
Tablestore: Use custom access control policies

Last Updated:Feb 20, 2024

Custom access control policies define the permission boundaries for resource access. Tablestore supports custom access control policies. For example, you can use them to restrict the TLS versions that users can use to access Tablestore, or to restrict users to creating only instances that do not support public access. Configure custom access control policies based on your business requirements.

Background information

A resource directory control policy is an access control policy based on the structure of resources, such as folders and members. A resource directory control policy can be used to manage permission boundaries of the folders or members in a resource directory in a centralized manner. For more information, see Overview.

Access control policy syntax

An access control policy consists of four basic elements: Effect, Action, Resource, and Condition. For more information, see Languages of access control policies.

Elements

Element     Description
Effect      Specifies whether a statement result is an explicit allow or an explicit deny. Valid values: Allow and Deny.
Action      Specifies one or more API operations that are allowed or denied. For more information, see the Action section of the "Configure a custom policy" topic.
Resource    Specifies one or more objects to which a policy applies. For more information, see the Resource section of the "Configure a custom policy" topic.
Condition   Specifies the conditions that are required for a policy to take effect. For more information, see the Examples section of this topic.

Examples


Restrict the TLS versions that users can use to access Tablestore

You can use a custom access control policy to restrict access to Tablestore to specified TLS versions. This prevents clients from negotiating older, weaker protocol versions.

The following sample policy allows access to Tablestore only over TLS 1.2 and TLS 1.3. Because the statement denies all ots: actions on all resources, it applies to every Tablestore API request, including data-plane operations. If a client uses any other TLS version (for example, TLS 1.0 or TLS 1.1), the request is denied.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ots:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                  "ots:TLSVersion": [
                    "TLSv1.2",
                    "TLSv1.3"
                  ]
                }
            }
        }
    ]
}

Restrict users to creating only instances that do not support public access

You can use a custom access control policy to restrict users to creating only instances that do not support public access. The following sample policy denies the instance creation and update operations whenever the request enables Internet access, so an existing instance cannot be switched to public access either.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ots:InsertInstance",
        "ots:CreateInstance",
        "ots:UpdateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ots:AllowInstanceInternetAccess": [
            "true"
          ]
        }
      }
    }
  ]
}
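To see how the two policies above behave before you attach them, the following script parses them and evaluates constructed sample requests against them. It is an added example, not code from Alibaba Cloud or Tablestore, and it models only the subset of the policy language the page uses (Effect=Deny, Action and Resource wildcards, and the StringNotEquals and Bool operators). The sample action names, the resource string, and the rule that a missing condition key makes a statement not apply are assumptions of this model; the authoritative decision is made by Alibaba Cloud.

```python
"""Simplified evaluator for the two Tablestore control policies on this page.

Added example, not Alibaba Cloud code. It models only Effect=Deny, Action and
Resource wildcards, and the StringNotEquals and Bool condition operators.
Treating a missing condition key as "condition not met" is an assumption.
"""
import fnmatch
import json

# The TLS policy from the page. A trailing comma after "ots:*" would not parse.
TLS_POLICY = """{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["ots:*"],
            "Resource": ["*"],
            "Condition": {
                "StringNotEquals": {
                    "ots:TLSVersion": ["TLSv1.2", "TLSv1.3"]
                }
            }
        }
    ]
}"""

# The public-access policy from the page, unchanged.
PUBLIC_ACCESS_POLICY = """{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["ots:InsertInstance", "ots:CreateInstance", "ots:UpdateInstance"],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ots:AllowInstanceInternetAccess": ["true"]
                }
            }
        }
    ]
}"""


def load_policy(text):
    """Parse policy JSON; raises json.JSONDecodeError on mistakes such as trailing commas."""
    return json.loads(text)


def is_valid_policy_json(text):
    """True if the text is well-formed JSON whose Statement element is a list."""
    try:
        return isinstance(load_policy(text).get("Statement"), list)
    except (json.JSONDecodeError, AttributeError):
        return False


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # Policy wildcards such as "ots:*" are treated like shell globs here.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator and every key must hold (logical AND)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if key not in context:
                return False  # assumption: absent key => statement does not apply
            actual = str(context[key])
            allowed = [str(v) for v in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual in allowed
            elif operator == "StringNotEquals":
                ok = actual not in allowed
            elif operator == "Bool":
                ok = actual.lower() in [v.lower() for v in allowed]
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def is_denied(policy_text, action, resource, context):
    """Return True if any Deny statement matches the action, resource and context."""
    for stmt in load_policy(policy_text)["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt.get("Resource", "*"), resource):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample requests; the condition keys are the ones used on the page.
    res = "acs:ots:cn-hangzhou:123456789012:instance/demo"  # constructed resource
    for tls in ("TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"):
        print(tls, "GetRow denied:", is_denied(TLS_POLICY, "ots:GetRow", res, {"ots:TLSVersion": tls}))
    for public in ("true", "false"):
        print("CreateInstance with Internet access =", public, "denied:",
              is_denied(PUBLIC_ACCESS_POLICY, "ots:CreateInstance", res,
                        {"ots:AllowInstanceInternetAccess": public}))
```

Run the script as-is to print the decisions for each sample request. The `is_valid_policy_json` check is worth running on any policy you paste into the console, since a stray trailing comma turns the document into invalid JSON.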

Typical scenarios

Before you access a resource directory, make sure that the following prerequisites are met:

  • An invitation to use Resource Directory is received.

  • The Alibaba Cloud account that you use to enable a resource directory passes enterprise real-name verification. An account that has passed only individual real-name verification cannot be used to enable a resource directory. For more information, see Enable a resource directory.

  • Folders are created based on the organizational structure of your enterprise. For more information, see Create a folder.

  • Members are created or existing Alibaba Cloud accounts are invited to your resource directory. The members are moved to the corresponding folders. For more information, see Create a member, Invite an Alibaba Cloud account to join a resource directory, and Move a member.

Scenario 1: Restrict the TLS versions that users can use to access Tablestore

  1. Use a management account to enable the control policy feature.

    1. Log on to the Resource Management console.

    2. In the left-side navigation pane, choose Resource Directory > Control Policy.

    3. On the page that appears, click Enable Control Policy.

    4. In the message that appears, click OK.

    5. Click the Refresh icon and view the status of the control policy feature.

  2. Use the management account to create a custom access control policy on the JSON tab.

    1. In the left-side navigation pane, choose Resource Directory > Control Policy.

    2. On the Policies tab of the page that appears, click Create Policy.

    3. On the Create Policy page, click the JSON tab.

    4. Enter the following access control policy and click Next to edit policy information.

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Deny",
                  "Action": [
                      "ots:*"
                  ],
                  "Resource": [
                      "*"
                  ],
                  "Condition": {
                      "StringNotEquals": {
                        "ots:TLSVersion": [
                          "TLSv1.2",
                          "TLSv1.3"
                        ]
                      }
                  }
              }
          ]
      }
    5. Configure the Name and Note parameters.

    6. Review the policy content and adjust it to your requirements before you save it.

  3. Use the management account of your resource directory to attach the created custom access control policy to folders or members in the resource directory.

    After the configuration is complete, the specified members can access Tablestore only over TLS 1.2 and TLS 1.3.

    1. In the left-side navigation pane, choose Resource Directory > Control Policy.

    2. On the Control Policy page, click the Attachments tab. In the navigation tree of the Attachments tab, find the folder or member to which you want to attach the access control policy. Then, click the name of the folder or member.

    3. In the section that appears, click Attach Policy.

    4. In the Attach Policy dialog box, select the access control policy that you want to attach to the folder or member.

    5. In the message that appears, click OK.

Scenario 2: Restrict users to creating only instances that do not support public access

  1. Use a management account to enable the control policy feature.

    1. Log on to the Resource Management console.

    2. In the left-side navigation pane, choose Resource Directory > Control Policy.

    3. On the page that appears, click Enable Control Policy.

    4. In the message that appears, click OK.

    5. Click the Refresh icon and view the status of the control policy feature.

  2. Use the management account to create a custom access control policy on the JSON tab.

    1. In the left-side navigation pane, choose Resource Directory > Control Policy.

    2. On the Policies tab of the page that appears, click Create Policy.

    3. On the Create Policy page, click the JSON tab.

    4. Enter the following access control policy and click Next to edit policy information.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Deny",
            "Action": [
              "ots:InsertInstance",
              "ots:CreateInstance",
              "ots:UpdateInstance"
            ],
            "Resource": "*",
            "Condition": {
              "Bool": {
                "ots:AllowInstanceInternetAccess": [
                  "true"
                ]
              }
            }
          }
        ]
      }
    5. Configure the Name and Note parameters.

    6. Review the policy content and adjust it to your requirements before you save it.

  3. Use the management account of your resource directory to attach the created custom access control policy to folders or members in the resource directory.

    After the configuration is complete, the specified members can create only Tablestore instances that do not support public access.

    1. In the left-side navigation pane, choose Resource Directory > Control Policy.

    2. On the Control Policy page, click the Attachments tab. In the navigation tree of the Attachments tab, find the folder or member to which you want to attach the access control policy. Then, click the name of the folder or member.

    3. In the section that appears, click Attach Policy.

    4. In the Attach Policy dialog box, select the access control policy that you want to attach to the folder or member.

    5. In the message that appears, click OK.