How do I attach system policies and custom policies to RAM users? - Security Center

If you want to implement fine-grained access control for the features of Security Center on Resource Access Management (RAM) users, you can attach system policies or custom policies to the RAM users. This topic describes how to attach system policies and custom policies to RAM users to implement fine-grained access control.

Background information

RAM provides the following types of policies for cloud services: system policies and custom policies. System policies are created by Alibaba Cloud. You cannot modify system policies. To implement fine-grained access control on Security Center, you can use custom policies.

Note

Alibaba Cloud provides the AliyunYundunSASFullAccess and AliyunYundunSASReadOnlyAccess system policies that grant permissions on Security Center. If you attach the AliyunYundunSASFullAccess policy to a RAM user, the RAM user is granted full permissions on Security Center. If you attach the AliyunYundunSASReadOnlyAccess policy to a RAM user, the RAM user is granted read-only permissions on Security Center.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Attach a system policy to the RAM user

Alibaba Cloud provides both system policies that are related to Billing Management and system policies that grant access or management permissions on Security Center. When a RAM user purchases, renews, or unsubscribes from Security Center, the system may display a message, which indicates that the RAM user does not have the required permissions. When a RAM user accesses Security Center, the system may display a message, which indicates that the RAM user does not have the required permissions and must check the permissions. In these cases, perform the following steps to attach the required system policies to the RAM user.

Important

The system policies that are related to Billing Management take effect on all cloud services. If you attach the system policies that are related to Billing Management to a RAM user, the RAM user can purchase, renew, and unsubscribe from the resources of all cloud services.

Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

In the Add Permissions panel, grant permissions to the RAM user.

Configure the Resource Scope parameter.
- Account: The authorization takes effect on the current Alibaba Cloud account.
- Resource Group: The authorization takes effect on a specific resource group.
  Important
  If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.

Select a system policy based on the following scenarios and click Grant permissions.

Scenario	System policy
Purchase, renew, or unsubscribe from Security Center	AliyunBSSOrderAccess and AliyunBSSRefundAccess
Access Security Center in read-only mode	AliyunYundunSASReadOnlyAccess
Manage Security Center	AliyunYundunSASFullAccess

Click Close.

Attach a custom policy to the RAM user

To implement fine-grained access control on Security Center, you can perform the following steps to attach a custom policy to the RAM user:

Step 1: Create a custom policy that grants permissions on Security Center

Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.

On the Create Policy page, click the JSON tab.

Configure a policy based on your business requirements.

Note

The policy that specifies the permissions on O&M operations allows a RAM user to use the vulnerability detection, vulnerability fixing, and baseline check features, and perform operations in the Assets module. For more information about the operations that are allowed by the policy, see the actions and descriptions in the Operations that are supported by custom policies table.

