewall/{#VpcFirewallId}`	None	None
yundun-cloudfirewall:DescribeThreatIntelligenceSwitch	DescribeThreatIntelligenceSwitch	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeAccessInstanceRegionList	DescribeAccessInstanceRegionList	none	All Resource ``	None	None
yundun-cloudfirewall:ModifyDnsFirewallPolicy	ModifyDnsFirewallPolicy	update	*DnsFirewallPolicy `acs:yundun-cloudfirewall::{#accountId}:dnsfirewallpolicy/{#AclUuid}`	None	None
yundun-cloudfirewall:DescribeVfwIPSConfigList	DescribeVfwIPSConfigList	list	All Resource ``	None	None
yundun-cloudfirewall:DescribePrivateDnsStatistics	DescribePrivateDnsStatistics	none	All Resource ``	None	None
yundun-cloudfirewall:DescribePrefixLists	DescribePrefixLists	list	All Resource ``	None	None
yundun-cloudfirewall:DescribePostpayEnabledProtection	DescribePostpayEnabledProtection	get	All Resource ``	None	None
yundun-cloudfirewall:SwitchSecurityProxy	SwitchSecurityProxy	none	*NatFirewall `acs:cloudfirewall::{#accountId}:natfirewall/{#ProxyId}`	None	None
yundun-cloudfirewall:CreateVpcFirewallCenManualConfigure	CreateVpcFirewallCenManualConfigure	create	VpcFirewallCen `acs:yundun-cloudfirewall::{#accountId}:vpcfirewallcen/`	None	None
yundun-cloudfirewall:DescribeFirewallTask	DescribeFirewallTask	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeRiskEventTopAttackAsset	DescribeRiskEventTopAttackAsset	get	All Resource ``	None	None
yundun-cloudfirewall:ModifyVpcFirewallAclEngineMode	ModifyVpcFirewallAclEngineMode	create	All Resource ``	None	None
yundun-cloudfirewall:DeletePrivateDnsAllDomainName	DeletePrivateDnsAllDomainName	delete	*PrivateDNS `acs:cloudfirewall::{#accountId}:privatedns/{#AccessInstanceId}`	None	None
yundun-cloudfirewall:DescribeVpcFirewallAssetRegionList	DescribeVpcFirewallAssetRegionList	none	All Resource ``	None	None
yundun-cloudfirewall:DeleteDnsFirewallPolicy	DeleteDnsFirewallPolicy	delete	*DnsFirewallPolicy `acs:yundun-cloudfirewall::{#accountId}:dnsfirewallpolicy/{#AclUuid}`	None	None
yundun-cloudfirewall:CreateDownloadTask	CreateDownloadTask	create	All Resource ``	None	None
yundun-cloudfirewall:DescribeOutgoingDestinationIPDetail	DescribeOutgoingDestinationIPDetail	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeAclCheckQuota	DescribeAclCheckQuota	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeNatFirewallControlPolicy	DescribeNatFirewallControlPolicy	list	*NatFirewallControlPolicy `acs:cloudfirewall::{#accountId}:natfirewallcontrolpolicy/{#AclUuid}`	None	None
yundun-cloudfirewall:ModifyThreatIntelligenceSwitch	ModifyThreatIntelligenceSwitch	none	*ThreatIntelligenceSwitch `acs:cloudfirewall::{#accountId}:threatintelligenceswitch/{#CategoryId}`	None	None
yundun-cloudfirewall:DescribeOutgoingRiskDomainAndIpCount	DescribeOutgoingRiskDomainAndIpCount	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeInvadeEventDetail	DescribeInvadeEventDetail	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeTrFirewallsV2List	DescribeTrFirewallsV2List	get	*VpcCenTrFirewall `acs:yundun-cloudfirewall::{#accountId}:vpccentrfirewall/{#FirewallId}`	None	None
yundun-cloudfirewall:CreateVpcFirewallCenConfigure	CreateVpcFirewallCenConfigure	create	VpcFirewallCen `acs:yundun-cloudfirewall::{#accountId}:vpcfirewallcen/`	None	None
yundun-cloudfirewall:DescribePrivateDnsEndpointDetail	DescribePrivateDnsEndpointDetail	get	*PrivateDNS `acs:cloudfirewall::{#accountId}:privatedns/{#AccessInstanceId}`	None	None
