
Custom control policy examples


This topic gives common examples of custom control policies.

Deny modification and deletion of RAM users, RAM user groups, and RAM roles

Policy content:

{
    "Statement": [
        {
            "Action": [
                "ram:Attach*",
                "ram:Detach*",
                "ram:BindMFADevice",
                "ram:CreateAccessKey",
                "ram:CreateLoginProfile",
                "ram:CreatePolicyVersion",
                "ram:DeleteAccessKey",
                "ram:DeleteGroup",
                "ram:DeleteLoginProfile",
                "ram:DeletePolicy",
                "ram:DeletePolicyVersion",
                "ram:DeleteRole",
                "ram:DeleteUser",
                "ram:DisableVirtualMFA",
                "ram:AddUserToGroup",
                "ram:RemoveUserFromGroup",
                "ram:SetDefaultPolicyVersion",
                "ram:UnbindMFADevice",
                "ram:UpdateAccessKey",
                "ram:UpdateGroup",
                "ram:UpdateLoginProfile",
                "ram:UpdateRole",
                "ram:UpdateUser"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

This policy denies modifying and deleting RAM users, RAM user groups, and RAM roles, including changing their permissions.

Note

This policy exempts only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts. Delete the Condition to deny the operation to every RAM user and RAM role, or add to or change the acs:PrincipalARN value to define your own exemption.
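As an added example (not from the original page), here is the same Condition extended with a second exempt principal. The role BreakGlassAdmin is hypothetical and stands for whatever emergency role you keep; its ARN is written in lowercase the way the page writes the Resource Directory role. With several values, StringNotLike holds only when the caller's ARN matches none of the listed patterns, so the Deny applies to everyone except these two roles:

```json
{
    "Statement": [
        {
            "Action": "ram:DeleteUser",
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": [
                        "acs:ram:*:*:role/resourcedirectoryaccountaccessrole",
                        "acs:ram:*:*:role/breakglassadmin"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
```

Keep the exemption list short: every ARN added here is a principal that can undo the protection the policy exists to provide.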

Deny modification of the ResourceDirectoryAccountAccessRole role and its permissions

Policy content:

{
   "Version": "1",
   "Statement": [
       {
           "Effect": "Deny",
           "Action": [
               "ram:UpdateRole",
               "ram:DeleteRole",
               "ram:AttachPolicyToRole",
               "ram:DetachPolicyFromRole"
           ],
           "Resource": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
       }
   ]
}

Deny modification and deletion of a specified RAM user

Policy content:

{
    "Version": "1",
    "Statement": [{
        "Action": [
            "ram:AttachPolicyToUser",
            "ram:DetachPolicyFromUser",
            "ram:AddUserToGroup",
            "ram:RemoveUserFromGroup",
            "ram:UpdateUser",
            "ram:DeleteUser",
            "ram:CreateLoginProfile",
            "ram:UpdateLoginProfile",
            "ram:DeleteLoginProfile",
            "ram:CreateAccessKey",
            "ram:DeleteAccessKey",
            "ram:UpdateAccessKey",
            "ram:BindMFADevice",
            "ram:UnbindMFADevice",
            "ram:DisableVirtualMFA"
        ],
        "Resource": [
            "acs:ram:*:*:user/Alice"
        ],
        "Effect": "Deny",
        "Condition": {
            "StringNotLike": {
                "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
            }
        }
    }]
}

This policy denies modifying and deleting the specified RAM user (Alice in the example), including changing her permissions. With the account field left as *, the statement covers a user named Alice in every account the policy applies to; to pin a specific Alibaba Cloud account, put the account ID in the ARN, for example acs:ram:*:18299873****:user/Alice.

Note

This policy exempts only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts. Delete the Condition to deny the operation to every RAM user and RAM role, or add to or change the acs:PrincipalARN value to define your own exemption.

Deny enabling console logon for any existing RAM user

Policy content:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateLoginProfile",
                "ram:UpdateLoginProfile"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

This policy denies enabling console logon for any existing RAM user. It applies only to existing users: enabling console logon as part of creating a RAM user is not affected.

Note

This policy exempts only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts. Delete the Condition to deny the operation to every RAM user and RAM role, or add to or change the acs:PrincipalARN value to define your own exemption.

Require MFA for RAM users and RAM roles when deleting certain resources

Policy content:

{
  "Statement": [
    {
      "Action": "ecs:DeleteInstance",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "false"
        }
      }
    }
  ],
  "Version": "1"
}

This policy uses deleting an ECS instance as its example: a RAM user or RAM role must have authenticated with MFA, otherwise the deletion is denied. A request signed with an AccessKey pair carries no MFA, so such API calls are denied as well. To protect other resources, change the Action element to the operations of those resources.

Deny modification of user SSO settings

Policy content:

{
    "Statement": [
        {
            "Action": [
                "ram:SetSamlSsoSettings"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

Note

This policy exempts only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts. Delete the Condition to deny the operation to every RAM user and RAM role, or add to or change the acs:PrincipalARN value to define your own exemption.

Deny modification of role SSO settings

Policy content:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateSAMLProvider",
                "ram:DeleteSAMLProvider",
                "ram:UpdateSAMLProvider"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

Note

This policy exempts only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts. Delete the Condition to deny the operation to every RAM user and RAM role, or add to or change the acs:PrincipalARN value to define your own exemption.

Deny changing the ActionTrail delivery destination or disabling delivery

Policy content:

{
    "Statement": [
        {
            "Action": [
                "actiontrail:UpdateTrail",
                "actiontrail:DeleteTrail",
                "actiontrail:StopLogging"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

Note

This policy exempts only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts. Delete the Condition to deny the operation to every RAM user and RAM role, or add to or change the acs:PrincipalARN value to define your own exemption.

Deny access to some network services

Policy content:

{
    "Statement": [
        {
            "Action": [
                "vpc:*HaVip*",
                "vpc:*RouteTable*",
                "vpc:*VRouter*",
                "vpc:*RouteEntry*",
                "vpc:*VSwitch*",
                "vpc:*Vpc*",
                "vpc:*Cen*",
                "vpc:*NetworkAcl*"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        },
        {
            "Action": [
                "vpc:*VpnGateway*",
                "vpc:*VpnConnection*",
                "vpc:*CustomerGateway*",
                "vpc:*SslVpnServer*",
                "vpc:*SslVpnClientCert*",
                "vpc:*VpnRoute*",
                "vpc:*VpnPbrRoute*"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

This policy uses VPC and VPN Gateway as its examples. To deny other network services, change the Action element to the operations of the corresponding service.

Note

This policy exempts only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts. Delete the Condition to deny the operation to every RAM user and RAM role, or add to or change the acs:PrincipalARN value to define your own exemption.

Deny creating network resources with Internet access, including EIPs and NAT gateways

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:AllocateEipAddress",
                "vpc:AllocateEipAddressPro",
                "vpc:AllocateEipSegmentAddress",
                "vpc:CreateNatGateway"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ]
}

Note

This policy exempts only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts. Delete the Condition to deny the operation to every RAM user and RAM role, or add to or change the acs:PrincipalARN value to define your own exemption.

Deny access to network services that connect to on-premises resources

Policy content:

{
    "Statement": [
       {
            "Action": [
                "vpc:*PhysicalConnection*",
                "vpc:*VirtualBorderRouter*",
                "cen:*",
                "vpc:*VpnGateway*",
                "vpc:*VpnConnection*",
                "vpc:*CustomerGateway*",
                "vpc:*SslVpnServer*",
                "vpc:*SslVpnClientCert*",
                "vpc:*VpnRoute*",
                "vpc:*VpnPbrRoute*",
                "smartag:*"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ],
    "Version": "1"
}

This policy denies access to the network services that connect to on-premises resources: Express Connect physical connections and virtual border routers, Cloud Enterprise Network (CEN), VPN Gateway, and Smart Access Gateway.

Deny access to some Billing Management features

Policy content:

{
    "Statement": [
       {
            "Action": [
                "bss:DescribeOrderList",
                "bss:DescribeOrderDetail",
                "bss:PayOrder",
                "bss:CancelOrder"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

This policy uses the order features of Billing Management as its example. To deny other features, change the Action element to the corresponding operations.

Note

This policy exempts only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts. Delete the Condition to deny the operation to every RAM user and RAM role, or add to or change the acs:PrincipalARN value to define your own exemption.

Deny modification of CloudMonitor settings

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cms:Put*",
                "cms:Update*",
                "cms:Create*",
                "cms:Modify*",
                "cms:Disable*",
                "cms:Enable*",
                "cms:Delete*",
                "cms:Send*",
                "cms:Subscribe*",
                "cms:Unsubscribe*",
                "cms:Remove*",
                "cms:CreateAction",
                "cms:Pause*",
                "cms:Stop*",
                "cms:Start*",
                "cms:BatchCreate*",
                "cms:ProfileSet",
                "cms:ApplyMonitoringTemplate"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ]
}

Note

This policy exempts only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts. Delete the Condition to deny the operation to every RAM user and RAM role, or add to or change the acs:PrincipalARN value to define your own exemption.

Deny purchasing reserved instances

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:PurchaseReservedInstancesOffering"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Deny creating ECS instances outside a specified VPC

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateInstance",
                "ecs:RunInstances"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "vpc:VPC": "acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc****"
                }
            }
        }
    ]
}

In this example the VPC is acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc****; replace it with your own VPC when you use the policy.

Deny purchasing domain names

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "domain:CreateOrderActivate"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Deny access to the ticket system

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "support:*",
                "workorder:*"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Deny access to ECS in a specific region

Policy content:

{
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": [
            "ecs:*"
        ],
        "Resource": "acs:ecs:us-east-1:*:*"
    }]
}

This policy denies use of ECS in the US (Virginia) region.

Deny resource sharing outside the organization

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "resourcesharing:CreateResourceShare",
                "resourcesharing:UpdateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "resourcesharing:RequestedAllowExternalTargets": "true"
                }
            }
        }
    ]
}

This policy prevents users from creating or updating a resource share that allows sharing with accounts outside the organization.

Deny sharing resources with unintended accounts

Policy content:

{
    "Version": "1",
    "Statement": [
      {
        "Effect": "Deny",
            "Action": [
                "resourcesharing:AssociateResourceShare",
                "resourcesharing:CreateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "resourcesharing:Target": [
                        "rd-3G****/r-Wm****/*",
                        "rd-3G****/r-Wm****",
                        "192796193830****"
                    ]
                }
            }
        }
    ]
}

This policy allows sharing only with the account 192796193830**** and with all members of the folder rd-3G****/r-Wm****; sharing with any other account is denied. Replace these values with your own target accounts.

Deny accepting resource share invitations from accounts outside the organization

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "resourcesharing:AcceptResourceShareInvitation",
            "Resource": "*"
        }
    ]
}

This policy blocks users from accepting resource share invitations from accounts outside the organization. A share from an account in the same resource directory produces no invitation, so it is not affected by this policy.

Allow sharing only specified resource types

Policy content:

{
  "Version":  "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "resourcesharing:CreateResourceShare",
        "resourcesharing:AssociateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "resourcesharing:RequestedResourceType": ["VSwitch","Image","Snapshot"]
        }
      }
    }
  ]
}

This policy allows sharing only vSwitches (VSwitch), images (Image), and snapshots (Snapshot); sharing any other resource type is denied. For the resource type codes, see the resource type column in the list of cloud services that support resource sharing.

Allow sharing only specified resources

Policy content:

{
  "Version":  "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "resourcesharing:CreateResourceShare",
        "resourcesharing:AssociateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "resourcesharing:ResourceArn": [
            "acs:vpc:cn-shanghai:131993166204****:vswitch/vsw-7xv4sfwo86u2etl64****",
            "acs:ecs:cn-shanghai:131993166204****:snapshot/s-7xviog7aq4tenbqj****"
          ]
        }
      }
    }
  ]
}

This policy allows sharing only the vSwitch vsw-7xv4sfwo86u2etl64**** and the snapshot s-7xviog7aq4tenbqj**** in the Alibaba Cloud account 131993166204****; sharing any other resource is denied. For the ARN format, see the resource ARN column in the list of cloud services that support resource sharing.

Allow creating VPCs only from an IPAM pool

Policy content:

{
  "Statement": [
    {
      "Action": [
        "vpc:CreateVpc",
        "vpc:AssociateVpcCidrBlock"
      ],
      "Resource": "*",
      "Effect": "Deny",
      "Condition": {
        "Null": {
          "vpc:Ipv4IpamPoolId": "true"
        }
      }
    }
  ],
  "Version": "1"
}

This policy allows VPCs to be created only from an IPAM pool. The Null condition is true when the request carries no vpc:Ipv4IpamPoolId, so a CreateVpc or AssociateVpcCidrBlock call with a hand-specified CIDR block is denied.

Allow creating VPCs only from a specified IPAM pool

Policy content:

{
  "Statement": [
    {
      "Action": [
        "vpc:CreateVpc",
        "vpc:AssociateVpcCidrBlock"
      ],
      "Resource": "*",
      "Effect": "Deny",
      "Condition": {
        "ForAllValues:StringNotLikeIfExists": {
          "vpc:Ipv4IpamPoolId": "ipam-pool-bp1dt0ttxkrzpq5nr****"
        }
      }
    }
  ],
  "Version": "1"
}

This policy allows VPCs to be created only from the IPAM pool ipam-pool-bp1dt0ttxkrzpq5nr****; replace it with your own pool ID.
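The examples above rely on a handful of condition mechanics: the wildcard in Action patterns, the acs:PrincipalARN exemption via StringNotLike (first example), acs:MFAPresent via Bool (the MFA example), and the Null and ForAllValues:StringNotLikeIfExists conditions of the two IPAM examples. The following Python script is an added illustration, not part of the original page and not Alibaba Cloud's policy engine: it is a small model of Deny evaluation, with the policies condensed from this page and hypothetical principals and IDs constructed inline. Its semantics for absent keys, negated operators and IfExists follow the documented behaviour of those operators, but treat them as assumptions and verify against RAM before relying on any result.

```python
"""Added example: a small model of how the Deny statements on this page are
evaluated. Not Alibaba Cloud's policy engine; the operator semantics are an
assumption to be verified against RAM."""
import json
import re

# Constructed test policies, condensed from the examples on this page.
POLICIES = [json.loads(p) for p in (
    # 1. Protect RAM identities; only ResourceDirectoryAccountAccessRole is exempt.
    '''{"Version": "1", "Statement": [{"Effect": "Deny", "Resource": "*",
        "Action": ["ram:Attach*", "ram:CreateAccessKey", "ram:DeleteUser"],
        "Condition": {"StringNotLike":
            {"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"}}}]}''',
    # 2. Deleting an ECS instance requires MFA.
    '''{"Version": "1", "Statement": [{"Effect": "Deny", "Resource": "*",
        "Action": "ecs:DeleteInstance",
        "Condition": {"Bool": {"acs:MFAPresent": "false"}}}]}''',
    # 3. A VPC must come from some IPAM pool (Null is true when the key is absent) ...
    '''{"Version": "1", "Statement": [{"Effect": "Deny", "Resource": "*",
        "Action": ["vpc:CreateVpc", "vpc:AssociateVpcCidrBlock"],
        "Condition": {"Null": {"vpc:Ipv4IpamPoolId": "true"}}}]}''',
    # 4. ... and only from the approved pool (the masked '****' acts as a wildcard here).
    '''{"Version": "1", "Statement": [{"Effect": "Deny", "Resource": "*",
        "Action": ["vpc:CreateVpc", "vpc:AssociateVpcCidrBlock"],
        "Condition": {"ForAllValues:StringNotLikeIfExists":
            {"vpc:Ipv4IpamPoolId": "ipam-pool-bp1dt0ttxkrzpq5nr****"}}}]}''',
)]


def _like(pattern: str, value: str) -> bool:
    """RAM-style match: '*' matches any run of characters, everything else literally."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_true(operator: str, expected, actual) -> bool:
    """Evaluate one operator/key pair; `actual` is None when the request lacks the key."""
    set_op, _, op = operator.rpartition(":")        # e.g. "ForAllValues", "StringNotLikeIfExists"
    if_exists = op.endswith("IfExists")
    op = op.removesuffix("IfExists")
    expected = [str(e) for e in _as_list(expected)]
    if op == "Null":                                # Null:"true" <=> key is absent
        return (actual is None) == (expected[0].lower() == "true")
    if actual is None:                              # absent key: only IfExists passes (assumption)
        return if_exists
    actual = [str(a) for a in _as_list(actual)]
    if op == "Bool":
        return actual[0].lower() == expected[0].lower()
    matcher = {"StringEquals": lambda a, e: a == e,
               "StringLike": lambda a, e: _like(e, a)}[op.replace("Not", "")]

    def one(a):  # a negated operator is true only if the value matches none of the patterns
        hit = any(matcher(a, e) for e in expected)
        return not hit if "Not" in op else hit
    return all(map(one, actual)) if set_op == "ForAllValues" else any(map(one, actual))


def _statement_matches(stmt: dict, request: dict) -> bool:
    action_ok = any(_like(p, request["action"]) for p in _as_list(stmt["Action"]))
    resource_ok = any(_like(p, request["resource"]) for p in _as_list(stmt.get("Resource", "*")))
    condition_ok = all(
        _condition_true(operator, expected, request["context"].get(key))
        for operator, pairs in stmt.get("Condition", {}).items()
        for key, expected in pairs.items())
    return action_ok and resource_ok and condition_ok


def denied_by(policies, action: str, context: dict, resource: str = "*") -> list:
    """Return the Deny statements that match the request (empty list: not denied)."""
    request = {"action": action, "resource": resource, "context": context}
    return [s for p in policies for s in p["Statement"]
            if s["Effect"] == "Deny" and _statement_matches(s, request)]


def demo() -> dict:
    """Requests a practitioner would try against POLICIES; returns {label: denied?}."""
    # Hypothetical principals; the role name is lowercase as in the page's ARN patterns.
    user = {"acs:PrincipalARN": "acs:ram::123456789012****:user/alice"}
    rd_role = {"acs:PrincipalARN": "acs:ram::123456789012****:role/resourcedirectoryaccountaccessrole"}
    pool = "ipam-pool-bp1dt0ttxkrzpq5nr1234"        # hypothetical ID under the masked prefix
    cases = {
        "user creates an AccessKey": ("ram:CreateAccessKey", user),
        "RD role creates an AccessKey": ("ram:CreateAccessKey", rd_role),
        "user attaches a policy (wildcard ram:Attach*)": ("ram:AttachPolicyToUser", user),
        "delete ECS without MFA": ("ecs:DeleteInstance", {**user, "acs:MFAPresent": "false"}),
        "delete ECS with MFA": ("ecs:DeleteInstance", {**user, "acs:MFAPresent": "true"}),
        "CreateVpc from the approved pool": ("vpc:CreateVpc", {**user, "vpc:Ipv4IpamPoolId": pool}),
        "CreateVpc from another pool": ("vpc:CreateVpc", {**user, "vpc:Ipv4IpamPoolId": "ipam-pool-other"}),
        "CreateVpc with no pool": ("vpc:CreateVpc", user),
    }
    return {label: bool(denied_by(POLICIES, act, ctx)) for label, (act, ctx) in cases.items()}


if __name__ == "__main__":
    for label, denied in demo().items():
        print(f"{'DENY ' if denied else 'allow'}  {label}")
```

Two results are worth dwelling on. The RD role passes the RAM-protection policy only because its ARN matches the StringNotLike pattern; a user whose name happens to contain the same string does not. And a CreateVpc request with no pool ID at all is caught twice: by the Null policy, and by the ForAllValues:StringNotLikeIfExists policy, whose IfExists suffix makes the condition true when the key is absent, so pairing the two examples leaves no path to an unmanaged CIDR block.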