Scenario	Script
Permissions to query the auto-renewal price (`bssapi:QueryAvailableInstances`) and configure auto-renewal settings (bssapi:SetRenewal)	`{ "Version": "1", "Statement": [ { "Action": [ "bssapi:QueryAvailableInstances", "bssapi:SetRenewal", "bss:ModifyPrepaidInstanceAutoRenew", "bss:PayOrder", "bss:QueryPrice", "bss:RefundBatchRemainRefund" ], "Resource": "*", "Effect": "Allow" } ] }`
Permissions to modify auto-renewal settings (`bss:ModifyPrepaidInstanceAutoRenew`)
Permissions to pay for a renewal and configuration change order (`bss:PayOrder`)
Permissions to query the discounted price (`bss:QueryPrice`)
Permissions to request a refund (`bss:RefundBatchRemainRefund`)
Read-only permissions in the Assets module	`{ "Version": "1", "Statement": [ { "Action": [ "yundun-sas:DescribeCloudCenterInstances", "yundun-sas:DescribeFieldStatistics", "yundun-sas:DescribeCriteria" ], "Resource": "*", "Effect": "Allow" } ] }`
Permissions to perform security checks in the Assets module	`{ "Version": "1", "Statement": [ { "Action": "yundun-sas:ModifyPushAllTask", "Resource": "*", "Effect": "Allow" } ] }`
Read-only permissions on the vulnerability management feature	`{ "Version": "1", "Statement": [ { "Action": [ "yundun-sas:DescribeVulList", "yundun-sas:DescribeVulWhitelist" ], "Resource": "*", "Effect": "Allow" } ] }`
Permissions on the vulnerability management feature	`{ "Version": "1", "Statement": [ { "Action": "yundun-sas:OperateVul", "Resource": "*", "Effect": "Allow" } ] }`
Permissions on O&M operations	{ "Version": "1", "Statement": [{ "Action": [ "yundun-sas:OperateVul", "yundun-sas:ModifyStartVulScan" ], "Resource": "", "Effect": "Allow" }, { "Action": [ "yundun-sas:FixCheckWarnings", "yundun-sas:IgnoreHcCheckWarnings", "yundun-sas:ValidateHcWarnings" ], "Resource": "", "Effect": "Allow" }, { "Action": "ecs:RebootInstance", "Effect": "Allow", "Resource": "", "Condition": { "Bool": { "acs:MFAPresent": "true" } } }, { "Action": "ecs:", "Effect": "Allow", "Resource": [ "acs:ecs:::" ] }, { "Action": "ecs:CreateSnapshot", "Effect": "Allow", "Resource": [ "acs:ecs:::", "acs:ecs:::snapshot/" ] }, { "Action": [ "ecs:Describe" ], "Effect": "Allow", "Resource": "" }, { "Action": [ "yundun-sas:ModifyPushAllTask", "yundun-sas:DeleteTagWithUuid", "yundun-sas:ModifyTagWithUuid", "yundun-sas:CreateOrUpdateAssetGroup", "yundun-sas:DeleteGroup", "yundun-sas:ModifyAssetImportant", "yundun-sas:RefreshAssets" ], "Resource": "", "Effect": "Allow" } ] }

Click Next to edit policy information. On the page that appears, configure the Name and Description parameters for the policy.
Click OK.

Step 2: Grant permissions to the RAM user

Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose Permissions > Grants.
On the Permission page, click Grant Permission.
In the Grant Permission panel, grant permissions to the RAM user.
By default, a newly created RAM user does not have any permissions.
1. Configure the Resource Scope parameter.
  - Account: The authorization takes effect on the current Alibaba Cloud account.
  - Resource Group: The authorization takes effect on a specific resource group.
    Important
    If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
2. Configure the Principal parameter.
  The principal is the RAM user to which you want to grant permissions. You can select multiple RAM users at a time.
3. Select a policy.
  - Search for and click the AliyunYundunSASReadOnlyAccess policy. This system policy grants the RAM user read-only permissions on Security Center.
  - Search for and click the policy that you create in Step 1: Create a custom policy that grants permissions on Security Center.
Click Grant permissions.

Operations that are supported by custom policies

The following tables describe the operations supported by custom policies that grant permissions on Security Center.

Note

In most cases, each action supported by a custom policy corresponds to one API operation of a cloud service.

