Prohibit RAM users from creating unencrypted cloud disks

更新时间:
复制 MD 格式

Unencrypted cloud disks on ECS instances can lead to data leakage. For enterprises with high security and compliance requirements, you can use a custom RAM policy to prohibit RAM users from creating unencrypted cloud disks, which helps protect data confidentiality.

Background

Data on a cloud disk can include sensitive information, such as business secrets, user data, or financial records. Without encryption, this data is vulnerable to theft or unauthorized access during storage and transmission. Encrypting a cloud disk protects your data by preventing unauthorized access at the virtualization or physical layer. Even if a physical disk is compromised, the data remains unreadable. Encryption also ensures data integrity by preventing tampering, thereby protecting user privacy. 

Many industries, such as finance, healthcare, and government, are subject to strict data protection regulations that mandate encryption for sensitive data. Encrypting cloud disks helps your organization meet compliance requirements and shows that your data storage practices align with security standards.

Procedure

This example shows how to require a RAM user named Alice to encrypt cloud disks when creating an ECS instance or a standalone cloud disk.

  1. In the RAM console, create a RAM user named Alice.

    For more information, see Create a RAM user.

  2. In the RAM console, create a RAM policy named ecs-disk-encrypt-control. Select Script Editor and enter the following policy content.

    Note

    This policy prevents the creation of an ECS instance or a standalone cloud disk if its system disk or data disks are not encrypted.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:RunInstances",
            "ecs:CreateInstance"
          ],
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "ecs:IsDiskEncrypted": "*false*"
            }
          },
          "Effect": "Deny"
        },
        {
          "Action": [
            "ecs:RunInstances",
            "ecs:CreateInstance"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "ecs:IsSystemDiskEncrypted": "false"
            }
          },
          "Effect": "Deny"
        },
        {
          "Action": "ecs:CreateDisk",
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "ecs:IsDiskEncrypted": "*false*"
            }
          },
          "Effect": "Deny"
        }
      ]
    }

    Extended policy: Enforce encryption with CMKs

    Alibaba Cloud Key Management Service (KMS) provides service keys free of charge. These keys are managed by Alibaba Cloud and may be shared across multiple services or resources. If a service key is compromised, it can affect multiple resources. Additionally, you cannot directly control the lifecycle of a service key.

    When you encrypt cloud disks, we recommend using a more secure and controllable customer master key (CMK). CMKs provide independent encryption keys for different resources, which mitigates the risks of sharing a single key. You have full control over CMKs and can define a custom key rotation policy to meet your business needs. However, this also means you are responsible for key management tasks, such as key storage, rotation, and backup.

    If you want to enforce the use of CMKs for encryption, use the following policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:RunInstances",
            "ecs:CreateInstance"
          ],
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "ecs:IsDiskByokEncrypted": "*false*"
            }
          },
          "Effect": "Deny"
        },
        {
          "Action": [
            "ecs:RunInstances",
            "ecs:CreateInstance"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "ecs:IsSystemDiskByokEncrypted": "false"
            }
          },
          "Effect": "Deny"
        },
        {
          "Action": "ecs:CreateDisk",
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "ecs:IsDiskByokEncrypted": "*false*"
            }
          },
          "Effect": "Deny"
        }
      ]
    }
  3. Create another RAM policy named ecs-admin. Select Script Editor and enter the following policy content.

    Note

    This policy grants permissions to manage ECS, including creating, managing, and viewing ECS instances. In this example, this policy simulates an ECS administrator role. You can modify the policy to meet your specific needs.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecs:*",
            "ecs-workbench:*",
            "vpc:CheckCanAllocateVpcPrivateIpAddress",
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches",
            "bss:ModifyAgreementRecord",
            "bss:DescribeOrderList",
            "bss:DescribeOrderDetail",
            "bss:PayOrder",
            "bss:CancelOrder"
          ],
          "Resource": "*"
        }
      ]
    }
  4. In the RAM console, grant permissions to the RAM user named Alice.

    For the authorization scope, select Account, select the RAM user named Alice as the principal, and attach the custom policies that you created (ecs-disk-encrypt-control and ecs-admin). For more information, see Grant permissions to a RAM user.

    image

Verification

Log in to the Alibaba Cloud Management Console as the RAM user Alice.

For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.

Verification 1: Create an unencrypted instance

  1. Go to the instance buy page.

  2. Click the Custom Launch tab.

  3. Configure parameters such as the billing method, region, instance type, and image. Do not select the Encrypt checkbox for the system disk and data disk. For more information, see Create an instance by using the wizard.image

  4. After you confirm the order, the creation fails.

Verification 2: Create an unencrypted standalone disk

  1. Go to ECS console - Block Storage.

  2. On the Disks page, click Create Disk.

  3. On the Create Disk page, configure the disk parameters but do not select the Encrypt checkbox. For more information, see Create an empty data disk.image

  4. After you confirm the order, the creation fails.

    image