自定義管控策略示例
本文為您介紹自定義管控策略的常用示例。
禁止修改和刪除RAM用戶、RAM用戶組、RAM角色
策略內(nèi)容:
{
"Statement": [
{
"Action": [
"ram:Attach*",
"ram:Detach*",
"ram:BindMFADevice",
"ram:CreateAccessKey",
"ram:CreateLoginProfile",
"ram:CreatePolicyVersion",
"ram:DeleteAccessKey",
"ram:DeleteGroup",
"ram:DeleteLoginProfile",
"ram:DeletePolicy",
"ram:DeletePolicyVersion",
"ram:DeleteRole",
"ram:DeleteUser",
"ram:DisableVirtualMFA",
"ram:AddUserToGroup",
"ram:RemoveUserFromGroup",
"ram:SetDefaultPolicyVersion",
"ram:UnbindMFADevice",
"ram:UpdateAccessKey",
"ram:UpdateGroup",
"ram:UpdateLoginProfile",
"ram:UpdateRole",
"ram:UpdateUser"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN":"acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
本策略禁止修改和刪除RAM用戶、RAM用戶組、RAM角色,包括禁止修改其權限。
本策略只允許資源目錄默認用來訪問成員的角色ResourceDirectoryAccountAccessRole執(zhí)行此操作。您可以刪除該Condition,禁止所有RAM用戶和RAM角色執(zhí)行此操作。您也可以添加或修改PrincipalARN的值,自定義限制條件。
禁止修改ResourceDirectoryAccountAccessRole角色及其權限
策略內(nèi)容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ram:UpdateRole",
"ram:DeleteRole",
"ram:AttachPolicyToRole",
"ram:DetachPolicyFromRole"
],
"Resource": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
]
}
禁止修改和刪除指定的RAM用戶
策略內(nèi)容:
{
"Version": "1",
"Statement": [{
"Action": [
"ram:AttachPolicyToUser",
"ram:DetachPolicyFromUser",
"ram:AddUserToGroup",
"ram:RemoveUserFromGroup",
"ram:UpdateUser",
"ram:DeleteUser",
"ram:CreateLoginProfile",
"ram:UpdateLoginProfile",
"ram:DeleteLoginProfile",
"ram:CreateAccessKey",
"ram:DeleteAccessKey",
"ram:UpdateAccessKey",
"ram:BindMFADevice",
"ram:UnbindMFADevice",
"ram:DisableVirtualMFA"
],
"Resource": [
"acs:ram:*:*:user/Alice"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}]
}
本策略禁止修改和刪除指定的RAM用戶(例如:Alice),包括禁止修改其權限。您也可以明確指定Alice所在的具體阿里云賬號,例如:acs:ram:*:18299873****:user/Alice
。
本策略只允許資源目錄默認用來訪問成員的角色ResourceDirectoryAccountAccessRole執(zhí)行此操作。您可以刪除該Condition,禁止所有RAM用戶和RAM角色執(zhí)行此操作。您也可以添加或修改PrincipalARN的值,自定義限制條件。
禁止開啟任何已存在RAM用戶的控制臺登錄
策略內(nèi)容:
{
"Statement": [
{
"Action": [
"ram:CreateLoginProfile",
"ram:UpdateLoginProfile"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
本策略禁止開啟任何已存在RAM用戶的控制臺登錄。本策略僅針對已存在的RAM用戶生效,不影響創(chuàng)建RAM用戶時開啟控制臺登錄的操作。
本策略只允許資源目錄默認用來訪問成員的角色ResourceDirectoryAccountAccessRole執(zhí)行此操作。您可以刪除該Condition,禁止所有RAM用戶和RAM角色執(zhí)行此操作。您也可以添加或修改PrincipalARN的值,自定義限制條件。
刪除某些資源時RAM用戶或RAM角色必須使用多因素認證(MFA)
策略內(nèi)容:
{
"Statement": [
{
"Action": "ecs:DeleteInstance",
"Effect": "Deny",
"Resource": "*",
"Condition": {
"Bool": {
"acs:MFAPresent": "false"
}
}
}
],
"Version": "1"
}
本策略以刪除ECS實例時RAM用戶或RAM角色必須使用多因素認證(MFA)為例。如需刪除其它資源,請將策略中的Action部分修改為相應資源的操作。
禁止修改用戶SSO配置
策略內(nèi)容:
{
"Statement": [
{
"Action": [
"ram:SetSamlSsoSettings"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
本策略只允許資源目錄默認用來訪問成員的角色ResourceDirectoryAccountAccessRole執(zhí)行此操作。您可以刪除該Condition,禁止所有RAM用戶和RAM角色執(zhí)行此操作。您也可以添加或修改PrincipalARN的值,自定義限制條件。
禁止修改角色SSO配置
策略內(nèi)容:
{
"Statement": [
{
"Action": [
"ram:CreateSAMLProvider",
"ram:DeleteSAMLProvider",
"ram:UpdateSAMLProvider"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
本策略只允許資源目錄默認用來訪問成員的角色ResourceDirectoryAccountAccessRole執(zhí)行此操作。您可以刪除該Condition,禁止所有RAM用戶和RAM角色執(zhí)行此操作。您也可以添加或修改PrincipalARN的值,自定義限制條件。
禁止修改操作審計的投遞地址、禁止關閉投遞功能
策略內(nèi)容:
{
"Statement": [
{
"Action": [
"actiontrail:UpdateTrail",
"actiontrail:DeleteTrail",
"actiontrail:StopLogging"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
本策略只允許資源目錄默認用來訪問成員的角色ResourceDirectoryAccountAccessRole執(zhí)行此操作。您可以刪除該Condition,禁止所有RAM用戶和RAM角色執(zhí)行此操作。您也可以添加或修改PrincipalARN的值,自定義限制條件。
禁止訪問部分網(wǎng)絡服務
策略內(nèi)容:
{
"Statement": [
{
"Action": [
"vpc:*HaVip*",
"vpc:*RouteTable*",
"vpc:*VRouter*",
"vpc:*RouteEntry*",
"vpc:*VSwitch*",
"vpc:*Vpc*",
"vpc:*Cen*",
"vpc:*NetworkAcl*"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
},
{
"Action": [
"vpc:*VpnGateway*",
"vpc:*VpnConnection*",
"vpc:*CustomerGateway*",
"vpc:*SslVpnServer*",
"vpc:*SslVpnClientCert*",
"vpc:*VpnRoute*",
"vpc:*VpnPbrRoute*"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
本策略以禁止訪問VPC和VPN網(wǎng)關為例。如需禁止訪問其它網(wǎng)絡云服務,請將策略中的Action部分修改為相應云服務的操作。
本策略只允許資源目錄默認用來訪問成員的角色ResourceDirectoryAccountAccessRole執(zhí)行此操作。您可以刪除該Condition,禁止所有RAM用戶和RAM角色執(zhí)行此操作。您也可以添加或修改PrincipalARN的值,自定義限制條件。
禁止創(chuàng)建具有公網(wǎng)訪問能力的網(wǎng)絡資源,包括EIP和NAT網(wǎng)關
策略內(nèi)容:
{
"Version": "1",
"Statement": [
{
"Action": [
"vpc:AllocateEipAddress",
"vpc:AllocateEipAddressPro",
"vpc:AllocateEipSegmentAddress",
"vpc:CreateNatGateway"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
]
}
本策略只允許資源目錄默認用來訪問成員的角色ResourceDirectoryAccountAccessRole執(zhí)行此操作。您可以刪除該Condition,禁止所有RAM用戶和RAM角色執(zhí)行此操作。您也可以添加或修改PrincipalARN的值,自定義限制條件。
禁止訪問連接云下資源的網(wǎng)絡服務
策略內(nèi)容:
{
"Statement": [
{
"Action": [
"vpc:*PhysicalConnection*",
"vpc:*VirtualBorderRouter*",
"cen:*",
"vpc:*VpnGateway*",
"vpc:*VpnConnection*",
"vpc:*CustomerGateway*",
"vpc:*SslVpnServer*",
"vpc:*SslVpnClientCert*",
"vpc:*VpnRoute*",
"vpc:*VpnPbrRoute*",
"smartag:*"
],
"Resource": "*",
"Effect": "Deny"
}
],
"Version": "1"
}
本策略禁止訪問連接云下資源的網(wǎng)絡服務,包括:高速通道的物理專線和邊界路由器、云企業(yè)網(wǎng)、VPN網(wǎng)關、智能接入網(wǎng)關。
禁止訪問費用中心的部分功能
策略內(nèi)容:
{
"Statement": [
{
"Action": [
"bss:DescribeOrderList",
"bss:DescribeOrderDetail",
"bss:PayOrder",
"bss:CancelOrder"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
本策略以禁止訪問費用中心的訂單功能為例。如需禁止訪問其它功能,請將策略中的Action部分修改為相應的操作。
本策略只允許資源目錄默認用來訪問成員的角色ResourceDirectoryAccountAccessRole執(zhí)行此操作。您可以刪除該Condition,禁止所有RAM用戶和RAM角色執(zhí)行此操作。您也可以添加或修改PrincipalARN的值,自定義限制條件。
禁止修改云監(jiān)控配置
策略內(nèi)容:
{
"Version": "1",
"Statement": [
{
"Action": [
"cms:Put*",
"cms:Update*",
"cms:Create*",
"cms:Modify*",
"cms:Disable*",
"cms:Enable*",
"cms:Delete*",
"cms:Send*",
"cms:Subscribe*",
"cms:Unsubscribe*",
"cms:Remove*",
"cms:CreateAction",
"cms:Pause*",
"cms:Stop*",
"cms:Start*",
"cms:BatchCreate*",
"cms:ProfileSet",
"cms:ApplyMonitoringTemplate"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
]
}
本策略只允許資源目錄默認用來訪問成員的角色ResourceDirectoryAccountAccessRole執(zhí)行此操作。您可以刪除該Condition,禁止所有RAM用戶和RAM角色執(zhí)行此操作。您也可以添加或修改PrincipalARN的值,自定義限制條件。
禁止購買預留實例券
策略內(nèi)容:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:PurchaseReservedInstancesOffering"
],
"Resource": "*",
"Effect": "Deny"
}
]
}
禁止在非指定VPC下創(chuàng)建ECS實例
策略內(nèi)容:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:CreateInstance",
"ecs:RunInstances"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"vpc:VPC": "acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc****"
}
}
}
]
}
本策略的示例中指定VPC為acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc****,實際使用時請?zhí)鎿Q為自己的VPC信息。
禁止購買域名
策略內(nèi)容:
{
"Version": "1",
"Statement": [
{
"Action": [
"domain:CreateOrderActivate"
],
"Resource": "*",
"Effect": "Deny"
}
]
}
禁止訪問工單系統(tǒng)
策略內(nèi)容:
{
"Version": "1",
"Statement": [
{
"Action": [
"support:*",
"workorder:*"
],
"Resource": "*",
"Effect": "Deny"
}
]
}
禁止訪問特定地域的ECS服務
策略內(nèi)容:
{
"Version": "1",
"Statement": [{
"Effect": "Deny",
"Action": [
"ecs:*"
],
"Resource": "acs:ecs:us-east-1:*:*"
}]
}
本策略禁止在美國東部(弗吉尼亞)地域使用ECS服務。
禁止組織外資源共享
策略內(nèi)容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:CreateResourceShare",
"resourcesharing:UpdateResourceShare"
],
"Resource": "*",
"Condition": {
"Bool": {
"resourcesharing:RequestedAllowExternalTargets": "true"
}
}
}
]
}
通過本策略可以防止用戶創(chuàng)建允許共享給組織外賬號的共享單元。
禁止將資源共享給預期外的賬號
策略內(nèi)容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:AssociateResourceShare",
"resourcesharing:CreateResourceShare"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"resourcesharing:Target": [
"rd-3G****/r-Wm****/*",
"rd-3G****/r-Wm****",
"192796193830****"
]
}
}
}
]
}
本策略僅允許將資源共享給賬號192796193830****
、資源夾rd-3G****/r-Wm****
下的所有成員,禁止共享給其他賬號。請?zhí)鎿Q成您自己的目標賬號。
禁止用戶接受組織外賬號的資源共享邀請
策略內(nèi)容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": "resourcesharing:AcceptResourceShareInvitation",
"Resource": "*"
}
]
}
本策略會阻止用戶接受組織外賬號的資源共享邀請。與共享賬號屬于同一資源目錄時不會產(chǎn)生共享邀請,因此不受此策略的影響。
禁止共享預期外資源的類型
策略內(nèi)容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:CreateResourceShare",
"resourcesharing:UpdateResourceShare",
"resourcesharing:AssociateResourceShare"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"resourcesharing:RequestedResourceType": ["VSwitch","Image","Snapshot"]
}
}
}
]
}
本策略僅允許共享交換機VSwitch
、鏡像Image
和快照Snapshot
,禁止共享除這些資源類型以外的資源。