
ApsaraDB RDS:Restrict RAM user permissions by using RAM policies

Last Updated:Nov 21, 2025

You can configure Resource Access Management (RAM) access policies for RAM users to restrict their operations on RDS instances.

Introduction

Alibaba Cloud provides RAM access policies to enhance the security of your RDS instances. You can configure these policies to suit different scenarios. For more information, see List of RDS access policies.

Note

For more information about RAM access policies, see Policy overview.

Procedure

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the JSON tab of the page that appears, enter the policy document and click OK.

  5. In the Create Policy dialog box, configure the Name and Description parameters. Then, confirm the information and click OK.

    Note

    You can also customize the name of the RAM policy. The name of the RAM policy must meet the following requirements:

    • The name must be 1 to 128 characters in length.

    • The name can contain letters, digits, and hyphens (-).

  6. In the left-side navigation pane, choose Permissions > Grants. On the page that appears, click Grant Permission to grant permissions to the required RAM user.

    1. Configure the Resource Scope parameter.

      • Account: The permissions take effect on all resources within the current Alibaba Cloud account.

      • ResourceGroup: The permissions take effect on resources in a resource group.

        Note

        If you want to select the Specific Resource Group option, make sure that ApsaraDB RDS supports resource groups. For more information, see Services that work with Resource Group.

    2. Configure the Principal parameter.

      Note

      The Principal parameter specifies the RAM user to which you want to attach the RAM policy. You can enter a part of the username to perform a fuzzy match to search for the RAM user.

    3. In the Policy section, select Custom Policy from the drop-down list.

    4. Select the RAM policy that you created in Step 4. Then, click Grant Permission.

      Note

      You can enter a part of the name of the RAM policy in the search box above the listed RAM policies to perform a fuzzy match to search for the RAM policy.

List of RDS access policies

Each entry below gives the restriction item, the policy name, the policy document (code), and a description of what the policy prevents.

Instance creation

CreateRdsWithNonDiskEncryptionForbidden

{
  "Statement": [
    {
      "Action": [
        "rds:CreateDBInstance",
        "rds:PreCheckCreateOrder",
        "rds:CreateOrder"
      ],
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "rds:DiskEncryptionRequired": "false"
        }
      }
    }
  ],
  "Version": "1"
}

Prevents users from creating RDS instances that have unencrypted disks.

Note

This feature takes effect only when you create a primary instance. It does not take effect in other scenarios, such as creating a read-only instance or recovering data to a new instance.

CreateRdsWithNonVPCNetworkTypeForbidden

{
  "Statement": [
    {
      "Action": [
        "rds:CreateDBInstance",
        "rds:PreCheckCreateOrder",
        "rds:CreateOrder"
      ],
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:InstanceNetworkType": "VPC"
        }
      }
    }
  ],
  "Version": "1"
}

Prevents users from creating RDS instances whose network type is not virtual private cloud (VPC).

Note

This feature takes effect only when you create a primary instance. It does not take effect in other scenarios, such as creating a read-only instance or recovering data to a new instance.

Network configuration

DatabaseConnectionNonVPCNetworkTypeForbidden

{
  "Statement": [
    {
      "Action": "rds:ModifyDBInstanceNetworkType",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:InstanceNetworkType": "VPC"
        }
      }
    }
  ],
  "Version": "1"
}

Prevents users from switching the network type of an RDS instance to the classic network.

Security configuration

DataSecuritySSLDisabledForbidden

{
  "Statement": [
    {
      "Action": "rds:ModifyDBInstanceSSL",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:SSLEnabled": "0"
        }
      }
    }
  ],
  "Version": "1"
}

Prevents users from disabling Secure Sockets Layer (SSL) encryption for an RDS instance.

DataSecurityTDEDisabledForbidden

{
  "Statement": [
    {
      "Action": "rds:ModifyDBInstanceTDE",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:TDEStatus": "Enabled"
        }
      }
    }
  ],
  "Version": "1"
}

Prevents users from disabling transparent data encryption (TDE) for an RDS instance.

Database proxy configuration

DatabaseProxyWithNonVPCNetworkTypeForbidden

{
  "Statement": [
    {
      "Action": "rds:ModifyDBProxy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:InstanceNetworkType": "VPC"
        }
      }
    }
  ],
  "Version": "1"
}

Prevents users from specifying the network type as public when they enable the database proxy feature for an RDS instance.

DatabaseProxyCreateEndpointAddressWithNonVPCNetworkTypeForbidden

{
  "Statement": [
    {
      "Action": "rds:CreateDBProxyEndpointAddress",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:DBProxyConnectStringNetType": "VPC"
        }
      }
    }
  ],
  "Version": "1"
}

Prevents users from specifying the network type as public when they create a database proxy endpoint for an RDS instance.

DatabaseProxyModifyEndpointAddressWithNonVPCNetworkTypeForbidden

{
  "Statement": [
    {
      "Action": "rds:ModifyDBProxyEndpointAddress",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:DBProxyConnectStringNetType": "VPC"
        }
      }
    }
  ],
  "Version": "1"
}

Prevents users from specifying the network type as public when they modify a database proxy endpoint for an RDS instance.

DatabaseProxyDbProxyInstanceSslDisabledForbidden

{
  "Statement": [
    {
      "Action": "rds:ModifyDbProxyInstanceSsl",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:DbProxySslEnabled": "0"
        }
      }
    }
  ],
  "Version": "1"
}

Prevents users from disabling the SSL encryption feature for the database proxy of an RDS instance.

Backup-related configuration

BackupAndRestorationCrossBackupDisabledForbidden

{
  "Statement": [
    {
      "Action": "rds:ModifyInstanceCrossBackupPolicy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:BackupEnabled": "1"
        }
      }
    },
    {
      "Action": "rds:ModifyInstanceCrossBackupPolicy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:LogBackupEnabled": "1"
        }
      }
    }
  ],
  "Version": "1"
}

Prevents users from disabling the cross-region backup feature for an RDS instance.

BackupAndRestorationBackupPolicyDisabledForbidden

{
  "Statement": [
    {
      "Action": "rds:ModifyBackupPolicy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:EnableBackupLog": "0"
        }
      }
    },
    {
      "Action": "rds:ModifyBackupPolicy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:BackupLog": "Disabled"
        }
      }
    }
  ],
  "Version": "1"
}

Prevents users from disabling the log backup feature for an RDS instance.

Historical events

EventCenterActionEventEnableEventLogForbidden

{
  "Statement": [
    {
      "Action": "rds:ModifyActionEventPolicy",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "rds:EnableEventLog": "False"
        }
      }
    }
  ],
  "Version": "1"
}

Prevents users from enabling the historical events feature for an RDS instance.
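Every Deny statement in the list above follows one pattern: an RDS action, a condition operator (Bool, StringEquals or StringNotEquals) and a context key carried by the request. The Python evaluator below is an added example, not Alibaba Cloud's policy engine or code from this page; it models that pattern for two of the listed policies and assumes, as the notes on the creation policies suggest, that a condition whose key is absent from the request does not match.

```python
"""Toy evaluator for the RAM Deny statements listed on this page (added example,
not Alibaba Cloud's policy engine). Assumption: a condition whose context key is
absent from the request does not match, which is why the creation policies do
not fire when a read-only instance is created."""
import json

# Policy documents copied from the list above.
DISK_ENCRYPTION_POLICY = json.loads("""{
  "Statement": [{
    "Action": ["rds:CreateDBInstance", "rds:PreCheckCreateOrder", "rds:CreateOrder"],
    "Effect": "Deny", "Resource": "*",
    "Condition": {"Bool": {"rds:DiskEncryptionRequired": "false"}}
  }],
  "Version": "1"
}""")
NETWORK_TYPE_POLICY = json.loads("""{
  "Statement": [{
    "Action": "rds:ModifyDBInstanceNetworkType",
    "Effect": "Deny", "Resource": "*",
    "Condition": {"StringNotEquals": {"rds:InstanceNetworkType": "VPC"}}
  }],
  "Version": "1"
}""")

# Only the condition operators used by the policies on this page are modelled.
OPERATORS = {
    "StringEquals": lambda actual, expected: actual == expected,
    "StringNotEquals": lambda actual, expected: actual != expected,
    "Bool": lambda actual, expected: str(actual).lower() == expected.lower(),
}

def condition_matches(condition, context):
    """Every operator/key pair must hold; a missing key never matches (assumption)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context or not OPERATORS[operator](context[key], expected):
                return False
    return True

def is_denied(policy, action, context):
    """True when a Deny statement names the action and its condition matches."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Deny" and action in actions
                and condition_matches(stmt.get("Condition", {}), context)):
            return True
    return False

if __name__ == "__main__":  # constructed request: unencrypted primary instance is refused
    print(is_denied(DISK_ENCRYPTION_POLICY, "rds:CreateDBInstance", {"rds:DiskEncryptionRequired": "false"}))
```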