Custom policies can be created as a supplement to the system policies of EIP. For the actions supported for custom policies, see Permissions Policies and Supported Actions.
You can create custom policies in either of the following ways:
For details, see Creating a Custom Policy. The following section contains examples of common EIP custom policies.
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"
vpc:publicIps:create,
vpc:publicIps:list
"
]
}
]
}
A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
Assume that you want to grant the permissions of the VPC FullAccess policy to a user but want to prevent them from releasing EIPs. You can create a custom policy for denying EIP release, and attach both policies to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on EIPs except releasing them. Example policy denying EIP release:
{
"Version": "1.1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"vpc:publicIps:delete"
]
}
]
}
A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level). Example policy containing multiple actions:
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"vpc:publicIps:update",
"vpc:publicIps:create"
]
},
{
"Effect": "Deny",
"Action": [
"vpc:publicIps:delete"
]
}
]
}