This topic provides examples of custom access control policies.
Policy used to prohibit the modification and deletion of RAM users, RAM user groups, and RAM roles
Document:
{
"Statement": [
{
"Action": [
"ram:Attach*",
"ram:Detach*",
"ram:BindMFADevice",
"ram:CreateAccessKey",
"ram:CreateLoginProfile",
"ram:CreatePolicyVersion",
"ram:DeleteAccessKey",
"ram:DeleteGroup",
"ram:DeleteLoginProfile",
"ram:DeletePolicy",
"ram:DeletePolicyVersion",
"ram:DeleteRole",
"ram:DeleteUser",
"ram:DisableVirtualMFA",
"ram:AddUserToGroup",
"ram:RemoveUserFromGroup",
"ram:SetDefaultPolicyVersion",
"ram:UnbindMFADevice",
"ram:UpdateAccessKey",
"ram:UpdateGroup",
"ram:UpdateLoginProfile",
"ram:UpdateRole",
"ram:UpdateUser"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN":"acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
The preceding policy prohibits the modification and deletion of RAM users, RAM user groups, and RAM roles and the modification of their permissions.
In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy used to prohibit the modification of the role ResourceDirectoryAccountAccessRole and its permissions
Document:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ram:UpdateRole",
"ram:DeleteRole",
"ram:AttachPolicyToRole",
"ram:DetachPolicyFromRole"
],
"Resource": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
]
}
Policy used to prohibit the modification and deletion of specific RAM users
Document:
{
"Version": "1",
"Statement": [{
"Action": [
"ram:AttachPolicyToUser",
"ram:DetachPolicyFromUser",
"ram:AddUserToGroup",
"ram:RemoveUserFromGroup",
"ram:UpdateUser",
"ram:DeleteUser",
"ram:CreateLoginProfile",
"ram:UpdateLoginProfile",
"ram:DeleteLoginProfile",
"ram:CreateAccessKey",
"ram:DeleteAccessKey",
"ram:UpdateAccessKey",
"ram:BindMFADevice",
"ram:UnbindMFADevice",
"ram:DisableVirtualMFA"
],
"Resource": [
"acs:ram:*:*:user/Alice"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}]
}
The preceding policy prohibits the modification and deletion of the specified RAM user Alice and the modification of the permissions of Alice. You can specify the Alibaba Cloud account to which Alice belongs, such as acs:ram:*:18299873****:user/Alice
.
In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy used to prohibit logon to the Alibaba Cloud Management Console from being enabled for an existing RAM user
Document:
{
"Statement": [
{
"Action": [
"ram:CreateLoginProfile",
"ram:UpdateLoginProfile"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
The preceding policy prohibits logon to the Alibaba Cloud Management Console from being enabled for an existing RAM user. Logon to the Alibaba Cloud Management Console can still be enabled for a new RAM user.
In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy used to prohibit a RAM user or RAM role from being used to delete some resources if MFA is not complete for the RAM or RAM role
Document:
{
"Statement": [
{
"Action": "ecs:DeleteInstance",
"Effect": "Deny",
"Resource": "*",
"Condition": {
"Bool": {
"acs:MFAPresent": "false"
}
}
}
],
"Version": "1"
}
The preceding policy prohibits a RAM user or RAM role from being used to delete Elastic Compute Service (ECS) instances if multi-factor authentication (MFA) is not complete for the RAM or RAM role. If you want to delete other resources, change the value of Action to the actions for the resources.
