Stack policy


You can use a stack policy to prevent stack resources from being unintentionally updated or deleted during a stack update. This topic describes what a stack policy is, and how to set and update it.

Background information

A stack policy is a JSON- or YAML-formatted document that defines the update actions that can be performed on specified resources. When you create a stack, any user with permission to update the stack can update all its resources. Some updates may require resource interruption. After a stack policy is set, ROS protects all resources in the stack. You can then add explicit Allow statements to the policy to permit updates on specific resources.

Note
  • You can define only one stack policy for each stack, but a single policy can protect multiple resources.

  • During a stack update, ROS automatically updates resources that depend on other updated resources. For example, ROS automatically updates a resource that references another updated resource. However, if these resources are associated with a stack policy, you must have the required permissions to update them.

A stack policy applies only during stack updates. Unlike a RAM policy, it does not provide access control. A stack policy functions as a failsafe to prevent accidental updates to specific stack resources.

Define a stack policy

If you create a stack without a stack policy, all update actions are allowed on all its resources. To prevent update operations on stack resources, you can define a stack policy and apply it to the stack. You can set a stack policy during stack creation by providing the policy in a text file or by entering it directly. After a stack policy is set for a stack, any update that is not explicitly allowed is denied by default.

You can define a stack policy with five elements: Effect, Action, Principal, Resource, and Condition.

Statement:
  - Effect: Deny_or_Allow
    Action: update_actions
    Principal: '*'
    Resource: LogicalResourceId/resource_logical_ID
    Condition:
      StringEquals_or_StringLike:
        ResourceType:
          - resource_type
          - ...

The following describes each element:

  • Effect

    Determines whether to allow or deny the specified actions on the specified resources. You can specify only Deny or Allow. Example:

    Effect: Deny

    Note

    If a stack policy contains overlapping statements (which allow and deny an update on the same resource), the Deny statement always overrides the Allow statement. To ensure that a resource is protected, use a Deny statement for that resource.

  • Action

    The update actions that are allowed or denied:

    • Update:Modify

      Update operations that modify a resource, which may or may not cause an interruption.

    • Update:Delete

      This action is required when an update to a stack template removes a resource.

    • Update:*

      All update operations. The asterisk (*) is a wildcard that matches every update action.

    Note

    You can also specify Update:Replace for the Action element. This feature is reserved and is not supported.

    The following example shows how to specify only modify and delete operations:

    Action:
      - Update:Modify
      - Update:Delete

    To allow all update operations except a specific one, use the NotAction element instead of Action. For example, the following statement allows all update operations except Update:Delete:

    Statement:
      - Effect: Allow
        NotAction: Update:Delete
        Principal: '*'
        Resource: '*'

  • Principal

    The entity to which the policy applies. Only the asterisk (*) is supported, which indicates that the policy applies to all principals.

  • Resource

    The logical ID of the resource to which the policy applies. To specify a resource type, use the Condition element.

    To specify a resource, use its logical ID. Example:

    Resource:
      - LogicalResourceId/myECS

    You can use an asterisk (*) in the logical ID. For example, if related resources share a common logical ID prefix, you can use the prefix followed by a wildcard (*) to specify all of them.

    Resource:
      - LogicalResourceId/Prefix*

    You can also use the NotResource element instead of Resource. For example, to allow updates on all resources except one, use NotResource to name the protected resource:

    Statement:
      - Effect: Allow
        Action: Update:*
        Principal: '*'
        NotResource: LogicalResourceId/WebServers

    When you set a stack policy, any update that is not explicitly allowed is denied. By allowing updates to all resources except for the WebServers resource, updates to the WebServers resource are denied.

  • Condition

    The resource type to which the policy applies. To specify the logical ID of a specific resource, use the Resource element.

    You can specify resource types, such as all ECS and ApsaraDB RDS instances.

    Statement:
      - Effect: Deny
        Principal: '*'
        Action: Update:*
        Resource: '*'
        Condition:
          StringEquals:
            ResourceType:
              - ALIYUN::ECS::Instance
              - ALIYUN::RDS::DBInstance
      - Effect: Allow
        Principal: '*'
        Action: Update:*
        Resource: '*'

    The Allow statement grants update permissions on all resources, while the Deny statement denies updates on ECS and ApsaraDB RDS instances. The Deny statement always overrides Allow statements.

    You can use an asterisk (*) for resource types. For example, you can use an asterisk (*) to deny update permissions for all ECS resources, such as instances, security groups, and subnets.

    Condition:
      StringLike:
        ResourceType:
          - ALIYUN::ECS::*

    Note

    When you use a wildcard (*), you must use the StringLike condition.

Set a stack policy

You can apply a stack policy during stack creation by using the ROS console or Alibaba Cloud CLI. To apply a policy to an existing stack, you must use Alibaba Cloud CLI. Once a policy is applied, it cannot be removed from the stack but can be updated by using the CLI.

  • Set a stack policy during stack creation (console)

    1. Log on to the ROS console.

    2. In the navigation pane on the left, click Stacks.

    3. In the top navigation bar, select a region from the region drop-down list, such as China (Hangzhou).

    4. On the Stacks page, click Create Stack, and then select Use ROS from the drop-down list.

    5. In the Create Stack wizard, on the Select Template page, select a template and click Next.

    6. In the Create Stack wizard, on the Configure Parameters page, configure the Stack Name and the template parameters.

    7. In the Configure Stack Settings section, set Stack Policy to Input Stack Policy.

    8. Configure the stack policy and click Next.

      • Input Stack Policy: Enter the stack policy directly.

      • Upload File: Upload a JSON or YAML file that contains the stack policy.

    9. On the Compliance Precheck page, complete the compliance check and click Next.

      Note

      The Compliance Precheck feature is available only for some resources. For more information, see Compliance Precheck.

      1. In the Detection Rule section, add detection rules.

        You can select the detection rules based on the cloud resources in the ROS template.

      2. Click Check.

        You can modify the template based on the suggested remediation solutions for non-compliant resources to ensure resource compliance.

    10. Follow the prompts to finish creating the stack.

  • Set a stack policy during stack creation (CLI)

    You can use one of the following two methods to set a stack policy:

    • Call the CreateStack operation

      Use the aliyun ros CreateStack command with the --StackPolicyBody parameter to provide the policy directly, or use the aliyun ros CreateStack command with the --StackPolicyURL parameter to specify a file that contains the policy.

    • Call the CreateChangeSet operation

      Use the aliyun ros CreateChangeSet command with the --StackPolicyBody parameter to provide the policy directly, or use the aliyun ros CreateChangeSet command with the --StackPolicyURL parameter to specify a file that contains the policy.

  • Set a stack policy on an existing stack (CLI only)

    Use the aliyun ros SetStackPolicy command with the --StackPolicyBody parameter to provide the policy directly, or use the aliyun ros SetStackPolicy command with the --StackPolicyURL parameter to specify a file that contains the policy.

    Note

    To add a policy to an existing stack, you must have permissions for the SetStackPolicy operation.

Update protected resources

To update protected resources, you can create a temporary policy that overrides the stack policy and allows updates to those resources. The override policy does not permanently change the stack policy.

To update protected resources, you must have permissions for the SetStackPolicy operation. For information about how to set ROS permissions, see Use RAM to control resource access.

  • Update protected resources (console)

    1. Log on to the ROS console.

    2. In the navigation pane on the left, click Stacks.

    3. In the top navigation bar, select a region from the region drop-down list, such as China (Hangzhou).

    4. On the Stacks page, find the target stack and click Update in the Actions column.

    5. In the Configure Stack Settings section, select Input Stack Policy as prompted.

    6. Configure a temporary stack policy.

      Specify a temporary stack policy that applies only to the current update. The override policy must specify an Allow statement for the protected resources that you want to update. For example, to update all protected resources, you can specify a temporary override policy that allows all updates.

      Statement:
        - Effect: Allow
          Action: Update:*
          Principal: '*'
          Resource: '*'

    7. Follow the prompts to finish updating the stack.

  • Update protected resources (CLI)

    You can use one of the following two methods to update protected resources:

    • Call the UpdateStack operation

      Use the aliyun ros UpdateStack command with the --StackPolicyDuringUpdateBody parameter to provide the policy directly, or use the aliyun ros UpdateStack command with the --StackPolicyDuringUpdateURL parameter to specify a file that contains the policy.

    • Call the CreateChangeSet operation

      Use the aliyun ros CreateChangeSet command with the --StackPolicyDuringUpdateBody parameter to provide the policy directly, or use the aliyun ros CreateChangeSet command with the --StackPolicyDuringUpdateURL parameter to specify a file that contains the policy.

    Note

    ROS applies the override policy for the current update only; it does not permanently change the stack policy.

Update a stack policy

You can update a stack policy to protect additional resources or remove protection from existing ones. For example, when you add a database that you want to protect to a stack, add a Deny statement for the database to the stack policy. To update the policy, you must have permissions for the SetStackPolicy operation.

  • Update a stack policy (console)

    1. Log on to the ROS console.

    2. In the navigation pane on the left, click Stacks.

    3. In the top navigation bar, select a region from the region drop-down list, such as China (Hangzhou).

    4. On the Stacks page, click the ID of the target stack in the Stack Name column.

    5. On the Stack Information tab, in the Stack Policy section, click Edit.

    6. In the Modify resource stack policy dialog box, enter the stack policy.

    7. Click OK.

  • Update a stack policy (CLI)

    Use the aliyun ros SetStackPolicy command with the --StackPolicyBody parameter to provide the policy directly, or use the aliyun ros SetStackPolicy command with the --StackPolicyURL parameter to specify a file that contains the policy.

    The following policy allows all updates to all resources:

    Statement:
      - Effect: Allow
        Action: Update:*
        Principal: '*'
        Resource: '*'

  • Update a stack policy during a stack update (CLI)

    Use the aliyun ros UpdateStack command with the --StackPolicyBody parameter to provide the policy directly, or use the aliyun ros UpdateStack command with the --StackPolicyURL parameter to specify a file that contains the policy.

    Use the aliyun ros CreateChangeSet command with the --StackPolicyBody parameter to provide the policy directly, or use the aliyun ros CreateChangeSet command with the --StackPolicyURL parameter to specify a file that contains the policy.

Sample stack policies

The following sample policies show how to prevent updates to all stack resources, specific resources, and specific types of updates.

  • Prevent updates to all stack resources

    To prevent updates to all stack resources, the following policy specifies a Deny statement for all update actions on all resources.

    Statement:
      - Effect: Deny
        Action: Update:*
        Principal: '*'
        Resource: '*'

  • Prevent updates to a single resource (WebServers)

    • Example 1: Use a Deny statement to prevent updates to the WebServers resource.

      Statement:
        - Effect: Allow
          Action: Update:*
          Principal: '*'
          Resource: '*'
        - Effect: Deny
          Action: Update:*
          Principal: '*'
          Resource: LogicalResourceId/WebServers

      This policy consists of the following statements and elements:

      • Allow: Allows all update actions on all resources.

      • Deny: Denies all update actions for the resource with the logical ID WebServers.

      • Principal: The entity to which the policy applies. Only the asterisk (*) is supported, which indicates that the policy applies to all entities.

    • Example 2: Use an Allow statement to allow updates to all resources except WebServers.

      Statement:
        - Effect: Allow
          Action: Update:*
          Principal: '*'
          NotResource: LogicalResourceId/WebServers

      Note

      • When you set a stack policy, unless explicitly allowed, updates to a resource are denied by default.

      • Relying on a default deny can be risky. If your policy has a broad Allow statement elsewhere, such as an Allow statement that uses a wildcard, you might accidentally grant update permissions to a resource. Because an explicit Deny statement overrides any Allow statement, using a Deny statement is the safest way to ensure that a resource is protected.

  • Prevent updates to all instances of a resource type

    The following policy denies all update actions for the ApsaraDB RDS instance resource type. It uses an Allow statement to permit all update actions on all other stack resources. The Allow statement does not apply to ApsaraDB RDS instance resources because the Deny statement always overrides Allow statements.

    Statement:
      - Effect: Deny
        Action: Update:*
        Principal: '*'
        Resource: '*'
        Condition:
          StringEquals:
            ResourceType:
              - ALIYUN::RDS::DBInstance
      - Effect: Allow
        Action: Update:*
        Principal: '*'
        Resource: '*'

  • Prevent updates to nested stacks

    The following policy denies all update actions for the ROS stack resource type, which represents a nested stack. It uses an Allow statement to permit all update actions on all other stack resources. The Allow statement does not apply to the ROS stack resources because the Deny statement always overrides an Allow statement.

    Statement:
      - Effect: Deny
        Action: Update:*
        Principal: '*'
        Resource: '*'
        Condition:
          StringEquals:
            ResourceType:
              - ALIYUN::ROS::Stack
      - Effect: Allow
        Action: Update:*
        Principal: '*'
        Resource: '*'
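To check how a policy's statements combine before you apply it, the following added example (not ROS code and not part of the original page) models the evaluation rules given under Define a stack policy and illustrated by the samples above: default deny, an explicit Deny overriding any Allow, Action/NotAction, Resource/NotResource with prefix wildcards, and StringEquals/StringLike conditions on ResourceType. Policies are written as Python dicts equivalent to the YAML on this page; the evaluator's behaviour is an assumption derived from the page's stated rules, not ROS's actual engine.

```python
from fnmatch import fnmatchcase

def _match(patterns, value):
    """True if value matches any pattern; '*' is a wildcard."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(value, p) for p in patterns)

def _applies(stmt, action, logical_id, resource_type):
    """Does this statement cover the given update action on this resource?"""
    # Action / NotAction (Update:* covers every update action).
    if "Action" in stmt and not _match(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _match(stmt["NotAction"], action):
        return False
    # Resource / NotResource, written as LogicalResourceId/<id>; Prefix* is allowed.
    res = "LogicalResourceId/" + logical_id
    if "Resource" in stmt and not _match(stmt["Resource"], res):
        return False
    if "NotResource" in stmt and _match(stmt["NotResource"], res):
        return False
    # Condition on ResourceType: StringEquals is exact, StringLike accepts wildcards.
    for op, keys in stmt.get("Condition", {}).items():
        if op not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported condition operator: {op}")
        types = keys.get("ResourceType", [])
        types = [types] if isinstance(types, str) else types
        if not (resource_type in types if op == "StringEquals" else _match(types, resource_type)):
            return False
    return True

def is_update_allowed(policy, action, logical_id, resource_type):
    """Default deny; a matching Allow grants, but any matching Deny overrides it."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if _applies(stmt, action, logical_id, resource_type):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed sample policy (dict form of this page's YAML): allow every update,
# but protect WebServers and forbid deleting any ApsaraDB RDS resource.
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/WebServers"},
    {"Effect": "Deny", "Action": "Update:Delete", "Principal": "*", "Resource": "*",
     "Condition": {"StringLike": {"ResourceType": ["ALIYUN::RDS::*"]}}},
]}
```

Feeding the evaluator the updates a change set would perform (action, logical ID, resource type) shows which ones the policy would block, including the case where a wildcard type is mistakenly placed under StringEquals and therefore matches nothing.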