This week I got very exciting news: Alibaba Cloud is planning to launch Control Policies for the Resource Management product. It is a feature that I, and several customers I have been working with, have been waiting for for a long time. For those who don’t know what the Resource Management service does, I wrote a very detailed blog post explaining it.
Although this feature is currently in the testing phase and is not publicly available, I got access to it, so I will share with you my first impressions.
What are the Control Policies?
Control Policies are a type of resource organization policy that you can use to manage permissions in your resource organization. Essentially, Control Policies offer central control over the maximum available permissions for all accounts in your organization. In other words, using control policies you can restrict access on an account level and ensure your member accounts stay within your organization’s access control guidelines. Thus, control policies add an extra layer of security to your cloud environment.
How do Control Policies work?
Once an enterprise has created a Resource Directory and a member account for each department, leaving the behaviour of each member account uncontrolled can break operations and maintenance rules and lead to security risks and wasted cost. Control Policies provide that management and control layer: the enterprise centrally defines rules through the master account and applies them to the organizational structure (folders and member accounts) at every level, so that access within each member account stays within the organization’s security, compliance and cost guidelines. For example: prohibit member accounts from registering domain names, prohibit member accounts from deleting log records, and so on.
Control Policies are inherited downward. For example, if Control Policy A is attached to a parent folder and Control Policy B to a child folder, both Control Policy A and Control Policy B take effect in the child folder and in the member accounts under it.
When a RAM user or RAM role in a member account accesses Alibaba Cloud services, Alibaba Cloud will first check the control policy, and then check the RAM permissions in the account.
How to configure Control Policies?
Let’s take a look now at the Alibaba Cloud Console. After enabling Resource Directory for your account, you get access to different features including Create Member Account, Invite Member, Control Policy and Configure, as you can see in the picture below:
1. Create Policy
The first step is to create the Control Policies your organization requires, since by default all folders and member accounts in the Resource Directory are bound to the system policy FullAliyunAccess, which allows any operation on all resources on Alibaba Cloud.
You can create up to 1,500 Control Policies, and up to 10 Control Policies can be attached to each node (folder or member account).
2. Attach Policy
After the Control Policies are successfully created, you need to attach them to the folders or member accounts for them to take effect. You can detach or modify them at any time.
Control Policy examples
Below are some examples of control policies. You can find more examples in the following GitHub repository.
1) It is forbidden to modify and delete RAM users, RAM user groups, and RAM roles
{
  "Statement": [
    {
      "Action": [
        "ram:Attach*",
        "ram:Detach*",
        "ram:BindMFADevice",
        "ram:CreateAccessKey",
        "ram:CreateLoginProfile",
        "ram:CreatePolicyVersion",
        "ram:DeleteAccessKey",
        "ram:DeleteGroup",
        "ram:DeleteLoginProfile",
        "ram:DeletePolicy",
        "ram:DeletePolicyVersion",
        "ram:DeleteRole",
        "ram:DeleteUser",
        "ram:DisableVirtualMFA",
        "ram:AddUserToGroup",
        "ram:RemoveUserFromGroup",
        "ram:SetDefaultPolicyVersion",
        "ram:UnbindMFADevice",
        "ram:UpdateAccessKey",
        "ram:UpdateGroup",
        "ram:UpdateLoginProfile",
        "ram:UpdateRole",
        "ram:UpdateUser"
      ],
      "Resource": "*",
      "Effect": "Deny",
      "Condition": {
        "StringNotLike": {
          "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
        }
      }
    }
  ],
  "Version": "1"
}
2) It is forbidden to create network resources with public network access capabilities, including EIP and NAT gateways
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:AllocateEipAddress",
        "vpc:AllocateEipAddressPro",
        "vpc:AllocateEipSegmentAddress",
        "vpc:CreateNatGateway"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Deny",
      "Condition": {
        "StringNotLike": {
          "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
        }
      }
    }
  ]
}
3) Forbid access to some functions of the cost center
{
  "Statement": [
    {
      "Action": [
        "bss:DescribeOrderList",
        "bss:DescribeOrderDetail",
        "bss:PayOrder",
        "bss:CancelOrder"
      ],
      "Resource": "*",
      "Effect": "Deny",
      "Condition": {
        "StringNotLike": {
          "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
        }
      }
    }
  ],
  "Version": "1"
}
4) It is forbidden to modify user SSO configuration
{
  "Statement": [
    {
      "Action": [
        "ram:SetSamlSsoSettings"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Deny",
      "Condition": {
        "StringNotLike": {
          "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
        }
      }
    }
  ],
  "Version": "1"
}
5) RAM users or RAM roles must use multi-factor authentication (MFA) when deleting certain resources
{
  "Statement": [
    {
      "Action": "ecs:DeleteInstance",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "false"
        }
      }
    }
  ],
  "Version": "1"
}
About Roopu Cloud
If you have any questions or concerns about Alibaba Cloud, you can contact us. We are experts in building and implementing cloud solutions in the Alibaba Cloud platform as well as in other Chinese cloud platforms. Let us help you!