Elastic Compute Service: Prohibit a RAM user from creating high-risk security group rules

Last Updated: Jul 10, 2024

You can attach a custom Resource Access Management (RAM) policy that includes one or more condition keys to a RAM user to impose limits on the permissions of the RAM user for creating security groups or security group rules. For example, you can use the custom RAM policy to prohibit the RAM user from creating security group rules that contain specific IP addresses and protocols, allow the RAM user to create only security group rules that contain specific authorization objects (sources or destinations of traffic), or prohibit the RAM user from using default security groups when the RAM user creates Elastic Compute Service (ECS) instances. This way, you can improve the security of your Alibaba Cloud account. This topic describes how to use RAM condition keys to prohibit a RAM user from creating high-risk security group rules.

Background information

Security groups serve as the first and most important line of defense against threats and provide security isolation in the cloud. In actual business scenarios, security group rules may not be properly configured. For example, security group rules may open sensitive ports, such as ports 22, 3389, 80, 8080, and 443, or contain 0.0.0.0/0 as an authorization object, which allows access to or from any IPv4 address. Cloud resources, such as ECS instances and ApsaraDB RDS instances, that are associated with improperly configured security group rules are exposed to attacks and intrusions, which can lead to security incidents.

If you have a large number of RAM users that have different permissions and different business requirements, you must ensure that the security group rules created by the RAM users meet top-down security baselines and requirements to improve security in the cloud. You can configure policies for RAM users in the RAM console to prohibit the RAM users from creating or referencing high-risk security group rules and achieve consistent governance of security group rules.

RAM allows you to create custom policies that exactly describe the involved elements, such as resources, operations, and conditions. For specific production accounts or sensitive accounts, you can use RAM policies to grant specific access permissions to RAM users. You can specify conditions in RAM policies to prohibit specific high-risk security group rules or allow only specific risk-free security group rules. For more information, see the Condition section of the "Policy elements" topic.

Implementation principles

You can use RAM condition keys to prohibit high-risk security group rules in the following manners:

  • Prohibit security group rules that contain specific IP addresses and protocols and allow only specific risk-free security group rules.

  • Prevent default security groups from being used during the creation of ECS instances.

Note

Default security groups contain sensitive security group rules. For more information, see Default security groups.

The following table describes the RAM condition keys that you can use.

Condition key                    Data type   Description
ecs:SecurityGroupIpProtocols     String      The transport layer protocol. Examples: TCP and ICMP.
ecs:SecurityGroupSourceCidrIps   String      The source IPv4 CIDR block. IPv4 CIDR blocks and IPv4 addresses are supported.
ecs:NotSpecifySecurityGroupId    Boolean     Indicates whether no security group ID is specified in the instance creation request (true when the default security group would be used).

Note
  • If the value of a condition key is an array, the condition is met when a security group rule matches any value in the array.

  • If two condition keys are specified in the same condition, the condition is met only when a security group rule matches both condition keys.

Procedure

  1. Create a custom policy that contains RAM condition keys. For more information, see Create a custom policy.

    In this section and in the "Verify the result" section, the custom policy described in the "Example 2: Custom policy that prohibits RAM users from creating security group rules that contain 0.0.0.0/0 as an authorization object" section of this topic is created and verified.

    Note

    To view sample custom policies, see the Sample custom policies section of this topic.

  2. Attach the custom policy to a RAM user. For more information, see Grant permissions to a RAM user.

Verify the result

  1. Use the RAM user to log on to the ECS console.

  2. Perform the following operations to check whether the created custom policy takes effect on the RAM user as expected:

    1. Make sure that no custom security groups are created in the region in which you want to create an ECS instance. Then, use the default security group to create the ECS instance. For information about how to create an ECS instance, see Create an instance on the Custom Launch tab.

      Note

      If no custom security groups exist in the selected region when you create an ECS instance, a default security group is automatically created.

      If the error message shown in the following figure appears on the ECS instance buy page, the RAM user that you use is prohibited from using default security groups.

      (image: error message on the ECS instance buy page)

    2. Select a security group and create a security group rule in the security group. Set the Authorization Object parameter (source) of the security group rule to 0.0.0.0/0. For more information, see Add a security group rule.

      If you cannot create a security group rule and the error message shown in the following figure appears, the RAM user is prohibited from creating security group rules whose Authorization Object parameter is set to 0.0.0.0/0.

      (image: error message when the security group rule is created)

Sample custom policies

Example 1: Custom policy that allows RAM users to create only security group rules that contain specific authorization objects

  • Custom policy that allows RAM users to create only security group rules that contain 140.205.XX.XX/27 or 140.205.XX.XX/28 as an authorization object (source) and prohibits RAM users from using default security groups when the RAM users create ECS instances:

    Note

    You can replace XX with actual values based on your business requirements.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "ecs:AuthorizeSecurityGroup",
            "ecs:ConfigureSecurityGroupPermissions",
            "ecs:ModifySecurityGroupRule"
          ],
          "Resource": "*",
          "Condition": {
            "ForAnyValue:StringNotLike": {
              "ecs:SecurityGroupSourceCidrIps": [
                "140.205.XX.XX/27",
                "140.205.XX.XX/28"
              ]
            }
          }
        },
        {
          "Effect": "Deny",
          "Action": [
            "ecs:CreateInstance",
            "ecs:RunInstances"
          ],
          "Resource": "*",
          "Condition": {
            "Bool": {
              "ecs:NotSpecifySecurityGroupId": [
                "true"
              ]
            }
          }
        }
      ]
    }
  • Custom policy that allows RAM users to create only security group rules whose authorization object (source) is 140.205.XX.XX/27 and whose protocol is TCP, and prohibits RAM users from using default security groups when the RAM users create ECS instances:

    Note

    You can replace XX with actual values based on your business requirements.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "ecs:AuthorizeSecurityGroup",
            "ecs:ConfigureSecurityGroupPermissions",
            "ecs:ModifySecurityGroupRule"
          ],
          "Resource": "*",
          "Condition": {
            "ForAnyValue:StringNotLike": {
              "ecs:SecurityGroupSourceCidrIps": [
                "140.205.XX.XX/27"
              ]
            }
          }
        },
        {
          "Effect": "Deny",
          "Action": [
            "ecs:AuthorizeSecurityGroup",
            "ecs:ConfigureSecurityGroupPermissions",
            "ecs:ModifySecurityGroupRule"
          ],
          "Resource": "*",
          "Condition": {
            "ForAnyValue:StringNotLike": {
              "ecs:SecurityGroupIpProtocols": [
                "TCP"
              ]
            }
          }
        },
        {
          "Effect": "Deny",
          "Action": [
            "ecs:CreateInstance",
            "ecs:RunInstances"
          ],
          "Resource": "*",
          "Condition": {
            "Bool": {
              "ecs:NotSpecifySecurityGroupId": [
                "true"
              ]
            }
          }
        }
      ]
    }

Example 2: Custom policy that prohibits RAM users from creating security group rules that contain 0.0.0.0/0 as an authorization object

Custom policy that prohibits RAM users from creating security group rules that contain 0.0.0.0/0 as an authorization object (source) and from using default security groups when the RAM users create ECS instances:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ecs:AuthorizeSecurityGroup",
        "ecs:ConfigureSecurityGroupPermissions",
        "ecs:ModifySecurityGroupRule"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "ecs:SecurityGroupSourceCidrIps": [
            "0.0.0.0/0"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:CreateInstance",
        "ecs:RunInstances"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ecs:NotSpecifySecurityGroupId": [
            "true"
          ]
        }
      }
    }
  ]
}
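The following simulator is an added example and is not Alibaba Cloud code. It models the two rules stated in the Note under the condition key table (an array value is satisfied by any element; several keys under one condition must all match) and applies them to the Deny statements of Example 2 and of the second policy of Example 1, so that a practitioner can check offline which requests each policy blocks before attaching it to a RAM user. The request dictionaries, the helper names, the "NotDenied" result and the assumption that an absent condition key never satisfies a condition are all constructed for illustration; real RAM evaluation additionally requires an explicit Allow from some attached policy before the action succeeds.

```python
"""Offline simulator for the RAM condition-key semantics described on this page.

Added example, not Alibaba Cloud code: it models only the Deny statements of the
sample policies and the three condition keys in the table. Request shapes, helper
names and the 'NotDenied' result are assumptions made for illustration.
"""
import fnmatch

SG_RULE_ACTIONS = [
    "ecs:AuthorizeSecurityGroup",
    "ecs:ConfigureSecurityGroupPermissions",
    "ecs:ModifySecurityGroupRule",
]
INSTANCE_ACTIONS = ["ecs:CreateInstance", "ecs:RunInstances"]

# Statement shared by every sample policy on the page: deny instance creation
# when no security group ID is specified, i.e. when the default group would be used.
DENY_DEFAULT_SG = {
    "Effect": "Deny", "Action": INSTANCE_ACTIONS, "Resource": "*",
    "Condition": {"Bool": {"ecs:NotSpecifySecurityGroupId": ["true"]}},
}

# Example 2 from the page, as a Python dict.
EXAMPLE_2 = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": SG_RULE_ACTIONS, "Resource": "*",
     "Condition": {"ForAnyValue:StringLike": {"ecs:SecurityGroupSourceCidrIps": ["0.0.0.0/0"]}}},
    DENY_DEFAULT_SG,
]}

# Second policy of Example 1 from the page ("140.205.XX.XX/27" is the page's own placeholder).
EXAMPLE_1B = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": SG_RULE_ACTIONS, "Resource": "*",
     "Condition": {"ForAnyValue:StringNotLike": {"ecs:SecurityGroupSourceCidrIps": ["140.205.XX.XX/27"]}}},
    {"Effect": "Deny", "Action": SG_RULE_ACTIONS, "Resource": "*",
     "Condition": {"ForAnyValue:StringNotLike": {"ecs:SecurityGroupIpProtocols": ["TCP"]}}},
    DENY_DEFAULT_SG,
]}


def _operator_hit(operator, request_value, policy_values):
    """Compare one request value against the policy's value list.

    StringLike uses '*' wildcards (approximated here with fnmatch); an array of
    policy values is satisfied by a match against any element (Note, bullet 1).
    """
    name = operator.split(":")[-1]
    like = any(fnmatch.fnmatchcase(str(request_value), p) for p in policy_values)
    if name == "StringLike":
        return like
    if name == "StringNotLike":
        return not like
    if name == "Bool":
        return str(request_value).lower() in [str(p).lower() for p in policy_values]
    raise ValueError(f"operator not modelled: {operator}")


def _condition_matches(operator, keys, request):
    """One operator block; every condition key under it must match (Note, bullet 2)."""
    quantifier = operator.split(":")[0] if ":" in operator else ""
    for key, policy_values in keys.items():
        if key not in request:          # assumption: an absent key never satisfies a condition
            return False
        values = request[key] if isinstance(request[key], list) else [request[key]]
        hits = [_operator_hit(operator, v, policy_values) for v in values]
        if quantifier == "ForAnyValue":
            ok = any(hits)              # one matching value in the rule is enough
        elif quantifier == "ForAllValues":
            ok = all(hits)
        else:
            ok = len(hits) == 1 and hits[0]   # unquantified operators expect a single value
        if not ok:
            return False
    return True


def evaluate(policy, action, request):
    """Return 'Deny' if any Deny statement fires for this request, else 'NotDenied'."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, keys, request) for op, keys in conditions.items()):
            return stmt["Effect"]
    return "NotDenied"


if __name__ == "__main__":
    # Constructed requests mirroring the "Verify the result" steps.
    print(evaluate(EXAMPLE_2, "ecs:AuthorizeSecurityGroup",
                   {"ecs:SecurityGroupIpProtocols": ["TCP"],
                    "ecs:SecurityGroupSourceCidrIps": ["0.0.0.0/0"]}))          # Deny
    print(evaluate(EXAMPLE_2, "ecs:RunInstances",
                   {"ecs:NotSpecifySecurityGroupId": True}))                     # Deny
    print(evaluate(EXAMPLE_1B, "ecs:AuthorizeSecurityGroup",
                   {"ecs:SecurityGroupIpProtocols": ["UDP"],
                    "ecs:SecurityGroupSourceCidrIps": ["140.205.XX.XX/27"]}))   # Deny
```

Two behaviours are worth noting when reading the results. First, the second policy of Example 1 places the CIDR restriction and the TCP restriction in separate Deny statements, so a rule is denied when either one fails; placing both keys under one condition would instead deny only rules that fail both, which is the weaker control. Second, a ConfigureSecurityGroupPermissions request that carries several source CIDR blocks is denied by Example 2 as soon as one of them is 0.0.0.0/0, which is exactly the ForAnyValue semantics the Note describes.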
