This topic describes example system policies for Elastic Compute Service (ECS) to help you understand which permissions common ECS system policies grant and how those policies are structured, so that you can create custom policies based on your needs.

AliyunECSFullAccess

System policy that grants the permissions to manage all ECS resources (ecs:*), plus the permissions to view VPCs and vSwitches
{
    "Version": "1",
    "Statement": [
        {
            "Action": "ecs:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunECSReadOnlyAccess

System policy that grants read-only permissions (ecs:Describe* and ecs:List*) on ECS resources, plus the permissions to view VPCs and vSwitches
{
    "Version": "1",
    "Statement": [
        {
            "Action": "ecs:Describe*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ecs:List*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunECSNetworkInterfaceManagementAccess

System policy that grants the permissions to manage elastic network interfaces (ENIs)
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DescribeVSwitchAttributes"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunECSAssistantFullAccess

System policy that grants the permissions to manage Cloud Assistant commands, invocations, file delivery, managed instances, and activations. Because the Resource scope covers every instance, command, and activation (acs:ecs:*:*:instance/*, command/*, activation/*), a grantee can run commands on and deliver files to any ECS instance; narrow the Resource scope in a custom policy if that is not intended.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTag*",
                "ecs:*Command",
                "ecs:DescribeCommand*",
                "ecs:DescribeInvocation*",
                "ecs:StopInvocation",
                "ecs:*CloudAssistant*",
                "ecs:SendFile",
                "ecs:DescribeSendFileResults",
                "ecs:*ManagedInstance",
                "ecs:DescribeManagedInstances",
                "ecs:*Activation",
                "ecs:DescribeActivations"
            ],
            "Resource": [
                "acs:ecs:*:*:instance/*",
                "acs:ecs:*:*:command/*",
                "acs:ecs:*:*:activation/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "archiving.ecs.aliyuncs.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings",
                "ecs:UpdateServiceSettings"
            ],
            "Resource": [
                "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
            ]
        }
    ]
}

AliyunECSAssistantReadonlyAccess

System policy that grants the permissions to view Cloud Assistant commands, invocations, file-delivery results, managed instances, and activations
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTag*",
                "ecs:DescribeCommand*",
                "ecs:DescribeInvocation*",
                "ecs:DescribeCloudAssistant*",
                "ecs:DescribeSendFileResults",
                "ecs:DescribeManagedInstances",
                "ecs:DescribeActivations"
            ],
            "Resource": [
                "acs:ecs:*:*:instance/*",
                "acs:ecs:*:*:command/*",
                "acs:ecs:*:*:activation/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings"
            ],
            "Resource": [
                "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
            ]
        }
    ]
}

AliyunECSImageExportRolePolicy

System policy that grants the permissions required to export images. Note that the OSS permissions, including oss:PutObject and oss:DeleteObject, are granted on all buckets (Resource "*") rather than only on the bucket used for the export.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetObject",
                "oss:PutObject",
                "oss:DeleteObject",
                "oss:GetBucketLocation",
                "oss:AbortMultipartUpload",
                "oss:ListMultipartUploads",
                "oss:ListParts",
                "oss:GetBucketInfo",
                "oss:GetBucketUserQos"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunECSImageImportRolePolicy

System policy that grants the read-only OSS permissions required to import images
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetObject",
                "oss:GetBucketLocation",
                "oss:GetBucketInfo"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunECSInstanceForYundunSysTrustRolePolicy

System policy that grants the permissions required for security-enhanced instances to use the Alibaba Cloud trusted system
{
    "Statement": [
        {
            "Action": [
                "yundun-systrust:GenerateNonce",
                "yundun-systrust:GenerateAikcert",
                "yundun-systrust:RegisterMessage",
                "yundun-systrust:PutMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ],
    "Version": "1"
}

AliyunECSDiskEncryptRolePolicy

System policy that grants the permissions required to encrypt disks. The kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey permissions apply to all KMS keys (Resource acs:kms:*:*:*/*) rather than to a specific key.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "kms:List*",
                "kms:DescribeKey",
                "kms:TagResource",
                "kms:UntagResource"
            ],
            "Resource": [
                "acs:kms:*:*:*",
                "acs:kms:*:*:*/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "acs:kms:*:*:*/*"
            ],
            "Effect": "Allow"
        }
    ]
}

