This topic provides sample policies that you can use to grant RAM users the permissions to access Alibaba Cloud resources by using a specific IP address or CIDR block.
In this example, the RAM users can access Elastic Compute Service (ECS) instances only from 192.0.2.0/24 and 203.0.113.2. You can use one of the following policies:

- Allow policy: Specify the `IpAddress` element to add the IP address or CIDR block from which you want the RAM users to access ECS instances.

```json
{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "192.0.2.0/24",
            "203.0.113.2"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
```
- Deny policy: Specify the `NotIpAddress` element to add the IP address or CIDR block from which you want the RAM users to access ECS instances.

  Note: The Deny policy takes precedence over the Allow policy. A RAM user cannot access an ECS instance from an IP address or a CIDR block other than 192.0.2.0/24 and 203.0.113.2.

```json
{
  "Statement": [
    {
      "Action": "ecs:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ecs:*",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "acs:SourceIp": [
            "192.0.2.0/24",
            "203.0.113.2"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
```
The `Condition` element applies only to the actions that are specified for the current policy. The value of `acs:SourceIp` in the preceding code is provided for reference only. You must specify a value based on your business requirements.
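The following Python script is an added illustration, not Alibaba Cloud's own policy engine or any code from this page. It simulates how the two sample policies above decide a request: it supports only the `Action`, `Resource`, and `Effect` fields and the `IpAddress` / `NotIpAddress` operators on `acs:SourceIp`, applies the documented rule that an explicit Deny overrides an Allow, and reports an implicit deny separately so you can see that the `Condition` of the Deny policy only affects the `ecs:*` actions it names. The request actions and the source IP addresses in the tests (for example `198.51.100.9`) are constructed sample values.

```python
"""Simplified RAM policy evaluation for the sample source-IP policies.

Added example (not Alibaba Cloud's evaluation engine): handles only
Action / Resource / Effect and the IpAddress / NotIpAddress operators
on acs:SourceIp. Decision order follows the documented behaviour:
explicit Deny wins, then any matching Allow, else implicit deny.
"""
import ipaddress
from fnmatch import fnmatchcase

# Allow policy from the page: access only from the listed sources.
ALLOW_POLICY = {
    "Statement": [{
        "Action": "ecs:*", "Effect": "Allow", "Resource": "*",
        "Condition": {"IpAddress": {"acs:SourceIp": ["192.0.2.0/24", "203.0.113.2"]}},
    }],
    "Version": "1",
}

# Deny policy from the page: allow everything, then deny other sources.
DENY_POLICY = {
    "Statement": [
        {"Action": "ecs:*", "Resource": "*", "Effect": "Allow"},
        {
            "Action": "ecs:*", "Effect": "Deny", "Resource": "*",
            "Condition": {"NotIpAddress": {"acs:SourceIp": ["192.0.2.0/24", "203.0.113.2"]}},
        },
    ],
    "Version": "1",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_any(source_ip, blocks):
    """True if source_ip falls inside any listed address or CIDR block."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(b, strict=False) for b in blocks)


def _condition_matches(condition, source_ip):
    """Every operator in Condition must hold; a missing Condition always matches."""
    for operator, keys in condition.items():
        blocks = _as_list(keys.get("acs:SourceIp", []))
        in_list = _ip_in_any(source_ip, blocks)
        if operator == "IpAddress" and not in_list:
            return False
        if operator == "NotIpAddress" and in_list:
            return False
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported operator in this simulation: {operator}")
    return True


def _pattern_matches(patterns, value):
    """Action/Resource matching with '*' wildcards (e.g. 'ecs:*')."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, source_ip, resource="*"):
    """Return 'ExplicitDeny', 'Allow', or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _pattern_matches(stmt["Action"], action):
                continue  # Condition only applies to the actions the statement names
            if not _pattern_matches(stmt["Resource"], resource):
                continue
            if not _condition_matches(stmt.get("Condition", {}), source_ip):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # Deny takes precedence over Allow
            if stmt["Effect"] == "Allow":
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "203.0.113.2", "203.0.113.3"):
        print(ip, "allow-policy:", evaluate([ALLOW_POLICY], "ecs:DescribeInstances", ip),
              "deny-policy:", evaluate([DENY_POLICY], "ecs:DescribeInstances", ip))
```

Running the script shows the practical difference between the two approaches: under the Allow policy an out-of-range source is only implicitly denied, so a second, unconditional Allow policy attached to the same user would reopen access, whereas the Deny policy produces an explicit deny that no other Allow can override.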