Assets

Action in a policy	Description	Operation
yundun-sas:DescribeCloudCenterInstances	Queries asset information. The information includes asset types, alerts, and the status of the Security Center agent.	DescribeCloudCenterInstances
yundun-sas:DescribeFieldStatistics	Queries the statistics of servers.	DescribeFieldStatistics
yundun-sas:DescribeCriteria	Queries the search conditions when you query an asset. You can specify a keyword for fuzzy search.	DescribeCriteria
yundun-sas:ModifyPushAllTask	Performs security checks on servers.	ModifyPushAllTask
yundun-sas:DeleteGroup	Deletes a server group.	DeleteGroup
yundun-sas:DescribeSearchCondition	Queries the filter conditions that are used to search for specific assets.	DescribeSearchCondition
yundun-sas:DescribeImageStatistics	Queries the risk statistics of container images.	DescribeImageStatistics
yundun-sas:DescribeGroupedTags	Queries the statistics of asset tags.	DescribeGroupedTags
yundun-sas:DescribeDomainCount	Queries the number of domain assets.	DescribeDomainCount
yundun-sas:DescribeCloudProductFieldStatistics	Queries the statistics of cloud services.	DescribeCloudProductFieldStatistics
yundun-sas:DescribeCloudCenterInstances	Queries asset information.	DescribeCloudCenterInstances
yundun-sas:DescribeAllGroups	Queries grouping information about all servers.	DescribeAllGroups
yundun-sas:CreateOrUpdateAssetGroup	Creates a server group, adds servers to a server group, or removes servers from a server group.	CreateOrUpdateAssetGroup
yundun-sas:DescribeInstanceStatistics	Queries the risk statistics of an asset.	DescribeInstanceStatistics
yundun-sas:PauseClient	Enables or disables the Security Center agent.	PauseClient
yundun-sas:ModifyTagWithUuid	Changes the names of the tags that are added to assets, or modifies the tags for assets.	ModifyTagWithUuid
yundun-sas:RefreshAssets	Updates the information about all assets.	RefreshAssets
yundun-sas:ExportRecord	Exports the check results of the Assets module, and the check results on the Configuration Assessment, Image Security, Attack Analysis, and AccessKey Leak Detection pages to Excel files.	ExportRecord
yundun-sas:DescribeExportInfo	Queries the progress of the task that exports the list of assets.	DescribeExportInfo
yundun-sas:DescribeDomainList	Queries domain assets.	DescribeDomainList
yundun-sas:DescribeDomainDetail	Queries the details of a domain asset.	DescribeDomainDetail
yundun-sas:DescribeAssetDetailByUuid	Queries the details of a server by using the UUID of the server.	DescribeAssetDetailByUuid

Vulnerability fixing

Action in a policy	Description	Operation
yundun-sas:DescribeVulWhitelist	Queries the whitelist of vulnerabilities by page.	DescribeVulWhitelist
yundun-sas:ModifyOperateVul	Handles detected vulnerabilities. You can fix, check, or ignore the vulnerabilities.	ModifyOperateVul
yundun-sas:ModifyVulTargetConfig	Configures vulnerability detection for a server.	ModifyVulTargetConfig
yundun-sas:DescribeConcernNecessity	Queries the priorities based on which vulnerabilities are fixed.	DescribeConcernNecessity
yundun-sas:DescribeVulList	Queries vulnerabilities by type.	DescribeVulList
yundun-sas:ModifyOperateVul	Handles detected vulnerabilities. You can fix, check, or ignore the vulnerabilities.	ModifyOperateVul
yundun-sas:DescribeImageVulList	Queries the details of vulnerabilities that are detected by using container image scan and the information about the affected images.	DescribeImageVulList
yundun-sas:ExportVul	Exports the list of vulnerabilities.	ExportVul
yundun-sas:DescribeVulExportInfo	Queries the progress of the task that exports the list of vulnerabilities.	DescribeVulExportInfo

Baseline check

Action in a policy	Description	Operation
yundun-sas:FixCheckWarnings	Fixes a baseline risk item.	FixCheckWarnings
yundun-sas:IgnoreHcCheckWarnings	Ignores or cancels ignoring baseline risks.	IgnoreHcCheckWarnings
yundun-sas:ValidateHcWarnings	Verifies whether baseline risk items are fixed.	ValidateHcWarnings

References

Elements: You can refer to this topic to view the elements of policies that are used in RAM to define permissions. The elements are Effect, Action, Resource, Condition, and Principal.

Policy structure and syntax: You can refer to this topic to view the structure and syntax that are used to create or update policies in RAM.

Use RAM to manage permissions of O&M engineers: You can refer to this topic to grant permissions to O&M engineers and manage the permissions.

Use RAM to limit the IP addresses that are allowed to access Alibaba Cloud resources: You can refer to this topic to limit the IP addresses that are allowed to access Alibaba Cloud resources. This ensures a higher level of data security.

Use RAM to limit the period of time in which users are allowed to access Alibaba Cloud resources: You can refer to this topic to limit the period of time in which users are allowed to access Alibaba Cloud resources. This ensures a higher level of data security.