If the system policies do not meet your requirements, you can create custom policies to implement least-privilege authorization. Custom policies help you control permissions at a fine-grained level and are an effective way to improve the security of resource access. This topic describes the scenarios in which custom policies are used for Elastic Compute Service (ECS) and provides policy examples.
What is a custom policy
In the RAM-based access control system, custom policies are the policies that you create, update, and delete yourself, in addition to the system policies. You are responsible for maintaining the versions of your custom policies.
After you create a custom policy, you must attach it to a RAM user, RAM user group, or RAM role before that RAM identity obtains the permissions specified in the policy.
A created policy can be deleted, but you must make sure that the policy is not referenced before you delete it. If the policy is referenced, remove the grants from the reference records of the policy first.
Custom policies support version control. You can manage the versions of the custom policies you create by following the version management mechanism defined by RAM.
Procedures
Authorization reference
To use custom policies, you must understand the permission control requirements of your business and the authorization information of ECS. For more information, see the authorization information.
Common custom policy examples
Grant a RAM user permissions to create pay-as-you-go instances
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeImages",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeTags",
        "ecs:RunInstances"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Grant a RAM user permissions to create subscription instances
The bss-related API operations are used to view and pay for subscription orders; the corresponding system policy is AliyunBSSOrderAccess. When you create a subscription instance by calling RunInstances with autoPay=true (automatic payment at instance creation), the bss-related API operations do not need to be authorized.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeImages",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeTags",
        "ecs:RunInstances",
        "bss:DescribeOrderList",
        "bss:DescribeOrderDetail",
        "bss:PayOrder",
        "bss:CancelOrder"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Grant a RAM user permissions to restart ECS instances
The following policy grants the RAM user permission to restart ECS instances only when the user has multi-factor authentication (MFA) enabled and has logged on with MFA. This is done by setting acs:MFAPresent to true in the Condition element.
{
  "Statement": [
    {
      "Action": "ecs:RebootInstance",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "true"
        }
      }
    }
  ],
  "Version": "1"
}
Grant a RAM user permissions to manage a specific ECS instance
The following policy allows you to view all ECS instances and resources but to operate on only one instance, i-001.
{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "acs:ecs:*:*:instance/i-001"
    },
    {
      "Action": "ecs:Describe*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Grant a RAM user permissions to view ECS instances in a specific region
The following policy allows you to view only the ECS instances in the Qingdao region, but not disks or snapshots.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:Describe*",
      "Resource": "acs:ecs:cn-qingdao:*:instance/*"
    }
  ],
  "Version": "1"
}
Grant a RAM user permissions to manage the ECS security groups of an Alibaba Cloud account
The following policy grants you permissions to manage the ECS security groups under the Alibaba Cloud account.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs:*SecurityGroup*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Grant a RAM user permissions to create instance RAM roles
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateInstance",
        "ecs:AttachInstanceRamRole",
        "ecs:DetachInstanceRamRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*"
    }
  ]
}
Grant a RAM user permissions to query instance and block storage information after creating ECS instances
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeDisks"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Grant a RAM user permissions to purchase savings plans
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "savingsplans:*",
      "Resource": "*"
    }
  ]
}
Prevent a RAM user from creating a default VPC when creating ECS instances
ECS provides RAM users to isolate the operations of different businesses. A RAM user granted the AliyunECSFullAccess (manage ECS) permission can by default create, view, and restart ECS instances, among other operations. If you want to prevent a RAM user from creating a default VPC together with an ECS instance when the current region has no VPC, while retaining the user's other permissions, you can do so with a RAM custom policy.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "vpc:CreateDefaultVpc": [
            "true"
          ]
        }
      }
    }
  ]
}
Grant a RAM user permissions to use prefix lists
{
  "Statement": [
    {
      "Action": [
        "ecs:CreatePrefixList",
        "ecs:ModifyPrefixList",
        "ecs:DescribePrefixLists",
        "ecs:DescribePrefixListAssociations",
        "ecs:DescribePrefixListAttributes",
        "ecs:DeletePrefixList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Grant a RAM user permissions to use Cloud Assistant
For details, see the custom policy examples for Cloud Assistant.
Grant a RAM user read permissions on OSS buckets
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetBucketLocation",
        "oss:GetBucketInfo"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Grant a RAM user read and write permissions on OSS buckets
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetBucketLocation",
        "oss:GetBucketInfo",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Allow a RAM user to access ECS resources only over HTTPS
{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ],
  "Version": "1"
}
Restrict a RAM user to creating only encrypted disks
Some enterprises with strict security and compliance requirements may require all RAM users (sub-accounts) under the enterprise account to use encryption to protect data confidentiality. ECS lets you configure a custom policy that restricts RAM users to creating only encrypted disks.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:IsSystemDiskEncrypted": "false"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": "ecs:CreateDisk",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    }
  ]
}
Restrict a RAM user to creating only disks encrypted with a customer master key
If you want to require that disks be encrypted with a customer master key when you purchase new instances or create data disks, configure the following policy. After the policy is configured, you can only use customer master keys to encrypt disks.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskByokEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:IsSystemDiskByokEncrypted": "false"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": "ecs:CreateDisk",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskByokEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    }
  ]
}
Restrict a RAM user to creating ECS instances only from custom images
If you want to allow only custom images to be used when purchasing new instances, configure the following policy.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Effect": "Deny",
      "Resource": "acs:ecs:<地域ID>:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ecs:ImageSource": "Custom"
        }
      }
    }
  ]
}
Prevent a RAM user from logging on to ECS instances as root
If you want to prohibit root logon to ECS instances when purchasing new instances, replacing system disks, attaching system disks, or resetting instance passwords online, configure the following policy. After the policy is configured, you cannot log on to ECS instances as root.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance",
        "ecs:CreateOrder",
        "ecs:ReplaceSystemDisk",
        "ecs:AttachDisk",
        "ecs:InvokeCommand"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ecs:LoginAsNotRoot": [
            "false"
          ]
        }
      },
      "Effect": "Deny"
    }
  ]
}
Prevent a RAM user from logging on to ECS instances with a username and password
If you want to prohibit username and password logon to ECS instances when purchasing new instances, replacing system disks, attaching system disks, or resetting instance passwords online or offline, configure the following policy. After the policy is configured, you can only log on to ECS instances with a key pair or password-free through Session Manager.
In the Condition element of a policy statement, you can use the ecs:ImagePlatform key to limit the scope in which password logon is prohibited at instance creation. For example, ecs:ImagePlatform=linux restricts only Linux instances: password logon is prohibited on Linux, while Windows instances can still use username and password logon.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance",
        "ecs:CreateOrder",
        "ecs:ReplaceSystemDisk"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ecs:PasswordCustomized": [
            "true"
          ]
        },
        "StringEquals": {
          "ecs:ImagePlatform": "linux"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": [
        "ecs:ModifyInstanceAttribute",
        "ecs:InvokeCommand",
        "ecs:AttachDisk"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ecs:PasswordCustomized": [
            "true"
          ]
        }
      },
      "Effect": "Deny"
    }
  ]
}
Prevent a RAM user from logging on to ECS instances with the password preset in the image
If you want to prohibit logon with the password preset in the image when purchasing new instances or replacing system disks, configure the following policy. After the policy is configured, you cannot log on to ECS instances with the password preset in the image.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance",
        "ecs:CreateOrder",
        "ecs:ReplaceSystemDisk"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ecs:PasswordInherit": [
            "true"
          ]
        }
      },
      "Effect": "Deny"
    }
  ]
}
Prevent a RAM user from creating security group rules that contain 0.0.0.0/0
A security group rule that allows 0.0.0.0/0 permits all external IP addresses to access the ECS instance, which may increase security risks. We recommend that you prohibit RAM users from adding security group rules with 0.0.0.0/0 and from using the default security group when creating ECS instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ecs:AuthorizeSecurityGroup",
        "ecs:ConfigureSecurityGroupPermissions",
        "ecs:ModifySecurityGroupRule"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:SecurityGroupIpProtocols": [
            "TCP"
          ]
        },
        "CIDRInRange": {
          "ecs:SecurityGroupSourceCidrIps": [
            "0.0.0.0/0"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:CreateInstance",
        "ecs:RunInstances"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ecs:NotSpecifySecureGroupId": [
            "true"
          ]
        }
      }
    }
  ]
}
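To check how the Condition-based policies on this page (the MFA-gated reboot policy, the encrypted-disk and 0.0.0.0/0 Deny policies) decide a request before you attach them, the following added example is a small evaluator of the page's Deny-overrides-Allow semantics. It is illustration code written for this page, not Alibaba Cloud's RAM engine, and its treatment of multi-valued request keys (a match on any value) is a simplifying assumption.

```python
import fnmatch
import ipaddress


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _holds(op, actual, wanted):
    # Assumption for this illustration: a multi-valued request key matches if ANY value does.
    if op == "Bool":
        wanted = [str(w).lower() for w in wanted]
        return any(str(a).lower() in wanted for a in actual)
    if op == "StringEquals":
        return any(a in wanted for a in actual)
    if op == "StringNotEquals":
        return any(a not in wanted for a in actual)
    if op == "StringLike":
        return any(fnmatch.fnmatchcase(a, w) for a in actual for w in wanted)
    if op == "CIDRInRange":  # the request CIDR lies inside one of the policy's ranges
        return any(ipaddress.ip_network(a).subnet_of(ipaddress.ip_network(w))
                   for a in actual for w in wanted)
    raise ValueError("unsupported condition operator: " + op)


def _matches(st, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
        return False
    # Every operator/key pair in Condition must hold; a key that is missing from
    # the request context leaves the condition unsatisfied.
    return all(k in ctx and _holds(op, _as_list(ctx[k]), _as_list(w))
               for op, keys in st.get("Condition", {}).items() for k, w in keys.items())


def evaluate(policies, action, resource, ctx=None):
    """'Allow' or 'Deny': an explicit Deny always wins; no matching Allow is an implicit Deny."""
    allowed = False
    for st in (s for p in policies for s in p["Statement"]):
        if _matches(st, action, resource, ctx or {}):
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"

# Sample input: the page's MFA-gated reboot policy.
MFA_REBOOT = {"Version": "1", "Statement": [{"Action": "ecs:RebootInstance", "Effect": "Allow",
              "Resource": "*", "Condition": {"Bool": {"acs:MFAPresent": "true"}}}]}
```

The request context is the set of condition keys (for example acs:MFAPresent or ecs:SecurityGroupSourceCidrIps) that the API call would carry; a key absent from it never satisfies a condition.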
Restrict a RAM user to retrieving instance metadata only in security hardening mode
With the following policy, an Alibaba Cloud account can ensure that all of its RAM users (sub-accounts), when creating instances through the RunInstances or CreateInstance API operations or modifying the metadata options of existing instances through ModifyInstanceMetadataOptions, can access the instance metadata server only in security hardening mode. The policy is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance",
        "ecs:ModifyInstanceMetadataOptions"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:SecurityHardeningMode": [
            "false"
          ]
        }
      }
    }
  ]
}