To secure your Tablestore resources, you can control access to them with Resource Access Management (RAM) policies, control policies for resource directories, and the network ACLs and instance policies of Tablestore instances. Together they ensure that only authorized users, coming from permitted networks and sources, can access Tablestore resources.
Tablestore supports the following access control methods: RAM policies, control policies, network ACLs, and instance policies. You can combine several of these methods based on your needs.
The RAM Policy feature provided by RAM allows you to manage your users such as employees, systems, and applications in a centralized manner and control their access to cloud resources.
The Control Policy feature provided by the Resource Directory service of Resource Management allows you to manage the permission boundaries of the folders or members in a resource directory in a centralized manner.
The Network ACL feature provided by Tablestore allows you to restrict the types of networks from which users can access a Tablestore instance.
The Instance Policy feature provided by Tablestore allows you to restrict the access sources of a Tablestore instance.
The following table describes the functionality and applicable scenarios of different access control methods.
| Access control method | Functionality | Service | Applicable scenario | Usage note |
| --- | --- | --- | --- | --- |
| RAM policy | Manage the permissions and temporary access permissions of the RAM users under an Alibaba Cloud account. | RAM | You want to grant permissions to a RAM user and use Tablestore as the RAM user, or you want to access Tablestore by using temporary access tokens. For more information, see Use a RAM policy to grant permissions to a RAM user. | |
| Control policy | Manage the security policies for the Alibaba Cloud accounts of different departments in an enterprise in a centralized manner. A control policy does not grant permissions; it only denies access. | Resource Management | You have multiple Alibaba Cloud accounts for your enterprise and want to manage the permission boundaries of these accounts in a centralized manner. For more information, see Use a custom access control policy to define the permission boundaries of enterprise users. | |
| Network ACL | Control the network access to a Tablestore instance under an Alibaba Cloud account. | Tablestore | You want to restrict the types of networks or sources from which users can access the resources of a Tablestore instance. For more information, see Network ACL. | |
| Instance policy | Grant fine-grained permissions on API operations on a Tablestore instance under an Alibaba Cloud account. | Tablestore | You want to restrict the access sources of the resources of a Tablestore instance. For more information, see Use instance policies to restrict the access sources of an instance. | Restricts the access sources of a Tablestore instance, including the IP addresses, networks, and TLS versions that can be used to access the instance. |
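The following Python script is an added example, not code from this page or from Tablestore itself. It models how the four layers above combine for a single request: the network ACL gates the network type, the instance policy and the control policy can only deny, and the RAM policy is the only layer that grants, with an explicit Deny beating an Allow and no matching statement meaning deny. The evaluation order, the `ots:TLSVersion` condition key, the instance name, account ID, CIDR ranges and the sample policies are assumptions made for the example and are not Tablestore's documented evaluation logic; `acs:SourceIp` is a standard RAM condition key.

```python
"""Layered authorization check for a Tablestore request (illustrative example).

Not Tablestore's own code. Evaluation order, the ots:TLSVersion key and all
sample data below are assumptions of the example.
"""
from dataclasses import dataclass
import fnmatch
import ipaddress


@dataclass
class Request:
    """One authenticated API call as seen by the authorization layers."""
    action: str        # e.g. "ots:GetRow"
    resource: str      # acs:ots:<region>:<account-id>:instance/<instance>/table/<table>
    source_ip: str
    network_type: str  # "vpc", "internet" or "classic"
    tls_version: str   # e.g. "TLSv1.3"


def _match(patterns, value):
    """Policy Action/Resource fields are one glob pattern or a list of them."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(op, key, values, req):
    """Evaluate one condition key; NotIpAddress/StringNotEquals negate the match."""
    values = [values] if isinstance(values, str) else list(values)
    if key == "acs:SourceIp":
        ip = ipaddress.ip_address(req.source_ip)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    elif key == "ots:TLSVersion":      # assumed key name for the example
        hit = req.tls_version in values
    else:
        raise ValueError(f"unsupported condition key: {key}")
    return not hit if op in ("NotIpAddress", "StringNotEquals") else hit


def statement_matches(stmt, req):
    """A statement applies only if Action, Resource and every Condition match."""
    if not _match(stmt.get("Action", []), req.action):
        return False
    if not _match(stmt.get("Resource", "*"), req.resource):
        return False
    return all(_condition_holds(op, key, vals, req)
               for op, keys in stmt.get("Condition", {}).items()
               for key, vals in keys.items())


def evaluate(policy, req):
    """Return "Deny", "Allow" or None. An explicit Deny always wins over Allow."""
    effect = None
    for stmt in policy["Statement"]:
        if statement_matches(stmt, req):
            if stmt["Effect"] == "Deny":
                return "Deny"
            effect = "Allow"
    return effect


def authorize(req, network_acl, instance_policy, control_policy, ram_policy):
    """Combine the layers; returns (allowed, reason). Only the RAM policy grants."""
    if req.network_type not in network_acl:
        return False, "network ACL: network type not permitted"
    if evaluate(instance_policy, req) == "Deny":
        return False, "instance policy: access source denied"
    if evaluate(control_policy, req) == "Deny":     # boundary: an Allow here grants nothing
        return False, "control policy: outside permission boundary"
    if evaluate(ram_policy, req) == "Allow":
        return True, "RAM policy: allowed"
    return False, "RAM policy: no matching Allow (default deny)"


# Constructed sample policies in RAM policy JSON shape (not copied from any account).
INSTANCE = "acs:ots:cn-hangzhou:1234567890123456:instance/orders-prod"
RAM_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["ots:GetRow", "ots:GetRange", "ots:BatchGetRow"],
     "Resource": INSTANCE + "/table/*"}]}
CONTROL_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ots:*", "Resource": "*"},        # does not grant anything
    {"Effect": "Deny", "Action": "ots:Delete*", "Resource": "*"}]}  # boundary for all members
INSTANCE_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "ots:*", "Resource": "*",
     "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0/8", "203.0.113.0/24"]}}},
    {"Effect": "Deny", "Action": "ots:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"ots:TLSVersion": ["TLSv1.2", "TLSv1.3"]}}}]}
NETWORK_ACL = {"vpc", "internet"}  # classic network switched off for the instance


def decide(action, source_ip="10.1.2.3", network_type="vpc", tls_version="TLSv1.3"):
    """Run one request against the sample policies through all four layers."""
    req = Request(action, INSTANCE + "/table/orders", source_ip, network_type, tls_version)
    return authorize(req, NETWORK_ACL, INSTANCE_POLICY, CONTROL_POLICY, RAM_POLICY)


if __name__ == "__main__":
    for args in [("ots:GetRow",), ("ots:PutRow",), ("ots:DeleteTable",),
                 ("ots:GetRow", "198.51.100.7", "internet"),
                 ("ots:GetRow", "10.1.2.3", "vpc", "TLSv1.0"),
                 ("ots:GetRow", "10.1.2.3", "classic")]:
        print(args, "->", decide(*args))
```

The `ots:PutRow` case is the one to note: the control policy's `Allow ots:*` statement matches, yet the request is still refused because no RAM policy statement grants it, which is what "a control policy does not grant permissions" means in practice. Conversely, `ots:DeleteTable` is refused by the control policy boundary before the RAM policy is even consulted.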