如果系统权限策略不能满足您的要求,您可以创建自定义权限策略实现最小授权。使用自定义权限策略有助于实现权限的精细化管控,是提升资源访问安全的有效手段。本文介绍云服务器ECS使用自定义权限策略的场景和策略示例。
什么是自定义权限策略
在基于RAM的访问控制体系中,自定义权限策略是指在系统权限策略之外,您可以自主创建、更新和删除的权限策略。自定义权限策略的版本更新需由您来维护。
创建自定义权限策略后,需为RAM用户、用户组或RAM角色绑定权限策略,这些RAM身份才能获得权限策略中指定的访问权限。
已创建的权限策略支持删除,但删除前需确保该策略未被引用。如果该权限策略已被引用,您需要在该权限策略的引用记录中移除授权。
自定义权限策略支持版本控制,您可以按照RAM规定的版本管理机制来管理您创建的自定义权限策略版本。
操作文档
授权信息参考
使用自定义权限策略,您需要了解业务的权限管控需求,并了解云服务器ECS的授权信息。更多信息,请参见授权信息。
常见自定义权限策略示例
授权RAM用户创建按量付费实例
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeImages",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"ecs:DescribeSecurityGroups",
"ecs:DescribeKeyPairs",
"ecs:DescribeTags",
"ecs:RunInstances"
],
"Resource": "*"
}
],
"Version": "1"
}授权RAM用户创建包年包月实例
其中bss相关API主要用于查看并支付包年包月订单,其对应的系统策略为AliyunBSSOrderAccess。
通过RunInstances创建包年包月实例时,若传入autoPay=true(创建实例时自动支付),则不需要授权bss相关API。
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeImages",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"ecs:DescribeSecurityGroups",
"ecs:DescribeKeyPairs",
"ecs:DescribeTags",
"ecs:RunInstances",
"bss:DescribeOrderList",
"bss:DescribeOrderDetail",
"bss:PayOrder",
"bss:CancelOrder"
],
"Resource": "*"
}
],
"Version": "1"
}授权RAM用户重启ECS实例
以下策略表示:仅被授予此策略的RAM用户启用MFA并使用MFA登录时,才具有重启ECS实例的权限。您可以通过设置Condition下acs:MFAPresent的值为true来实现。
{
"Statement": [
{
"Action": "ecs:RebootInstance",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Bool": {
"acs:MFAPresent": "true"
}
}
}
],
"Version": "1"
}授权RAM用户管理指定的ECS实例
以下策略表示:您可以查看所有ECS实例及资源,但只能操作其中一个实例i-001。
{
"Statement": [
{
"Action": "ecs:*",
"Effect": "Allow",
"Resource": "acs:ecs:*:*:instance/i-001"
},
{
"Action": "ecs:Describe*",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "1"
}授权RAM用户查看指定地域ECS实例
以下策略表示:仅允许您查看青岛的ECS实例,但不允许查看磁盘及快照。
{
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:Describe*",
"Resource": "acs:ecs:cn-qingdao:*:instance/*"
}
],
"Version": "1"
}授权RAM用户管理阿里云账号下ECS安全组
下述策略表示:您拥有管理阿里云账号下ECS安全组的权限。
{
"Version": "1",
"Statement": [
{
"Action": "ecs:*SecurityGroup*",
"Resource": "*",
"Effect": "Allow"
}
]
}授权RAM用户创建实例RAM角色
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs: CreateInstance",
"ecs: AttachInstanceRamRole",
"ecs: DetachInstanceRAMRole"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "*"
}
]
}授权RAM用户创建ECS实例后查询实例和块存储信息
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeDisks"
],
"Resource": "*"
}
],
"Version": "1"
}授权RAM用户购买节省计划
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "savingsplans:*",
"Resource": "*"
}
]
}限制RAM用户创建ECS实例时创建Default VPC
云服务器ECS提供了RAM用户来实现不同业务之间的隔离操作,被赋予AliyunECSFullAccess(管理ECS)权限的RAM用户默认拥有创建ECS、查看ECS、重启ECS等权限。如果您需要限制RAM用户在当前地域没有VPC时禁止创建Default VPC并创建ECS的权限,同时保留其他权限,可通过访问控制RAM自定义策略来实现。
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"vpc:CreateDefaultVpc": [
"true"
]
}
}
}
]
}授权RAM用户使用前缀列表
{
"Statement": [
{
"Action": [
"ecs:CreatePrefixList",
"ecs:ModifyPrefixList",
"ecs:DescribePrefixLists",
"ecs:DescribePrefixListAssociations",
"ecs:DescribePrefixListAttributes",
"ecs:DeletePrefixList"
],
"Resource": "*",
"Effect": "Allow"
}
],
"Version": "1"
}授权RAM用户使用云助手
详细信息,可参见云助手自定义策略示例。
授权RAM用户对OSS Bucket的读权限
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetObject",
"oss:GetBucketLocation",
"oss:GetBucketInfo"
],
"Resource": "*",
"Effect": "Allow"
}
]
}授权RAM用户对OSS Bucket的读写权限
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetObject",
"oss:GetBucketLocation",
"oss:GetBucketInfo",
"oss:PutObject",
"oss:DeleteObject",
"oss:AbortMultipartUpload",
"oss:ListMultipartUploads",
"oss:ListParts"
],
"Resource": "*",
"Effect": "Allow"
}
]
}授权RAM用户只允许通过HTTPS协议访问ECS资源
{
"Statement": [
{
"Action": "ecs:*",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Bool": {
"acs:SecureTransport": "true"
}
}
}
],
"Version": "1"
}限制RAM用户仅支持创建加密云盘
对于部分高安全合规要求的企业,针对企业账号下所有RAM子账号可能要求必须使用加密以保护数据的机密性。ECS支持配置自定义权限策略限制RAM子账号仅支持创建加密云盘。
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:IsDiskEncrypted": "*false*"
}
},
"Effect": "Deny"
},
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ecs:IsSystemDiskEncrypted": "false"
}
},
"Effect": "Deny"
},
{
"Action": "ecs:CreateDisk",
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:IsDiskEncrypted": "*false*"
}
},
"Effect": "Deny"
}
]
}限制RAM用户只能使用自定义镜像创建ECS实例
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Effect": "Deny",
"Resource": "acs:ecs:<地域ID>:*:instance/*",
"Condition": {
"StringNotEquals": {
"ecs:ImageSource": "Custom"
}
}
}
]
}