All Products
Search
Document Center

:ApsaraDB for Redis custom policies

Last Updated:Nov 17, 2023

If system policies do not meet your requirements, you can configure custom policies to implement the principle of least privilege. You can use custom policies to implement fine-grained permission management and improve resource security. This topic describes common scenarios where you can use custom policies for ApsaraDB for Redis and provides examples.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.

  • After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.

  • You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.

  • Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

References

Common scenarios and examples

The following code provides examples of common custom policies. You must replace ApsaraDB for Redis instance ID in the following code with your actual instance ID.

  • Manage all permissions on a single instance

    The following policy indicates that you have all permissions to manage the specified ApsaraDB for Redis instance:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "kvstore:*",
                "Resource": "acs:kvstore:*:*:*/<ApsaraDB for Redis instance ID>",
                "Condition": {}
            },
            {
                "Action": "kvstore:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  • Manage all permissions on multiple instances

    The following policy indicates that you have all permissions to manage multiple specified ApsaraDB for Redis instances:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "kvstore:*",
                "Resource": [
                    "acs:kvstore:*:*:*/<ApsaraDB for Redis instance ID>",
                    "acs:kvstore:*:*:*/<ApsaraDB for Redis instance ID>"
                ],
                "Condition": {}
            },
            {
                "Action": "kvstore:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  • Modify the permissions on whitelists for a single instance

    The following policy indicates that you have the permissions to modify the IP address whitelists of the specified ApsaraDB for Redis instance:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "kvstore:ModifySecurityIps",
                "Resource": "acs:kvstore:*:*:*/<ApsaraDB for Redis instance ID>",
                "Condition": {}
            },
            {
                "Action": "kvstore:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  • Permissions for offline key analysis

    The following policy indicates that you have the permissions to perform offline key analysis on the specified ApsaraDB for Redis instance:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "hdm:CreateCacheAnalysisTask",
                    "hdm:DescribeCacheAnalysisReportList",
                    "hdm:DescribeCacheAnalysisReport",
                    "hdm:CreateCacheAnalysisJob",
                    "hdm:DescribeCacheAnalysisJob",
                    "hdm:DescribeCacheAnalysisJobs",
                    "hdm:GetInstanceLatestBackup"
                ],
                "Resource": "acs:kvstore:*:*:instance/<ApsaraDB for Redis instance ID>",
                "Condition": {}
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "hdm.aliyuncs.com"
                    }
                }
            }
        ]
    }

Authorization information

To use custom policies, you must understand the access control requirements of your business and the authorization information about ApsaraDB for Redis. For more information, see RAM authorization.