AliyunServiceRolePolicyForECSAutoProvisioning

System policy that grants the permissions required by the Auto Provisioning service role. Note that it includes ram:PassRole, which a Condition restricts to roles passed to the ecs.aliyuncs.com and oos.aliyuncs.com services.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateInstance",
                "ecs:RunInstances",
                "ecs:StartInstance",
                "ecs:AllocatePublicIpAddress",
                "ecs:StopInstance",
                "ecs:DeleteInstance",
                "ecs:DescribeInstances",
                "ecs:DescribeInstanceAttribute",
                "ecs:ModifyInstanceAttribute",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeImages",
                "ecs:DescribeSnapshots",
                "ecs:DescribeKeyPairs",
                "ecs:CreateLaunchTemplate",
                "ecs:DescribeLaunchTemplates",
                "ecs:DescribeLaunchTemplateVersions",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeHpcClusters",
                "ecs:DescribeImageFromFamily",
                "slb:DescribeLoadBalancerAttribute",
                "slb:RemoveBackendServers",
                "slb:DescribeHealthStatus",
                "slb:AddBackendServers",
                "slb:SetBackendServers",
                "slb:DescribeLoadBalancers",
                "slb:DescribeVServerGroups",
                "slb:DescribeVServerGroupAttribute",
                "slb:AddVServerGroupBackendServers",
                "slb:RemoveVServerGroupBackendServers",
                "slb:DescribeMasterSlaveServerGroupAttribute",
                "slb:DescribeMasterSlaveServerGroups",
                "slb:SetVServerGroupAttribute",
                "slb:DescribeLoadBalancerUDPListenerAttribute",
                "slb:DescribeLoadBalancerHTTPListenerAttribute",
                "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                "slb:DescribeLoadBalancerTCPListenerAttribute",
                "rds:ModifySecurityIps",
                "rds:DescribeDBInstanceAttribute",
                "rds:DescribeTaskInfo",
                "rds:DescribeDBInstanceIPArrayList",
                "oos:GetTemplate",
                "oos:StartExecution",
                "ecs:DescribeUserData",
                "ecs:DescribeInstanceRamRole",
                "ecs:DescribeDisks",
                "ecs:DescribeAutoSnapshotPolicyEx",
                "ecs:DescribeDedicatedHosts",
                "ecs:DescribeDedicatedHostTypes"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "mns:ListTopic",
                "mns:ListQueue",
                "mns:SendMessage",
                "mns:PublishMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cms:NodeInstall",
                "cms:NodeStatusList",
                "cms:QueryCustomMetricList",
                "cms:ProfileSet",
                "cms:CreateAlert",
                "cms:DeleteAlert",
                "cms:QueryAlert",
                "cms:UpdateAlert",
                "cms:DisableAlert",
                "cms:EnableAlert",
                "cms:CreateAction",
                "cms:GetAction",
                "cms:CreateDimensions",
                "cms:QueryDimensions",
                "cms:UpdateDimensions",
                "cms:QueryMetricList",
                "cms:ListAlarmHistory"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:PassRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:Service": [
                        "ecs.aliyuncs.com",
                        "oos.aliyuncs.com"
                    ]
                }
            }
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "autoprovisioning.ecs.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRolePolicyForECSImageBuilder

System policy that grants the permissions required by the Image Builder service role. The instance, image, and security group actions in the third statement (for example ecs:RunCommand and ecs:DeleteInstance) are restricted by a StringLike Condition to resources that carry the imagepipelineid tag.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oos:CreateTemplate",
                "oos:StartExecution",
                "oos:CancelExecution",
                "oos:ListExecutions",
                "oos:ListTaskExecutions",
                "oos:ListExecutionLogs",
                "oos:DeleteTemplate"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ecs:DescribeAvailableResource",
                "ecs:DescribeInstances",
                "ecs:DescribeCloudAssistantStatus",
                "ecs:DescribeImages",
                "ecs:DescribeInvocations",
                "ecs:DescribeInvocationResults",
                "ecs:CreateSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:CancelCopyImage",
                "ecs:RunInstances",
                "ecs:CopyImage",
                "ecs:DeleteSnapshot"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ecs:RebootInstance",
                "ecs:DeleteInstance",
                "ecs:DeleteImage",
                "ecs:DescribeImageSharePermission",
                "ecs:DeleteSecurityGroup",
                "ecs:ModifyImageSharePermission",
                "ecs:InstallCloudAssistant",
                "ecs:RunCommand",
                "ecs:StopInstance",
                "ecs:CreateImage"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ecs:tag/imagepipelineid": "*"
                }
            }
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs",
                "vpc:CreateVpc",
                "vpc:CreateVSwitch",
                "vpc:DeleteVSwitch",
                "vpc:DeleteVpc"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "imagebuilder.ecs.aliyuncs.com"
                }
            }
        }
    ]
}