This topic describes how to attach Resource Access Management (RAM) policies to RAM users to manage the permissions of the RAM users on ApsaraDB RDS instances.
Introduction
Alibaba Cloud allows you to use RAM policies to improve the security of RDS instances. You can use RAM policies to grant different permissions to RAM users on RDS instances. For more information, see RAM policies for ApsaraDB RDS.
For more information about RAM policies, see Policy overview.
Procedure
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the JSON tab of the page that appears, enter the policy document and click OK.
Note: You can find the RAM policy script in the Code column in the "RAM policies for ApsaraDB RDS" section of this topic.
For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
In the Create Policy dialog box, configure the Name and Description parameters. Then, confirm the information and click OK.
Note: You can also customize the name of the RAM policy. The name of the RAM policy must meet the following requirements:
The name must be 1 to 128 characters in length.
The name can contain letters, digits, and hyphens (-).
In the left-side navigation pane, choose . On the page that appears, click Grant Permission to grant permissions to the required RAM user.
Configure the Resource Scope parameter.
Account: The permissions take effect on all resources within the current Alibaba Cloud account.
ResourceGroup: The permissions take effect on resources in a resource group.
Note: If you want to select the Specific Resource Group option, make sure that ApsaraDB RDS supports resource groups. For more information, see Services that work with Resource Group.
Configure the Principal parameter.
Note: The Principal parameter specifies the RAM user to which you want to attach the RAM policy. You can enter a part of the username to perform a fuzzy match to search for the RAM user.
In the Policy section, select Custom Policy from the drop-down list.
Select the RAM policy that you created in Step 4. Then, click OK.
Note: You can enter a part of the name of the RAM policy in the search box above the listed RAM policies to perform a fuzzy match to search for the RAM policy.
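The policy document entered in Step 4 and the policy name configured in Step 5 can be checked before they are pasted into the console. The following Python script is an added example and is not part of this topic or of any Alibaba Cloud tooling. It checks a name against the rules above (1 to 128 characters; letters, digits and hyphens), checks that a policy document is valid JSON with the RAM policy structure (Version "1", a non-empty Statement list, each statement with Effect, Action and Resource), and lists which actions a document denies. The sample document is constructed for the example: it is a plain Deny on the rds:ModifyDBInstanceSSL and rds:ModifyDBInstanceTDE actions, which is coarser than the condition-based policies in the table below (those block only the disabling of SSL or TDE), and it assumes that RAM action names follow the rds:<API name> convention and that RDS resources use the acs:rds:... ARN form.

```python
import json
import re
from typing import List, Set

# Policy name rules from the procedure above: 1 to 128 characters,
# letters, digits and hyphens (-) only.
POLICY_NAME_RE = re.compile(r"[A-Za-z0-9-]{1,128}")

# RAM policy documents use Version "1"; each statement has an Effect of
# Allow or Deny.
VALID_EFFECTS = {"Allow", "Deny"}

# Constructed sample document (assumption: RAM action names follow
# rds:<API name> and RDS resources use the acs:rds:... ARN form).
# It denies the whole SSL/TDE modification calls, which is coarser than
# the condition-based policies in the table on this page.
SAMPLE_DENY_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["rds:ModifyDBInstanceSSL", "rds:ModifyDBInstanceTDE"],
            "Resource": "acs:rds:*:*:dbinstance/*",
        }
    ],
})

# Constructed document with two defects: no Version and an unknown Effect.
BROKEN_POLICY = json.dumps({
    "Statement": [{"Effect": "Permit", "Action": "rds:*", "Resource": "*"}]
})


def validate_policy_name(name: str) -> bool:
    """True if the name satisfies the length and character rules."""
    return POLICY_NAME_RE.fullmatch(name) is not None


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else value


def validate_policy_document(doc: str) -> List[str]:
    """Return the structural problems found; an empty list means the document passed."""
    problems: List[str] = []
    try:
        policy = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"]
    if policy.get("Version") != "1":
        problems.append('"Version" must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        problems.append('"Statement" must be a non-empty list')
        return problems
    for i, st in enumerate(statements):
        if not isinstance(st, dict):
            problems.append(f"statement {i}: must be an object")
            continue
        if st.get("Effect") not in VALID_EFFECTS:
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for key in ("Action", "Resource"):
            values = _as_list(st.get(key))
            if not isinstance(values, list) or not values or not all(
                isinstance(v, str) and v for v in values
            ):
                problems.append(f"statement {i}: {key} must be a non-empty string or list of strings")
        if "Condition" in st and not isinstance(st["Condition"], dict):
            problems.append(f"statement {i}: Condition must be an object")
    return problems


def denied_actions(doc: str) -> Set[str]:
    """Actions explicitly denied by a valid document (empty set if the document is invalid)."""
    if validate_policy_document(doc):
        return set()
    actions: Set[str] = set()
    for st in json.loads(doc)["Statement"]:
        if st["Effect"] == "Deny":
            actions.update(_as_list(st["Action"]))
    return actions


if __name__ == "__main__":
    for name in ("DataSecuritySSLDisabledForbidden", "has space", ""):
        print(f"name {name!r}: {'ok' if validate_policy_name(name) else 'rejected'}")
    for label, doc in (("sample", SAMPLE_DENY_POLICY), ("broken", BROKEN_POLICY)):
        print(f"{label}: {validate_policy_document(doc) or 'ok'}")
    print("denied by sample:", sorted(denied_actions(SAMPLE_DENY_POLICY)))
```

The check is purely structural: it does not evaluate conditions or resource scoping, so a document that passes still needs the RAM console's own validation and a test against a RAM user in a non-production account.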
RAM policies for ApsaraDB RDS
Item | Policy | Code | Description
--- | --- | --- | ---
Instance creation | CreateRdsWithNonDiskEncryptionForbidden | | This policy is used to prevent users from creating RDS instances that do not use encrypted disks. Note: This policy takes effect only when users create primary RDS instances. This policy does not take effect when users create read-only RDS instances or restore data to new RDS instances.
Instance creation | CreateRdsWithNonVPCNetworkTypeForbidden | | This policy is used to prevent users from creating RDS instances whose network types are not Virtual Private Cloud (VPC). Note: This policy takes effect only when users create primary RDS instances. This policy does not take effect when users create read-only RDS instances or restore data to new RDS instances.
Network configurations | DatabaseConnectionNonVPCNetworkTypeForbidden | | This policy is used to prevent users from changing the network type of RDS instances to classic network.
Security configurations | DataSecuritySSLDisabledForbidden | | This policy is used to prevent users from disabling SSL encryption for RDS instances.
Security configurations | DataSecurityTDEDisabledForbidden | | This policy is used to prevent users from disabling Transparent Data Encryption (TDE) for RDS instances.
Database proxy configurations | DatabaseProxyWithNonVPCNetworkTypeForbidden | | This policy is used to prevent users from specifying public endpoints when they enable the database proxy feature for RDS instances.
Database proxy configurations | DatabaseProxyCreateEndpointAddressWithNonVPCNetworkTypeForbidden | | This policy is used to prevent users from specifying public endpoints when they create endpoints to connect to the database proxies of RDS instances.
Database proxy configurations | DatabaseProxyModifyEndpointAddressWithNonVPCNetworkTypeForbidden | | This policy is used to prevent users from specifying public endpoints when they modify the endpoints that are used to connect to the database proxies of RDS instances.
Database proxy configurations | DatabaseProxyDbProxyInstanceSslDisabledForbidden | | This policy is used to prevent users from disabling SSL encryption for the specified endpoints of the database proxies of RDS instances.
Backup-related configurations | BackupAndRestorationCrossBackupDisabledForbidden | | This policy is used to prevent users from disabling the cross-region backup feature for RDS instances.
Backup-related configurations | BackupAndRestorationBackupPolicyDisabledForbidden | | This policy is used to prevent users from disabling the log backup feature for RDS instances.
Event history | EventCenterActionEventEnableEventLogForbidden | | This policy is used to prevent users from enabling the event history feature for RDS instances.