yundun-cloudfirewall:AddPrivateDnsDomainName	AddPrivateDnsDomainName	create	*PrivateDNS `acs:yundun-cloudfirewall::{#accountId}:privatedns/{#AccessInstanceId}`	None	None
yundun-cloudfirewall:DescribeNatFirewallAclGroupList	DescribeNatFirewallAclGroupList	get	All Resource ``	None	None
yundun-cloudfirewall:CreateTrFirewallV2RoutePolicy	CreateTrFirewallV2RoutePolicy	create	All Resource ``	None	None
yundun-cloudfirewall:DescribeNatFirewallPrecheckDetail	DescribeNatFirewallPrecheckDetail	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeVpcFirewallDefaultIPSConfig	DescribeVpcFirewallDefaultIPSConfig	get	*VpcFirewallIpsConfig `acs:cloudfirewall::{#accountId}:vpcfirewallipsconfig/{#VpcFirewallId}`	None	None
yundun-cloudfirewall:DescribePageDocuments	DescribePageDocuments	get	All Resource ``	None	None
yundun-cloudfirewall:DeleteNatFirewallControlPolicy	DeleteNatFirewallControlPolicy	delete	*NatFirewallControlPolicy `acs:cloudfirewall::{#accountId}:natfirewallcontrolpolicy/{#AclUuid}`	None	None
yundun-cloudfirewall:DescribeClearAuthInfo	DescribeClearAuthInfo	get	All Resource ``	None	None
yundun-cloudfirewall:ReleasePostInstance	ReleasePostInstance	delete	All Resource ``	None	None
yundun-cloudfirewall:ModifyUserIPSWhitelist	ModifyUserIPSWhitelist	update	All Resource ``	None	None
yundun-cloudfirewall:PutEnableAllFwSwitch	PutEnableAllFwSwitch	update	All Resource ``	None	None
yundun-cloudfirewall:DescribeVpcFirewallList	DescribeVpcFirewallList	get	*VpcFirewall `acs:cloudfirewall::{#accountId}:vpcfirewall/{#VpcFirewallId}`	None	None
yundun-cloudfirewall:DescribeInstanceRdAccounts	DescribeInstanceRdAccounts	get	All Resource ``	None	None
yundun-cloudfirewall:CreateNatFirewallControlPolicy	CreateNatFirewallControlPolicy	create	NatFirewallControlPolicy `acs:yundun-cloudfirewall::{#accountId}:natfirewallcontrolpolicy/`	None	None
yundun-cloudfirewall:DescribeIpsPrivateAssoc	DescribeIpsPrivateAssoc	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeCtrlInstanceMemberAccounts	DescribeCtrlInstanceMemberAccounts	get	All Resource ``	None	None
yundun-cloudfirewall:CreateSecurityProxy	CreateSecurityProxy	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeAddressBook	DescribeAddressBook	get	*AddressBook `acs:cloudfirewall::{#accountId}:addressbook/{#GroupUuid}`	None	None
yundun-cloudfirewall:ResetRuleHitCount	ResetRuleHitCount	none	All Resource ``	None	None
yundun-cloudfirewall:ModifyInstanceMemberAttributes	ModifyInstanceMemberAttributes	update	*InstanceMember `acs:cloudfirewall::{#accountId}:instancemember/{#MemberUid}`	None	None
yundun-cloudfirewall:DescribeVpcFirewallManualVSwitchList	DescribeVpcFirewallManualVSwitchList	get	All Resource ``	None	None
yundun-cloudfirewall:AddAclBackupData	AddAclBackupData	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeOutgoingDestinationCategory	DescribeOutgoingDestinationCategory	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeDomainResolve	DescribeDomainResolve	get	*Domain `acs:yundun-cloudfirewall::{#accountId}:domain/{#Domain}`	None	None
yundun-cloudfirewall:DescribeInvadeEventNameList	DescribeInvadeEventNameList	get	All Resource ``	None	None
yundun-cloudfirewall:DeleteInstanceMembers	DeleteInstanceMembers	delete	*InstanceMember `acs:cloudfirewall::{#accountId}:instancemember/{#MemberUid}`	None	None
