本文为您介绍自定义管控策略的常用示例。
禁止修改和删除RAM用户、RAM用户组、RAM角色
策略内容:
{
"Statement": [
{
"Action": [
"ram:Attach*",
"ram:Detach*",
"ram:BindMFADevice",
"ram:CreateAccessKey",
"ram:CreateLoginProfile",
"ram:CreatePolicyVersion",
"ram:DeleteAccessKey",
"ram:DeleteGroup",
"ram:DeleteLoginProfile",
"ram:DeletePolicy",
"ram:DeletePolicyVersion",
"ram:DeleteRole",
"ram:DeleteUser",
"ram:DisableVirtualMFA",
"ram:AddUserToGroup",
"ram:RemoveUserFromGroup",
"ram:SetDefaultPolicyVersion",
"ram:UnbindMFADevice",
"ram:UpdateAccessKey",
"ram:UpdateGroup",
"ram:UpdateLoginProfile",
"ram:UpdateRole",
"ram:UpdateUser"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN":"acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
本策略禁止修改和删除RAM用户、RAM用户组、RAM角色,包括禁止修改其权限。
本策略只允许资源目录默认用来访问成员的角色ResourceDirectoryAccountAccessRole执行此操作。您可以删除该Condition,禁止所有RAM用户和RAM角色执行此操作。您也可以添加或修改PrincipalARN的值,自定义限制条件。
禁止修改ResourceDirectoryAccountAccessRole角色及其权限
策略内容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ram:UpdateRole",
"ram:DeleteRole",
"ram:AttachPolicyToRole",
"ram:DetachPolicyFromRole"
],
"Resource": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
]
}
禁止修改和删除指定的RAM用户
策略内容:
{
"Version": "1",
"Statement": [{
"Action": [
"ram:AttachPolicyToUser",
"ram:DetachPolicyFromUser",
"ram:AddUserToGroup",
"ram:RemoveUserFromGroup",
"ram:UpdateUser",
"ram:DeleteUser",
"ram:CreateLoginProfile",
"ram:UpdateLoginProfile",
"ram:DeleteLoginProfile",
"ram:CreateAccessKey",
"ram:DeleteAccessKey",
"ram:UpdateAccessKey",
"ram:BindMFADevice",
"ram:UnbindMFADevice",
"ram:DisableVirtualMFA"
],
"Resource": [
"acs:ram:*:*:user/Alice"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}]
}
本策略禁止修改和删除指定的RAM用户(例如:Alice),包括禁止修改其权限。您也可以明确指定Alice所在的具体阿里云账号,例如:acs:ram:*:18299873****:user/Alice
。
本策略只允许资源目录默认用来访问成员的角色ResourceDirectoryAccountAccessRole执行此操作。您可以删除该Condition,禁止所有RAM用户和RAM角色执行此操作。您也可以添加或修改PrincipalARN的值,自定义限制条件。
禁止开启任何已存在RAM用户的控制台登录
策略内容:
{
"Statement": [
{
"Action": [
"ram:CreateLoginProfile",
"ram:UpdateLoginProfile"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
本策略禁止开启任何已存在RAM用户的控制台登录。本策略仅针对已存在的RAM用户生效,不影响创建RAM用户时开启控制台登录的操作。
本策略只允许资源目录默认用来访问成员的角色ResourceDirectoryAccountAccessRole执行此操作。您可以删除该Condition,禁止所有RAM用户和RAM角色执行此操作。您也可以添加或修改PrincipalARN的值,自定义限制条件。
删除某些资源时RAM用户或RAM角色必须使用多因素认证(MFA)
策略内容:
{
"Statement": [
{
"Action": "ecs:DeleteInstance",
"Effect": "Deny",
"Resource": "*",
"Condition": {
"Bool": {
"acs:MFAPresent": "false"
}
}
}
],
"Version": "1"
}
本策略以删除ECS实例时RAM用户或RAM角色必须使用多因素认证(MFA)为例。如需删除其它资源,请将策略中的Action部分修改为相应资源的操作。
禁止修改用户SSO配置
策略内容:
{
"Statement": [
{
"Action": [
"ram:SetSamlSsoSettings"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
本策略只允许资源目录默认用来访问成员的角色ResourceDirectoryAccountAccessRole执行此操作。您可以删除该Condition,禁止所有RAM用户和RAM角色执行此操作。您也可以添加或修改PrincipalARN的值,自定义限制条件。
禁止修改角色SSO配置
策略内容:
{
"Statement": [
{
"Action": [
"ram:CreateSAMLProvider",
"ram:DeleteSAMLProvider",
"ram:UpdateSAMLProvider"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
