This document describes how to use custom policy to restrict sub-accounts’ access IPs. After setting the policy, the set IPs will control the sub-accounts’ access to the root account resources.
The product must support limiting access via IP. For more information, see FAQs.
In the following example, the user must be in the 10.217.182.3/24 or 111.21.33.72/24 IP ranges to invoke the cos:PutObject Cloud API call. This is shown in the following figure:
The policy syntax is as follows:
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": "cos:PutObject",
"resource": "*",
"condition": {
"ip_equal": {
"qcs:ip": [
"10.217.182.3/24",
"111.21.33.72/24"
]
}
}
}
]
}
Was this page helpful?