yundun-cloudfirewall:ModifyUserSlsLogStorageTime	ModifyUserSlsLogStorageTime	update	All Resource ``	None	None
yundun-cloudfirewall:DescribePostpayTrafficTotal	DescribePostpayTrafficTotal	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeMemberInfo	DescribeMemberInfo	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeIspInfo	DescribeIspInfo	get	All Resource ``	None	None
yundun-cloudfirewall:DeleteVpcFirewallControlPolicy	DeleteVpcFirewallControlPolicy	delete	*VpcFirewallControlPolicy `acs:cloudfirewall::{#accountId}:vpcfirewallcontrolpolicy/{#AclUuid}`	None	None
yundun-cloudfirewall:ModifyNatFirewallControlPolicyPosition	ModifyNatFirewallControlPolicyPosition	update	*NatFirewallControlPolicy `acs:cloudfirewall::{#accountId}:natfirewallcontrolpolicy/{#AclUuid}`	None	None
yundun-cloudfirewall:DescribeVpcFirewallPolicyPriorUsed	DescribeVpcFirewallPolicyPriorUsed	get	*VpcFirewall `acs:cloudfirewall::{#accountId}:vpcfirewall/{#VpcFirewallId}`	None	None
yundun-cloudfirewall:DeleteVpcFirewallConfigure	DeleteVpcFirewallConfigure	delete	*VpcFirewall `acs:cloudfirewall::{#accountId}:vpcfirewall/{#VpcFirewallId}`	None	None
yundun-cloudfirewall:ModifyVpcFirewallCenSwitchStatus	ModifyVpcFirewallCenSwitchStatus	update	*VpcFirewallCen `acs:cloudfirewall::{#accountId}:vpcfirewallcen/{#VpcFirewallId}`	None	None
yundun-cloudfirewall:DescribeLocationInfo	DescribeLocationInfo	get	All Resource ``	None	None
yundun-cloudfirewall:DescribePostpayUserVpcStatus	DescribePostpayUserVpcStatus	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeNatFirewallQuota	DescribeNatFirewallQuota	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeUserIPSWhitelist	DescribeUserIPSWhitelist	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeInternetOpenService	DescribeInternetOpenService	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeControlPolicyDomainResolve	DescribeControlPolicyDomainResolve	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeVpcFirewallIPSWhitelist	DescribeVpcFirewallIPSWhitelist	get	All Resource ``	None	None
yundun-cloudfirewall:DescribePrivateDnsEndpointList	DescribePrivateDnsEndpointList	get	*PrivateDNS `acs:cloudfirewall::{#accountId}:privatedns/{#AccessInstanceId}`	None	None
yundun-cloudfirewall:DescribeVpcFirewallAccessDetail	DescribeVpcFirewallAccessDetail	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeConfiguredDomainNames	DescribeConfiguredDomainNames	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeVulnerabilityProtectedList	DescribeVulnerabilityProtectedList	get	All Resource ``	None	None
yundun-cloudfirewall:ModifyAddressBook	ModifyAddressBook	update	*AddressBook `acs:yundun-cloudfirewall::{#accountId}:addressbook/{#GroupUuid}`	None	None
yundun-cloudfirewall:DescribeAccessInstanceVpcList	DescribeAccessInstanceVpcList	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeDownloadTask	DescribeDownloadTask	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeDnsFirewallPolicy	DescribeDnsFirewallPolicy	get	*DnsFirewallPolicy `acs:yundun-cloudfirewall::{#accountId}:dnsfirewallpolicy/{#AclUuid}`	None	None
yundun-cloudfirewall:AddDomainResolveRealtimeTask	AddDomainResolveRealtimeTask	create	All Resource ``	None	None
yundun-cloudfirewall:CreateVpcFirewallPrecheck	CreateVpcFirewallPrecheck	create	All Resource ``	None	None
