ECS Custom Policy Examples
Last updated: 2024.08.14 17:44:24  First published: 2024.04.23 18:45:29

If the system-preset policies provided by Volcengine do not meet your needs, you can create custom policies that follow the principle of least privilege for finer-grained permission control, improving the security of IAM identities' access to resources under the primary account. This document introduces custom policy examples for common day-to-day scenarios involving the ECS cloud server service, for your reference.

Custom policy examples

Deny deletion of ECS instances

Note

Deny takes precedence over Allow. When an identity has a Deny permission for certain operations, granting an Allow permission for those same operations has no effect; the corresponding Deny statement must be removed or changed to Allow.

Deny deletion of all instances

{
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ecs:DeleteInstance",
                "ecs:DeleteInstances"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Deny deletion of the ECS resources with instance IDs i-yczzpbpgqoqc6ilc**** and i-yczv4tg64gqc6iks**** under account 200000000X

{
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ecs:Delete*"
            ],
            "Resource": [
                "trn:ecs:*:200000000X:instance/i-yczzpbpgqoqc6ilc****",
                "trn:ecs:*:200000000X:instance/i-yczv4tg64gqc6iks****"
            ]
        }
    ]
}

Allow creation of ECS instances

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:RunInstances"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Deny modification of ECS instance information

{
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ecs:ModifyInstanceAttribute"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Restrict access to ECS instances

Allow operations on the ECS instance with ID i-yczzpbpgqoqc6ilc**** under account 200000000X

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:*"
            ],
            "Resource": [
                "trn:ecs:*:200000000X:instance/i-yczzpbpgqoqc6ilc****"
            ]
        }
    ]
}

Allow viewing ECS resources

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:Describe*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Access ECS only from a specified IP address

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "IpAddress": {
                    "volc:SourceIp": [
                        "210.22.XX.XX"
                    ]
                }
            }
        }
    ]
}

Allow access only to ECS resources whose tag key is "ecs" and whose tag value is "use"

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "volc:ResourceTag/ecs": [
                        "use"
                    ]
                }
            }
        }
    ]
}
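To make the Deny-over-Allow rule from the note above and the tag-condition policy just shown concrete, here is an added Python sketch of a policy evaluator; it is not Volcengine's own evaluation engine. It matches Action and Resource strings with shell-style globbing, so the masked `****` suffixes copied from the page act as wildcards here (an assumption for demonstration only), and it implements only the StringEquals condition operator.

```python
import fnmatch

# Constructed policies, adapted from the examples on this page.
ALLOW_ALL_ECS = {"Statement": [
    {"Effect": "Allow", "Action": ["ecs:*"], "Resource": ["*"]}]}
DENY_DELETE_TWO = {"Statement": [
    {"Effect": "Deny", "Action": ["ecs:Delete*"],
     "Resource": ["trn:ecs:*:200000000X:instance/i-yczzpbpgqoqc6ilc****",
                  "trn:ecs:*:200000000X:instance/i-yczv4tg64gqc6iks****"]}]}
TAG_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["ecs:*"], "Resource": ["*"],
     "Condition": {"StringEquals": {"volc:ResourceTag/ecs": ["use"]}}}]}


def _match(patterns, value):
    """Case-sensitive glob match; '*' in a pattern matches any run of characters."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(cond, ctx):
    """Only StringEquals is implemented; any other operator is treated as not matching."""
    for op, kv in cond.items():
        if op != "StringEquals":
            return False
        for key, values in kv.items():
            if ctx.get(key) not in values:
                return False
    return True


def evaluate(policies, action, resource, ctx=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    A matching Deny wins regardless of statement order; with no matching
    statement at all the request is implicitly denied.
    """
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            if not _match(st["Action"], action) or not _match(st["Resource"], resource):
                continue
            if not _condition_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"  # explicit Deny overrides any Allow
            decision = "Allow"
    return decision
```

The masked instance IDs on the page are placeholders; with real IDs the Resource patterns match exactly one instance each.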

Allow use of the tag feature

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:CreateTags",
                "ecs:DeleteTags",
                "ecs:DescribeTags"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Deny deletion of key pairs

{
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ecs:DeleteKeyPairs"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Allow workflow orchestration tasks only to allocate, query, and associate public IPs (EIPs)

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpc:AllocateEipAddress",
                "vpc:DescribeEipAddresses",
                "vpc:AssociateEipAddress"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Restrict use of specified custom commands to selected sub-accounts

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:Describe*",
                "ecs:ModifyCommand",
                "ecs:InvokeCommand"
            ],
            "Resource": [
                "trn:ecs:cn-beijing:210001*****:command/cmd-ycn5dc9qf9l8j0v*****",
                "trn:ecs:cn-beijing:210001*****:command/cmd-tsx0gy9rslp90k3z*****"
            ]
        }
    ]
}

Related documents

General custom policy examples: that document provides a variety of common custom policy syntax examples for your reference.

Appendix: ECS resources that can be authorized

The TRN formats of the ECS resources that can be authorized are shown in the table below:

Product        ServiceCode   Resource type   ResourceType   TRN format
Cloud server   ecs           Instance        instance       trn:ecs:{region}:{account}:instance/{instanceid}
                             Key pair        keypair        trn:ecs:{region}:{account}:keypair/{keypairname}
                             Image           image          trn:ecs:{region}:{account}:image/{imageid}