本策略只允许资源目录默认用来访问成员的角色ResourceDirectoryAccountAccessRole执行此操作。您可以删除该Condition,禁止所有RAM用户和RAM角色执行此操作。您也可以添加或修改PrincipalARN的值,自定义限制条件。
禁止修改操作审计的投递地址、禁止关闭投递功能
策略内容:
{
"Statement": [
{
"Action": [
"actiontrail:UpdateTrail",
"actiontrail:DeleteTrail",
"actiontrail:StopLogging"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
本策略只允许资源目录默认用来访问成员的角色ResourceDirectoryAccountAccessRole执行此操作。您可以删除该Condition,禁止所有RAM用户和RAM角色执行此操作。您也可以添加或修改PrincipalARN的值,自定义限制条件。
禁止访问部分网络服务
策略内容:
{
"Statement": [
{
"Action": [
"vpc:*HaVip*",
"vpc:*RouteTable*",
"vpc:*VRouter*",
"vpc:*RouteEntry*",
"vpc:*VSwitch*",
"vpc:*Vpc*",
"vpc:*Cen*",
"vpc:*NetworkAcl*"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
},
{
"Action": [
"vpc:*VpnGateway*",
"vpc:*VpnConnection*",
"vpc:*CustomerGateway*",
"vpc:*SslVpnServer*",
"vpc:*SslVpnClientCert*",
"vpc:*VpnRoute*",
"vpc:*VpnPbrRoute*"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
本策略以禁止访问VPC和VPN网关为例。如需禁止访问其它网络云服务,请将策略中的Action部分修改为相应云服务的操作。
本策略只允许资源目录默认用来访问成员的角色ResourceDirectoryAccountAccessRole执行此操作。您可以删除该Condition,禁止所有RAM用户和RAM角色执行此操作。您也可以添加或修改PrincipalARN的值,自定义限制条件。
禁止创建具有公网访问能力的网络资源,包括EIP和NAT网关
策略内容:
{
"Version": "1",
"Statement": [
{
"Action": [
"vpc:AllocateEipAddress",
"vpc:AllocateEipAddressPro",
"vpc:AllocateEipSegmentAddress",
"vpc:CreateNatGateway"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
]
}
本策略只允许资源目录默认用来访问成员的角色ResourceDirectoryAccountAccessRole执行此操作。您可以删除该Condition,禁止所有RAM用户和RAM角色执行此操作。您也可以添加或修改PrincipalARN的值,自定义限制条件。
禁止访问连接云下资源的网络服务
策略内容:
{
"Statement": [
{
"Action": [
"vpc:*PhysicalConnection*",
"vpc:*VirtualBorderRouter*",
"cen:*",
"vpc:*VpnGateway*",
"vpc:*VpnConnection*",
"vpc:*CustomerGateway*",
"vpc:*SslVpnServer*",
"vpc:*SslVpnClientCert*",
"vpc:*VpnRoute*",
"vpc:*VpnPbrRoute*",
"smartag:*"
],
"Resource": "*",
"Effect": "Deny"
}
],
"Version": "1"
}
本策略禁止访问连接云下资源的网络服务,包括:高速通道的物理专线和边界路由器、云企业网、VPN网关、智能接入网关。
禁止访问费用中心的部分功能
策略内容:
{
"Statement": [
{
"Action": [
"bss:DescribeOrderList",
"bss:DescribeOrderDetail",
"bss:PayOrder",
"bss:CancelOrder"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
本策略以禁止访问费用中心的订单功能为例。如需禁止访问其它功能,请将策略中的Action部分修改为相应的操作。
本策略只允许资源目录默认用来访问成员的角色ResourceDirectoryAccountAccessRole执行此操作。您可以删除该Condition,禁止所有RAM用户和RAM角色执行此操作。您也可以添加或修改PrincipalARN的值,自定义限制条件。
禁止修改云监控配置
策略内容:
{
"Version": "1",
"Statement": [
{
"Action": [
"cms:Put*",
"cms:Update*",
"cms:Create*",
"cms:Modify*",
"cms:Disable*",
"cms:Enable*",
"cms:Delete*",
"cms:Send*",
"cms:Subscribe*",
"cms:Unsubscribe*",
"cms:Remove*",
"cms:CreateAction",
"cms:Pause*",
"cms:Stop*",
"cms:Start*",
"cms:BatchCreate*",
"cms:ProfileSet",
"cms:ApplyMonitoringTemplate"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
]
}
本策略只允许资源目录默认用来访问成员的角色ResourceDirectoryAccountAccessRole执行此操作。您可以删除该Condition,禁止所有RAM用户和RAM角色执行此操作。您也可以添加或修改PrincipalARN的值,自定义限制条件。
禁止购买预留实例券
策略内容:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:PurchaseReservedInstancesOffering"
],
"Resource": "*",
"Effect": "Deny"
}
]
}
禁止在非指定VPC下创建ECS实例
策略内容:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:CreateInstance",
