如果火山引擎提供的系统预设策略不满足您的需求，您可通过创建自定义策略，遵循最小授权原则，进行更精细化的权限管控，以提升IAM身份对主账号下资源的安全访问。本文为您介绍日常场景中常见的云服务器ECS相关的自定义策略示例，供您参考。 ## 背景信息 * 创建自定义策略的具体操作，请参见[新建自定义策略](https://www.volcengine.com/docs/6257/1158323)。 * 创建自定义策略需要遵循基本的结构和语法，关于策略元素配置的详细介绍，请参见[策略语法](https://www.volcengine.com/docs/6257/1134322)。 * [通用自定义策略示例](https://www.volcengine.com/docs/6257/1253728)一文中提供了多种常见的自定义策略语法示例，供您参考。 * 下述示例中Action下列举的API操作名称，请从[API列表](https://www.volcengine.com/docs/6396/70454)中获取。 * ECS可授权的资源TRN格式请参见[资源（Resource）](https://www.volcengine.com/docs/6257/1134319)。 ## 自定义策略示例 ### 允许访问特定项目下的资源 ```JSON { "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInstances" ], "Resource": [ "trn:ecs:*:210005****:instance/*", "trn:iam::210005****:project/default" ] } ] } ``` 该策略表示允许对210005\*\*\*\*账号下属于“default”项目的实例进行查看操作。按项目授权时，您还需要在原有的添加策略授权的基础上，额外选择项目范围，从而将权限限定在指定的项目中。 ![图片](https://portal.volccdn.com/obj/volcfe/cloud-universal-doc/upload_3d250f31cd603f27ba4670ec38cfc237.png =430x) ### 拒绝删除ECS实例 :::tip Deny的优先级高于Allow，当身份对某些操作存在Deny权限时，再次赋予这些操作的Allow权限将无法生效，需要将相应的Deny声明去除或更改为Allow。 ::: #### 拒绝删除全部实例 ```json { "Statement": [ { "Effect": "Deny", "Action": [ "ecs:DeleteInstance", "ecs:DeleteInstances" ], "Resource": [ "*" ] } ] } ``` #### 拒绝删除200000000X账号下实例ID为i\-yczzpbpgqoqc6ilc\*\*\*\*、i\-yczv4tg64gqc6iks\*\*\*\*的ECS资源 ```json { "Statement": [ { "Effect": "Deny", "Action": [ "ecs:Delete*" ], "Resource": [ "trn:ecs:*:200000000X:instance/i-yczzpbpgqoqc6ilc****,i-yczv4tg64gqc6iks****" ] } ] } ``` ### 允许创建ECS实例 ```json { "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunInstances" ], "Resource": [ "*" ] } ] } ``` ### 拒绝修改ECS实例信息 ```json { "Statement": [ { "Effect": "Deny", "Action": [ "ecs:ModifyInstanceAttribute" ], "Resource": [ "*" ] } ] } ``` ### 限制访问ECS实例 #### 允许操作200000000X账号下实例ID为i\-yczzpbpgqoqc6ilc\*\*\*\*的ECS实例 ```json { "Statement": [ { "Effect": "Allow", "Action": [ "ecs:*" ], "Resource": [ "trn:ecs:*:200000000X:instance/i-yczzpbpgqoqc6ilc****" ] } ] } ``` #### 允许查看ECS资源 ```json { "Statement": [ { "Effect": "Allow", "Action": [ "ecs:Desceibe*" ], "Resource": [ "*" ] } ] } ``` ### 通过指定的IP地址访问ECS ```json { "Statement": [ { "Effect": "Allow", "Action": [ "ecs:*" ], "Resource": [ "*" ], "Condition": { "IpAddress": { "volc:SourceIp": [ "210.22.XX.XX" ] } } } ] } ``` ### 仅允许访问标签键为“ecs”，且条件值为“use”的ECS资源 ```json { "Statement": [ { "Effect": "Allow", "Action": [ "ecs:*" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "volc:ResourceTag/ecs": [ "use" ] } } } ] } ``` ### 允许使用标签功能 ```json { "Statement": [ { "Effect": "Allow", "Action": [ "ecs:CreateTags", "ecs:DeleteTags", "ecs:DescribeTags" ], "Resource": [ "*" ] } ] } ``` ### 拒绝删除密钥对 ```json { "Statement": [ { "Effect": "Deny", "Action": [ "ecs:DeleteKeyPairs" ], "Resource": [ "*" ] } ] } ``` ### 仅允许流程编排任务申请、查询及绑定公网IP ```json { "Statement":[ { "Effect":"Allow", "Action":[ "vpc:AllocateEipAddress", "vpc:DescribeEipAddresses", "vpc:AssociateEipAddress" ], "Resource":["*"] } ] } ``` ### 限制仅部分子账号可以使用目标自定义命令 ```json { "Statement": [ { "Effect": "Allow", "Action": [ "ecs:Describe*", "ecs:ModifyCommand", "ecs:InvokeCommand" ], "Resource": [ "trn:ecs:cn-beijing:210001*****:command/cmd-ycn5dc9qf9l8j0v*****", "trn:ecs:cn-beijing:210001*****:command/cmd-tsx0gy9rslp90k3z*****" ] } ] } ``` ##