If you want to implement fine-grained access control for the features of Security Center on Resource Access Management (RAM) users, you can attach system policies or custom policies to the RAM users. This topic describes how to attach system policies and custom policies to RAM users to implement fine-grained access control.
Background information
RAM provides the following types of policies for cloud services: system policies and custom policies. System policies are created by Alibaba Cloud. You cannot modify system policies. To implement fine-grained access control on Security Center, you can use custom policies.
Alibaba Cloud provides the AliyunYundunSASFullAccess
and AliyunYundunSASReadOnlyAccess
system policies that grant permissions on Security Center. If you attach the AliyunYundunSASFullAccess policy to a RAM user, the RAM user is granted full permissions on Security Center. If you attach the AliyunYundunSASReadOnlyAccess policy to a RAM user, the RAM user is granted read-only permissions on Security Center.
Prerequisites
A RAM user is created. For more information, see Create a RAM user.
Attach a system policy to the RAM user
Alibaba Cloud provides both system policies that are related to Billing Management and system policies that grant access or management permissions on Security Center. When a RAM user purchases, renews, or unsubscribes from Security Center, the system may display a message, which indicates that the RAM user does not have the required permissions. When a RAM user accesses Security Center, the system may display a message, which indicates that the RAM user does not have the required permissions and must check the permissions. In these cases, perform the following steps to attach the required system policies to the RAM user.
The system policies that are related to Billing Management take effect on all cloud services. If you attach the system policies that are related to Billing Management to a RAM user, the RAM user can purchase, renew, and unsubscribe from the resources of all cloud services.
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Add Permissions panel, grant permissions to the RAM user.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
ResourceGroup: The authorization takes effect on a specific resource group.
ImportantIf you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
Select a system policy based on the following scenarios and click Grant permissions.
Scenario
System policy
Purchase, renew, or unsubscribe from Security Center
AliyunBSSOrderAccess and AliyunBSSRefundAccess
Access Security Center in read-only mode
AliyunYundunSASReadOnlyAccess
Manage Security Center
AliyunYundunSASFullAccess
Click Close.
Attach a custom policy to the RAM user
To implement fine-grained access control on Security Center, you can perform the following steps to attach a custom policy to the RAM user:
Step 1: Create a custom policy that grants permissions on Security Center
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Configure a policy based on your business requirements.
NoteThe policy that specifies the permissions on O&M operations allows a RAM user to use the vulnerability detection, vulnerability fixing, and baseline check features, and perform operations in the Assets module. For more information about the operations that are allowed by the policy, see the actions and descriptions in the Operations that are supported by custom policies table.
Scenario
Script
Permissions to query the auto-renewal price (
bssapi:QueryAvailableInstances
) and configure auto-renewal settings (bssapi:SetRenewal){ "Version": "1", "Statement": [ { "Action": [ "bssapi:QueryAvailableInstances", "bssapi:SetRenewal", "bss:ModifyPrepaidInstanceAutoRenew", "bss:PayOrder", "bss:QueryPrice", "bss:RefundBatchRemainRefund" ], "Resource": "*", "Effect": "Allow" } ] }
Permissions to modify auto-renewal settings (
bss:ModifyPrepaidInstanceAutoRenew
)Permissions to pay for a renewal and configuration change order (
bss:PayOrder
)Permissions to query the discounted price (
bss:QueryPrice
)Permissions to request a refund (
bss:RefundBatchRemainRefund
)Read-only permissions in the Assets module
{ "Version": "1", "Statement": [ { "Action": [ "yundun-sas:DescribeCloudCenterInstances", "yundun-sas:DescribeFieldStatistics", "yundun-sas:DescribeCriteria" ], "Resource": "*", "Effect": "Allow" } ] }
Permissions to perform security checks in the Assets module
{ "Version": "1", "Statement": [ { "Action": "yundun-sas:ModifyPushAllTask", "Resource": "*", "Effect": "Allow" } ] }
Read-only permissions on the vulnerability management feature
{ "Version": "1", "Statement": [ { "Action": [ "yundun-sas:DescribeVulList", "yundun-sas:DescribeVulWhitelist" ], "Resource": "*", "Effect": "Allow" } ] }
Permissions on the vulnerability management feature
{ "Version": "1", "Statement": [ { "Action": "yundun-sas:OperateVul", "Resource": "*", "Effect": "Allow" } ] }
Permissions on O&M operations
{ "Version": "1", "Statement": [{ "Action": [ "yundun-sas:OperateVul", "yundun-sas:ModifyStartVulScan" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "yundun-sas:FixCheckWarnings", "yundun-sas:IgnoreHcCheckWarnings", "yundun-sas:ValidateHcWarnings" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ecs:RebootInstance", "Effect": "Allow", "Resource": "*", "Condition": { "Bool": { "acs:MFAPresent": "true" } } }, { "Action": "ecs:*", "Effect": "Allow", "Resource": [ "acs:ecs:*:*:*" ] }, { "Action": "ecs:CreateSnapshot", "Effect": "Allow", "Resource": [ "acs:ecs:*:*:*", "acs:ecs:*:*:snapshot/*" ] }, { "Action": [ "ecs:Describe*" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "yundun-sas:ModifyPushAllTask", "yundun-sas:DeleteTagWithUuid", "yundun-sas:ModifyTagWithUuid", "yundun-sas:CreateOrUpdateAssetGroup", "yundun-sas:DeleteGroup", "yundun-sas:ModifyAssetImportant", "yundun-sas:RefreshAssets" ], "Resource": "*", "Effect": "Allow" } ] }
Click Next to edit policy information. On the page that appears, configure the Name and Description parameters for the policy.
Click OK.
Step 2: Grant permissions to the RAM user
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Permission page, click Grant Permission.
In the Grant Permission panel, grant permissions to the RAM user.
By default, a newly created RAM user does not have any permissions.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
Resource Group: The authorization takes effect on a specific resource group.
ImportantIf you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to which you want to grant permissions. You can select multiple RAM users at a time.
Select a policy.
Search for and click the AliyunYundunSASReadOnlyAccess policy. This system policy grants the RAM user read-only permissions on Security Center.
Search for and click the policy that you create in Step 1: Create a custom policy that grants permissions on Security Center.
Click Grant permissions.
Operations that are supported by custom policies
References
Elements: You can refer to this topic to view the elements of policies that are used in RAM to define permissions. The elements are Effect, Action, Resource, Condition, and Principal.
Policy structure and syntax: You can refer to this topic to view the structure and syntax that are used to create or update policies in RAM.
Use RAM to manage permissions of O&M engineers: You can refer to this topic to grant permissions to O&M engineers and manage the permissions.
Use RAM to limit the IP addresses that are allowed to access Alibaba Cloud resources: You can refer to this topic to limit the IP addresses that are allowed to access Alibaba Cloud resources. This ensures a higher level of data security.
Use RAM to limit the period of time in which users are allowed to access Alibaba Cloud resources: You can refer to this topic to limit the period of time in which users are allowed to access Alibaba Cloud resources. This ensures a higher level of data security.