GA custom policies and examples - Global Accelerator - Alibaba Cloud Documentation Center

If the system policies of Resource Access Management (RAM) cannot meet your requirements, you can configure custom policies to implement the principle of least privilege and achieve fine-grained control over permissions to increase resource access security. This topic describes common scenarios where you can use custom policies for Global Accelerator (GA) and provides examples.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You need to maintain custom policies.

After you create a custom policy, you need to attach it to a RAM user, a user group, or a RAM role so that the permissions specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

References

Scenarios of custom policies and sample custom policies

You can use conditions to allow RAM users to access specific GA resources and grant RAM users specific permissions.

Show authentication conditions supported by GA

Condition key	Condition value	Action	Description
ga:AcceleratorMainland	ChinaMainland Overseas	CreateIpSets CreateEndpointGroup CreateEndpointGroups	Limits where the acceleration area and the origin server region are located.
ga:BandwidthPackageType	Basic CrossDomain	CreateBandwidthPackage	Limits the type of bandwidth plan.
ga:TLSVersion	tls_cipher_policy_1_0 tls_cipher_policy_1_1 tls_cipher_policy_1_2 tls_cipher_policy_1_2_strict tls_cipher_policy_1_2_strict_with_1_3	CreateListener	Limits the TLS security policy versions of HTTPS listeners.

Example 1: Allow a RAM user to add acceleration areas and origin server regions only in the Chinese mainland

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "ga:CreateIpSets",
                "ga:CreateEndpointGroup",
                "ga:CreateEndpointGroups"
            ],
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ga:AcceleratorMainland":[
                        "ChinaMainland"
                    ]
                }
            }
        }
    ]
}

Example 2: Allow a RAM user to create only basic bandwidth plans

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "ga:CreateBandwidthPackage"
            ],
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ga:BandwidthPackageType":[
                        "Basic"
                    ]
                }
            }
        }
    ]
}

Example 3: Allow a RAM user to add only TLS security policies whose versions are later than 1.2 for HTTPS listeners

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "ga:CreateListener"
            ],
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ga:TLSVersion":[
                        "tls_cipher_policy_1_2",
                        "tls_cipher_policy_1_2_strict",
                        "tls_cipher_policy_1_2_strict_with_1_3"
                    ]
                }
            }
        }
    ]
}

Authorization information

To use a custom policy, you must understand the permission control requirements of your business and the authorization information about GA. For more information, see RAM authorization.