If system policies do not meet your requirements, you can create a custom policy to implement the principle of least privilege. Custom policies offer fine-grained permission control and are an effective way to secure your resources. This topic describes scenarios and provides sample policies for using custom policies with ECS.
Background information
To learn how to create a custom policy, see Create a custom policy.
When creating a policy, follow its basic syntax and structure. For more information, see Policy elements and Policy structure and syntax.
To learn how multiple policies are evaluated to determine the final permissions, see Policy evaluation logic.
Sample custom policies
Allow creating pay-as-you-go instances
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeImages",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"ecs:DescribeSecurityGroups",
"ecs:DescribeKeyPairs",
"ecs:DescribeTags",
"ecs:RunInstances"
],
"Resource": "*"
}
],
"Version": "1"
}
Allow creating subscription instances
The bss-related API operations are used to view and pay for subscription orders. The corresponding system policy is AliyunBSSOrderAccess.
When you create a subscription instance by calling the RunInstances operation, if you set autoPay to true to enable automatic payment, you do not need bss-related API permissions.
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeImages",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"ecs:DescribeSecurityGroups",
"ecs:DescribeKeyPairs",
"ecs:DescribeTags",
"ecs:RunInstances",
"bss:DescribeOrderList",
"bss:DescribeOrderDetail",
"bss:PayOrder",
"bss:CancelOrder"
],
"Resource": "*"
}
],
"Version": "1"
}
Allow restarting an ECS instance
The following policy allows the authorized RAM user to restart ECS instances, but only when MFA is enabled for the RAM user and the user logged on with MFA. This is expressed by setting the acs:MFAPresent condition key in the Condition element to true.
{
"Statement": [
{
"Action": "ecs:RebootInstance",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Bool": {
"acs:MFAPresent": "true"
}
}
}
],
"Version": "1"
}
Allow managing a specific ECS instance
The following policy allows you to view all ECS instances and resources but manage only the instance i-001.
{
"Statement": [
{
"Action": "ecs:*",
"Effect": "Allow",
"Resource": "acs:ecs:*:*:instance/i-001"
},
{
"Action": "ecs:Describe*",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "1"
}
Allow connecting to a specific instance via Workbench
The following policy allows you to view all ECS instances and resources but connect to only the instance i-001 by using Workbench.
{
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ecs-workbench:LoginInstance",
"Resource": "acs:ecs-workbench:*:*:workbench/i-001"
}
],
"Version": "1"
}
Prohibit connecting to instances via VNC
The following policy prevents you from connecting to any ECS instances by using Virtual Network Computing (VNC).
{
"Statement": [
{
"Effect": "Deny",
"Action": "ecs:DescribeInstanceVncUrl",
"Resource": "*"
}
],
"Version": "1"
}
Allow viewing instances in a specific region
The following policy indicates that the authorized RAM user can view ECS instances in the China (Qingdao) region, but cannot view disks or snapshots in this region.
{
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:Describe*",
"Resource": "acs:ecs:cn-qingdao:*:instance/*"
}
],
"Version": "1"
}
Allow managing ECS security groups
The following policy specifies that the authorized RAM user can manage ECS security groups within an Alibaba Cloud account.
{
"Version": "1",
"Statement": [
{
"Action": "ecs:*SecurityGroup*",
"Resource": "*",
"Effect": "Allow"
}
]
}
Allow creating an instance RAM role
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateInstance",
"ecs:AttachInstanceRamRole",
"ecs:DetachInstanceRAMRole"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "*"
}
]
}
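The evaluation logic referred to in the background section (an explicit Deny wins, otherwise some Allow must match, otherwise the request is denied) can be checked offline before a policy is attached. The following Python script is an added example written for this page; it is not Alibaba Cloud's evaluation engine and not part of the original documentation. It combines the "manage only i-001", "Describe everything", MFA-gated reboot and custom-image-only samples from this page into one constructed policy and evaluates requests against it. It generalizes beyond those samples by implementing the condition operators used across the page (Bool, StringEquals, StringNotEquals, StringLike and the multi-valued ForAnyValue: form). Assumptions made here: Action names match case-insensitively, wildcards in Action and Resource behave as simple globs, and a condition whose key is absent from the request context evaluates to false.

```python
"""Toy evaluator for RAM custom policies (added example, not Alibaba Cloud's engine).

Rules modelled: a matching explicit Deny wins over any Allow; with no matching
Allow the request is denied; "*" in Action and Resource is a glob; Action names
match case-insensitively; a condition key missing from the request context makes
the condition false (an assumption made here for simplicity).
"""
import fnmatch
import json

# Constructed policy: four statements taken from the samples on this page and
# merged into one document so their interaction can be observed.
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": "ecs:*", "Effect": "Allow",
     "Resource": "acs:ecs:*:*:instance/i-001"},
    {"Action": "ecs:Describe*", "Effect": "Allow", "Resource": "*"},
    {"Action": "ecs:RebootInstance", "Effect": "Allow", "Resource": "*",
     "Condition": {"Bool": {"acs:MFAPresent": "true"}}},
    {"Action": ["ecs:RunInstances", "ecs:CreateInstance"], "Effect": "Deny",
     "Resource": "acs:ecs:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ecs:ImageSource": "Custom"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_op(op, actual, expected):
    """Apply one condition operator to one context value and the expected list."""
    actual = str(actual)
    if op == "Bool":
        return actual.lower() in [str(e).lower() for e in expected]
    if op == "StringEquals":
        return actual in expected
    if op == "StringNotEquals":
        return actual not in expected
    if op == "StringLike":
        return any(fnmatch.fnmatchcase(actual, e) for e in expected)
    raise ValueError(f"unsupported condition operator: {op}")


def condition_holds(condition, context):
    """Every operator and every key in a Condition block must hold (logical AND).
    ForAnyValue:<op> holds when at least one value of a multi-valued key matches."""
    for operator, keys in condition.items():
        multi = operator.startswith("ForAnyValue:")
        op = operator.split(":", 1)[1] if multi else operator
        for key, expected in keys.items():
            if key not in context:
                return False  # assumption: absent key never satisfies the condition
            expected = _as_list(expected)
            values = _as_list(context[key])
            if multi:
                if not any(_string_op(op, v, expected) for v in values):
                    return False
            elif not _string_op(op, values[0], expected):
                return False
    return True


def statement_matches(statement, action, resource, context):
    """True when action, resource and condition of one statement all match."""
    if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(statement["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p)
               for p in _as_list(statement["Resource"])):
        return False
    return condition_holds(statement.get("Condition", {}), context)


def evaluate(policy, action, resource, context=None):
    """Return "Allow" or "Deny" for one request under one policy document."""
    context = context or {}
    allowed = False
    for statement in policy["Statement"]:
        if not statement_matches(statement, action, resource, context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    inst = "acs:ecs:cn-hangzhou:123456:instance/"  # constructed ARN prefix
    print(evaluate(POLICY, "ecs:DeleteInstance", inst + "i-001"))  # Allow
    print(evaluate(POLICY, "ecs:DeleteInstance", inst + "i-002"))  # Deny
    print(evaluate(POLICY, "ecs:RebootInstance", inst + "i-002"))  # Deny, no MFA
    print(evaluate(POLICY, "ecs:RebootInstance", inst + "i-002",
                   {"acs:MFAPresent": True}))  # Allow
```

One interaction the script makes visible: because Allow statements are unioned, the unconditional ecs:* grant on i-001 lets that one instance be rebooted without MFA, while every other instance still needs acs:MFAPresent. If the MFA gate is meant to be absolute, express it as a Deny statement with acs:MFAPresent set to false rather than as a conditional Allow.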
Allow querying instance and block storage information
{
"Statement": [
{
"Effect": "Allow",
"Action": ["ecs:DescribeInstances", "ecs:DescribeDisks"],
"Resource": "*"
}
],
"Version": "1"
}
Allow purchasing a Savings Plan
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "bssapi:CreateSavingsPlansInstance",
"Resource": "*"
}
]
}
Restrict creating a default VPC
To prevent a RAM user from creating a default Virtual Private Cloud (VPC) when the user creates an ECS instance in a region that has no VPC yet, while keeping the user's other permissions, create the following custom policy in Access Control.
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"vpc:CreateDefaultVpc": ["true"]
}
}
}
]
}
Allow using prefix lists
{
"Statement": [
{
"Action": [
"ecs:CreatePrefixList",
"ecs:ModifyPrefixList",
"ecs:DescribePrefixLists",
"ecs:DescribePrefixListAssociations",
"ecs:DescribePrefixListAttributes",
"ecs:DeletePrefixList"
],
"Resource": "*",
"Effect": "Allow"
}
],
"Version": "1"
}
Allow using Cloud Assistant
For more information, see Sample custom policies for Cloud Assistant.
Grant read-only permissions for an OSS bucket
{
"Version": "1",
"Statement": [
{
"Action": ["oss:GetObject", "oss:GetBucketLocation", "oss:GetBucketInfo"],
"Resource": "*",
"Effect": "Allow"
}
]
}
Grant read and write permissions for OSS buckets
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetObject",
"oss:GetBucketLocation",
"oss:GetBucketInfo",
"oss:PutObject",
"oss:DeleteObject",
"oss:AbortMultipartUpload",
"oss:ListMultipartUploads",
"oss:ListParts"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
Allow accessing ECS resources only over HTTPS
{
"Statement": [
{
"Action": "ecs:*",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Bool": {
"acs:SecureTransport": "true"
}
}
}
],
"Version": "1"
}
Restrict creating unencrypted cloud disks
Enterprises with high security and compliance requirements may need to enforce data encryption for all RAM users. To do this, configure a custom policy to restrict RAM users to creating only encrypted cloud disks.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:IsDiskEncrypted": "*false*"
}
},
"Effect": "Deny"
},
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ecs:IsSystemDiskEncrypted": "false"
}
},
"Effect": "Deny"
},
{
"Action": "ecs:CreateDisk",
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:IsDiskEncrypted": "*false*"
}
},
"Effect": "Deny"
}
]
}
Restrict creation to cloud disks encrypted by a CMK
You can use the following policy to require that all new instances and data disks are encrypted with a customer master key (CMK).
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:IsDiskByokEncrypted": "*false*"
}
},
"Effect": "Deny"
},
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ecs:IsSystemDiskByokEncrypted": "false"
}
},
"Effect": "Deny"
},
{
"Action": "ecs:CreateDisk",
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:IsDiskByokEncrypted": "*false*"
}
},
"Effect": "Deny"
}
]
}
Restrict instance creation to custom images
You can use the following policy to ensure that instances are created only from a custom image.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Effect": "Deny",
"Resource": "acs:ecs:<region-id>:*:instance/*",
"Condition": {
"StringNotEquals": {
"ecs:ImageSource": "Custom"
}
}
}
]
}
Prohibit root logon to ECS instances
This policy prevents a RAM user from logging on as the root user when creating an instance, replacing a system disk, attaching a system disk, or resetting an instance password online.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance",
"ecs:CreateOrder",
"ecs:ReplaceSystemDisk",
"ecs:AttachDisk",
"ecs:InvokeCommand"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:LoginAsNonRoot": [
"false"
]
}
},
"Effect": "Deny"
}
]
}
Prohibit password-based logon to ECS instances
This policy prevents a RAM user from using a password to log on when creating an instance, replacing a system disk, attaching a system disk, or resetting an instance password. With this policy, users can log on to the ECS instance only by using a key pair or Session Manager.
You can use the ecs:ImagePlatform condition key in the Condition element of a policy statement to deny password-based logon for specific operating systems. For example, setting ecs:ImagePlatform=linux denies password logon for Linux instances but still allows it for Windows instances.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance",
"ecs:CreateOrder",
"ecs:ReplaceSystemDisk"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:PasswordCustomized": [
"true"
]
},
"StringEquals": {
"ecs:ImagePlatform": "linux"
}
},
"Effect": "Deny"
},
{
"Action": [
"ecs:ModifyInstanceAttribute",
"ecs:InvokeCommand",
"ecs:AttachDisk"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:PasswordCustomized": [
"true"
]
}
},
"Effect": "Deny"
}
]
}
Prohibit using the password preset in an image to log on to an ECS instance
When creating an instance or replacing a system disk, you can use the following policy to prevent a RAM user from logging on with the password preset in the image.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance",
"ecs:CreateOrder",
"ecs:ReplaceSystemDisk"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:PasswordInherit": [
"true"
]
}
},
"Effect": "Deny"
}
]
}
Prohibit security group rules containing 0.0.0.0/0
A security group rule that allows access from 0.0.0.0/0 exposes the ECS instance to any external IP address, increasing security risks. We recommend that you prohibit RAM users from adding security group rules that contain 0.0.0.0/0 and from using the default security group when they create an ECS instance.
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ecs:AuthorizeSecurityGroup",
"ecs:ConfigureSecurityGroupPermissions",
"ecs:ModifySecurityGroupRule"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"ecs:SecurityGroupIpProtocols": [
"TCP"
],
"ecs:SecurityGroupSourceCidrIps": [
"0.0.0.0/0"
]
}
}
},
{
"Effect": "Deny",
"Action": [
"ecs:CreateInstance",
"ecs:RunInstances"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:NotSpecifySecureGroupId": [
"true"
]
}
}
}
]
}
Restrict metadata access to security-hardened mode
You can use the following policy to require that RAM users access instance metadata only in Security Hardening Mode when calling the RunInstances, CreateInstance, or ModifyInstanceMetadataOptions API operations.
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance",
"ecs:ModifyInstanceMetadataOptions"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ecs:SecurityHardeningMode": ["false"]
}
}
}
]
}
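Several of the Deny policies on this page rely on a Condition block carrying more than one condition key, and the least-privilege policies rely on Allow statements staying narrow. Two defects are easy to introduce when such documents are hand-edited: a Condition that repeats the same operator name (most JSON parsers keep only the last occurrence, so one of the condition keys silently disappears and the Deny becomes broader or narrower than intended), and an Allow of a wildcard action on every resource with no Condition. The following Python linter is an added example written for this page, not an Alibaba Cloud tool; the sample policy it parses is constructed here and mirrors the shape of the security group rule policy above.

```python
"""Static lint for RAM custom policy JSON (added example, not an Alibaba Cloud tool).

Checks performed:
1. Duplicate keys inside one JSON object. json.loads keeps only the last value
   for a repeated key, so a Condition that lists the same operator twice loses
   all but one of its condition keys without any error.
2. Allow statements that grant a wildcard Action on Resource "*" with no
   Condition, which is the opposite of least privilege.
3. The Version field, which must be "1" for RAM policies.
"""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def load_policy(text, problems):
    """Parse policy JSON, appending a message to `problems` for every duplicate key."""
    def hook(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                problems.append(
                    f"duplicate key {key!r}: only the last occurrence survives parsing")
            obj[key] = value
        return obj
    return json.loads(text, object_pairs_hook=hook)


def lint(text):
    """Return a list of human-readable findings; an empty list means no finding."""
    problems = []
    policy = load_policy(text, problems)
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    for index, statement in enumerate(policy.get("Statement", [])):
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        if (statement.get("Effect") == "Allow" and broad_action
                and "*" in resources and "Condition" not in statement):
            problems.append(
                f"statement {index}: unconditional Allow of {actions} on every resource")
    return problems


# Constructed sample: a Condition that repeats "ForAnyValue:StringLike" (so the
# TCP restriction is dropped by the parser) followed by an over-broad Allow.
SAMPLE_POLICY = """
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ecs:AuthorizeSecurityGroup",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringLike": {"ecs:SecurityGroupIpProtocols": ["TCP"]},
        "ForAnyValue:StringLike": {"ecs:SecurityGroupSourceCidrIps": ["0.0.0.0/0"]}
      }
    },
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}
  ]
}
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_POLICY):
        print(finding)
```

When two condition keys must both hold, place them as sibling keys inside a single operator object; keys under one operator are combined with logical AND, which is the intended meaning of the 0.0.0.0/0 rule on this page.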