Resource Management Control Policies in Alibaba Cloud
Resource Access Management (RAM) Control Policies provide powerful mechanisms to enforce account-level access restrictions and governance policies in Alibaba Cloud. These policies enable organizations to implement fine-grained access controls, compliance requirements, and security best practices across their cloud infrastructure.
Understanding RAM Control Policies
RAM Control Policies are JSON-based policies that define permissions and restrictions for RAM users, roles, and groups. They enable organizations to:
- Enforce least privilege access
- Implement compliance requirements
- Control resource creation and modification
- Manage multi-account environments
Policy Structure
Basic Policy Format
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:Describe*",
      "Resource": "*"
    }
  ]
}
Policy Elements
- Version: Policy language version (typically "1")
- Statement: Array of permission statements
- Effect: "Allow" or "Deny"
- Action: API actions to allow or deny
- Resource: Resources the policy applies to
- Condition: Optional conditions for policy enforcement
Account-Level Restrictions
Restrict Region Access
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "acs:Region": ["cn-hangzhou", "cn-shanghai"]
        }
      }
    }
  ]
}
Restrict Resource Creation
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateInstance",
        "ecs:RunInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:InstanceType": ["ecs.t5-lc1m1.small", "ecs.t5-lc1m2.small"]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:CreateInstance",
        "ecs:RunInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ecs:InstanceType": ["ecs.t5-lc1m1.small", "ecs.t5-lc1m2.small"]
        }
      }
    }
  ]
}
Require Resource Tagging
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:CreateInstance",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:tag/Environment": ["production", "staging"]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ecs:CreateInstance",
      "Resource": "*",
      "Condition": {
        "Null": {
          "ecs:tag/Environment": "true"
        }
      }
    }
  ]
}
Common Control Policies
Prevent Deletion of Critical Resources
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ecs:DeleteInstance",
        "rds:DeleteDBInstance",
        "oss:DeleteBucket"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:tag/Critical": "true"
        }
      }
    }
  ]
}
Enforce MFA for Sensitive Operations
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ram:CreateUser",
        "ram:DeleteUser",
        "ram:AttachPolicyToUser"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "false"
        }
      }
    }
  ]
}
Restrict Root Account Usage
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:PrincipalType": "Root"
        }
      }
    }
  ]
}
Enforce Encryption
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:PutObject",
        "ecs:CreateDisk"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "oss:x-oss-server-side-encryption": "false"
        }
      }
    }
  ]
}
Implementing Control Policies
Attach Policy to RAM User
# Create policy
aliyun ram CreatePolicy \
--PolicyName "restrict-regions" \
--PolicyDocument file://restrict-regions-policy.json \
--Description "Restrict resource creation to specific regions"
# Attach to user
aliyun ram AttachPolicyToUser \
--PolicyName "restrict-regions" \
--PolicyType "Custom" \
--UserName "developer"
Attach Policy to RAM Group
# Attach policy to group
aliyun ram AttachPolicyToGroup \
--PolicyName "restrict-regions" \
--PolicyType "Custom" \
--GroupName "developers"
Attach Policy to RAM Role
# Attach policy to role
aliyun ram AttachPolicyToRole \
--PolicyName "restrict-regions" \
--PolicyType "Custom" \
--RoleName "ecs-role"
Policy Evaluation Logic
Evaluation Order
- Explicit Deny: a matching Deny statement overrides every Allow
- Explicit Allow: a matching Allow statement grants the permission
- Implicit Deny: anything not explicitly allowed is denied by default
Multiple Policies
When multiple policies apply:
- All policies are evaluated
- Any explicit deny results in denial
- At least one explicit allow is required for access
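To make the evaluation order concrete, here is an added example (not Alibaba Cloud's evaluation engine and not code from this page's author): a small Python simulator that applies explicit Deny over explicit Allow over implicit Deny across all attached policies, run against a constructed policy set shaped like the region, MFA and tagging policies above. It models the StringEquals, StringNotEquals, Bool and Null operators those policies use. How each operator treats a condition key that is absent from the request is an assumption made in this example, not documented behaviour; the request contexts are constructed, and the condition keys are the ones the page's policies use.

```python
"""Added example: a simulator of RAM policy evaluation order (not Alibaba Cloud's own engine).

Assumptions made here, not documented behaviour: StringNotEquals matches when the key is
absent from the request; StringEquals and Bool do not; "Null": "true" matches exactly
when the key is absent.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """Action, Resource and condition values may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def pattern_matches(pattern, value):
    """'*' in an Action or Resource pattern is a wildcard; matching is case-insensitive."""
    return fnmatchcase(value.lower(), pattern.lower())


def condition_matches(condition, context):
    """Every key under every operator must match for the Condition block to apply.

    `context` maps condition keys (e.g. "acs:Region") to the request's value; a key that is
    missing from the dict models a request that did not carry that attribute.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            present = actual is not None
            actual_value = str(actual).lower() if present else None
            expected_values = [str(v).lower() for v in _as_list(expected)]
            if operator == "StringEquals":
                ok = present and actual_value in expected_values
            elif operator == "StringNotEquals":
                ok = (not present) or actual_value not in expected_values
            elif operator == "Bool":
                ok = present and actual_value == expected_values[0]
            elif operator == "Null":
                ok = (not present) == (expected_values[0] == "true")
            else:
                raise ValueError(f"operator {operator!r} is not modelled in this example")
            if not ok:
                return False
    return True


def evaluate(policies, action, context, resource="*"):
    """All policies are evaluated; any matching Deny wins, else Allow, else implicit Deny."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not any(pattern_matches(p, action) for p in _as_list(statement["Action"])):
                continue
            if not any(pattern_matches(p, resource) for p in _as_list(statement["Resource"])):
                continue
            if not condition_matches(statement.get("Condition", {}), context):
                continue
            if statement["Effect"] == "Deny":
                return "Deny (explicit)"
            allowed = True
    return "Allow" if allowed else "Deny (implicit)"


# Constructed policy set: one policy with the Allows, one with deny-style guard rails
# modelled on the region, MFA and tag-enforcement policies discussed on this page.
POLICIES = [
    {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ["ecs:Describe*", "ram:CreateUser"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ecs:CreateInstance", "Resource": "*",
         "Condition": {"StringEquals": {"ecs:tag/Environment": ["production", "staging"]}}},
    ]},
    {"Version": "1", "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringNotEquals": {"acs:Region": ["cn-hangzhou", "cn-shanghai"]}}},
        {"Effect": "Deny", "Action": "ram:CreateUser", "Resource": "*",
         "Condition": {"Bool": {"acs:MFAPresent": "false"}}},
        {"Effect": "Deny", "Action": "ecs:CreateInstance", "Resource": "*",
         "Condition": {"Null": {"ecs:tag/Environment": "true"}}},
    ]},
]


def decisions():
    """Constructed request contexts and the decision the simulator reaches for each."""
    hz = {"acs:Region": "cn-hangzhou"}
    return {
        "describe in allowed region": evaluate(POLICIES, "ecs:DescribeInstances", hz),
        "describe outside region": evaluate(POLICIES, "ecs:DescribeInstances", {"acs:Region": "us-west-1"}),
        "create user without MFA": evaluate(POLICIES, "ram:CreateUser", {**hz, "acs:MFAPresent": "false"}),
        "create user with MFA": evaluate(POLICIES, "ram:CreateUser", {**hz, "acs:MFAPresent": "true"}),
        "create instance untagged": evaluate(POLICIES, "ecs:CreateInstance", hz),
        "create instance tagged dev": evaluate(POLICIES, "ecs:CreateInstance", {**hz, "ecs:tag/Environment": "dev"}),
        "create instance tagged prod": evaluate(POLICIES, "ecs:CreateInstance", {**hz, "ecs:tag/Environment": "production"}),
        "delete disk with no allow": evaluate(POLICIES, "ecs:DeleteDisk", hz),
    }


if __name__ == "__main__":
    for scenario, result in decisions().items():
        print(f"{scenario:30} -> {result}")
```

The "tagged dev" case is the instructive one: neither the Allow (wrong tag value) nor the Null-based Deny (the tag is present) matches, so the request falls through to the implicit deny rather than to an explicit one. A simulator like this is a cheap way to exercise the "Test Policies" practice before a policy reaches a real account.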
Best Practices
Policy Design
- Start Restrictive: Begin with deny-all, then add specific allows
- Use Conditions: Leverage conditions for fine-grained control
- Document Policies: Include clear descriptions
- Test Policies: Test in non-production environments first
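The "Policy Elements" list and the "Policy Design" practices above both lend themselves to an automated check that runs before a policy is deployed. Here is an added example (not an Alibaba Cloud tool and not code from this page's author): a Python linter that validates the policy structure (Version, Statement, Effect, Action, Resource) and flags the patterns that contradict "start restrictive" and least privilege, such as an unconditional Allow on every action and resource. The rules, the severities and the three sample policy documents are this example's own constructions; the condition operators it recognises are the ones used on this page.

```python
"""Added example: a structural and least-privilege linter for RAM policy documents.

The rules below are this example's own; they are not a published Alibaba Cloud check list.
"""
import json

VALID_EFFECTS = {"Allow", "Deny"}
# Operators used on this page; anything else is flagged for review rather than rejected.
KNOWN_OPERATORS = {"StringEquals", "StringNotEquals", "Bool", "Null"}
READ_ONLY_PREFIXES = ("describe", "list", "get")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_broad(action):
    """A wildcard action that is not obviously read-only: "*" or "ecs:*", but not "ecs:Describe*"."""
    name = action.split(":")[-1].lower()
    return "*" in name and not name.startswith(READ_ONLY_PREFIXES)


def lint_policy(document):
    """Return (severity, message) findings for a policy given as JSON text or as a dict."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    if policy.get("Version") != "1":
        findings.append(("error", 'Version must be the string "1"'))
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        findings.append(("error", "Statement must be a non-empty array"))
        return findings
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        effect = stmt.get("Effect")
        if effect not in VALID_EFFECTS:
            findings.append(("error", f"{where}: Effect must be Allow or Deny, got {effect!r}"))
        for field in ("Action", "Resource"):
            if field not in stmt:
                findings.append(("error", f"{where}: missing {field}"))
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        condition = stmt.get("Condition", {})
        for operator in condition:
            if operator not in KNOWN_OPERATORS:
                findings.append(("warning", f"{where}: unrecognised condition operator {operator!r}"))
        # Least privilege: an Allow with no Condition on wildcard actions is the opposite of
        # "start restrictive"; on "*"/"*" it is effectively an administrator grant.
        if effect == "Allow" and not condition:
            if "*" in actions and "*" in resources:
                findings.append(("error", f"{where}: unconditional Allow on all actions and all resources"))
            elif any(_is_broad(a) for a in actions):
                findings.append(("warning", f"{where}: wildcard Allow on non-read-only actions without a Condition"))
        if effect == "Deny" and "*" in actions and not condition:
            findings.append(("warning", f"{where}: unconditional deny-all; every request will be denied"))
    return findings


# Constructed inputs for the demo: the first is shaped like this page's region-restriction
# policy and should lint clean; the other two deliberately break the rules above.
REGION_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"acs:Region": ["cn-hangzhou", "cn-shanghai"]}}}]})
ADMIN_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
MALFORMED_POLICY = json.dumps({"Version": "2", "Statement": [
    {"Effect": "Permit", "Action": "ecs:*"}]})


def lint_examples():
    """Lint the three constructed documents; returns name -> findings."""
    samples = [("region", REGION_POLICY), ("admin", ADMIN_POLICY), ("malformed", MALFORMED_POLICY)]
    return {name: lint_policy(doc) for name, doc in samples}


if __name__ == "__main__":
    for name, findings in lint_examples().items():
        print(name, "->", findings or "clean")
```

Wired into the version-control pipeline the "Management" practices below recommend, a check like this turns "Test Policies" into a gate: a policy that fails structural validation or carries an unconditional broad Allow never reaches `aliyun ram CreatePolicy`.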
Security
- Least Privilege: Grant minimum necessary permissions
- Regular Audits: Review policies regularly
- MFA Enforcement: Require MFA for sensitive operations
- Tag Enforcement: Require proper resource tagging
Management
- Version Control: Store policies in version control
- Policy Templates: Create reusable policy templates
- Automation: Automate policy deployment
- Monitoring: Monitor policy violations and access attempts
Monitoring and Auditing
View Policy Attachments
# List policies attached to user
aliyun ram ListPoliciesForUser \
--UserName "developer"
# List users with specific policy
aliyun ram ListEntitiesForPolicy \
--PolicyName "restrict-regions" \
--PolicyType "Custom"
Audit Logs
- ActionTrail: Track all API calls
- RAM Logs: Monitor RAM-related activities
- CloudMonitor: Set up alerts for policy violations
Common Use Cases
Multi-Account Governance
- Enforce consistent policies across accounts
- Implement organizational standards
- Control resource provisioning
Compliance Requirements
- Enforce encryption requirements
- Require resource tagging
- Restrict data residency
Cost Control
- Limit instance types
- Restrict region usage
- Enforce resource limits
Conclusion
RAM Control Policies provide powerful mechanisms for implementing account-level access restrictions and governance in Alibaba Cloud. By leveraging these policies, organizations can enforce security best practices, compliance requirements, and operational standards across their cloud infrastructure.
Effective use of control policies requires careful design, regular auditing, and continuous refinement to balance security requirements with operational needs while maintaining the flexibility required for agile cloud operations.