Elastic Compute Service:Custom policies

Last Updated: Sep 06, 2025

If the available system policies do not meet your requirements, you can create custom policies to achieve least privilege. Custom policies enable fine-grained permission management and are an effective way to improve resource access security. This topic describes scenarios for using custom policies with Elastic Compute Service (ECS) and provides policy examples.

Background information

Sample custom policies

Grant a RAM user permissions to create pay-as-you-go instances

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeImages",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeTags",
        "ecs:RunInstances"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Grant a RAM user permissions to create subscription instances

Creating a subscription instance also involves the BSS-related API operations that are used to view and pay for subscription orders. The corresponding system policy is AliyunBSSOrderAccess.

Important

If you set autoPay to true when you call the RunInstances operation to create a subscription instance, you do not need the permissions to call BSS-related API operations.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeImages",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeTags",
        "ecs:RunInstances",
        "bss:DescribeOrderList",
        "bss:DescribeOrderDetail",
        "bss:PayOrder",
        "bss:CancelOrder"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Grant a RAM user permissions to restart an ECS instance

The following policy indicates that the authorized RAM user can restart ECS instances, but only when MFA is enabled for the RAM user and the user logged on with MFA. This requirement is expressed by setting the acs:MFAPresent condition key in the Condition element to true.

{
  "Statement": [
    {
      "Action": "ecs:RebootInstance",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "true"
        }
      }
    }
  ],
  "Version": "1"
}

Grant a RAM user permissions to manage a specific ECS instance

The following policy indicates that the authorized RAM user can view all ECS instances under an Alibaba Cloud account, but the user can manage only the i-001 ECS instance.

{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "acs:ecs:*:*:instance/i-001"
    },
    {
      "Action": "ecs:Describe*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Grant a RAM user permissions to connect to a specific ECS instance using Workbench

The following policy lets you view all ECS instances and resources, but you can connect only to instance i-001 using Workbench.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecs:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ecs-workbench:LoginInstance",
            "Resource": "acs:ecs-workbench:*:*:workbench/i-001"
        }
    ],
    "Version": "1"
}

Prohibit a RAM user from connecting to an ECS instance using VNC

The following policy prevents you from using Virtual Network Computing (VNC) to connect to all ECS instances.

{
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ecs:DescribeInstanceVncUrl",
            "Resource": "*"
        }
    ],
    "Version": "1"
}
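The three policies above (MFA-gated restart, management of only i-001, and the VNC Deny) are easiest to reason about by running them through a policy evaluator. The following is an added example, not code from the Alibaba Cloud documentation: a minimal evaluator with RAM-style semantics (implicit Deny, glob matching on Action and Resource, Condition operators, explicit Deny overriding any Allow). The resource ARN and account ID used in the tests are constructed.

```python
# Added example, not from the Alibaba Cloud documentation: a small evaluator for RAM-style policies.
import fnmatch
import json

def _match(pattern, value):
    # Action and Resource accept a string or a list; "*" is a glob. Matching is case-insensitive.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def _cond_ok(op, key, wanted, ctx):
    # One condition entry; ForAnyValue: lets any element of a multi-valued request key satisfy it.
    # A key missing from the request context never satisfies a condition (conservative choice).
    any_value = op.startswith("ForAnyValue:")
    base = op.split(":", 1)[1] if any_value else op
    actual = ctx.get(key)
    if actual is None:
        return False
    values = actual if isinstance(actual, list) else [actual]
    wanted = wanted if isinstance(wanted, list) else [wanted]
    tests = {  # operators used on this page; unsupported ones raise KeyError on purpose
        "StringEquals": lambda a: a in wanted,
        "StringNotEquals": lambda a: a not in wanted,
        "StringLike": lambda a: any(fnmatch.fnmatchcase(a, w) for w in wanted),
        "Bool": lambda a: str(a).lower() in [str(w).lower() for w in wanted],
    }
    results = [tests[base](v) for v in values]
    return any(results) if any_value else all(results)

def evaluate(policies, action, resource, ctx=None):
    # RAM semantics: implicit Deny; any matching Allow grants; any matching Deny wins regardless of order.
    ctx = ctx or {}
    decision = "Deny"
    for policy in policies:
        for st in json.loads(policy)["Statement"]:
            if not _match(st["Action"], action) or not _match(st["Resource"], resource):
                continue
            conds = st.get("Condition", {})
            if not all(_cond_ok(op, k, v, ctx) for op, kv in conds.items() for k, v in kv.items()):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

# The three policies from this page, as compact JSON strings.
MFA_REBOOT = '{"Version":"1","Statement":[{"Effect":"Allow","Action":"ecs:RebootInstance","Resource":"*","Condition":{"Bool":{"acs:MFAPresent":"true"}}}]}'
ONLY_I001 = '{"Version":"1","Statement":[{"Effect":"Allow","Action":"ecs:*","Resource":"acs:ecs:*:*:instance/i-001"},{"Effect":"Allow","Action":"ecs:Describe*","Resource":"*"}]}'
NO_VNC = '{"Version":"1","Statement":[{"Effect":"Deny","Action":"ecs:DescribeInstanceVncUrl","Resource":"*"}]}'
```

Call `evaluate([ONLY_I001, NO_VNC], "ecs:DescribeInstanceVncUrl", "acs:ecs:cn-hangzhou:123456:instance/i-001")` to see the explicit Deny override the broad `ecs:*` Allow on i-001.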

Grant a RAM user permissions to view ECS instances in a specific region

The following policy indicates that the authorized RAM user can view ECS instances in the China (Qingdao) region, but cannot view disks or snapshots in this region.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:Describe*",
      "Resource": "acs:ecs:cn-qingdao:*:instance/*"
    }
  ],
  "Version": "1"
}

Grant a RAM user permissions to manage the ECS security groups of an Alibaba Cloud account

The following policy specifies that the authorized RAM user can manage ECS security groups within an Alibaba Cloud account.

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs:*SecurityGroup*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Grant a RAM user permissions to create an instance RAM role

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateInstance",
        "ecs:AttachInstanceRamRole",
        "ecs:DetachInstanceRamRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*"
    }
  ]
}

Grant a RAM user permissions to query information about instances and disks

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ecs:DescribeInstances", "ecs:DescribeDisks"],
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Grant a RAM user permissions to purchase a savings plan

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "bssapi:CreateSavingsPlansInstance",
      "Resource": "*"
    }
  ]
}

Restrict a RAM user from creating a default VPC when creating an ECS instance

ECS lets you use RAM users to isolate operations between different businesses. By default, a RAM user that is granted the AliyunECSFullAccess permission can perform operations on ECS resources, such as creating, viewing, and restarting ECS instances. To deny such a RAM user the permission to create a default VPC when the user creates an ECS instance in a region where no VPCs are available, while retaining the user's other permissions, configure the following custom policy.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "vpc:CreateDefaultVpc": ["true"]
        }
      }
    }
  ]
}

Grant a RAM user permissions to use a prefix list

{
  "Statement": [
    {
      "Action": [
        "ecs:CreatePrefixList",
        "ecs:ModifyPrefixList",
        "ecs:DescribePrefixLists",
        "ecs:DescribePrefixListAssociations",
        "ecs:DescribePrefixListAttributes",
        "ecs:DeletePrefixList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}

Grant a RAM user permissions to use Cloud Assistant

For more information, see Sample custom policies for Cloud Assistant.

Grant a RAM user read permissions on an OSS bucket

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["oss:GetObject", "oss:GetBucketLocation", "oss:GetBucketInfo"],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Grant a RAM user read and write permissions on an OSS bucket

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetBucketLocation",
        "oss:GetBucketInfo",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Grant a RAM user permissions to access ECS resources only over HTTPS

{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ],
  "Version": "1"
}

Restrict a RAM user to creating only encrypted disks

For enterprises with high security compliance requirements, data encryption may be required for all RAM users to ensure data confidentiality. You can attach this custom policy to a RAM user to grant the permission to create only encrypted disks for ECS instances.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:IsSystemDiskEncrypted": "false"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": "ecs:CreateDisk",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    }
  ]
}

Restrict a RAM user to creating only disks that are encrypted using master keys

When a RAM user purchases an instance or creates a data disk, the following policy allows the user to create only disks that are encrypted with master keys: after the policy is attached, every disk the RAM user creates must be encrypted with a master key.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskByokEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:IsSystemDiskByokEncrypted": "false"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": "ecs:CreateDisk",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskByokEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    }
  ]
}

Restrict a RAM user to creating an ECS instance using only a custom image

When you purchase an ECS instance, you can configure the following policy to allow a RAM user to create the instance using only a custom image.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance"
            ],
            "Effect": "Deny",
            "Resource": "acs:ecs:<region ID>:*:instance/*",
            "Condition": {
                "StringNotEquals": {
                    "ecs:ImageSource": "Custom"
                }
            }
        }
    ]
}

Prohibit a RAM user from logging on to an ECS instance as the root user

You can configure the following policy to prevent a RAM user from logging on to an ECS instance as the root user. This restriction applies when the user purchases an instance, replaces a system disk, attaches a system disk, or resets an instance password online.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance",
                "ecs:CreateOrder",
                "ecs:ReplaceSystemDisk",
                "ecs:AttachDisk",
                "ecs:InvokeCommand"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ecs:LoginAsNonRoot": [
                        "false"
                    ]
                }
            },
            "Effect": "Deny"
        }
    ]
}

Prohibit a RAM user from using a username and password to log on to an ECS instance

You can configure the following policy to prohibit a RAM user from using a username and password to log on to the instance. This restriction applies when you purchase an instance, replace a system disk, attach a system disk, or reset an instance password online or offline. After you configure the policy, the RAM user can log on to the instance only using a key pair or Session Manager.

Note

In the Condition element of the policy statement, you can use the ecs:ImagePlatform condition key to limit the restriction to specific operating systems. For example, if you set ecs:ImagePlatform to `linux`, the restriction applies only to Linux instances, and a username and password can still be used to log on to Windows instances.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance",
                "ecs:CreateOrder",
                "ecs:ReplaceSystemDisk"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ecs:PasswordCustomized": [
                        "true"
                    ]
                },
                "StringEquals": {
                    "ecs:ImagePlatform": "linux"
                }
            },
            "Effect": "Deny"
        },
        {
            "Action": [
                "ecs:ModifyInstanceAttribute",
                "ecs:InvokeCommand",
                "ecs:AttachDisk"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ecs:PasswordCustomized": [
                        "true"
                    ]
                }
            },
            "Effect": "Deny"
        }
    ]
}

Prohibit a RAM user from using an image's preset password to log on to an ECS instance

You can configure the following policy to prevent a RAM user from using the password that is preset in an image to log on to an instance. This restriction applies when the user purchases an instance or replaces a system disk.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance",
                "ecs:CreateOrder",
                "ecs:ReplaceSystemDisk"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ecs:PasswordInherit": [
                        "true"
                    ]
                }
            },
            "Effect": "Deny"
        }
    ]
}

Prohibit a RAM user from creating security group rules that contain 0.0.0.0/0

A security group rule that allows access from 0.0.0.0/0 allows all external IP addresses to access the ECS instances, which increases security risks. The following policy prohibits a RAM user from adding security group rules that contain 0.0.0.0/0 or from using the default security group when creating an ECS instance.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ecs:AuthorizeSecurityGroup",
        "ecs:ConfigureSecurityGroupPermissions",
        "ecs:ModifySecurityGroupRule"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "ecs:SecurityGroupIpProtocols": [
            "TCP"
          ],
          "ecs:SecurityGroupSourceCidrIps": [
            "0.0.0.0/0"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:CreateInstance",
        "ecs:RunInstances"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ecs:NotSpecifySecureGroupId": [
            "true"
          ]
        }
      }
    }
  ]
}
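Policies such as the one above combine several condition entries under one operator, and it is easy to repeat an operator key when editing a policy by hand; JSON parsers then keep only the last entry and the other condition is silently dropped, which widens or narrows the Deny without any error. The following is an added check, not part of the Alibaba Cloud documentation: it rejects policies with duplicate keys and flags unconditional Allow statements that cover all actions on all resources. The policy text it lints is constructed for the example.

```python
# Added lint for RAM policy JSON, not from the Alibaba Cloud documentation.
import json

def _no_dupes(pairs):
    # object_pairs_hook: plain json.loads would keep only the last of two identical keys.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}; merge the entries under one key")
        obj[key] = value
    return obj

def lint_policy(text):
    # Return a list of findings; an empty list means the policy passed these checks.
    findings = []
    try:
        policy = json.loads(text, object_pairs_hook=_no_dupes)
    except ValueError as exc:  # JSONDecodeError is a ValueError, as is the duplicate-key error
        return [f"parse error: {exc}"]
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if st["Effect"] == "Allow" and "Condition" not in st:
            if any(a in ("*", "ecs:*") for a in actions) and "*" in resources:
                findings.append(f"statement {i}: unconditional Allow of {actions} on all resources")
        for a in actions:
            if " " in a:
                findings.append(f"statement {i}: action {a!r} contains whitespace")
    return findings

# Constructed sample: the same operator key repeated, so one of the two conditions would be lost.
DUPLICATE_CONDITION = '''{"Version":"1","Statement":[{"Effect":"Deny","Action":"ecs:AuthorizeSecurityGroup","Resource":"*",
 "Condition":{"ForAnyValue:StringLike":{"ecs:SecurityGroupIpProtocols":["TCP"]},
              "ForAnyValue:StringLike":{"ecs:SecurityGroupSourceCidrIps":["0.0.0.0/0"]}}}]}'''
```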

Restrict a RAM user to accessing instance metadata only in security-hardened mode

You can use the following policy to require all RAM users to access instance metadata only in Security-hardened Mode. This restriction applies when a RAM user creates an instance by calling the RunInstances or CreateInstance API operation, or modifies instance metadata by calling the ModifyInstanceMetadataOptions API operation. The policy document is as follows:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance",
        "ecs:ModifyInstanceMetadataOptions"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:SecurityHardeningMode": ["false"]
        }
      }
    }
  ]
}