If system policies cannot meet your requirements, you can create custom policies to implement the principle of least privilege. Custom policies allow you to achieve fine-grained control over permissions and improve resource access security. This topic describes custom policies and provides a sample custom policy for ApsaraVideo Media Processing (MPS).
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can create, update, and delete custom policies. You need to maintain custom policies.
After you create a custom policy, you need to attach it to a RAM user, a user group, or a RAM role so that the permissions specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Sample custom policy
In this example, a custom policy is created to limit the IP addresses that can be used to access MPS and the time range during which MPS can be accessed.
The RAM user can access MPS only from 192.0.2.0/24 and 203.0.113.2.
The RAM user can access MPS only before 17:00 on August 12, 2019 (UTC+8).
{
"Version": "1",
"Statement": [{
"Effect": "Allow",
"Action": [
"mts:*",
"mts-inner:*"
],
"Resource": "*",
"Condition": {
"NotIpAddress": {
"acs:SourceIp": [
"192.0.2.0/24",
"203.0.113.2"
]},
"DateLessThan": {
"acs:CurrentTime": "2019-08-12T17:00:00+08:00"
}
}
]
}Authorization information
Before you create custom policies, you must understand the permission control requirements of your business and learn about the authorization rules of MPS. For more information, see Authorization information.