yundun-cloudfirewall:ModifySlsDispatchStatus	ModifySlsDispatchStatus	update	All Resource ``	None	None
yundun-cloudfirewall:AddDnsFirewallPolicy	AddDnsFirewallPolicy	get	DnsFirewallPolicy `acs:yundun-cloudfirewall::{#accountId}:dnsfirewallpolicy/`	None	None
yundun-cloudfirewall:DescribeSdlEventStatistic	DescribeSdlEventStatistic	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeUnprotectedVulnTrend	DescribeUnprotectedVulnTrend	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeVpcFirewallDropTrafficTrend	DescribeVpcFirewallDropTrafficTrend	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeSecurityMode	DescribeSecurityMode	get	All Resource ``	None	None
yundun-cloudfirewall:DeletePrivateDnsDomainName	DeletePrivateDnsDomainName	delete	*PrivateDNS `acs:cloudfirewall::{#accountId}:privatedns/{#AccessInstanceId}`	None	None
yundun-cloudfirewall:DescribeFirewallVswitchResources	DescribeFirewallVswitchResources	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeVpcFirewallAclGroupList	DescribeVpcFirewallAclGroupList	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeInternetOpenPort	DescribeInternetOpenPort	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeDownloadTaskType	DescribeDownloadTaskType	get	All Resource ``	None	None
yundun-cloudfirewall:ModifyIpsRulesToDefault	ModifyIpsRulesToDefault	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeSecurityProxyResources	DescribeSecurityProxyResources	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeRiskEventStatistic	DescribeRiskEventStatistic	list	All Resource ``	None	None
yundun-cloudfirewall:DescribeAclApps	DescribeAclApps	get	All Resource ``	None	None
yundun-cloudfirewall:ModifyVpcFirewallControlPolicyPosition	ModifyVpcFirewallControlPolicyPosition	update	All Resource ``	None	None
yundun-cloudfirewall:DescribeTrafficLog	DescribeTrafficLog	get	All Resource ``	None	None
yundun-cloudfirewall:ModifyVpcFirewallIPSWhitelist	ModifyVpcFirewallIPSWhitelist	update	All Resource ``	None	None
yundun-cloudfirewall:DescribeTrFirewallV2RoutePolicyList	DescribeTrFirewallV2RoutePolicyList	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeInternetOpenStatistic	DescribeInternetOpenStatistic	get	All Resource ``	None	None
yundun-cloudfirewall:ListTlsInspectCACertificates	ListTlsInspectCACertificates	list	*TlsInspectCaCertificate `acs:cloudfirewall::{#accountId}:tlsinspectcacertificate/{#CaCertId}`	None	None
yundun-cloudfirewall:DescribeAclWhitelist	DescribeAclWhitelist	list	All Resource ``	None	None
yundun-cloudfirewall:CreateVpcFirewallConfigure	CreateVpcFirewallConfigure	create	VpcFirewall `acs:cloudfirewall::{#accountId}:vpcfirewall/`	None	None
yundun-cloudfirewall:DeleteAddressBook	DeleteAddressBook	delete	*AddressBook `acs:cloudfirewall::{#accountId}:addressbook/{#GroupUuid}`	None	None
yundun-cloudfirewall:DescribeAclChecks	DescribeAclChecks	get	All Resource ``	None	None
yundun-cloudfirewall:PutDisableFwSwitch	PutDisableFwSwitch	update	All Resource ``	None	None
yundun-cloudfirewall:DescribeNetworkInstanceList	DescribeNetworkInstanceList	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeInternetSlb	DescribeInternetSlb	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeAclBackupList	DescribeAclBackupList	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeVpcFirewallAssetList	DescribeVpcFirewallAssetList	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeNatFirewallDropTrafficTrend	DescribeNatFirewallDropTrafficTrend	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeTrFirewallsV2Detail	DescribeTrFirewallsV2Detail	get	*VpcCenTrFirewall `acs:cloudfirewall::{#accountId}:vpccentrfirewall/{#FirewallId}`	None	None
