If system policies do not meet your requirements, you can create custom policies to implement the principle of least privilege. You can use custom policies to implement fine-grained permission management and improve resource access security. This topic describes common scenarios where you can use custom policies for Tair (Redis OSS-compatible) and provides examples.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, before you can delete the RAM policy you must detach the RAM policy from the principal.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Common scenarios and examples
The following code provides examples of common custom policies. You must replace Instance ID in the following code with your actual instance ID.
Full management permissions on a single instance
The following policy grants full management permissions on the specified instance:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "kvstore:*", "Resource": "acs:kvstore:*:*:*/<Instance ID>", "Condition": {} }, { "Action": "kvstore:Describe*", "Resource": "*", "Effect": "Allow" } ] }Full management permissions on multiple instances
The following policy grants full management permissions on multiple specified instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "kvstore:*", "Resource": [ "acs:kvstore:*:*:*/<Instance ID>", "acs:kvstore:*:*:*/<Instance ID>" ], "Condition": {} }, { "Action": "kvstore:Describe*", "Resource": "*", "Effect": "Allow" } ] }Full management permissions on instances with the specified tag
The following policy grants full management permissions on instances that have the specified tag, such as the
TagKey:TagValuetag in the following code. However, you cannot add or remove tags.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "kvstore:DescribeInstances", "kvstore:ListTagResources", "kvstore:DescribeParameterTemplates", "kvstore:DescribeHistoryMonitorValues", "sts:AssumeRole", "hdm:*" ], "Resource": "*" }, { "Effect": "Deny", "Action": [ "kvstore:TagResources", "kvstore:UntagResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": "kvstore:*", "Resource": "*", "Condition": { "StringEquals": { "acs:ResourceTag/TagKey": [ "TagValue" ] } } } ] }Permissions to modify whitelists for a single instance
The following policy grants the permissions to modify the IP address whitelists of the specified instance:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "kvstore:ModifySecurityIps", "Resource": "acs:kvstore:*:*:*/<Instance ID>", "Condition": {} }, { "Action": "kvstore:Describe*", "Resource": "*", "Effect": "Allow" } ] }Permissions for offline key analysis
The following policy grants the permissions to perform offline key analysis on the specified instance:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "hdm:CreateCacheAnalysisTask", "hdm:DescribeCacheAnalysisReportList", "hdm:DescribeCacheAnalysisReport", "hdm:CreateCacheAnalysisJob", "hdm:DescribeCacheAnalysisJob", "hdm:DescribeCacheAnalysisJobs", "hdm:GetInstanceLatestBackup" ], "Resource": "acs:kvstore:*:*:instance/<Instance ID>", "Condition": {} }, { "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "hdm.aliyuncs.com" } } } ] }
References
To use custom policies, you must understand the access control requirements of your business and the authorization information about Tair (Redis OSS-compatible). For more information, see RAM authorization.