Control access to resources by using RAM users - Security| Alibaba Cloud Documentation Center

In scenarios where multiple users simultaneously access resources, you can create multiple RAM users and grant the RAM users permissions based on their roles so that different RAM users can access and manage different resources. This can improve management efficiency and reduce the risk of information leaks. This topic describes how to create a RAM user and attach a policy to the RAM user to control access to Elastic Compute Service (ECS) resources.

Procedure

Create a RAM user.
For more information, see Create a RAM user.
Optional:Create a custom policy.
Alibaba Cloud provides system policies that allow RAM users to access ECS resources. For more information, see Example system policies. If system policies cannot meet your requirements, you can create custom policies. For more information, see Create a custom policy.
If you set Configuration Mode to Script when you create a custom policy on the Create Custom Policy page in the Resource Access Management (RAM) console, you must specify the Action and Resource parameters in Statement. For information about the values of these parameters, see Authentication rules. For information about the values of other parameters, see Policy structure and syntax.
- The following sample policy created by using the code editor allows a RAM user to create pay-as-you-go ECS instances:
```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                    "ecs:DescribeImages", 
                  "vpc:DescribeVpcs", 
                  "vpc:DescribeVSwitches", 
                  "ecs:DescribeSecurityGroups", 
                  "ecs:DescribeKeyPairs",
                  "ecs:DescribeTags", 
                  "ecs:RunInstances"
          ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}
```
- The following sample policy created by using the code editor allows a RAM user to create subscription ECS instances. bss-related API operations can be called to query and pay for subscription orders, and the corresponding system policy is AliyunBSSOrderAccess.
```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                    "ecs:DescribeImages", 
                  "vpc:DescribeVpcs", 
                  "vpc:DescribeVSwitches", 
                  "ecs:DescribeSecurityGroups", 
                  "ecs:DescribeKeyPairs",
                  "ecs:DescribeTags", 
                  "ecs:RunInstances",
                  "bss:DescribeOrderList",
                  "bss:DescribeOrderDetail",
                  "bss:PayOrder",
                  "bss:CancelOrder"
          ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}
```
- The following sample policy created by using the code editor allows a RAM user to query instance and disk information after the user creates an ECS instance:
```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                    "ecs:DescribeInstances", 
                    "ecs:DescribeDisks"
          ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}
```
Attach the policy to the RAM user to grant the user permissions to access ECS resources.
For more information, see Grant permissions to a RAM user.

What to do next

After permissions are granted to the RAM user, the permissions immediately take effect. The RAM user can log on to the RAM console to manage the applicable resources. For more information, see Log on to the console as a RAM user.