yundun-cloudfirewall:ModifyPrivateDnsEndpoint	ModifyPrivateDnsEndpoint	update	*PrivateDNS `acs:cloudfirewall::{#accountId}:privatedns/{#AccessInstanceId}`	None	None
yundun-cloudfirewall:ModifyUserAlarmConfig	ModifyUserAlarmConfig	update	All Resource ``	None	None
yundun-cloudfirewall:DescribeLogStoreInfo	DescribeLogStoreInfo	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeInternetDropTrafficTrend	DescribeInternetDropTrafficTrend	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeOpenIpAccessSrcStat	DescribeOpenIpAccessSrcStat	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeResourceTypeAutoEnable	DescribeResourceTypeAutoEnable	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeAITrafficAnalysisStatus	DescribeAITrafficAnalysisStatus	none	AiTrafficAnalysisStatus `acs:yundun-cloudfirewall::{#accountId}:aitrafficanalysisstatus/`	None	None
yundun-cloudfirewall:DescribePolicyAdvancedConfig	DescribePolicyAdvancedConfig	list	*PolicyAdvancedConfig `acs:yundun-cloudfirewall::{#accountId}:policyadvancedconfig`	None	None
yundun-cloudfirewall:DescribeAssetList	DescribeAssetList	get	*Asset `acs:cloudfirewall::{#accountId}:asset/{#Type}`	None	None
yundun-cloudfirewall:DescribeInvadeEventList	DescribeInvadeEventList	get	All Resource ``	None	None
yundun-cloudfirewall:ClearLogStoreStorage	ClearLogStoreStorage	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeNatFirewallTrafficTrend	DescribeNatFirewallTrafficTrend	get	All Resource ``	None	None
yundun-cloudfirewall:ModifyVpcFirewallConfigure	ModifyVpcFirewallConfigure	update	*VpcFirewall `acs:cloudfirewall::{#accountId}:vpcfirewall/{#VpcFirewallId}`	None	None
yundun-cloudfirewall:DeleteNatFirewallControlPolicyBatch	DeleteNatFirewallControlPolicyBatch	delete	All Resource ``	None	None
yundun-cloudfirewall:DescribeRiskSecurityGroupDetail	DescribeRiskSecurityGroupDetail	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeAckClusterConnectors	DescribeAckClusterConnectors	get	All Resource ``	None	None
yundun-cloudfirewall:GetTlsInspectCertificateDownloadUrl	GetTlsInspectCertificateDownloadUrl	get	*TlsInspectCaCertificate `acs:yundun-cloudfirewall::{#accountId}:tlsinspectcacertificate/{#CaCertId}`	None	None
yundun-cloudfirewall:CreateVpcFirewallTask	CreateVpcFirewallTask	create	All Resource ``	None	None
yundun-cloudfirewall:DescribeOutgoingDomainDetail	DescribeOutgoingDomainDetail	get	All Resource ``	None	None
yundun-cloudfirewall:ModifyVpcFirewallControlPolicy	ModifyVpcFirewallControlPolicy	update	*VpcFirewallControlPolicy `acs:yundun-cloudfirewall::{#accountId}:vpcfirewallcontrolpolicy/{#AclUuid}`	None	None
yundun-cloudfirewall:DescribeFirewallDropStatistics	DescribeFirewallDropStatistics	get	All Resource ``	None	None
yundun-cloudfirewall:ResetNatFirewallRuleHitCount	ResetNatFirewallRuleHitCount	update	All Resource ``	None	None
yundun-cloudfirewall:DescribeAckClusters	DescribeAckClusters	get	All Resource ``	None	None
