Use a custom policy to grant a RAM user access to ECS
If the system policies do not meet your requirements, you can create custom policies to implement least-privilege authorization. Custom policies help you control permissions at a fine granularity and are an effective way to improve the security of resource access. This topic describes the scenarios in which Elastic Compute Service (ECS) uses custom policies and provides policy examples.
What is a custom policy
In RAM-based access control, a custom policy is a policy that you create, update, and delete yourself, in addition to the system policies. You are responsible for maintaining the versions of your custom policies.
After you create a custom policy, you must attach it to a RAM user, RAM user group, or RAM role before that RAM identity obtains the permissions specified in the policy.
A policy that you have created can be deleted, but before deletion you must make sure that the policy is not referenced. If the policy is referenced, you must first remove the grants listed in the policy's reference records.
Custom policies support version control: you can manage the versions of the custom policies you create according to the version management mechanism defined by RAM.
Operation guides
Authorization information reference
To use custom policies, you need to understand the permission control requirements of your business and the authorization information of ECS. For more information, see Authorization information.
Common custom policy examples
Grant a RAM user permission to create pay-as-you-go instances
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeImages",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeTags",
        "ecs:RunInstances"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Grant a RAM user permission to create subscription instances
The bss-related APIs are used to view and pay for subscription orders; the corresponding system policy is AliyunBSSOrderAccess.
When you create a subscription instance by calling RunInstances with autoPay=true (pay automatically when the instance is created), the bss-related APIs do not need to be authorized.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeImages",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeTags",
        "ecs:RunInstances",
        "bss:DescribeOrderList",
        "bss:DescribeOrderDetail",
        "bss:PayOrder",
        "bss:CancelOrder"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Grant a RAM user permission to reboot ECS instances
The following policy means: a RAM user to whom this policy is attached can reboot ECS instances only if the user has MFA enabled and logged on with MFA. You implement this by setting the value of acs:MFAPresent under Condition to true.
{
  "Statement": [
    {
      "Action": "ecs:RebootInstance",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "true"
        }
      }
    }
  ],
  "Version": "1"
}
Grant a RAM user permission to manage a specified ECS instance
The following policy means: you can view all ECS instances and resources, but you can operate on only one instance, i-001.
{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "acs:ecs:*:*:instance/i-001"
    },
    {
      "Action": "ecs:Describe*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Grant a RAM user permission to view ECS instances in a specified region
The following policy means: you are allowed to view only the ECS instances in the Qingdao region, and not disks or snapshots.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:Describe*",
      "Resource": "acs:ecs:cn-qingdao:*:instance/*"
    }
  ],
  "Version": "1"
}
Grant a RAM user permission to manage ECS security groups under the Alibaba Cloud account
The following policy means: you have permission to manage the ECS security groups under the Alibaba Cloud account.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs:*SecurityGroup*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Grant a RAM user permission to create instance RAM roles
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateInstance",
        "ecs:AttachInstanceRamRole",
        "ecs:DetachInstanceRAMRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*"
    }
  ]
}
Grant a RAM user permission to query instance and block storage information after creating an ECS instance
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeDisks"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Grant a RAM user permission to purchase savings plans
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "savingsplans:*",
      "Resource": "*"
    }
  ]
}
Prevent a RAM user from creating a default VPC when creating an ECS instance
ECS uses RAM users to isolate operations between different businesses. A RAM user granted the AliyunECSFullAccess (manage ECS) permission can by default create, view, and reboot ECS instances, among other operations. If you want to prevent a RAM user from creating a default VPC (and then creating an ECS instance in it) when the current region has no VPC, while keeping the user's other permissions, you can do so with a RAM custom policy.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "vpc:CreateDefaultVpc": [
            "true"
          ]
        }
      }
    }
  ]
}
Grant a RAM user permission to use prefix lists
{
  "Statement": [
    {
      "Action": [
        "ecs:CreatePrefixList",
        "ecs:ModifyPrefixList",
        "ecs:DescribePrefixLists",
        "ecs:DescribePrefixListAssociations",
        "ecs:DescribePrefixListAttributes",
        "ecs:DeletePrefixList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Grant a RAM user permission to use Cloud Assistant
For details, see the Cloud Assistant custom policy examples.
Grant a RAM user read permission on an OSS bucket
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetBucketLocation",
        "oss:GetBucketInfo"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Grant a RAM user read and write permissions on an OSS bucket
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetBucketLocation",
        "oss:GetBucketInfo",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Allow a RAM user to access ECS resources only over HTTPS
{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ],
  "Version": "1"
}
Restrict a RAM user to creating only encrypted cloud disks
Some enterprises with strict security and compliance requirements may require that all RAM users under the enterprise account use encryption to protect data confidentiality. ECS lets you configure a custom policy that restricts RAM users to creating only encrypted cloud disks.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:IsSystemDiskEncrypted": "false"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": "ecs:CreateDisk",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    }
  ]
}
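To make the evaluation rules behind the MFA reboot policy, the single-instance (i-001) policy, and the encrypted-disk policy above concrete, here is an added example that is not part of the original documentation and is not Alibaba Cloud's own evaluator: a simplified Python model of how RAM decides a request. It assumes that an explicit Deny overrides any Allow, that everything not allowed is denied, that `*` matches any run of characters, and that a condition key absent from the request never satisfies a condition; the Bool/StringEquals/StringLike/StringNotEquals operator semantics are modelling assumptions. The `FULL_ACCESS` stand-in policy, the resource strings, and the account ID are constructed for the demonstration.

```python
import re
from typing import Any, Iterable, Optional

# Added example: a simplified, offline model of RAM policy evaluation.
# It is NOT Alibaba Cloud's evaluator; operator semantics are assumptions.


def _as_list(value: Any) -> list:
    """Action, Resource, Statement and condition values may be a string or a list."""
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; comparison is case-insensitive (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def condition_met(condition: dict, context: dict) -> bool:
    """All operator/key pairs must hold. A key missing from the request never
    satisfies a condition (modelling assumption)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            values = [str(v) for v in _as_list(expected)]
            if operator == "Bool":
                ok = any(v.lower() == str(actual).lower() for v in values)
            elif operator == "StringEquals":
                ok = any(v == actual for v in values)
            elif operator == "StringNotEquals":
                ok = all(v != actual for v in values)
            elif operator == "StringLike":
                ok = any(wildcard_match(v, actual) for v in values)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies: Iterable[dict], action: str, resource: str,
             context: Optional[dict] = None) -> str:
    """Return "Allow" or "Deny" for one request against all attached policies."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(wildcard_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not condition_met(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny wins over any Allow
            allowed = True
    return "Allow" if allowed else "Deny"


# Policies copied from the page above.
MFA_REBOOT = {"Version": "1", "Statement": [{
    "Action": "ecs:RebootInstance", "Effect": "Allow", "Resource": "*",
    "Condition": {"Bool": {"acs:MFAPresent": "true"}}}]}

SINGLE_INSTANCE = {"Version": "1", "Statement": [
    {"Action": "ecs:*", "Effect": "Allow", "Resource": "acs:ecs:*:*:instance/i-001"},
    {"Action": "ecs:Describe*", "Effect": "Allow", "Resource": "*"}]}

ENCRYPTED_ONLY = {"Version": "1", "Statement": [
    {"Action": ["ecs:RunInstances", "ecs:CreateInstance"], "Resource": "*",
     "Condition": {"StringLike": {"ecs:IsDiskEncrypted": "*false*"}}, "Effect": "Deny"},
    {"Action": ["ecs:RunInstances", "ecs:CreateInstance"], "Resource": "*",
     "Condition": {"StringEquals": {"ecs:IsSystemDiskEncrypted": "false"}}, "Effect": "Deny"},
    {"Action": "ecs:CreateDisk", "Resource": "*",
     "Condition": {"StringLike": {"ecs:IsDiskEncrypted": "*false*"}}, "Effect": "Deny"}]}

# Constructed stand-in for a broad system policy such as AliyunECSFullAccess,
# so that the Deny-only policy above has an Allow to override.
FULL_ACCESS = {"Version": "1", "Statement": [
    {"Action": "ecs:*", "Effect": "Allow", "Resource": "*"}]}

# Constructed resource names; region and account ID are placeholders.
INSTANCE_001 = "acs:ecs:cn-hangzhou:123456789012:instance/i-001"
INSTANCE_002 = "acs:ecs:cn-hangzhou:123456789012:instance/i-002"

if __name__ == "__main__":
    print(evaluate([MFA_REBOOT], "ecs:RebootInstance", INSTANCE_001, {"acs:MFAPresent": "false"}))
    print(evaluate([SINGLE_INSTANCE], "ecs:StopInstance", INSTANCE_002))
    # "true,false" stands for a request with several data disks, one of them unencrypted,
    # which is why the page's policy uses StringLike "*false*" (representation assumed here).
    print(evaluate([FULL_ACCESS, ENCRYPTED_ONLY], "ecs:CreateDisk", INSTANCE_001,
                   {"ecs:IsDiskEncrypted": "true,false"}))
```

Running a draft policy through a model like this before attaching it is a cheap way to catch two common mistakes: a Deny-only policy that is attached without any Allow (every request is still denied), and a condition key that the target API does not actually send, which leaves the statement permanently inactive.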
Restrict a RAM user to creating ECS instances only from custom images
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Effect": "Deny",
      "Resource": "acs:ecs:<地域ID>:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ecs:ImageSource": "Custom"
        }
      }
    }
  ]
}