If system policies do not meet your requirements, you can configure custom policies to implement the principle of least privilege. You can use custom policies to implement fine-grained permission control and improve your resource security. This topic describes how to configure custom policies for a Virtual Private Cloud (VPC) and provides examples.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You need to maintain custom policies.
After you create a custom policy, you need to attach it to a RAM user, a user group, or a RAM role so that the permissions specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Examples
Example 1: Authorize a RAM user to manage all VPCs.
To authorize a RAM user to manage all VPCs within the Alibaba Cloud account 1234567, use the following sample script:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "vpc:*" ], "Resource": [ "acs:vpc:*:1234567:*/*" ] }, { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "*" ] } ] }
Example 2: Authorize a RAM user to manage the vSwitches in a VPC.
You can use the following sample script to authorize a RAM user to manage the vSwitches in the China (Qingdao) region. More specifically, the RAM user can create vSwitches, delete vSwitches, associate subnet routes, and disassociate subnet routes. The RAM user can only view the vSwitches in other regions.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "vpc:*Describe*", "vpc:*vSwitch*", "vpc:*RouteTable*" ], "Resource": [ "acs:vpc:cn-qingdao:*:*/*" ] }, { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "acs:ecs:cn-qingdao:*:*/*" ] } ] }
Example 3: Authorize a RAM user to manage the route tables and routes in a specific region.
To authorize a RAM user to manage the VPCs within the Alibaba Cloud account 11111111 in the China (Hangzhou) region, use the following sample script. After the RAM user is authorized, the RAM user can add and delete routes, create subnet routes, and associate vSwitches in the China (Hangzhou) region. The RAM user can only view the cloud services in other regions.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "*" ], "Condition": { } }, { "Effect": "Allow", "Action": [ "slb:*Describe*" ], "Resource": [ "*" ], "Condition": { } }, { "Effect": "Allow", "Action": [ "rds:*Describe*" ], "Resource": [ "*" ], "Condition": { } }, { "Effect": "Allow", "Action": [ "vpc:*Describe*", "vpc:*RouteEntry*", "vpc:*RouteTable*" ], "Resource": [ "acs:vpc:cn-hangzhou:11111111:*/*" ], "Condition": { } } ] }
Example 4: Authorize a RAM user to add routes to or delete routes from a specified route table
To authorize a RAM user to add or delete the route entries in a specified route table, use the following sample script:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "vpc:*RouteEntry*" ], "Resource": [ "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx" ] }, { "Effect": "Allow", "Action": [ "vpc:*Describe*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "*" ] } ] }