
Examples of custom control policies


This topic describes common examples of custom control policies.

Deny modifying or deleting RAM users, RAM user groups, and RAM roles

Policy content:

{
    "Statement": [
        {
            "Action": [
                "ram:Attach*",
                "ram:Detach*",
                "ram:BindMFADevice",
                "ram:CreateAccessKey",
                "ram:CreateLoginProfile",
                "ram:CreatePolicyVersion",
                "ram:DeleteAccessKey",
                "ram:DeleteGroup",
                "ram:DeleteLoginProfile",
                "ram:DeletePolicy",
                "ram:DeletePolicyVersion",
                "ram:DeleteRole",
                "ram:DeleteUser",
                "ram:DisableVirtualMFA",
                "ram:AddUserToGroup",
                "ram:RemoveUserFromGroup",
                "ram:SetDefaultPolicyVersion",
                "ram:UnbindMFADevice",
                "ram:UpdateAccessKey",
                "ram:UpdateGroup",
                "ram:UpdateLoginProfile",
                "ram:UpdateRole",
                "ram:UpdateUser"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

This policy denies modifying or deleting RAM users, RAM user groups, and RAM roles, including modifying their permissions.

Note

This policy allows only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts, to perform these operations. You can remove the Condition to deny these operations to all RAM users and RAM roles, or add or change the PrincipalARN value to define your own restriction.

Deny modifying the ResourceDirectoryAccountAccessRole role and its permissions

Policy content:

{
   "Version": "1",
   "Statement": [
       {
           "Effect": "Deny",
           "Action": [
               "ram:UpdateRole",
               "ram:DeleteRole",
               "ram:AttachPolicyToRole",
               "ram:DetachPolicyFromRole"
           ],
           "Resource": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
       }
   ]
}

Deny modifying or deleting a specified RAM user

Policy content:

{
    "Version": "1",
    "Statement": [{
        "Action": [
            "ram:AttachPolicyToUser",
            "ram:DetachPolicyFromUser",
            "ram:AddUserToGroup",
            "ram:RemoveUserFromGroup",
            "ram:UpdateUser",
            "ram:DeleteUser",
            "ram:CreateLoginProfile",
            "ram:UpdateLoginProfile",
            "ram:DeleteLoginProfile",
            "ram:CreateAccessKey",
            "ram:DeleteAccessKey",
            "ram:UpdateAccessKey",
            "ram:BindMFADevice",
            "ram:UnbindMFADevice",
            "ram:DisableVirtualMFA"
        ],
        "Resource": [
            "acs:ram:*:*:user/Alice"
        ],
        "Effect": "Deny",
        "Condition": {
            "StringNotLike": {
                "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
            }
        }
    }]
}

This policy denies modifying or deleting a specified RAM user (Alice in this example), including modifying the user's permissions. You can also specify the Alibaba Cloud account that Alice belongs to, for example acs:ram:*:18299873****:user/Alice.

Note

This policy allows only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts, to perform these operations. You can remove the Condition to deny these operations to all RAM users and RAM roles, or add or change the PrincipalARN value to define your own restriction.

Deny enabling console logon for any existing RAM user

Policy content:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateLoginProfile",
                "ram:UpdateLoginProfile"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

This policy denies enabling console logon for any existing RAM user. It takes effect only for existing RAM users and does not affect enabling console logon while a RAM user is being created.

Note

This policy allows only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts, to perform these operations. You can remove the Condition to deny these operations to all RAM users and RAM roles, or add or change the PrincipalARN value to define your own restriction.

Require multi-factor authentication (MFA) for RAM users or RAM roles to delete certain resources

Policy content:

{
  "Statement": [
    {
      "Action": "ecs:DeleteInstance",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "false"
        }
      }
    }
  ],
  "Version": "1"
}

This policy uses the deletion of ECS instances as an example: a RAM user or RAM role must use multi-factor authentication (MFA) to delete an ECS instance. To cover other resources, change the Action element to the corresponding operations on those resources.
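The policies on this page all follow the same shape: a Deny statement whose Condition either exempts one principal (the StringNotLike on acs:PrincipalARN in the RAM policies above) or keys on a request attribute (the Bool on acs:MFAPresent in this policy, and the StringNotEquals on the resource type in the last policy on the page). The following added example, which is not Alibaba Cloud code and not part of this page, is a minimal evaluator for exactly those constructs, so you can check what a policy will deny before attaching it. The two policy documents are constructed copies of the first RAM policy (trimmed to four actions) and the MFA policy; all request values, account IDs and user names are made up, and the handling of an absent condition key and the case-insensitive matching are assumptions stated in the code.

```python
"""Added example, not Alibaba Cloud's code: a minimal evaluator for the Deny
statements on this page. It implements only what the page's policies use
(action and resource wildcards, and the StringLike/StringNotLike,
StringEquals/StringNotEquals and Bool condition operators). The two policy
documents below are constructed copies of the page's RAM guard policy
(trimmed to four actions) and its MFA policy; every request value is made up."""
import fnmatch
import json

RAM_GUARD_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["ram:Attach*", "ram:Detach*", "ram:DeleteUser", "ram:UpdateRole"],
    "Resource": "*",
    "Condition": {
      "StringNotLike": {
        "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
      }
    }
  }]
}
""")

MFA_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [{
    "Effect": "Deny",
    "Action": "ecs:DeleteInstance",
    "Resource": "*",
    "Condition": {"Bool": {"acs:MFAPresent": "false"}}
  }]
}
""")


def _as_list(value):
    """Action, Resource and condition values may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value):
    """Policy wildcard match: '*' spans any run of characters, '?' one character.
    Comparison is case-insensitive, which the page's lower-case PrincipalARN
    pattern for ResourceDirectoryAccountAccessRole relies on (inferred from the
    page's examples, not stated by it)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def condition_matches(condition, context):
    """True when every operator block of a Condition holds for the request context.
    Assumption of this example: a condition key absent from the request context
    makes the Condition fail, so the Deny does not fire; check the service's
    documented handling of absent keys before relying on this."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False
            patterns = [str(p) for p in _as_list(expected)]
            if operator == "StringLike":
                ok = any(_glob_match(p, actual) for p in patterns)
            elif operator == "StringNotLike":
                ok = not any(_glob_match(p, actual) for p in patterns)
            elif operator == "StringEquals":
                ok = actual in patterns
            elif operator == "StringNotEquals":
                ok = actual not in patterns
            elif operator == "Bool":
                ok = str(actual).lower() == patterns[0].lower()
            else:
                raise ValueError(f"unsupported condition operator {operator!r}")
            if not ok:
                return False
    return True


def is_denied(policy, action, resource, context):
    """True when any Deny statement of the policy matches the request.
    Control policies only restrict, so Allow statements are ignored here."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_glob_match(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    # Constructed request values; account IDs and names are placeholders.
    user_ctx = {"acs:PrincipalARN": "acs:ram::123456789012****:user/bob"}
    rd_role_ctx = {"acs:PrincipalARN":
                   "acs:ram::123456789012****:role/ResourceDirectoryAccountAccessRole"}
    target = "acs:ram:*:123456789012****:user/alice"
    print(is_denied(RAM_GUARD_POLICY, "ram:AttachPolicyToUser", target, user_ctx))     # True
    print(is_denied(RAM_GUARD_POLICY, "ram:AttachPolicyToUser", target, rd_role_ctx))  # False
    print(is_denied(MFA_POLICY, "ecs:DeleteInstance", "*", {"acs:MFAPresent": "false"}))  # True
```

The evaluator shows why the PrincipalARN pattern uses wildcards for the region and account segments: the same policy document is attached across many member accounts, and the exempt role's ARN differs only in the account ID. It also makes the MFA policy's failure mode visible: with the assumption above, a request that carries no acs:MFAPresent key at all is not denied, so the value of that key in the real request context is what the control actually depends on.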

Deny modifying user SSO settings

Policy content:

{
    "Statement": [
        {
            "Action": [
                "ram:SetSamlSsoSettings"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

Note

This policy allows only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts, to perform these operations. You can remove the Condition to deny these operations to all RAM users and RAM roles, or add or change the PrincipalARN value to define your own restriction.

Deny modifying role SSO settings

Policy content:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateSAMLProvider",
                "ram:DeleteSAMLProvider",
                "ram:UpdateSAMLProvider"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

Note

This policy allows only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts, to perform these operations. You can remove the Condition to deny these operations to all RAM users and RAM roles, or add or change the PrincipalARN value to define your own restriction.

Deny changing the delivery destination of ActionTrail and deny disabling delivery

Policy content:

{
    "Statement": [
        {
            "Action": [
                "actiontrail:UpdateTrail",
                "actiontrail:DeleteTrail",
                "actiontrail:StopLogging"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

Note

This policy allows only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts, to perform these operations. You can remove the Condition to deny these operations to all RAM users and RAM roles, or add or change the PrincipalARN value to define your own restriction.

Deny access to some network services

Policy content:

{
    "Statement": [
        {
            "Action": [
                "vpc:*HaVip*",
                "vpc:*RouteTable*",
                "vpc:*VRouter*",
                "vpc:*RouteEntry*",
                "vpc:*VSwitch*",
                "vpc:*Vpc*",
                "vpc:*Cen*",
                "vpc:*NetworkAcl*"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        },
        {
            "Action": [
                "vpc:*VpnGateway*",
                "vpc:*VpnConnection*",
                "vpc:*CustomerGateway*",
                "vpc:*SslVpnServer*",
                "vpc:*SslVpnClientCert*",
                "vpc:*VpnRoute*",
                "vpc:*VpnPbrRoute*"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

This policy uses VPC and VPN Gateway as examples. To deny access to other network services, change the Action element to the operations of those services.

Note

This policy allows only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts, to perform these operations. You can remove the Condition to deny these operations to all RAM users and RAM roles, or add or change the PrincipalARN value to define your own restriction.

Deny creating network resources with Internet access, including EIPs and NAT gateways

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:AllocateEipAddress",
                "vpc:AllocateEipAddressPro",
                "vpc:AllocateEipSegmentAddress",
                "vpc:CreateNatGateway"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ]
}

Note

This policy allows only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts, to perform these operations. You can remove the Condition to deny these operations to all RAM users and RAM roles, or add or change the PrincipalARN value to define your own restriction.

Deny access to network services that connect to on-premises resources

Policy content:

{
    "Statement": [
       {
            "Action": [
                "vpc:*PhysicalConnection*",
                "vpc:*VirtualBorderRouter*",
                "cen:*",
                "vpc:*VpnGateway*",
                "vpc:*VpnConnection*",
                "vpc:*CustomerGateway*",
                "vpc:*SslVpnServer*",
                "vpc:*SslVpnClientCert*",
                "vpc:*VpnRoute*",
                "vpc:*VpnPbrRoute*",
                "smartag:*"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ],
    "Version": "1"
}

This policy denies access to the network services that connect to on-premises resources: Express Connect physical connections and virtual border routers, Cloud Enterprise Network (CEN), VPN Gateway, and Smart Access Gateway.

Deny access to some features of Billing Management

Policy content:

{
    "Statement": [
       {
            "Action": [
                "bss:DescribeOrderList",
                "bss:DescribeOrderDetail",
                "bss:PayOrder",
                "bss:CancelOrder"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ],
    "Version": "1"
}

This policy uses the order features of Billing Management as an example. To deny access to other features, change the Action element to the corresponding operations.

Note

This policy allows only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts, to perform these operations. You can remove the Condition to deny these operations to all RAM users and RAM roles, or add or change the PrincipalARN value to define your own restriction.

Deny modifying CloudMonitor settings

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cms:Put*",
                "cms:Update*",
                "cms:Create*",
                "cms:Modify*",
                "cms:Disable*",
                "cms:Enable*",
                "cms:Delete*",
                "cms:Send*",
                "cms:Subscribe*",
                "cms:Unsubscribe*",
                "cms:Remove*",
                "cms:CreateAction",
                "cms:Pause*",
                "cms:Stop*",
                "cms:Start*",
                "cms:BatchCreate*",
                "cms:ProfileSet",
                "cms:ApplyMonitoringTemplate"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
                }
            }
        }
    ]
}

Note

This policy allows only ResourceDirectoryAccountAccessRole, the role that Resource Directory uses by default to access member accounts, to perform these operations. You can remove the Condition to deny these operations to all RAM users and RAM roles, or add or change the PrincipalARN value to define your own restriction.

Deny purchasing reserved instances

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:PurchaseReservedInstancesOffering"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Deny creating ECS instances outside a specified VPC

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateInstance",
                "ecs:RunInstances"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotLike": {
                    "vpc:VPC": "acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc****"
                }
            }
        }
    ]
}

In this example, the specified VPC is acs:vpc:cn-shenzhen:*:vpc/vpc-wz95ya85js0avrkabc****. Replace it with your own VPC when you use the policy.

Deny purchasing domain names

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "domain:CreateOrderActivate"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Deny access to the ticket system

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "support:*",
                "workorder:*"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Deny access to ECS in a specific region

Policy content:

{
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": [
            "ecs:*"
        ],
        "Resource": "acs:ecs:us-east-1:*:*"
    }]
}

This policy denies the use of ECS in the US (Virginia) region.

Deny sharing resources outside the organization

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "resourcesharing:CreateResourceShare",
                "resourcesharing:UpdateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "resourcesharing:RequestedAllowExternalTargets": "true"
                }
            }
        }
    ]
}

This policy prevents users from creating resource shares that allow sharing with accounts outside the organization.

Deny sharing resources with unintended accounts

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "resourcesharing:AssociateResourceShare",
                "resourcesharing:CreateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "resourcesharing:Target": [
                        "rd-3G****/r-Wm****/*",
                        "rd-3G****/r-Wm****",
                        "192796193830****"
                    ]
                }
            }
        }
    ]
}

This policy allows sharing resources only with the account 192796193830**** and with all members of the folder rd-3G****/r-Wm****, and denies sharing with any other account. Replace these values with your own target accounts.

Deny accepting resource share invitations from accounts outside the organization

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "resourcesharing:AcceptResourceShareInvitation",
            "Resource": "*"
        }
    ]
}

This policy prevents users from accepting resource share invitations from accounts outside the organization. No invitation is generated when the sharing account belongs to the same resource directory, so such shares are not affected by this policy.

Deny sharing unintended resource types

Policy content:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "resourcesharing:CreateResourceShare",
        "resourcesharing:UpdateResourceShare",
        "resourcesharing:AssociateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "resourcesharing:RequestedResourceType": ["VSwitch","Image","Snapshot"]
        }
      }
    }
  ]
}

This policy allows sharing only vSwitches (VSwitch), images (Image), and snapshots (Snapshot), and denies sharing resources of any other type.
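Every policy on this page is hand-written JSON, and a control policy with a typo in an operator name or a missing service prefix can silently fail to restrict anything. The following added example, which is not Alibaba Cloud code and not part of this page, is a structural checker to run over policy documents before attaching them. Its rules are only the conventions the examples on this page share (Version "1", a non-empty Statement list, Effect Allow or Deny, Action and Resource as a non-empty string or list of strings, actions with a service prefix, Condition as operator to key-to-value map); the operator set is the one used on this page and is an assumption, not the service's complete list. The well-formed sample is the resource-type policy directly above; the malformed sample and its account placeholder are constructed.

```python
"""Added example, not Alibaba Cloud's code: a structural check for control policy
documents. The rules are the conventions shared by the examples on this page;
the operator set is an assumption limited to the operators this page uses."""
import json

KNOWN_OPERATORS = {"StringLike", "StringNotLike", "StringEquals", "StringNotEquals", "Bool"}

# Copied from the page's "deny sharing unintended resource types" policy.
GOOD_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["resourcesharing:CreateResourceShare",
               "resourcesharing:UpdateResourceShare",
               "resourcesharing:AssociateResourceShare"],
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {"resourcesharing:RequestedResourceType": ["VSwitch", "Image", "Snapshot"]}
    }
  }]
}
""")

# Constructed: a policy with five defects (wrong Version, lower-case Effect, an
# action without a service prefix, a misspelled operator, a JSON boolean value).
BAD_POLICY = json.loads("""
{
  "Version": "2",
  "Statement": [{
    "Effect": "deny",
    "Action": ["CreateResourceShare"],
    "Resource": "*",
    "Condition": {
      "StringNotMatch": {"resourcesharing:Target": "123456789012****"},
      "Bool": {"acs:MFAPresent": true}
    }
  }]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(doc):
    """Return a list of human-readable problems; an empty list means the document
    passes every structural rule this checker knows about."""
    problems = []
    if doc.get("Version") != "1":
        problems.append('Version must be "1"')
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        problems.append("Statement must be a non-empty list")
        return problems
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        for field in ("Action", "Resource"):
            values = _as_list(stmt.get(field, []))
            if not values:
                problems.append(f"{where}: missing {field}")
            for v in values:
                if not isinstance(v, str) or not v:
                    problems.append(f"{where}: {field} entries must be non-empty strings")
                elif field == "Action" and v != "*" and ":" not in v:
                    problems.append(f"{where}: Action {v!r} lacks a service prefix")
        condition = stmt.get("Condition", {})
        if not isinstance(condition, dict):
            problems.append(f"{where}: Condition must be an object")
            continue
        for operator, clauses in condition.items():
            if operator not in KNOWN_OPERATORS:
                problems.append(f"{where}: unknown condition operator {operator!r}")
            if not isinstance(clauses, dict) or not clauses:
                problems.append(f"{where}: {operator} must map condition keys to values")
                continue
            for key, value in clauses.items():
                if any(not isinstance(v, str) for v in _as_list(value)):
                    problems.append(f"{where}: values for {key!r} must be strings")
    return problems


if __name__ == "__main__":
    for name, doc in (("GOOD_POLICY", GOOD_POLICY), ("BAD_POLICY", BAD_POLICY)):
        print(name, lint_policy(doc) or "ok")
```

The checker deliberately treats an unknown operator as an error rather than a warning: a Deny whose Condition uses an operator the service does not recognise is the kind of defect that is only discovered when the control fails to block an action. Extend KNOWN_OPERATORS from the service's documented list before using it on policies that go beyond the constructs on this page.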