turbot/alicloud
steampipe plugin install alicloud

Table: alicloud_ram_policy - Query Alicloud RAM Policies using SQL

Alicloud RAM Policy is a service within Alibaba Cloud that allows you to manage access permissions to your Alicloud resources. It provides a centralized way to set up and manage policies for various Alicloud resources, including ECS instances, databases, web applications, and more. Alicloud RAM Policy helps you control who has authorization to access and manage your Alicloud resources.

Table Usage Guide

The alicloud_ram_policy table provides insights into RAM policies within Alibaba Cloud Resource Access Management (RAM). As a security administrator, delve into policy-specific details through this table, including policy names, types, descriptions, and creation times. Utilize it to uncover information about policies, such as those with specific permissions, the resources they apply to, and when they were created.

Examples

Basic info

Explore the various policies in your Alicloud RAM to understand their types, descriptions, and default versions. This can be beneficial in managing and reviewing your security settings.

select
policy_name,
policy_type,
description,
default_version,
policy_document
from
alicloud_ram_policy;
select
policy_name,
policy_type,
description,
default_version,
policy_document
from
alicloud_ram_policy;

List system policies

Determine the areas in which system policies are implemented for better understanding of the default versions and descriptions. This can aid in assessing the elements within your Alicloud RAM policy, offering insights into your system's security configuration.

select
policy_name,
policy_type,
description,
default_version,
policy_document
from
alicloud_ram_policy
where
policy_type = 'System';
select
policy_name,
policy_type,
description,
default_version,
policy_document
from
alicloud_ram_policy
where
policy_type = 'System';

List custom policies

Explore which custom policies are in place within your system. This allows you to gain insights into the policy name, type, description, default version, and policy document, helping you better manage and understand your system's security measures.

select
policy_name,
policy_type,
description,
default_version,
policy_document
from
alicloud_ram_policy
where
policy_type = 'Custom';
select
policy_name,
policy_type,
description,
default_version,
policy_document
from
alicloud_ram_policy
where
policy_type = 'Custom';

List policies with statements granting full access

Determine the areas in which policies are granting full access. This is useful for assessing potential security vulnerabilities and ensuring that access permissions align with your organization's security protocols.

select
policy_name,
policy_type,
action,
s ->> 'Effect' as effect
from
alicloud_ram_policy,
jsonb_array_elements(policy_document_std -> 'Statement') as s,
jsonb_array_elements_text(s -> 'Action') as action
where
action in ('*', '*:*')
and s ->> 'Effect' = 'Allow';
select
policy_name,
policy_type,
action.value as action,
json_extract(s.value, '$.Effect') as effect
from
alicloud_ram_policy,
json_each(policy_document_std, '$.Statement') as s,
json_each(s.value, '$.Action') as action
where
action.value in ('*', '*:*')
and json_extract(s.value, '$.Effect') = 'Allow';

Schema for alicloud_ram_policy

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
account_idtext=, !=, ~~, ~~*, !~~, !~~*The Alicloud Account ID in which the resource is located.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
attachment_countbigintThe number of references to the policy.
create_datetimestamp with time zonePolicy creation date
default_versiontextDeafult version of the policy
descriptiontextThe policy description
policy_documentjsonbContains the details about the policy.
policy_document_stdjsonbContains the policy document in a canonical form for easier searching.
policy_nametext=The name of the policy.
policy_typetext=The type of the policy. Valid values: System and Custom.
regiontextThe Alicloud region in which the resource is located.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
titletextTitle of the resource.
update_datetimestamp with time zoneLast time when policy got updated

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- alicloud

You can pass the configuration to the command with the --config argument:

steampipe_export_alicloud --config '<your_config>' alicloud_ram_policy