Unencrypted cloud disks on ECS instances can lead to data leakage. For enterprises with high security and compliance requirements, you can use a custom RAM policy to prohibit RAM users from creating unencrypted cloud disks, which helps protect data confidentiality.
Background
Data on a cloud disk can include sensitive information, such as business secrets, user data, or financial records. Without encryption, this data is vulnerable to theft or unauthorized access during storage and transmission. Encrypting a cloud disk protects your data by preventing unauthorized access at the virtualization or physical layer. Even if a physical disk is compromised, the data remains unreadable. Encryption also ensures data integrity by preventing tampering, thereby protecting user privacy.
Many industries, such as finance, healthcare, and government, are subject to strict data protection regulations that mandate encryption for sensitive data. Encrypting cloud disks helps your organization meet compliance requirements and shows that your data storage practices align with security standards.
Procedure
This example shows how to require a RAM user named Alice to encrypt cloud disks when creating an ECS instance or a standalone cloud disk.
In the RAM console, create a RAM user named Alice.
For more information, see Create a RAM user.
In the RAM console, create a RAM policy named ecs-disk-encrypt-control. Select Script Editor and enter the following policy content.
NoteThis policy prevents the creation of an ECS instance or a standalone cloud disk if its system disk or data disks are not encrypted.
{ "Version": "1", "Statement": [ { "Action": [ "ecs:RunInstances", "ecs:CreateInstance" ], "Resource": "*", "Condition": { "StringLike": { "ecs:IsDiskEncrypted": "*false*" } }, "Effect": "Deny" }, { "Action": [ "ecs:RunInstances", "ecs:CreateInstance" ], "Resource": "*", "Condition": { "StringEquals": { "ecs:IsSystemDiskEncrypted": "false" } }, "Effect": "Deny" }, { "Action": "ecs:CreateDisk", "Resource": "*", "Condition": { "StringLike": { "ecs:IsDiskEncrypted": "*false*" } }, "Effect": "Deny" } ] }Create another RAM policy named ecs-admin. Select Script Editor and enter the following policy content.
NoteThis policy grants permissions to manage ECS, including creating, managing, and viewing ECS instances. In this example, this policy simulates an ECS administrator role. You can modify the policy to meet your specific needs.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:*", "ecs-workbench:*", "vpc:CheckCanAllocateVpcPrivateIpAddress", "vpc:DescribeVpcs", "vpc:DescribeVSwitches", "bss:ModifyAgreementRecord", "bss:DescribeOrderList", "bss:DescribeOrderDetail", "bss:PayOrder", "bss:CancelOrder" ], "Resource": "*" } ] }In the RAM console, grant permissions to the RAM user named Alice.
For the authorization scope, select Account, select the RAM user named Alice as the principal, and attach the custom policies that you created (ecs-disk-encrypt-control and ecs-admin). For more information, see Grant permissions to a RAM user.

Verification
Log in to the Alibaba Cloud Management Console as the RAM user Alice.
For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.


