Updated on 2025-06-26 GMT+08:00

Adding a Security Policy

Scenario

Security policies let you block attackers quickly. You select a block type based on the alert source and the policy blocks the corresponding attackers.

This topic describes how to add a security policy.

Limitations and Constraints

  • In each of your workspaces, you can add up to 300 security policies that support block aging, and a maximum of 2,500 security policies in total. The following limits apply to the blocked objects you can add:
    • For a policy delivered to WAF, each account can add a maximum of 500 IP addresses as blocked objects per delivery.
    • For a policy delivered to VPC, each account can add a maximum of 500 IP addresses as blocked objects once per minute.
  • If an IP address is added to the blacklist, VPC or WAF will block requests from that IP address without checking whether the requests are malicious.
  • To ensure system stability, a maximum of five security policy tasks can be executed at the same time. If there are already five ongoing tasks, no more security policies can be added, retried, or edited.
  • After a security policy is added, its blocked object type and blocked objects, such as IP addresses and IP address ranges, cannot be modified.
  • After a security policy is added, its policy object, policy type, object type, and selected operation connections cannot be modified.

Adding a Security Policy

  1. Log in to the management console.
  2. Click in the upper part of the page and choose Security > SecMaster.
  3. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
  4. In the navigation pane on the left, choose Risk Prevention > Security Policies to go to the Emergency Policies page.
  5. On the Policy View tab displayed by default, click Add Policy. The page for adding a policy slides out from the right of the page.
  6. On the displayed page, configure policy information.

    Table 1 Policy parameters

    Policy Type
      Type of the policy. You can select Block or Allow.
      • Block: Access from the policy object is denied.
      • Allow: Access from the policy object is allowed.

    Object Type
      If Policy Type is set to Block, Object Type can be set to IP, Account, or Domain name.
      If Policy Type is set to Allow, Object Type can be set to IP or Domain name.
      Select an object type based on your needs.
      • IP: The policy applies to an IP address or IP address range.
      • Domain name: The policy applies to a domain name.
      • Account: The policy applies to a cloud service account (IAM user).

    Policy Object
      Enter one or more policy objects.
      • If Object Type is set to IP, enter one or more IP addresses or IP address ranges, separated with commas (,).
        Example: IPv4: 192.168.0.0 or 192.168.0.0/12; IPv6: 0:0:0:0:0:0:0:0 or 0:0:0:0:0:0:0:0/128.
      • If Object Type is set to Domain name, enter one or more domain names, separated with commas (,). Enter a maximum of 63 characters. Only letters, digits, hyphens (-), underscores (_), and periods (.) are allowed.
      • If Policy Type is set to Block and Object Type is set to Account, enter one or more cloud service accounts (IAM usernames), separated with commas (,).

    Policy Application Scope
      Select Current region and enterprise project or All regions and enterprise projects based on your needs.

    Operation Connection
      Asset connections associated with the emergency policy process. Select the operation connections for the policy based on your needs.
      • If Policy Type is set to Block and Object Type is set to IP, you can select VPC and WAF operation connections.
      • If Policy Type is set to Allow and Object Type is set to IP, you can select WAF operation connections.

    Auto Expiration
      Whether the policy expires automatically.
      • If you select Yes, set the policy expiration time.
      • If you select No, the policy is always valid.

    Tag (Optional)
      Tag of the custom emergency policy.

    Policy Description (Optional)
      Description of the custom policy.

  7. Click OK.
  8. After adding a security policy, go to the Security Policies page to view the new policy.
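Because a blocked IP address is denied without any further check of whether its requests are malicious, it pays to validate the Policy Object field before submitting it. The following Python pre-check is an added example, not part of this documentation or of SecMaster: it applies the input rules stated in Table 1 (comma-separated entries; IPv4/IPv6 addresses or CIDR ranges; domain names of at most 63 characters using only letters, digits, hyphens, underscores and periods; Account only with Block) and the 500-IP-per-delivery limit from Limitations and Constraints. Applying the 63-character limit per domain name and treating IAM usernames as free-form are assumptions; the function and constant names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Limits and input formats are those stated on this page (Table 1 and
# "Limitations and Constraints"); the 63-character limit is applied per
# domain name here, which is an assumption about the page's wording.
MAX_IPS_PER_DELIVERY = 500
MAX_DOMAIN_LEN = 63
DOMAIN_CHARS = re.compile(r"^[A-Za-z0-9._-]+$")


def split_objects(raw):
    """Split the comma-separated Policy Object field into trimmed, non-empty entries."""
    return [item.strip() for item in raw.split(",") if item.strip()]


def check_ip(item):
    """Return an error string for an invalid IPv4/IPv6 address or CIDR range, else None."""
    try:
        if "/" in item:
            # strict=False accepts ranges like 192.168.0.0/12 whose host bits are set
            ipaddress.ip_network(item, strict=False)
        else:
            ipaddress.ip_address(item)
    except ValueError:
        return f"{item!r} is not a valid IP address or IP address range"
    return None


def check_domain(item):
    """Return an error string for a domain name that breaks the page's rules, else None."""
    if len(item) > MAX_DOMAIN_LEN:
        return f"{item!r} exceeds {MAX_DOMAIN_LEN} characters"
    if not DOMAIN_CHARS.match(item):
        return f"{item!r} contains characters other than letters, digits, '-', '_' and '.'"
    return None


def check_account(item):
    """The page gives no character rules for IAM usernames, so any non-empty entry passes (assumption)."""
    return None


CHECKERS = {"IP": check_ip, "Domain name": check_domain, "Account": check_account}


def validate_policy_object(policy_type, object_type, raw):
    """Return a list of problems with the Policy Object field; an empty list means it is acceptable."""
    if object_type not in CHECKERS:
        return [f"unknown Object Type {object_type!r}"]
    if object_type == "Account" and policy_type != "Block":
        return ["Object Type Account is available only when Policy Type is Block"]
    items = split_objects(raw)
    if not items:
        return ["Policy Object must contain at least one entry"]
    problems = []
    for item in items:
        err = CHECKERS[object_type](item)
        if err:
            problems.append(err)
    # Duplicate entries are flagged so the operator does not silently waste quota.
    for item, count in Counter(items).items():
        if count > 1:
            problems.append(f"{item!r} is listed {count} times")
    if object_type == "IP" and len(items) > MAX_IPS_PER_DELIVERY:
        problems.append(
            f"{len(items)} IP entries exceed the {MAX_IPS_PER_DELIVERY} allowed per delivery")
    return problems


if __name__ == "__main__":
    # Constructed sample input built from the page's own example values.
    sample = "192.168.0.0, 192.168.0.0/12, 0:0:0:0:0:0:0:0, 0:0:0:0:0:0:0:0/128"
    for line in validate_policy_object("Block", "IP", sample) or ["Policy Object is acceptable"]:
        print(line)
```

Run the check on the exact string you intend to paste into the Policy Object field; an empty result means the entries match the documented format and count limits, while each returned line names the entry that would be rejected or the limit that would be exceeded.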