Policy used to prohibit the modification of user-based SSO settings
Document:
{
"Statement": [
{
"Action": [
"ram:SetSamlSsoSettings"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy used to prohibit the modification of role-based SSO settings
Document:
{
"Statement": [
{
"Action": [
"ram:CreateSAMLProvider",
"ram:DeleteSAMLProvider",
"ram:UpdateSAMLProvider"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy used to prohibit the Delivery feature of ActionTrail from being disabled and prohibit the destination to which ActionTrail delivers events from being changed
Document:
{
"Statement": [
{
"Action": [
"actiontrail:UpdateTrail",
"actiontrail:DeleteTrail",
"actiontrail:StopLogging"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy used to prohibit access to some network services
Document:
{
"Statement": [
{
"Action": [
"vpc:*HaVip*",
"vpc:*RouteTable*",
"vpc:*VRouter*",
"vpc:*RouteEntry*",
"vpc:*VSwitch*",
"vpc:*Vpc*",
"vpc:*Cen*",
"vpc:*NetworkAcl*"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
},
{
"Action": [
"vpc:*VpnGateway*",
"vpc:*VpnConnection*",
"vpc:*CustomerGateway*",
"vpc:*SslVpnServer*",
"vpc:*SslVpnClientCert*",
"vpc:*VpnRoute*",
"vpc:*VpnPbrRoute*"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
The preceding policy prohibits access to Virtual Private Cloud (VPC) and VPN Gateway. If you want to prohibit access to other network services, change the value of Action to the actions for these network services.
In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy used to prohibit the creation of network resources (EIPs and NAT gateways) that can be used to access the Internet
Document:
{
"Version": "1",
"Statement": [
{
"Action": [
"vpc:AllocateEipAddress",
"vpc:AllocateEipAddressPro",
"vpc:AllocateEipSegmentAddress",
"vpc:CreateNatGateway"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
]
}
In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy used to prohibit access to network services that are connected to on-premises resources
Document:
{
"Statement": [
{
"Action": [
"vpc:*PhysicalConnection*",
"vpc:*VirtualBorderRouter*",
"cen:*",
"vpc:*VpnGateway*",
"vpc:*VpnConnection*",
"vpc:*CustomerGateway*",
"vpc:*SslVpnServer*",
"vpc:*SslVpnClientCert*",
"vpc:*VpnRoute*",
"vpc:*VpnPbrRoute*",
"smartag:*"
],
"Resource": "*",
"Effect": "Deny"
}
],
"Version": "1"
}
The preceding policy prohibits access to network services that are connected to on-premises resources. These network services include Express Connect, Cloud Enterprise Network, VPN Gateway, and Smart Access Gateway.
Policy used to prohibit the use of some features provided by the Expenses and Costs service
Document:
{
"Statement": [
{
"Action": [
"bss:DescribeOrderList",
"bss:DescribeOrderDetail",
"bss:PayOrder",
"bss:CancelOrder"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
The preceding policy prohibits the use of the Orders feature provided by the Expenses and Costs service. If you want to prohibit the use of other features, change the value of Action to the actions for these features.
In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy used to prohibit the modification of CloudMonitor-related settings
Document:
{
"Version": "1",
"Statement": [
{
"Action": [
"cms:Put*",
"cms:Update*",
"cms:Create*",
"cms:Modify*",
"cms:Disable*",
"cms:Enable*",
"cms:Delete*",
"cms:Send*",
"cms:Subscribe*",
"cms:Unsubscribe*",
"cms:Remove*",
"cms:CreateAction",
"cms:Pause*",
"cms:Stop*",
"cms:Start*",
"cms:BatchCreate*",
"cms:ProfileSet",
"cms:ApplyMonitoringTemplate"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
]
}
In this policy, only ResourceDirectoryAccountAccessRole, which is the default role used to access members in a resource directory, can be used to perform the preceding operations. You can remove this condition to make sure that all RAM users and RAM roles cannot be used to perform these operations. You can also specify RAM users or RAM roles that can be used to perform the operations by changing the value of PrincipalARN.
Policy used to prohibit the purchase of reserved instances
Document:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:PurchaseReservedInstancesOffering"
],
"Resource": "*",
"Effect": "Deny"
}
]
}
Policy used to prohibit the creation of ECS instances in an unspecified VPC
Document:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:CreateInstance",
"ecs:RunInstances"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"vpc:VPC": "acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc****"
}
}
}
]
}
In the preceding policy, acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc****
is used as a specified VPC. You can replace it based on your business requirements.
