👉点击这里申请火山引擎VIP帐号,立即体验火山引擎产品>>>
如果火山引擎提供的系统预设策略不满足您的需求,您可通过创建自定义策略,遵循最小授权原则,进行更精细化的权限管控,以提升IAM身份对主账号下资源的安全访问。本文为您介绍日常场景中常见的云服务器ECS相关的自定义策略示例,供您参考。
背景信息
创建自定义策略的具体操作,请参见新建自定义策略。
创建自定义策略需要遵循基本的结构和语法,关于策略元素配置的详细介绍,请参见策略语法。
通用自定义策略示例一文中提供了多种常见的自定义策略语法示例,供您参考。
下述示例中Action下列举的API操作名称,请从API列表中获取。
ECS可授权的资源TRN格式请参见资源(Resource)。
自定义策略示例
允许访问特定项目下的资源
{"Statement": [{"Effect": "Allow","Action": ["ecs:DescribeInstances"],"Resource": ["trn:ecs:*:210005****:instance/*","trn:iam::210005****:project/default"]}]}
该策略表示允许对210005****账号下属于“default”项目的实例进行查看操作。按项目授权时,您还需要在原有的添加策略授权的基础上,额外选择项目范围,从而将权限限定在指定的项目中。
拒绝删除ECS实例
说明
Deny的优先级高于Allow,当身份对某些操作存在Deny权限时,再次赋予这些操作的Allow权限将无法生效,需要将相应的Deny声明去除或更改为Allow。
拒绝删除全部实例
{"Statement": [{"Effect": "Deny","Action": ["ecs:DeleteInstance","ecs:DeleteInstances"],"Resource": ["*"]}]}
拒绝删除200000000X账号下实例ID为i-yczzpbpgqoqc6ilc****、i-yczv4tg64gqc6iks****的ECS资源
{"Statement": [{"Effect": "Deny","Action": ["ecs:Delete*"],"Resource": ["trn:ecs:*:200000000X:instance/i-yczzpbpgqoqc6ilc****,i-yczv4tg64gqc6iks****"]}]}
允许创建ECS实例
{"Statement": [{"Effect": "Allow","Action": ["ecs:RunInstances"],"Resource": ["*"]}]}
拒绝修改ECS实例信息
{"Statement": [{"Effect": "Deny","Action": ["ecs:ModifyInstanceAttribute"],"Resource": ["*"]}]}
限制访问ECS实例
允许操作200000000X账号下实例ID为i-yczzpbpgqoqc6ilc****的ECS实例
{"Statement": [{"Effect": "Allow","Action": ["ecs:*"],"Resource": ["trn:ecs:*:200000000X:instance/i-yczzpbpgqoqc6ilc****"]}]}
允许查看ECS资源
{"Statement": [{"Effect": "Allow","Action": ["ecs:Desceibe*"],"Resource": ["*"]}]}
通过指定的IP地址访问ECS
{"Statement": [{"Effect": "Allow","Action": ["ecs:*"],"Resource": ["*"],"Condition": {"IpAddress": {"volc:SourceIp": ["210.22.XX.XX"]}}}]}
仅允许访问标签键为“ecs”,且条件值为“use”的ECS资源
{"Statement": [{"Effect": "Allow","Action": ["ecs:*"],"Resource": ["*"],"Condition": {"StringEquals": {"volc:ResourceTag/ecs": ["use"]}}}]}
允许使用标签功能
{"Statement": [{"Effect": "Allow","Action": ["ecs:CreateTags","ecs:DeleteTags","ecs:DescribeTags"],"Resource": ["*"]}]}
拒绝删除密钥对
{"Statement": [{"Effect": "Deny","Action": ["ecs:DeleteKeyPairs"],"Resource": ["*"]}]}
仅允许流程编排任务申请、查询及绑定公网IP
{"Statement":[{"Effect":"Allow","Action":["vpc:AllocateEipAddress","vpc:DescribeEipAddresses","vpc:AssociateEipAddress"],"Resource":["*"]}]}
限制仅部分子账号可以使用目标自定义命令
{"Statement": [{"Effect": "Allow","Action": ["ecs:Describe*","ecs:ModifyCommand","ecs:InvokeCommand"],"Resource": ["trn:ecs:cn-beijing:210001*****:command/cmd-ycn5dc9qf9l8j0v*****","trn:ecs:cn-beijing:210001*****:command/cmd-tsx0gy9rslp90k3z*****"]}]}