If system policies cannot meet your specific requirements, you can create custom policies to implement the principle of least privilege. Custom policies allow you to achieve fine-grained control over permissions and improve resource access security. This topic describes the scenarios and samples of the custom policies for Express Connect.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You need to maintain custom policies.
After you create a custom policy, you need to attach it to a RAM user, a user group, or a RAM role so that the permissions specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
RAM authorization information
To use custom policies, you need to take note of the permission control requirements of your business and the authorization information for private connections. For more information, see RAM authorization.
Sample custom policies
Sample 1: Authorize a RAM user to manage all Express Connect circuits.
Assume that the ID of your Alibaba Cloud account is 132193271328**** and you want to authorize a RAM user to manage all Express Connect circuits that belong to your account.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "vpc:*PhysicalConnection*" ], "Resource": [ "acs:vpc:*:132193271328****:physicalconnection/*" ] }, { "Effect": "Allow", "Action": [ "vpc:*Describe*" ], "Resource": [ "*" ] } ] }
Example 2: Authorize a RAM user to manage VBRs that are deployed in a specific region.
Assume that you want to authorize a RAM user to manage, create, or delete VBRs that are deployed in the China (Qingdao) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "vpc:*Vbr*", ], "Resource": [ "acs:vpc:cn-qingdao:*:virtualborderrouter/*" ] }, { "Effect": "Allow", "Action": [ "vpc:*Describe*" ], "Resource": [ "*" ] } ] }
Example 3: Authorize a RAM user to manage router interfaces that are deployed in a specific region.
Assume that you want to authorize a RAM user to manage, create, or delete router interfaces that are in the China (Qingdao) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "vpc:*RouterInterface*" ], "Resource": [ "acs:vpc:cn-qingdao:*:routerinterface/ri-xxxx" ] }, { "Effect": "Allow", "Action": [ "vpc:*Describe*" ], "Resource": [ "*" ] } ] }