
Container Compute Service: System policies for ACC

Last updated: Nov 27, 2025

What is a system policy?

A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. Alibaba Cloud Resource Access Management (RAM) provides system policies and custom policies. All system policies are created and updated by Alibaba Cloud. You can use system policies, but you cannot modify them. You can create, update, and delete custom policies based on your business requirements. During service iteration, ACC adds new permissions to system policies to support new features and capabilities. An update to a system policy affects all RAM identities to which the policy is attached, including RAM users, RAM user groups, and RAM roles. For more information about RAM policies, see Policy overview.

Note

System policies are designed for new users to quickly get started with Alibaba Cloud products on the management console, though they also enable the use of more advanced methods like API operations or CLI commands. If you are familiar with the advanced methods, we recommend that you use custom policies to implement finer-grained control on who is permitted to call what API operations, thereby improving security.

System policies can be classified into service system policies, service role policies, and service-linked role policies. Some cloud services provide only one or two of the three types of policies. For more information, see the policy types that are described in the following section.

Service system policies

AliyunAccFullAccess

The AliyunAccFullAccess policy provides full access to Container Compute Service (ACS) via the management console. It can be attached to RAM identities.

Service role policies

AliyunCCAgentSandboxRolePolicy

The AliyunCCAgentSandboxRolePolicy policy is the dedicated authorization policy of the AliyunCCAgentSandboxRole service role. By default, ACS will use this role to access your resources in other services. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCCISDefaultRolePolicy

The AliyunCCCISDefaultRolePolicy policy is the dedicated authorization policy of the AliyunCCCISDefaultRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCCSIPluginRolePolicy

The AliyunCCCSIPluginRolePolicy policy is the dedicated authorization policy of the AliyunCCCSIPluginRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCForResourceProviderRolePolicy

The AliyunCCForResourceProviderRolePolicy policy is the dedicated authorization policy of the AliyunCCForResourceProviderRole service role. By default, ACS will use this role to access your resources in other services. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCKubernetesAuditRolePolicy

The AliyunCCKubernetesAuditRolePolicy policy is the dedicated authorization policy of the AliyunCCKubernetesAuditRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCManagedACSBrokerRolePolicy

The AliyunCCManagedACSBrokerRolePolicy policy is the dedicated authorization policy of the AliyunCCManagedACSBrokerRole service role. By default, ACS will use this role to access your resources in other services. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCManagedAcrRolePolicy

The AliyunCCManagedAcrRolePolicy policy is the dedicated authorization policy of the AliyunCCManagedAcrRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCManagedApigRolePolicy

The AliyunCCManagedApigRolePolicy policy is the dedicated authorization policy of the AliyunCCManagedApigRole service role. By default, ACS will use this role to access your resources in APIG. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCManagedArmsRolePolicy

The AliyunCCManagedArmsRolePolicy policy is the dedicated authorization policy of the AliyunCCManagedArmsRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCManagedCostRolePolicy

The AliyunCCManagedCostRolePolicy policy is the dedicated authorization policy of the AliyunCCManagedCostRole service role. By default, ACS will use this role to access your resources in other services. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCManagedLogRolePolicy

The AliyunCCManagedLogRolePolicy policy is the dedicated authorization policy of the AliyunCCManagedLogRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCManagedMseRolePolicy

The AliyunCCManagedMseRolePolicy policy is the dedicated authorization policy of the AliyunCCManagedMseRole service role. By default, ACS will use this role to access your resources in other services. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCManagedNetworkRolePolicy

The AliyunCCManagedNetworkRolePolicy policy is the dedicated authorization policy of the AliyunCCManagedNetworkRole service role. By default, ACS uses this role to access your network-related cloud resources. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCManagedSecurityRolePolicy

The AliyunCCManagedSecurityRolePolicy policy is the dedicated authorization policy of the AliyunCCManagedSecurityRole service role. By default, ACS utilizes this role to access your KMS service for issuing tokens related to the control plane disk encryption component. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCManagedVirtualNodeRolePolicy

The AliyunCCManagedVirtualNodeRolePolicy policy is the dedicated authorization policy of the AliyunCCManagedVirtualNodeRole service role. By default, ACS will use this role to access your resources in other services. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCNECRolePolicy

The AliyunCCNECRolePolicy policy is the dedicated authorization policy of the AliyunCCNECRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunCCPrivateZoneRolePolicy

The AliyunCCPrivateZoneRolePolicy policy is the dedicated authorization policy of the AliyunCCPrivateZoneRole service role. By default, ACS will use this role to access your resources in other services. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

Service-linked role policies

AliyunServiceRolePolicyForAcc

ACC assumes the AliyunServiceRoleForAcc service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForAcc policy is the dedicated authorization policy of the AliyunServiceRoleForAcc service-linked role. This policy is defined and used by ACC. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForAccImc

ACC assumes the AliyunServiceRoleForAccImc service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForAccImc policy is the dedicated authorization policy of the AliyunServiceRoleForAccImc service-linked role. This policy is defined and used by ACC. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

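The rule repeated above, that a dedicated policy must be attached only to its own service role or service-linked role, can be checked mechanically. The following is an added example, not Alibaba Cloud code: it assumes the JSON shape returned by the RAM ListEntitiesForPolicy operation (`Users.User`, `Groups.Group`, `Roles.Role`), derives the expected role from the naming pattern of the policies listed on this page, and runs on a constructed sample response.

```python
import json
import re


def expected_role(policy_name):
    """Return the only role that should hold this policy, or None if unrestricted."""
    m = re.fullmatch(r"AliyunServiceRolePolicyFor(\w+)", policy_name)
    if m:  # service-linked role policy, e.g. AliyunServiceRolePolicyForAcc
        return "AliyunServiceRoleFor" + m.group(1)
    if policy_name.endswith("RolePolicy"):  # service role policy
        return policy_name[: -len("Policy")]
    return None  # service system policy such as AliyunAccFullAccess


def misattachments(policy_name, response):
    """List (kind, name) identities that hold a dedicated policy but should not."""
    role = expected_role(policy_name)
    if role is None:
        return []
    found = []
    # Users and groups must never hold a dedicated role policy.
    for user in response.get("Users", {}).get("User", []):
        found.append(("user", user["UserName"]))
    for group in response.get("Groups", {}).get("Group", []):
        found.append(("group", group["GroupName"]))
    # Among roles, only the dedicated one is expected (compared case-insensitively).
    for entry in response.get("Roles", {}).get("Role", []):
        if entry["RoleName"].lower() != role.lower():
            found.append(("role", entry["RoleName"]))
    return found


# Constructed sample response; the user and the second role are hypothetical names.
SAMPLE = json.loads("""
{
  "Users":  {"User":  [{"UserName": "ci-deployer"}]},
  "Groups": {"Group": []},
  "Roles":  {"Role":  [{"RoleName": "AliyunCCManagedLogRole"},
                       {"RoleName": "app-logging-role"}]}
}
""")

if __name__ == "__main__":
    for kind, name in misattachments("AliyunCCManagedLogRolePolicy", SAMPLE):
        print(f"AliyunCCManagedLogRolePolicy is attached to {kind} {name}")
```
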

References

By default, RAM identities do not have any permissions. RAM identities can access cloud resources within an Alibaba Cloud account only after an account administrator grants the required permissions to the RAM identities. To ensure resource security, we recommend that you grant only the required permissions to the RAM identities based on the principle of least privilege. For more information, see the following topics: