If an AccessKey is accidentally exposed, an attacker can call AI Guardrails API operations from any IP address. Creating a Resource Access Management (RAM) user with an IP-restricted custom policy ensures that the AccessKey works only from your trusted network, reducing the blast radius of a credential leak.
Prerequisites
Before you begin, ensure that you have:
A RAM administrator account with permission to create RAM users and custom policies
The IP address ranges from which your application servers call the AI Guardrails API
Restrict API access by IP address
1. Log on to the RAM console as a RAM administrator.
2. Create a RAM user, select OpenAPI Access, and record the AccessKey pair generated for the RAM user. For details, see Create a RAM user.
3. Create a custom policy that restricts the source IP addresses allowed to call AI Guardrails API operations. For details on creating custom policies, see Use RAM to limit the IP addresses that are allowed to access Alibaba Cloud resources.
   The following example policy allows all AI Guardrails API operations (yundun-greenweb:*) only when the request originates from 192.X.X.X/24 or 203.X.X.X. The IpAddress operator in the Condition block evaluates the acs:SourceIp context key against the specified ranges. Requests from any other IP address are denied.
   {
     "Version": "1",
     "Statement": [
       {
         "Action": "yundun-greenweb:*",
         "Resource": "*",
         "Effect": "Allow",
         "Condition": {
           "IpAddress": {
             "acs:SourceIp": [
               "192.X.X.X/24",
               "203.X.X.X"
             ]
           }
         }
       }
     ]
   }
   Replace 192.X.X.X/24 and 203.X.X.X with your actual IP addresses or CIDR ranges. After creating the policy, specify a name and description to identify it.
4. Grant the custom policy to the RAM user created in step 2. The RAM user's AccessKey can now call AI Guardrails API operations only from the specified IP addresses.
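To check how the IpAddress condition decides a request before you attach the policy, the following added Python example (not part of this documentation or of the RAM service) evaluates a policy of the same shape against sample source IPs. The addresses are documentation-reserved placeholders, the operation name is a placeholder, and the evaluation is a simplified model: default deny, explicit Deny overriding Allow, with only the IpAddress condition modelled.

```python
import fnmatch
import ipaddress
import json

# Constructed sample policy with the same structure as the one in the procedure;
# the IP values are placeholders, not real application server addresses.
POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {
      "Action": "yundun-greenweb:*",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": ["192.0.2.0/24", "203.0.113.7"]
        }
      }
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def ip_in_ranges(source_ip, ranges):
    """True if source_ip falls inside any CIDR block or single-host entry."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def is_allowed(policy, action, source_ip):
    """Simplified RAM-style evaluation (assumption, not the service's code):
    implicit deny unless a matching Allow applies; an explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue  # statement does not cover this operation
        ranges = stmt.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp", [])
        ranges = [ranges] if isinstance(ranges, str) else ranges
        if ranges and not ip_in_ranges(source_ip, ranges):
            continue  # condition not met, so the statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The model covers one attached policy only: any other policy attached to the same RAM user that allows the action without a source IP condition would still permit the call from elsewhere, so check the user's full set of attached policies.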