If Resource Access Management (RAM) system policies do not meet your business requirements, you can configure custom policies based on the principle of least privilege. Custom policies let you manage permissions in a fine-grained manner and tighten access to your resources. This topic describes how to configure custom policies for Elastic Compute Service (ECS) and provides sample custom policies.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Authorization information
To use custom policies, you must understand the access control requirements of your business and the authorization information of ECS. For more information, see RAM authorization.
Sample custom policies
Custom policy that grants a RAM user the permissions to create pay-as-you-go ECS instances
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeImages",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeTags",
        "ecs:RunInstances"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Custom policy that grants a RAM user the permissions to create subscription ECS instances
You can call bss-related API operations to query and pay for subscription orders. The corresponding system policy is AliyunBSSOrderAccess.
If you set autoPay to true when you call the RunInstances operation to create subscription ECS instances, the RAM user does not need the permissions to call bss-related API operations.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeImages",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeTags",
        "ecs:RunInstances",
        "bss:DescribeOrderList",
        "bss:DescribeOrderDetail",
        "bss:PayOrder",
        "bss:CancelOrder"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Custom policy that grants a RAM user the permissions to restart ECS instances
The following policy indicates that the authorized RAM user can restart ECS instances. The ECS instances can be restarted only when MFA is enabled for the RAM user and the RAM user uses MFA to log on. In this case, the acs:MFAPresent condition key in the Condition element is set to true.
{
  "Statement": [
    {
      "Action": "ecs:RebootInstance",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "true"
        }
      }
    }
  ],
  "Version": "1"
}
Custom policy that grants a RAM user the permissions to manage a specific ECS instance
The following policy indicates that the authorized RAM user can view all ECS instances under an Alibaba Cloud account, but the user can manage only the i-001 ECS instance.
{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "acs:ecs:*:*:instance/i-001"
    },
    {
      "Action": "ecs:Describe*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Custom policy that grants a RAM user the permissions to view ECS instances in a specific region
The following policy indicates that the authorized RAM user can view ECS instances in the China (Qingdao) region, but cannot view disks or snapshots in this region.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:Describe*",
      "Resource": "acs:ecs:cn-qingdao:*:instance/*"
    }
  ],
  "Version": "1"
}
Custom policy that grants a RAM user the permissions to manage security groups in an Alibaba Cloud account
The following policy specifies that the authorized RAM user can manage ECS security groups within an Alibaba Cloud account.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs:*SecurityGroup*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Custom policy that grants a RAM user the permissions to create instance RAM roles
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateInstance",
        "ecs:AttachInstanceRamRole",
        "ecs:DetachInstanceRamRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*"
    }
  ]
}
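Policy documents are easy to get subtly wrong: an action string with a stray space after the colon never matches any API operation, and an unconditional Allow of a wildcard action on Resource "*" defeats the least-privilege goal of a custom policy. The following linter is an added example (not code from the page or from Alibaba Cloud) that checks the structural rules this page relies on and flags over-broad grants. The regular expressions for action and resource names are assumptions based on the shapes seen in the samples above, not the official grammar.

```python
import json
import re

# Assumed shapes, derived from the samples on this page: an Action is "*" or
# "service:Operation" (with '*' wildcards, no whitespace); a Resource is "*" or
# "acs:<service>:<region>:<account>:<resource>".
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*]+)$")
ARN_RE = re.compile(r"^(\*|acs:[a-z0-9-]+:[^:]*:[^:]*:.+)$")


def lint_policy(doc):
    """Return a list of findings for a RAM custom policy; an empty list means clean.
    `doc` may be a JSON string or an already-parsed dict. Both structural errors and
    least-privilege warnings are reported, each prefixed with the statement index."""
    findings = []
    policy = json.loads(doc) if isinstance(doc, str) else doc

    if policy.get("Version") != "1":
        findings.append('Version must be the string "1"')

    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]

    for index, statement in enumerate(statements):
        where = f"Statement[{index}]"

        if statement.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")

        actions = statement.get("Action")
        actions = actions if isinstance(actions, list) else [actions]
        for action in actions:
            if not isinstance(action, str) or not ACTION_RE.match(action):
                findings.append(f"{where}: malformed Action {action!r} "
                                "(expected service:Operation, no whitespace)")

        resources = statement.get("Resource")
        resources = resources if isinstance(resources, list) else [resources]
        for resource in resources:
            if not isinstance(resource, str) or not ARN_RE.match(resource):
                findings.append(f"{where}: malformed Resource {resource!r}")

        condition = statement.get("Condition", {})
        if not isinstance(condition, dict) or any(not isinstance(v, dict) for v in condition.values()):
            findings.append(f"{where}: Condition must map operator -> {{key: value}}")

        # Least-privilege warning: an Allow with no Condition that grants a wildcard
        # action on every resource is a full-access grant in disguise.
        if (statement.get("Effect") == "Allow" and not condition
                and any(isinstance(a, str) and a.endswith("*") for a in actions)
                and "*" in resources):
            findings.append(f"{where}: unconditional Allow of wildcard action(s) on "
                            "Resource '*'; scope the action or resource, or add a Condition")
    return findings


# Constructed sample inputs: one clean policy and one with a typo in an action name.
CLEAN_POLICY = {
    "Version": "1",
    "Statement": [{"Action": "ecs:RebootInstance", "Effect": "Allow", "Resource": "*",
                   "Condition": {"Bool": {"acs:MFAPresent": "true"}}}],
}
TYPO_POLICY = '{"Version": "1", "Statement": [{"Effect": "Allow", ' \
              '"Action": ["ecs: CreateInstance"], "Resource": "*"}]}'

if __name__ == "__main__":
    print(lint_policy(CLEAN_POLICY))   # []
    for finding in lint_policy(TYPO_POLICY):
        print(finding)
```

Run the linter over a policy before attaching it; the wildcard warning is a prompt to review, not a hard error, since the HTTPS-only sample later on this page legitimately grants `ecs:*` on `*` but gates it with a Condition, which the check accepts.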
Custom policy that grants a RAM user the permissions to query information about existing ECS instances and block storage devices
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeDisks"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Custom policy that grants a RAM user the permissions to purchase savings plans
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "savingsplans:*",
      "Resource": "*"
    }
  ]
}
Custom policy that denies a RAM user the permissions to create a default virtual private cloud (VPC) when the RAM user creates ECS instances
ECS allows you to use RAM users to isolate the operations of different business units. By default, RAM users that are granted the AliyunECSFullAccess permission can perform operations on ECS resources, such as creating, viewing, and restarting ECS instances. If you want to deny a RAM user the permission to create a default VPC in a region where no VPCs are available when the RAM user creates ECS instances, but want to retain the other permissions of the RAM user, you can configure a custom policy.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "vpc:CreateDefaultVpc": [
            "true"
          ]
        }
      }
    }
  ]
}
Custom policy that grants a RAM user the permissions to use prefix lists
{
  "Statement": [
    {
      "Action": [
        "ecs:CreatePrefixList",
        "ecs:ModifyPrefixList",
        "ecs:DescribePrefixLists",
        "ecs:DescribePrefixListAssociations",
        "ecs:DescribePrefixListAttributes",
        "ecs:DeletePrefixList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Custom policy that grants a RAM user the permissions to use Cloud Assistant
For more information, see the Cloud Assistant-specific sample custom policies section of the "Grant a RAM user permissions to use Cloud Assistant" topic.
Custom policy that grants a RAM user the permissions to read OSS buckets
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetBucketLocation",
        "oss:GetBucketInfo"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Custom policy that grants a RAM user the permissions to read and write OSS buckets
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetBucketLocation",
        "oss:GetBucketInfo",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Custom policy that grants a RAM user the permissions to access ECS resources only over HTTPS
{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ],
  "Version": "1"
}
Custom policy that grants a RAM user the permissions to create only encrypted disks
Some enterprises with strict security compliance requirements require all RAM users under their Alibaba Cloud accounts to encrypt data to ensure confidentiality. You can attach custom policies to these RAM users so that they can create only encrypted disks in ECS.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:IsSystemDiskEncrypted": "false"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": "ecs:CreateDisk",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    }
  ]
}
Custom policy that grants a RAM user the permissions to create ECS instances by using only custom images
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Effect": "Deny",
      "Resource": "acs:ecs:<Region ID>:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ecs:ImageSource": "Custom"
        }
      }
    }
  ]
}
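Several of the samples above (the MFA-gated restart policy, the single-instance policy, the region-scoped view policy, and the encrypted-disks-only policy) only make sense once you can predict how Allow, Deny, wildcards and Condition operators combine for a given request. The following evaluator is an added example, not code from this page or from Alibaba Cloud: it implements deny-overrides evaluation (an applicable Deny wins, otherwise an applicable Allow, otherwise implicit deny), `*` wildcards in Action and Resource, and the Bool, StringEquals, StringNotEquals and StringLike operators, then replays the page's policies against constructed requests. The handling of condition keys that are absent from the request and the multi-valued `"true,false"` representation of `ecs:IsDiskEncrypted` are assumptions made for the example.

```python
import re

# Constructed copies of policy documents from this page (RAM policy language, Version "1").
MFA_REBOOT_POLICY = {
    "Version": "1",
    "Statement": [{"Action": "ecs:RebootInstance", "Effect": "Allow", "Resource": "*",
                   "Condition": {"Bool": {"acs:MFAPresent": "true"}}}],
}
SINGLE_INSTANCE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "ecs:*", "Effect": "Allow", "Resource": "acs:ecs:*:*:instance/i-001"},
        {"Action": "ecs:Describe*", "Effect": "Allow", "Resource": "*"},
    ],
}
ENCRYPTED_DISK_ONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["ecs:RunInstances", "ecs:CreateInstance"], "Resource": "*", "Effect": "Deny",
         "Condition": {"StringLike": {"ecs:IsDiskEncrypted": "*false*"}}},
        {"Action": ["ecs:RunInstances", "ecs:CreateInstance"], "Resource": "*", "Effect": "Deny",
         "Condition": {"StringEquals": {"ecs:IsSystemDiskEncrypted": "false"}}},
        {"Action": "ecs:CreateDisk", "Resource": "*", "Effect": "Deny",
         "Condition": {"StringLike": {"ecs:IsDiskEncrypted": "*false*"}}},
    ],
}
# Constructed broad grant standing in for a full-access policy attached alongside the Deny policy.
ECS_FULL_ACCESS = {"Version": "1", "Statement": [{"Action": "ecs:*", "Effect": "Allow", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """'*' matches any run of characters; every other character is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """All operator/key pairs must hold (AND); within one key any listed value may match (OR).
    Assumption for this example: a key absent from the request fails the positive operators and
    satisfies StringNotEquals, the usual convention for negated operators; confirm against the
    RAM documentation before relying on it."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            expected_values = [str(v) for v in _as_list(expected)]
            if key not in context:
                if operator == "StringNotEquals":
                    continue
                return False
            actual = str(context[key])
            if operator == "Bool":
                ok = actual.lower() in {v.lower() for v in expected_values}
            elif operator == "StringEquals":
                ok = actual in expected_values
            elif operator == "StringNotEquals":
                ok = actual not in expected_values
            elif operator == "StringLike":
                ok = any(_wildcard_match(v, actual) for v in expected_values)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Deny-overrides evaluation over every statement of every attached policy.
    Returns "Allow" or "Deny"; a request no statement applies to is implicitly denied."""
    context = context or {}
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not any(_wildcard_match(p, action, ignore_case=True) for p in _as_list(statement["Action"])):
                continue
            if not any(_wildcard_match(p, resource) for p in _as_list(statement["Resource"])):
                continue
            if "Condition" in statement and not _condition_holds(statement["Condition"], context):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # an applicable Deny ends evaluation immediately
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    inst = "acs:ecs:cn-hangzhou:123456789012:instance/i-001"  # constructed resource name
    print(evaluate([MFA_REBOOT_POLICY], "ecs:RebootInstance", inst, {"acs:MFAPresent": "true"}))  # Allow
    print(evaluate([MFA_REBOOT_POLICY], "ecs:RebootInstance", inst))                              # Deny
    # Constructed context: two data disks, one of them unencrypted, as a multi-valued string.
    print(evaluate([ECS_FULL_ACCESS, ENCRYPTED_DISK_ONLY_POLICY], "ecs:RunInstances", inst,
                   {"ecs:IsDiskEncrypted": "true,false", "ecs:IsSystemDiskEncrypted": "true"}))  # Deny
```

The point worth taking from the replay is the Deny-only shape of the encrypted-disk policy: it grants nothing on its own and only bites when combined with an Allow such as AliyunECSFullAccess, and because it keys on request attributes, a request whose context lacks `ecs:IsDiskEncrypted` is not caught by the example's absent-key rule. That is why a condition-based guardrail should be checked against the service's documented condition keys rather than assumed to cover every code path.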