An instance policy is an authorization policy that you can use to restrict the access sources of an instance, including the IP addresses, networks, and TLS versions that users can use to access the instance. This limits which sources can reach the instance and protects the resources in it.
Prerequisites
A Tablestore instance is created. For more information, see the "Step 2: Create an instance" section of the Use the Wide Column model in the Tablestore console topic.
Usage notes
The instance policies that you can configure for a single instance can be up to 4 KB in size.
If the Effect parameter is set to Allow for an instance policy that contains multiple conditions, the instance can be accessed if the access source meets any one of the conditions.
If the Effect parameter is set to Deny for an instance policy, access to the instance is denied for the access sources specified in the instance policy even if they are allowed by other authorization policies. A Deny result takes the highest priority during authorization.
If an access source is both allowed and denied by instance policies, the access source is denied.
If an instance policy and a network access control list (ACL) are both configured for an instance, the instance can be accessed only if the conditions of the instance policy and rules of the network ACL are met.
Configure the Effect parameter based on your business scenarios.
To allow an access source, set the Effect parameter to Allow and configure the conditions. If this access source is denied by other authorization policies such as a Resource Access Management (RAM) policy, the access source is denied.
To deny an access source, set the Effect parameter to Deny and configure the conditions. If this access source is allowed by other authorization policies such as a RAM policy, the access source is still denied. The authorization policies that allow this access source do not take effect.
Procedure
Go to the Create Policy panel.
Log on to the Tablestore console.
In the left-side navigation pane, click Overview. In the top navigation bar, select a region. Find the instance that you want to manage and click the name of the instance.
On the page that appears, click the Security Policy tab. On the Security Policy tab, click Authorize.
On the Visualized Policy tab of the Create Policy panel, set the Effect parameter to Allow or Deny based on your business requirements.
Note: The value of the Service parameter is fixed to Tablestore, the value of the Actions parameter is fixed to All Actions (*), and the value of the Resource parameter is fixed to All Resources (*). You cannot modify these parameters.
Add conditions based on your business requirements.
If you need to add multiple conditions, repeat the following operations for each condition.
In the Create Policy panel, click Add Condition. Click Edit to configure a condition.
In the Add Condition panel, configure the parameters that are described in the following table.
Parameter | Description |
Condition Key | The key of the condition. Valid values: acs:SourceVpc allows or denies clients in the specified virtual private clouds (VPCs); ots:TLSVersion allows or denies clients that use the specified TLS versions; acs:SourceIP allows or denies clients from the specified IP addresses. |
Operator | The operator that defines the condition. If the Condition Key parameter is set to acs:SourceVpc or ots:TLSVersion, valid values are StringEquals (the condition takes effect if the actual value is equal to the value of the condition) and StringNotEquals (the condition takes effect if the actual value is not equal to the value of the condition). If the Condition Key parameter is set to acs:SourceIP, valid values are IpAddress (the condition takes effect if the actual IP address is included in the specified IP addresses) and NotIpAddress (the condition takes effect if the actual IP address is not included in the specified IP addresses). |
Condition Value | The value of the condition. Configure the Condition Value parameter based on your business requirements. If the Condition Key parameter is set to acs:SourceVpc, select the VPCs that are associated with the instance from the drop-down list or enter valid VPC IDs. If the Condition Key parameter is set to ots:TLSVersion, select TLS versions from the drop-down list. Valid values: 1.0, 1.1, 1.2, and 1.3. If the Condition Key parameter is set to acs:SourceIP, enter IP addresses or CIDR blocks. Separate IP addresses or CIDR blocks with commas (,). |
Click Yes.
After the conditions are configured, you can view the script of the policy on the Script-based Policy tab of the Create Policy panel.
In the Create Policy panel, click Yes.
After you add the authorization policy to the instance, you can view the complete script of the policy on the Script-based Policy tab. For more information about how to configure instance policies, see Configure an instance policy.
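The evaluation rules from the usage notes (any condition of an Allow policy suffices, Deny overrides Allow, and the RAM policy and network ACL must also agree) together with the condition keys and operators from the table above, worked through as an added example. This is constructed illustration code, not Tablestore's own policy engine; the policy dict shape, the way Deny policies combine their conditions, and the treatment of a source matched by no policy are assumptions marked in the comments.

```python
import ipaddress

# Constructed illustration of the evaluation rules described above. This is not
# Tablestore's own policy engine; the dict shape used for a policy is an assumption:
# {"Effect": "Allow" | "Deny", "Conditions": [(condition_key, operator, values)]}.
# Assumed: a policy matches when ANY of its conditions matches (the page states
# this for Allow; it is applied to Deny here as well).

def condition_matches(cond, source):
    """Apply one condition (key, operator, values) to the access source's attributes."""
    key, operator, values = cond
    actual = source.get(key)
    if actual is None:
        return False
    if operator == "StringEquals":
        return actual in values
    if operator == "StringNotEquals":
        return actual not in values
    if operator in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        inside = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        return inside if operator == "IpAddress" else not inside
    raise ValueError(f"unsupported operator: {operator}")

def instance_policy_decision(policies, source):
    """Return 'Deny', 'Allow' or 'NoMatch' for the access source."""
    matched = {p["Effect"] for p in policies
               if any(condition_matches(c, source) for c in p["Conditions"])}
    if "Deny" in matched:
        return "Deny"  # a source that is both allowed and denied is denied
    return "Allow" if "Allow" in matched else "NoMatch"

def access_granted(policies, source, ram_allows=True, acl_allows=True):
    """Combine the instance policy with the RAM policy and network ACL outcomes;
    ram_allows and acl_allows are constructed stand-ins for those two checks."""
    decision = instance_policy_decision(policies, source)
    if decision == "Deny":
        return False  # Deny overrides every other authorization policy
    if decision == "Allow":
        return ram_allows and acl_allows  # Allow still needs RAM and the ACL to agree
    return False  # assumption: no matching statement grants no access

# Constructed sample: allow the 10.0.0.0/16 block or TLS 1.3; deny TLS 1.0 and 1.1.
SAMPLE_POLICIES = [
    {"Effect": "Allow", "Conditions": [("acs:SourceIP", "IpAddress", ["10.0.0.0/16"]),
                                       ("ots:TLSVersion", "StringEquals", ["1.3"])]},
    {"Effect": "Deny", "Conditions": [("ots:TLSVersion", "StringEquals", ["1.0", "1.1"])]},
]
```

A client from 10.0.1.25 on TLS 1.0 matches both the Allow policy (by IP) and the Deny policy (by TLS version), so it is denied, which is the "both allowed and denied" case from the usage notes.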
Related operations
After you add an instance policy, you can perform the following operations on the policy on the Visualized Policy tab based on your business requirements.
Operation | Description |
View the information about the policy | You can use one of the following methods to view the configurations of the policy, such as the resources, actions, conditions, principals, and effect: |
Edit the conditions of the policy | You can modify the effect and conditions of the policy based on your business requirements. |
Delete the policy | You can delete the policy if it is no longer needed. Click Delete in the Actions column. In the message that appears, click Yes. Important |