Create custom policies to enforce least-privilege access when built-in system policies for EventBridge do not meet your requirements. Custom policies give you fine-grained control over which Resource Access Management (RAM) users, user groups, or RAM roles can perform specific actions on specific EventBridge resources.
How custom policies work
RAM supports two types of policies:
- System policies -- Predefined by Alibaba Cloud. These cover common access patterns but cannot be modified.
- Custom policies -- Created and maintained by you. These define exactly which EventBridge actions are allowed or denied on which resources.
After you create a custom policy, attach it to a RAM user, user group, or RAM role to grant the specified permissions. You can directly delete a custom policy that is not attached to any principal. If a custom policy is attached to a principal, you must detach it from the principal before you can delete the policy.
Custom policies support version control through the RAM version management mechanism, allowing you to track and roll back policy changes.
Policy structure
Each custom policy is a JSON document with the following structure:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eventbridge:<action-name>"
      ],
      "Resource": "<resource-arn>"
    }
  ]
}
```

| Field | Description |
|---|---|
| Version | Policy version. Set to "1". |
| Statement | An array of permission statements. Each statement defines one permission rule. |
| Effect | Whether the statement allows or denies access. Valid values: Allow, Deny. |
| Action | One or more EventBridge API operations to allow or deny. Supports wildcards (eventbridge:*). |
| Resource | The EventBridge resources that the policy applies to, specified as Alibaba Cloud Resource Name (ARN) patterns. |
Resource ARN patterns
| Resource type | ARN pattern |
|---|---|
| All event buses | acs:eventbridge:*:*:eventbus/* |
| A specific event bus | acs:eventbridge:*:*:eventbus/<bus-name> |
| All event streams | acs:eventbridge:*:*:eventstreaming/* |
| A specific event stream | acs:eventbridge:*:*:eventstreaming/<stream-name> |
Sample policies
Grant event bus management permissions
Allow a RAM principal to create, view, delete, and list all event buses:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eventbridge:CreateEventBus",
        "eventbridge:GetEventBus",
        "eventbridge:DeleteEventBus",
        "eventbridge:ListEventBuses"
      ],
      "Resource": "acs:eventbridge:*:*:eventbus/*"
    }
  ]
}
```

Grant event stream management permissions
Allow a RAM principal to perform full lifecycle management on all event streams, including create, start, pause, update, view, delete, and list:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eventbridge:CreateEventStreaming",
        "eventbridge:StartEventStreaming",
        "eventbridge:PauseEventStreaming",
        "eventbridge:UpdateEventStreaming",
        "eventbridge:GetEventStreaming",
        "eventbridge:DeleteEventStreaming",
        "eventbridge:ListEventStreamings"
      ],
      "Resource": "acs:eventbridge:*:*:eventstreaming/*"
    }
  ]
}
```

Authorization information
For the complete list of EventBridge API actions and their required permissions, see RAM authorization. Use this reference to identify the exact action strings for your custom policies.
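The following Python script is an added example, not part of this page or of Alibaba Cloud's RAM tooling. It lints a custom policy document against the structure described above (Version "1", Allow/Deny effects, `eventbridge:` action strings, ARN patterns) and flags an Allow statement that grants every action on every resource, which defeats the least-privilege goal. It also evaluates whether a given action on a given resource ARN would be permitted, using the assumed RAM evaluation model that an explicit Deny overrides any Allow and that anything unmatched is denied. The bus name `orders-bus` and the region/account values in the ARNs are constructed placeholders, and the wildcard matcher treats `*` as matching any run of characters, which is an assumption about how RAM expands patterns.

```python
import json
import re

# Constructed example: the page's event-bus policy narrowed to one bus, with an
# explicit Deny on deletion. "orders-bus" is a made-up placeholder name.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["eventbridge:GetEventBus", "eventbridge:ListEventBuses"],
            "Resource": "acs:eventbridge:*:*:eventbus/orders-bus",
        },
        {
            "Effect": "Deny",
            "Action": ["eventbridge:DeleteEventBus"],
            "Resource": "acs:eventbridge:*:*:eventbus/*",
        },
    ],
})

# Constructed example of the pattern the linter should reject: all actions, everywhere.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "eventbridge:*", "Resource": "*"}],
})


def _as_list(value):
    """RAM accepts a single string or an array for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, candidate: str) -> bool:
    """Assumed wildcard semantics: '*' matches any run of characters, rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, candidate) is not None


def validate_policy(doc: str) -> list:
    """Return the problems found in a policy document; an empty list means it passed."""
    problems = []
    try:
        policy = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty array"]
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if not actions or not resources:
            problems.append(f"statement {i}: Action and Resource are required")
        for action in actions:
            if action != "*" and not action.startswith("eventbridge:"):
                problems.append(f"statement {i}: {action!r} is not an EventBridge action")
        # Least-privilege lint: an Allow of every action on every resource
        if (st.get("Effect") == "Allow"
                and any(a in ("*", "eventbridge:*") for a in actions)
                and any(r in ("*", "acs:eventbridge:*:*:*") for r in resources)):
            problems.append(f"statement {i}: allows all actions on all resources; scope it down")
    return problems


def is_allowed(doc: str, action: str, resource: str) -> bool:
    """Assumed RAM model: explicit Deny beats Allow; no matching statement means denied."""
    policy = json.loads(doc)
    allowed = False
    for st in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(st["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(st["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    bus = "acs:eventbridge:cn-hangzhou:123456789012:eventbus/orders-bus"  # constructed ARN
    print("lint:", validate_policy(LEAST_PRIVILEGE_POLICY) or "ok")
    print("lint broad:", validate_policy(OVERLY_BROAD_POLICY))
    print("GetEventBus on orders-bus:", is_allowed(LEAST_PRIVILEGE_POLICY, "eventbridge:GetEventBus", bus))
    print("DeleteEventBus on orders-bus:", is_allowed(LEAST_PRIVILEGE_POLICY, "eventbridge:DeleteEventBus", bus))
```

Running the linter in a pre-merge check for policy documents stored in version control catches the two mistakes that most often widen access: a `Resource` of `*` where a bus or stream ARN was intended, and an action string that does not exist in the EventBridge namespace (so the policy silently grants nothing, and someone later "fixes" it with a wildcard).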
Manage custom policies
| Task | Documentation |
|---|---|
| Create a custom policy | Create a custom policy |
| Edit a custom policy | Modify the document and description of a custom policy |
| Delete a custom policy | Delete a custom policy |
| Manage policy attachments | Manage policy references |
| Manage policy versions | Manage custom policy versions |