Configure custom policies for Cloud Config

更新时间:
复制 MD 格式

If system policies cannot meet your requirements, you can create custom policies to achieve fine-grained access control and improve resource security. This topic provides custom policy examples for Cloud Config.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.

  • After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.

  • You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, before you can delete the RAM policy you must detach the RAM policy from the principal.

  • Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

References

Sample custom policies

  • Grant a Resource Access Management (RAM) user the permissions to query global resources:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "config:ListDiscoveredResources",
          "Resource": "*"
        }
      ]
    }
  • Grant a RAM user the advanced query permissions on global resources:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "config:ListResourcesByAdvancedSearch",
          "Resource": "*"
        }
      ]
    }

Authorization information

Before you create a custom policy, make sure that you understand your permission requirements and the authorization information of Cloud Config. For more information, see RAM authorization.