"ecs:RunInstances"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"vpc:VPC": "acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc****"
}
}
}
]
}
本策略的示例中指定VPC为acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc****
,实际使用时请替换为自己的VPC信息。
禁止购买域名
策略内容:
{
"Version": "1",
"Statement": [
{
"Action": [
"domain:CreateOrderActivate"
],
"Resource": "*",
"Effect": "Deny"
}
]
}
禁止访问工单系统
策略内容:
{
"Version": "1",
"Statement": [
{
"Action": [
"support:*",
"workorder:*"
],
"Resource": "*",
"Effect": "Deny"
}
]
}
禁止访问特定地域的ECS服务
策略内容:
{
"Version": "1",
"Statement": [{
"Effect": "Deny",
"Action": [
"ecs:*"
],
"Resource": "acs:ecs:us-east-1:*:*"
}]
}
本策略禁止在美国东部(弗吉尼亚)地域使用ECS服务。
禁止组织外资源共享
策略内容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:CreateResourceShare",
"resourcesharing:UpdateResourceShare"
],
"Resource": "*",
"Condition": {
"Bool": {
"resourcesharing:RequestedAllowExternalTargets": "true"
}
}
}
]
}
通过本策略可以防止用户创建允许共享给组织外账号的共享单元。
禁止将资源共享给预期外的账号
策略内容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:AssociateResourceShare",
"resourcesharing:CreateResourceShare"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"resourcesharing:Target": [
"rd-3G****/r-Wm****/*",
"rd-3G****/r-Wm****",
"192796193830****"
]
}
}
}
]
}
本策略仅允许将资源共享给账号192796193830****
、资源夹rd-3G****/r-Wm****
下的所有成员,禁止共享给其他账号。请替换成您自己的目标账号。
禁止用户接受组织外账号的资源共享邀请
策略内容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": "resourcesharing:AcceptResourceShareInvitation",
"Resource": "*"
}
]
}
本策略会阻止用户接受组织外账号的资源共享邀请。与共享账号属于同一资源目录时不会产生共享邀请,因此不受此策略的影响。
仅允许共享指定的资源类型
策略内容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:CreateResourceShare",
"resourcesharing:AssociateResourceShare"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"resourcesharing:RequestedResourceType": ["VSwitch","Image","Snapshot"]
}
}
}
]
}
本策略仅允许共享交换机VSwitch
、镜像Image
和快照Snapshot
,禁止共享除这些资源类型以外的其他资源。资源类型代码请参见支持资源共享的云服务的资源类型列。
仅允许共享指定的资源
策略内容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:CreateResourceShare",
"resourcesharing:AssociateResourceShare"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"resourcesharing:ResourceArn": [
"acs:vpc:cn-shanghai:131993166204****:vswitch/vsw-7xv4sfwo86u2etl64****",
"acs:ecs:cn-shanghai:131993166204****:snapshot/s-7xviog7aq4tenbqj****"
]
}
}
}
]
}
本策略仅允许共享阿里云账号131993166204****
下的指定交换机vsw-7xv4sfwo86u2etl64****
和指定快照s-7xviog7aq4tenbqj****
,禁止共享除这些资源以外的其他资源。资源ARN格式请参见支持资源共享的云服务的资源ARN列。
仅允许从IPAM地址池创建VPC
策略内容:
{
"Statement": [
{
"Action": [
"vpc:CreateVpc",
"vpc:AssociateVpcCidrBlock"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"Null": {
"vpc:Ipv4IpamPoolId": "true"
}
}
}
],
"Version": "1"
}
本策略仅允许从IPAM地址池创建VPC。
仅允许从指定IPAM地址池创建VPC
策略内容:
{
"Statement": [
{
"Action": [
"vpc:CreateVpc",
"vpc:AssociateVpcCidrBlock"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"ForAllValues:StringNotLikeIfExists": {
"vpc:Ipv4IpamPoolId": "ipam-pool-bp1dt0ttxkrzpq5nr****"
}
}
}
],
"Version": "1"
}
本策略仅允许从指定IPAM地址池ipam-pool-bp1dt0ttxkrzpq5nr****
创建VPC。