
Cloud Firewall: RAM authorization

Last Updated: Sep 02, 2024
Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.
This topic describes the elements, such as Action, Resource, and Condition, that are defined by CloudFirewall. You can use these elements to create policies in RAM. The codes (RamCode) that identify CloudFirewall in RAM are yundun-cloudfirewall and yundun-ndr. You can grant permissions on CloudFirewall at the SERVICE level.

General structure of a policy

Policies can be stored as JSON files. The following code shows the general structure of a policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}
The following list describes the fields in the policy:
  • Effect: specifies the authorization effect. Valid values: Allow, Deny.
  • Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
  • Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
  • Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
    • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
    • Condition_key: specifies the condition keys.
    • Condition_value: specifies the condition values.

Action

CloudFirewall defines the values that you can use in the Action element of a policy statement. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a group of operations. You cannot authorize the RAM user or the RAM role to perform a specific operation in CloudFirewall. You can authorize the RAM user or the RAM role to perform only a group of operations at the service level. The following list describes the columns in the table:
  • Operation: a group of operations that you can authorize the RAM user or the RAM role to perform.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the group of operations. You cannot grant permissions on this Alibaba Cloud service at the resource level. Therefore, you must grant permissions on all resources in this Alibaba Cloud service.
  • Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
Actions | Access level | Resource type | Condition key | Associated operation
yundun-cloudfirewall:DeleteControlPolicy | delete | All Resources | None | None
yundun-cloudfirewall:ModifyObjectGroupOperation | update | All Resources | None | None
yundun-cloudfirewall:DescribeTrFirewallsV2List | get | All Resources | None | None
yundun-cloudfirewall:DeleteControlPolicyTemplate | delete | All Resources | None | None
yundun-cloudfirewall:DescribeTrFirewallsV2Detail | get | All Resources | None | None
yundun-cloudfirewall:DescribeInstanceMembers | get | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallIPSWhitelist | update | All Resources | None | None
yundun-cloudfirewall:DescribeDownloadTask | list | All Resources | None | None
yundun-cloudfirewall:CreateTrFirewallV2 | create | All Resources | None | None
yundun-cloudfirewall:DescribeAssetList | get | All Resources | None | None
yundun-cloudfirewall:CreateVpcFirewallControlPolicy | create | All Resources | None | None
yundun-cloudfirewall:DescribeSignatureLibVersion | none | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallDefaultIPSConfig | get | All Resources | None | None
yundun-cloudfirewall:DeleteSecurityProxy | get | All Resources | None | None
yundun-cloudfirewall:ModifyTrFirewallV2RoutePolicyScope | update | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallControlPolicy | get | All Resources | None | None
yundun-cloudfirewall:DescribeTrFirewallV2RoutePolicyList | get | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallDetail | get | All Resources | None | None
yundun-cloudfirewall:DescribePolicyPriorUsed | get | All Resources | None | None
yundun-cloudfirewall:CreateNatFirewallControlPolicy | create | All Resources | None | None
yundun-cloudfirewall:ReleasePostInstance | delete | All Resources | None | None
yundun-cloudfirewall:DescribeOutgoingDestinationIP | get | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallControlPolicy | update | All Resources | None | None
yundun-cloudfirewall:DescribeRiskEventGroup | list | All Resources | None | None
yundun-cloudfirewall:ModifyAddressBook | update | All Resources | None | None
yundun-cloudfirewall:CreateVpcFirewallCenConfigure | create | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallControlPolicyPosition | update | All Resources | None | None
yundun-cloudfirewall:DeleteDownloadTask | delete | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallSwitchStatus | update | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallAclGroupList | get | All Resources | None | None
yundun-cloudfirewall:CreateVpcFirewallConfigure | create | All Resources | None | None
yundun-cloudfirewall:AddControlPolicy | create | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallCenDetail | get | All Resources | None | None
yundun-cloudfirewall:DescribeNatFirewallList | get | All Resources | None | None
yundun-cloudfirewall:DescribeInvadeEventList | get | All Resources | None | None
yundun-cloudfirewall:DescribeNatFirewallPolicyPriorUsed | get | All Resources | None | None
yundun-cloudfirewall:DescribeControlPolicy | get | All Resources | None | None
yundun-cloudfirewall:ModifyPolicyAdvancedConfig | update | All Resources | None | None
yundun-cloudfirewall:DeleteNatFirewallControlPolicyBatch | delete | All Resources | None | None
yundun-cloudfirewall:DescribeCfwRiskLevelSummary | get | All Resources | None | None
yundun-cloudfirewall:DescribeVulnerabilityProtectedList | get | All Resources | None | None
yundun-cloudfirewall:DeleteVpcFirewallCenConfigure | delete | All Resources | None | None
yundun-cloudfirewall:DescribeNatFirewallControlPolicy | list | All Resources | None | None
yundun-cloudfirewall:DescribeTrFirewallsV2RouteList | get | All Resources | None | None
yundun-cloudfirewall:DescribeAddressBook | get | All Resources | None | None
yundun-cloudfirewall:DescribeDefaultIPSConfig | get | All Resources | None | None
yundun-cloudfirewall:DescribeInstanceRiskLevels | list | All Resources | None | None
yundun-cloudfirewall:ModifyFirewallV2RoutePolicySwitch | update | All Resources | None | None
yundun-cloudfirewall:DeleteVpcFirewallControlPolicy | delete | All Resources | None | None
yundun-cloudfirewall:DescribePostpayTrafficTotal | get | All Resources | None | None
yundun-cloudfirewall:DescribePolicyAdvancedConfig | get | All Resources | None | None
yundun-cloudfirewall:ResetVpcFirewallRuleHitCount | update | All Resources | None | None
yundun-cloudfirewall:ModifyNatFirewallControlPolicyPosition | update | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallDefaultIPSConfig | update | All Resources | None | None
yundun-cloudfirewall:ModifyControlPolicyPosition | update | All Resources | None | None
yundun-cloudfirewall:DescribeAssetRiskList | get | All Resources | None | None
yundun-cloudfirewall:ResetNatFirewallRuleHitCount | update | All Resources | None | None
yundun-cloudfirewall:PutDisableAllFwSwitch | update | All Resources | None | None
yundun-cloudfirewall:BatchCopyVpcFirewallControlPolicy | update | All Resources | None | None
yundun-cloudfirewall:ModifyNatFirewallControlPolicy | update | All Resources | None | None
yundun-cloudfirewall:SwitchSecurityProxy | get | All Resources | None | None
yundun-cloudfirewall:CreateDownloadTask | create | All Resources | None | None
yundun-cloudfirewall:CreateTrFirewallV2RoutePolicy | create | All Resources | None | None
yundun-cloudfirewall:BatchDeleteVpcFirewallControlPolicy | none | All Resources | None | None
yundun-cloudfirewall:DescribeTrFirewallPolicyBackUpAssociationList | get | All Resources | None | None
yundun-cloudfirewall:DescribeDownloadTaskType | get | All Resources | None | None
yundun-cloudfirewall:DescribeVpcListLite | get | All Resources | None | None
yundun-cloudfirewall:AddInstanceMembers | create | All Resources | None | None
yundun-cloudfirewall:ModifyTrFirewallV2Configuration | update | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallCenSwitchStatus | update | All Resources | None | None
yundun-cloudfirewall:CreateSecurityProxy | get | All Resources | None | None
yundun-cloudfirewall:DeleteInstanceMembers | delete | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallPolicyPriorUsed | get | All Resources | None | None
yundun-cloudfirewall:DescribePrefixLists | list | All Resources | None | None
yundun-cloudfirewall:PutDisableFwSwitch | update | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallCenConfigure | update | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallCenList | get | All Resources | None | None
yundun-cloudfirewall:DeleteAddressBook | delete | All Resources | None | None
yundun-cloudfirewall:DescribeRiskEventPayload | get | All Resources | None | None
yundun-cloudfirewall:PutEnableAllFwSwitch | update | All Resources | None | None
yundun-cloudfirewall:ModifyControlPolicy | update | All Resources | None | None
yundun-cloudfirewall:DescribeInternetTrafficTrend | get | All Resources | None | None
yundun-cloudfirewall:DescribeNatAclPageStatus | get | All Resources | None | None
yundun-cloudfirewall:ModifyVpcFirewallConfigure | update | All Resources | None | None
yundun-cloudfirewall:DeleteFirewallV2RoutePolicies | delete | All Resources | None | None
yundun-cloudfirewall:DescribePostpayTrafficDetail | get | All Resources | None | None
yundun-cloudfirewall:ModifyDefaultIPSConfig | get | All Resources | None | None
yundun-cloudfirewall:DescribeDomainResolve | get | All Resources | None | None
yundun-cloudfirewall:DescribeInternetOpenIp | get | All Resources | None | None
yundun-cloudfirewall:DescribeACLProtectTrend | get | All Resources | None | None
yundun-cloudfirewall:DeleteTrFirewallV2 | delete | All Resources | None | None
yundun-cloudfirewall:AddAddressBook | create | All Resources | None | None
yundun-cloudfirewall:DescribeOutgoingDomain | get | All Resources | None | None
yundun-cloudfirewall:DeleteVpcFirewallConfigure | delete | All Resources | None | None
yundun-cloudfirewall:ModifyInstanceMemberAttributes | update | All Resources | None | None
yundun-cloudfirewall:DescribeVpcZone | list | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallList | get | All Resources | None | None
yundun-cloudfirewall:DeleteNatFirewallControlPolicy | delete | All Resources | None | None
yundun-cloudfirewall:PutEnableFwSwitch | update | All Resources | None | None
yundun-cloudfirewall:DescribeUserAssetIPTrafficInfo | get | All Resources | None | None
yundun-cloudfirewall:CreateSlsLogDispatch | create | All Resources | None | None
yundun-cloudfirewall:DescribeVpcFirewallIPSWhitelist | get | All Resources | None | None

Resource

In CloudFirewall, you cannot specify an ARN in the Resource element of a policy statement. To authorize a RAM user or a RAM role to access CloudFirewall, set "Resource": "*".

Condition

CloudFirewall does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Generic Condition Keyword.
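
The following added example, which is not part of the original Alibaba Cloud topic, checks a policy document against the constraints described in the Resource and Condition sections: a CloudFirewall statement must use "Resource": "*", and only common condition keys can be used to narrow it. The two sample policies, the service-wide wildcard action, and the assumption that common condition keys carry the acs: prefix are constructed for illustration.

```python
import json

# RamCode values this page gives for CloudFirewall.
SERVICE_CODES = ("yundun-cloudfirewall", "yundun-ndr")


def as_list(value):
    """RAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_statement(stmt):
    """Return findings for one statement that targets CloudFirewall."""
    actions = as_list(stmt.get("Action", []))
    if not any(a.split(":", 1)[0] in SERVICE_CODES for a in actions):
        return []  # not a CloudFirewall statement
    findings = []
    if stmt.get("Effect") not in ("Allow", "Deny"):
        findings.append("Effect must be Allow or Deny")
    if as_list(stmt.get("Resource", [])) != ["*"]:
        findings.append('Resource must be "*"; ARNs are not supported')
    conditions = stmt.get("Condition", {})
    for operator, keys in conditions.items():
        for key in keys:
            # Assumption: common condition keys use the "acs:" prefix.
            if not key.startswith("acs:"):
                findings.append(f"{operator}: {key} is not a common condition key")
    if stmt.get("Effect") == "Allow" and not conditions:
        findings.append("Allow on all resources without any Condition")
    return findings


def lint_policy(text):
    policy = json.loads(text)
    return [f for s in policy.get("Statement", []) for f in lint_statement(s)]


# Constructed sample policies (not from the page).
LOOSE = """{"Version": "1", "Statement": [{
  "Effect": "Allow", "Action": "yundun-cloudfirewall:*",
  "Resource": "acs:yundun-cloudfirewall:*:*:instance/example"}]}"""
SCOPED = """{"Version": "1", "Statement": [{
  "Effect": "Allow", "Action": "yundun-cloudfirewall:*", "Resource": "*",
  "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
                "Bool": {"acs:MFAPresent": ["true"]}}}]}"""

if __name__ == "__main__":
    for name, text in (("LOOSE", LOOSE), ("SCOPED", SCOPED)):
        print(name, lint_policy(text) or "ok")
```

Because permissions cannot be scoped to individual CloudFirewall resources, the Condition element is the remaining place to narrow an Allow statement, which is why the check reports an Allow that has none.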

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: