通过自定义权限策略授权RAM用户使用ECS

如果系统权限策略不能满足您的要求,您可以创建自定义权限策略实现最小授权。使用自定义权限策略有助于实现权限的精细化管控,是提升资源访问安全的有效手段。本文介绍云服务器ECS使用自定义权限策略的场景和策略示例。

什么是自定义权限策略

在基于RAM的访问控制体系中,自定义权限策略是指在系统权限策略之外,您可以自主创建、更新和删除的权限策略。自定义权限策略的版本更新需由您来维护。

  • 创建自定义权限策略后,需为RAM用户、用户组或RAM角色绑定权限策略,这些RAM身份才能获得权限策略中指定的访问权限。

  • 已创建的权限策略支持删除,但删除前需确保该策略未被引用。如果该权限策略已被引用,您需要在该权限策略的引用记录中移除授权。

  • 自定义权限策略支持版本控制,您可以按照RAM规定的版本管理机制来管理您创建的自定义权限策略版本。

操作文档

授权信息参考

使用自定义权限策略,您需要了解业务的权限管控需求,并了解云服务器ECS的授权信息。更多信息,请参见授权信息

常见自定义权限策略示例

授权RAM用户创建按量付费实例

{
   "Statement": [
       {
           "Effect": "Allow",
           "Action": [
                   "ecs:DescribeImages",
                 "vpc:DescribeVpcs",
                 "vpc:DescribeVSwitches",
                 "ecs:DescribeSecurityGroups",
                 "ecs:DescribeKeyPairs",
                 "ecs:DescribeTags",
                 "ecs:RunInstances"
         ],
           "Resource": "*"
       }
   ],
   "Version": "1"
}

授权RAM用户创建包年包月实例

其中bss相关API主要用于查看并支付包年包月订单,其对应的系统策略为AliyunBSSOrderAccess

重要

通过RunInstances创建包年包月实例时,若传入autoPay=true(创建实例时自动支付),则不需要授权bss相关API。

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                    "ecs:DescribeImages", 
                  "vpc:DescribeVpcs", 
                  "vpc:DescribeVSwitches", 
                  "ecs:DescribeSecurityGroups", 
                  "ecs:DescribeKeyPairs",
                  "ecs:DescribeTags", 
                  "ecs:RunInstances",
                  "bss:DescribeOrderList",
                  "bss:DescribeOrderDetail",
                  "bss:PayOrder",
                  "bss:CancelOrder"
          ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}

授权RAM用户重启ECS实例

以下策略表示:仅被授予此策略的RAM用户启用MFA并使用MFA登录时,才具有重启ECS实例的权限。您可以通过设置Conditionacs:MFAPresent的值为true来实现。

{
  "Statement": [
    {
      "Action": "ecs:RebootInstance",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "true"
        }
      }
    }
  ],
  "Version": "1"
}

授权RAM用户管理指定的ECS实例

以下策略表示:您可以查看所有ECS实例及资源,但只能操作其中一个实例i-001

{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "acs:ecs:*:*:instance/i-001"
    },
    {
      "Action": "ecs:Describe*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

授权RAM用户查看指定地域ECS实例

以下策略表示:仅允许您查看青岛的ECS实例,但不允许查看磁盘及快照。

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:Describe*",
      "Resource": "acs:ecs:cn-qingdao:*:instance/*"
    }
  ],
  "Version": "1"
}

授权RAM用户管理阿里云账号下ECS安全组

下述策略表示:您拥有管理阿里云账号下ECS安全组的权限。

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs:*SecurityGroup*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

授权RAM用户创建实例RAM角色

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs: CreateInstance",
                "ecs: AttachInstanceRamRole",
                "ecs: DetachInstanceRAMRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": "*"
        }
    ]
}

授权RAM用户创建ECS实例后查询实例和块存储信息

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                    "ecs:DescribeInstances", 
                    "ecs:DescribeDisks"
          ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}

授权RAM用户购买节省计划

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "savingsplans:*",
      "Resource": "*"
    }
  ]
}

限制RAM用户创建ECS实例时创建Default VPC

云服务器ECS提供了RAM用户来实现不同业务之间的隔离操作,被赋予AliyunECSFullAccess(管理ECS)权限的RAM用户默认拥有创建ECS、查看ECS、重启ECS等权限。如果您需要限制RAM用户在当前地域没有VPC时禁止创建Default VPC并创建ECS的权限,同时保留其他权限,可通过访问控制RAM自定义策略来实现。

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "vpc:CreateDefaultVpc": [
                        "true"
                    ]
                }
            }
        }
    ]
}

授权RAM用户使用前缀列表

{
    "Statement": [
        {
            "Action": [
                "ecs:CreatePrefixList",
                "ecs:ModifyPrefixList",
                "ecs:DescribePrefixLists",
                "ecs:DescribePrefixListAssociations",
                "ecs:DescribePrefixListAttributes",
                "ecs:DeletePrefixList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ],
    "Version": "1"
}

授权RAM用户使用云助手

详细信息,可参见云助手自定义策略示例

授权RAM用户对OSS Bucket的读权限

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetObject",
                "oss:GetBucketLocation",
                "oss:GetBucketInfo"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

授权RAM用户对OSS Bucket的读写权限

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetObject",
                "oss:GetBucketLocation",
                "oss:GetBucketInfo",
                "oss:PutObject",
                "oss:DeleteObject",
                "oss:AbortMultipartUpload",
                "oss:ListMultipartUploads",
                "oss:ListParts"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

授权RAM用户只允许通过HTTPS协议访问ECS资源

{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ],
  "Version": "1"
}

限制RAM用户仅支持创建加密云盘

对于部分高安全合规要求的企业,针对企业账号下所有RAM子账号可能要求必须使用加密以保护数据的机密性。ECS支持配置自定义权限策略限制RAM子账号仅支持创建加密云盘。

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:IsSystemDiskEncrypted": "false"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": "ecs:CreateDisk",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    }
  ]
}

限制RAM用户只能使用自定义镜像创建ECS实例

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance"
            ],
            "Effect": "Deny",
            "Resource": "acs:ecs:<地域ID>:*:instance/*",
            "Condition": {
                "StringNotEquals": {
                    "ecs:ImageSource": "Custom"
                }
            }
        }
    ]
}