Policy used to prohibit the purchase of domain names
Document:
{
"Version": "1",
"Statement": [
{
"Action": [
"domain:CreateOrderActivate"
],
"Resource": "*",
"Effect": "Deny"
}
]
}
Policy used to prohibit access to the ticket system
Document:
{
"Version": "1",
"Statement": [
{
"Action": [
"support:*",
"workorder:*"
],
"Resource": "*",
"Effect": "Deny"
}
]
}
Policy used to prohibit access to ECS in a specific region
Document:
{
"Version": "1",
"Statement": [{
"Effect": "Deny",
"Action": [
"ecs:*"
],
"Resource": "acs:ecs:us-east-1:*:*"
}]
}
The preceding policy prohibits access to ECS in the US (Virginia) region.
Policy used to prohibit resource sharing outside a resource directory
Document:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:CreateResourceShare",
"resourcesharing:UpdateResourceShare"
],
"Resource": "*",
"Condition": {
"Bool": {
"resourcesharing:RequestedAllowExternalTargets": "true"
}
}
}
]
}
The preceding policy prohibits the creation of resource shares through which resources are shared to accounts outside the current resource directory.
Policy used to prohibit resource sharing with unexpected accounts
Document:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:AssociateResourceShare",
"resourcesharing:CreateResourceShare"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"resourcesharing:Target": [
"rd-3G****/r-Wm****/*",
"rd-3G****/r-Wm****",
"192796193830****"
]
}
}
}
]
}
The preceding policy allows resource sharing only with the account 192796193830****
and all members in the folder rd-3G****/r-Wm****
. You can change the value of the resourcesharing:Target parameter based on your business requirements.
Policy used to prohibit the acceptance of resource sharing invitations from accounts outside a resource directory
Document:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": "resourcesharing:AcceptResourceShareInvitation",
"Resource": "*"
}
]
}
The preceding policy prohibits the acceptance of resource sharing invitations from accounts outside the current resource directory. If principals and resource owners belong to the same resource directory, no resource sharing invitations are initiated. Therefore, this policy does not affect resource sharing within the same resource directory.
Policy used to allow sharing of resources of only specific types
Document:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:CreateResourceShare",
"resourcesharing:AssociateResourceShare"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"resourcesharing:RequestedResourceType": ["VSwitch","Image","Snapshot"]
}
}
}
]
}
The preceding policy allows sharing of only vSwitches
, images
, and snapshots
. For information about resource type codes, see the Resource type column in Services that work with Resource Sharing.
Policy used to allow sharing of only specific resources
Document:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:CreateResourceShare",
"resourcesharing:AssociateResourceShare"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"resourcesharing:ResourceArn": [
"acs:vpc:cn-shanghai:131993166204****:vswitch/vsw-7xv4sfwo86u2etl64****",
"acs:ecs:cn-shanghai:131993166204****:snapshot/s-7xviog7aq4tenbqj****"
]
}
}
}
]
}
The preceding policy allows sharing of only the vSwitch vsw-7xv4sfwo86u2etl64****
and the snapshot s-7xviog7aq4tenbqj****
within the Alibaba Cloud account 131993166204****
. For information about the Alibaba Cloud Resource Names (ARNs) of resources, see the Resource ARN column in Services that work with Resource Sharing.
Policy used to allow VPC creation based only on IPAM pools
Document:
{
"Statement": [
{
"Action": [
"vpc:CreateVpc",
"vpc:AssociateVpcCidrBlock"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"Null": {
"vpc:Ipv4IpamPoolId": "true"
}
}
}
],
"Version": "1"
}
The preceding policy allows VPC creation based only on IP Address Manager (IPAM) pools.
Policy used to allow VPC creation based only on a specific IPAM pool
Document:
{
"Statement": [
{
"Action": [
"vpc:CreateVpc",
"vpc:AssociateVpcCidrBlock"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"ForAllValues:StringNotLikeIfExists": {
"vpc:Ipv4IpamPoolId": "ipam-pool-bp1dt0ttxkrzpq5nr****"
}
}
}
],
"Version": "1"
}
The preceding policy allows VPC creation based only on the IPAM pool ipam-pool-bp1dt0ttxkrzpq5nr****
.