yundun-cloudfirewall:DeleteFirewallV2RoutePolicies	DeleteFirewallV2RoutePolicies	delete	*VpcCenTrFirewallPolicy `acs:yundun-cloudfirewall::{#accountId}:vpccentrfirewall/{#FirewallId}/{#TrFirewallRoutePolicyId}`	None	None
yundun-cloudfirewall:DescribeRegionInfo	DescribeRegionInfo	list	All Resource ``	None	None
yundun-cloudfirewall:UseAclBackupData	UseAclBackupData	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeInternetTrafficTop	DescribeInternetTrafficTop	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeOutgoingAssetList	DescribeOutgoingAssetList	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeAssetRiskList	DescribeAssetRiskList	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeControlPolicy	DescribeControlPolicy	get	ControlPolicyOrder `acs:cloudfirewall::{#accountId}:controlpolicy/{#AclUuid}/controlpolicyorder/{#Direction}` ControlPolicy `acs:cloudfirewall::{#accountId}:controlpolicy/{#AclUuid}`	None	None
yundun-cloudfirewall:DescribeUserAssetIPTrafficInfo	DescribeUserAssetIPTrafficInfo	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeInstanceMembers	DescribeInstanceMembers	get	*InstanceMember `acs:cloudfirewall::{#accountId}:instancemember/{#MemberUid}`	None	None
yundun-cloudfirewall:AddAddressBook	AddAddressBook	create	AddressBook `acs:yundun-cloudfirewall::{#accountId}:addressbook/`	None	None
yundun-cloudfirewall:DescribeSdlEventDetail	DescribeSdlEventDetail	none	All Resource ``	None	None
yundun-cloudfirewall:ModifyIpsRules	ModifyIpsRules	get	All Resource ``	None	None
yundun-cloudfirewall:EnableSdlProtectedAsset	EnableSdlProtectedAsset	update	All Resource ``	None	None
yundun-cloudfirewall:DescribeVpcFirewallZone	DescribeVpcFirewallZone	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeVpcFirewallControlPolicy	DescribeVpcFirewallControlPolicy	get	VpcFirewallControlPolicy `acs:cloudfirewall::{#accountId}:vpcfirewallcontrolpolicy/{#AclUuid}` VpcFirewall `acs:cloudfirewall::{#accountId}:vpcfirewall/{#VpcFirewallId}`	None	None
yundun-cloudfirewall:DescribeUnprotectedPortTrend	DescribeUnprotectedPortTrend	get	All Resource ``	None	None
yundun-cloudfirewall:ModifyTrFirewallV2RoutePolicyScope	ModifyTrFirewallV2RoutePolicyScope	update	*VpcCenTrFirewallPolicy `acs:cloudfirewall::{#accountId}:vpccentrfirewall/{#FirewallId}/{#TrFirewallRoutePolicyId}`	None	None
yundun-cloudfirewall:DescribeAttackAppCategory	DescribeAttackAppCategory	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeNetworkInstanceRelationList	DescribeNetworkInstanceRelationList	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeAckClusterPodLabels	DescribeAckClusterPodLabels	get	All Resource ``	None	None
yundun-cloudfirewall:DeleteVpcFirewallCenConfigure	DeleteVpcFirewallCenConfigure	delete	*VpcFirewallCen `acs:cloudfirewall::{#accountId}:vpcfirewallcen/{#VpcFirewallId}`	None	None
yundun-cloudfirewall:DescribeVpcFirewallCenList	DescribeVpcFirewallCenList	get	*VpcFirewallCen `acs:cloudfirewall::{#accountId}:vpcfirewallcen/{#VpcFirewallId}`	None	None
yundun-cloudfirewall:DescribePostpayUserNatStatus	DescribePostpayUserNatStatus	get	All Resource ``	None	None
yundun-cloudfirewall:ModifyDefaultIPSConfig	ModifyDefaultIPSConfig	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeVpcZone	DescribeVpcZone	list	All Resource ``	None	None
yundun-cloudfirewall:DescribeSdlEventList	DescribeSdlEventList	none	All Resource ``	None	None
yundun-cloudfirewall:CreateAclCheck	CreateAclCheck	create	All Resource ``	None	None
