This topic uses an example policy to demonstrate how to authorize a RAM user to restart ECS instances.

The following policy allows the authorized RAM user to restart ECS instances. The ECS instances can be restarted only when MFA is enabled for the RAM user and the RAM user logs on with MFA. To enforce this, the acs:MFAPresent condition key in the Condition element is set to true.

{
  "Statement": [
    {
      "Action": "ecs:RebootInstance",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "true"
        }
      }
    }
  ],
  "Version": "1"
}

Note: The Condition element applies only to the actions that are specified in the policy. You can set the acs:MFAPresent condition key to true or false.
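
Because the key can also be set to false or left out, a policy review should confirm that every Allow statement covering a sensitive action pins acs:MFAPresent to true. The following check is an added example, not part of the original documentation or any Alibaba Cloud tooling; the function names, the sample policies, and the choice of which actions count as sensitive are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies. GOOD mirrors the policy shown above; WEAK is invented.
GOOD = '''{"Statement":[{"Action":"ecs:RebootInstance","Effect":"Allow","Resource":"*",
 "Condition":{"Bool":{"acs:MFAPresent":"true"}}}],"Version":"1"}'''
WEAK = '''{"Statement":[
 {"Action":["ecs:RebootInstance","ecs:DescribeInstances"],"Effect":"Allow","Resource":"*"},
 {"Action":"ecs:StopInstance","Effect":"Allow","Resource":"*",
  "Condition":{"Bool":{"acs:MFAPresent":"false"}}}],"Version":"1"}'''

# Assumption: the reviewer treats these actions as requiring MFA.
SENSITIVE = ["ecs:RebootInstance", "ecs:StopInstance"]


def as_list(value):
    """Policy fields may hold a single value or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def requires_mfa(statement):
    """True only if the Bool condition sets acs:MFAPresent and every value is true."""
    bool_block = statement.get("Condition", {}).get("Bool", {})
    values = as_list(bool_block.get("acs:MFAPresent", []))
    return bool(values) and all(str(v).lower() == "true" for v in values)


def find_unprotected(policy_json, sensitive_actions=SENSITIVE):
    """Return sorted (statement index, action) pairs allowed without an MFA condition."""
    policy = json.loads(policy_json)
    findings = set()
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or requires_mfa(stmt):
            continue
        for pattern in as_list(stmt.get("Action", [])):
            for action in sensitive_actions:
                # Action entries may contain "*" wildcards such as "ecs:*".
                if fnmatchcase(action, pattern):
                    findings.add((index, action))
    return sorted(findings)


if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, find_unprotected(doc))
```

The second statement in WEAK is flagged because its condition matches only sessions without MFA, which is the opposite of the intent described above.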