All Products
Search
Document Center

CDN:Alibaba Cloud CDN custom policies

Last Updated:May 07, 2024

If the system policies of Resource Access Management (RAM) cannot meet your requirements, you can create custom policies to implement the principle of least privilege. Custom policies allow you to achieve fine-grained control over permissions and improve resource access security. This topic describes common scenarios where you can use custom policies for Alibaba Cloud CDN and provides examples.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.

  • After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.

  • You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.

  • Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

References

Scenarios of custom policies and sample custom policies

  • Example 1: Grant purge and prefetch permissions

    This policy grants the RAM user permissions on the purge and prefetch API operations. The RAM user can call API operations to prefetch or refresh resources.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "cdn:PushObjectCache",
            "cdn:RefreshObjectCaches",
            "cdn:DescribeRefreshTasks",
            "cdn:DescribeRefreshQuota"
          ],
          "Resource": "acs:cdn:*:*:*",
          "Effect": "Allow"
        }
      ]
    }
  • Example 2: Revoke the permissions that allow a RAM user to change the metering method

    {
        "Statement": [
            {
                "Action": "cdn:*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "cdn:OpenCdnService",
                    "cdn:ModifyCdnService"
                ],
                "Resource": "*",
                "Effect": "Deny"
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "cdn-waf.cdn.aliyuncs.com",
                            "cdn-ddos.cdn.aliyuncs.com"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }

Authorization information

To use a custom policy, you must understand the permission control requirements of your business and the authorization information about Alibaba Cloud CDN. For more information, see RAM authorization.