yundun-cloudfirewall:DeleteControlPolicyTemplate	DeleteControlPolicyTemplate	delete	All Resource ``	None	None
yundun-cloudfirewall:DescribeNetworkTrafficTopRatio	DescribeNetworkTrafficTopRatio	get	All Resource ``	None	None
yundun-cloudfirewall:UpdatePostpayUserNatStatus	UpdatePostpayUserNatStatus	get	All Resource ``	None	None
yundun-cloudfirewall:UpdateAckClusterConnector	UpdateAckClusterConnector	update	All Resource ``	None	None
yundun-cloudfirewall:DescribeCreatedNatFirewall	DescribeCreatedNatFirewall	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeAccessInstanceZoneList	DescribeAccessInstanceZoneList	none	All Resource ``	None	None
yundun-cloudfirewall:DescribeRiskEventGroup	DescribeRiskEventGroup	list	All Resource ``	None	None
yundun-cloudfirewall:DisableSdlProtectedAsset	DisableSdlProtectedAsset	update	All Resource ``	None	None
yundun-cloudfirewall:DescribePostpayTrafficDetail	DescribePostpayTrafficDetail	get	All Resource ``	None	None
yundun-cloudfirewall:ModifyFirewallV2RoutePolicySwitch	ModifyFirewallV2RoutePolicySwitch	update	*VpcCenTrFirewallPolicy `acs:cloudfirewall::{#accountId}:vpccentrfirewall/{#FirewallId}/{#TrFirewallRoutePolicyId}`	None	None
yundun-cloudfirewall:ModifyResourceTypeAutoEnable	ModifyResourceTypeAutoEnable	update	All Resource ``	None	None
yundun-cloudfirewall:DeleteDownloadTask	DeleteDownloadTask	delete	All Resource ``	None	None
yundun-cloudfirewall:DescribeVpcFirewallCenSummaryList	DescribeVpcFirewallCenSummaryList	get	All Resource ``	None	None
yundun-cloudfirewall:CreateIpsPrivateAssoc	CreateIpsPrivateAssoc	create	All Resource ``	None	None
yundun-cloudfirewall:BatchCopyVpcFirewallControlPolicy	BatchCopyVpcFirewallControlPolicy	update	VpcFirewallControlPolicy `acs:yundun-cloudfirewall::{#accountId}:vpcfirewallcontrolpolicy/`	None	None
yundun-cloudfirewall:DescribeDefaultIPSConfig	DescribeDefaultIPSConfig	get	All Resource ``	None	None
yundun-cloudfirewall:DeleteSecurityProxy	DeleteSecurityProxy	get	*NatFirewall `acs:cloudfirewall::{#accountId}:natfirewall/{#ProxyId}`	None	None
yundun-cloudfirewall:UpdatePostpayUserInternetStatus	UpdatePostpayUserInternetStatus	update	All Resource ``	None	None
yundun-cloudfirewall:ModifyVpcFirewallCenConfigure	ModifyVpcFirewallCenConfigure	update	*VpcFirewallCen `acs:cloudfirewall::{#accountId}:vpcfirewallcen/{#VpcFirewallId}`	None	None
yundun-cloudfirewall:DeleteTrFirewallV2	DeleteTrFirewallV2	delete	*VpcCenTrFirewall `acs:cloudfirewall::{#accountId}:vpccentrfirewall/{#FirewallId}`	None	None
yundun-cloudfirewall:DescribeACLProtectTrend	DescribeACLProtectTrend	get	All Resource ``	None	None
yundun-cloudfirewall:AddInstanceMembers	AddInstanceMembers	create	InstanceMember `acs:yundun-cloudfirewall::{#accountId}:instancemember/`	None	None
yundun-cloudfirewall:DescribeInvadeEventStatistic	DescribeInvadeEventStatistic	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeTransitRouterResourcesList	DescribeTransitRouterResourcesList	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeOutgoingTag	DescribeOutgoingTag	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeVpcListLite	DescribeVpcListLite	get	All Resource ``	None	None
yundun-cloudfirewall:DescribeNatFirewallList	DescribeNatFirewallList	get	*NatFirewall `acs:cloudfirewall::{#accountId}:natfirewall/{#ProxyId}`	None	None

Resource

The following table lists the resources defined by Cloud Firewall. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type	ARN
VpcCenTrFirewall	acs:cloudfirewall::{#accountId}:vpccentrfirewall/{#FirewallId} acs:yundun-cloudfirewall::{#accountId}:vpccentrfirewall/* acs:yundun-cloudfirewall::{#accountId}:vpccentrfirewall/{#FirewallId}
PrivateDNS	acs:cloudfirewall::{#accountId}:privatedns/{#AccessInstanceId} acs:yundun-cloudfirewall::{#accountId}:privatedns/* acs:yundun-cloudfirewall::{#accountId}:privatedns/{#AccessInstanceId}
ControlPolicy	acs:cloudfirewall::{#accountId}:controlpolicy/* acs:yundun-cloudfirewall::{#accountId}:controlpolicy/{#AclUuid} acs:cloudfirewall::{#accountId}:controlpolicy/{#AclUuid}
PolicyAdvancedConfig	acs:yundun-cloudfirewall::{#accountId}:policyadvancedconfig
VpcFirewallControlPolicy	acs:cloudfirewall::{#accountId}:vpcfirewallcontrolpolicy/* acs:yundun-cloudfirewall::{#accountId}:vpcfirewallcontrolpolicy/{#AclUuid} acs:cloudfirewall::{#accountId}:vpcfirewallcontrolpolicy/{#AclUuid} acs:yundun-cloudfirewall::{#accountId}:vpcfirewallcontrolpolicy/*
VpcFirewallIpsConfig	acs:cloudfirewall::{#accountId}:vpcfirewallipsconfig/{#VpcFirewallId}
Instance	acs:yundun-cloudfirewall::{#accountId}:instance/{#InstanceId}
VpcFirewallCen	acs:cloudfirewall::{#accountId}:vpcfirewallcen/{#VpcFirewallId} acs:yundun-cloudfirewall::{#accountId}:vpcfirewallcen/*
VpcCenTrFirewallPolicy	acs:cloudfirewall::{#accountId}:vpccentrfirewall/{#FirewallId}/{#TrFirewallRoutePolicyId} acs:yundun-cloudfirewall::{#accountId}:vpccentrfirewall/{#FirewallId}/{#TrFirewallRoutePolicyId}
AiTrafficAnalysisStatus	acs:yundun-cloudfirewall::{#accountId}:aitrafficanalysisstatus/*
NatFirewallControlPolicy	acs:cloudfirewall::{#accountId}:natfirewallcontrolpolicy/{#AclUuid} acs:yundun-cloudfirewall::{#accountId}:natfirewallcontrolpolicy/*
VpcFirewall	acs:cloudfirewall::{#accountId}:vpcfirewall/{#VpcFirewallId} acs:cloudfirewall::{#accountId}:vpcfirewall/*
ControlPolicyOrder	acs:cloudfirewall::{#accountId}:controlpolicy/{#AclUuid} acs:cloudfirewall::{#accountId}:controlpolicy/{#AclUuid}/controlpolicyorder/{#Direction}
ThreatIntelligenceSwitch	acs:cloudfirewall::{#accountId}:threatintelligenceswitch acs:cloudfirewall::{#accountId}:threatintelligenceswitch/{#CategoryId}
DnsFirewallPolicy	acs:yundun-cloudfirewall::{#accountId}:dnsfirewallpolicy/{#AclUuid} acs:yundun-cloudfirewall::{#accountId}:dnsfirewallpolicy/*
NatFirewall	acs:cloudfirewall::{#accountId}:natfirewall/{#ProxyId}
AddressBook	acs:cloudfirewall::{#accountId}:addressbook/{#GroupUuid} acs:yundun-cloudfirewall::{#accountId}:addressbook/{#GroupUuid} acs:yundun-cloudfirewall::{#accountId}:addressbook/*
InstanceMember	acs:cloudfirewall::{#accountId}:instancemember/{#MemberUid} acs:yundun-cloudfirewall::{#accountId}:instancemember/*
Domain	acs:yundun-cloudfirewall::{#accountId}:domain/{#Domain}
TlsInspectCaCertificate	acs:cloudfirewall::{#accountId}:tlsinspectcacertificate/{#CaCertId} acs:yundun-cloudfirewall::{#accountId}:tlsinspectcacertificate/{#CaCertId}
Asset	acs:cloudfirewall::{#accountId}:asset/{#Type}

Condition

Cloud Firewall does not define product-level condition keys. However, you can use Alibaba Cloud common condition keys for access control. For more information, see Common condition keys.

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: