Cloud Config - Resource Access Management - Alibaba Cloud Documentation Center

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on Cloud Config.

The code (RamCode) in RAM that is used to indicate Cloud Config is config. You can grant permissions on Cloud Config at the operation level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by Config. The following list describes the columns in the table:

Action: the value that you can use in the Action element to specify the operation on a resource.
API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.
Access level: the access level of each action. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.
Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.
Dependent action: other actions that a RAM user or a RAM role must have permissions to perform the action. To successfully call the action, a RAM user or a RAM role must have the permissions to perform the dependent action.

Actions	APIs	Access level	Resource types	Condition keys	Dependent actions
config:ActiveAggregateConfigRules	ActiveAggregateConfigRules	Write	All resources acs:config::{#accountId}:*	N/A	N/A
config:ActiveConfigRules	ActiveConfigRules	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:CreateAggregateCompliancePack	CreateAggregateCompliancePack	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:CreateAggregateConfigRule	CreateAggregateConfigRule	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:CreateAggregateRemediation	CreateAggregateRemediation	Write	All resources acs:config::{#accountId}:*	N/A	N/A
config:CreateAggregator	CreateAggregator	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:CreateCompliancePack	CreateCompliancePack	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:CreateConfigRule	CreateConfigRule	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:CreateRemediation	CreateRemediation	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:DeactiveAggregateConfigRules	DeactiveAggregateConfigRules	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:DeactiveConfigRules	DeactiveConfigRules	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:DeleteAggregateCompliancePacks	DeleteAggregateCompliancePacks	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:DeleteAggregateConfigRules	DeleteAggregateConfigRules	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:DeleteAggregateRemediations	DeleteAggregateRemediations	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:DeleteAggregators	DeleteAggregators	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:DeleteCompliancePacks	DeleteCompliancePacks	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:DeleteConfigRules	DeleteConfigRules	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:DeleteRemediations	DeleteRemediations	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:DescribeCompliance	DescribeCompliance	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:DescribeComplianceSummary	DescribeComplianceSummary	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:DescribeConfigRule	DescribeConfigRule	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:DescribeConfigurationRecorder	DescribeConfigurationRecorder	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:DescribeDeliveryChannels	DescribeDeliveryChannels	List	All resources acs:config::{#accountId}:	N/A	N/A
config:DescribeDiscoveredResource	DescribeDiscoveredResource	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:DescribeEvaluationResults	DescribeEvaluationResults	List	All resources acs:config::{#accountId}:	N/A	N/A
config:DescribeProductComplianceSummary	N/A	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GenerateAggregateCompliancePackReport	GenerateAggregateCompliancePackReport	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:GenerateAggregateConfigRulesReport	GenerateAggregateConfigRulesReport	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:GenerateCompliancePackReport	GenerateCompliancePackReport	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:GenerateConfigRulesReport	GenerateConfigRulesReport	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregateAccountComplianceByPack	GetAggregateAccountComplianceByPack	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregateCompliancePack	GetAggregateCompliancePack	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregateCompliancePackReport	GetAggregateCompliancePackReport	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregateConfigRule	GetAggregateConfigRule	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregateConfigRuleComplianceByPack	GetAggregateConfigRuleComplianceByPack	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregateConfigRuleSummaryByRiskLevel	GetAggregateConfigRuleSummaryByRiskLevel	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregateConfigRulesReport	GetAggregateConfigRulesReport	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregateDiscoveredResource	GetAggregateDiscoveredResource	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregateResourceComplianceByConfigRule	GetAggregateResourceComplianceByConfigRule	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregateResourceComplianceByPack	GetAggregateResourceComplianceByPack	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregateResourceComplianceTimeline	GetAggregateResourceComplianceTimeline	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregateResourceConfigurationTimeline	GetAggregateResourceConfigurationTimeline	List	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregateResourceCountsGroupByRegion	GetAggregateResourceCountsGroupByRegion	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregateResourceCountsGroupByResourceType	GetAggregateResourceCountsGroupByResourceType	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetAggregator	GetAggregator	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetCompliancePack	GetCompliancePack	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetCompliancePackReport	GetCompliancePackReport	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetConfigRule	GetConfigRule	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetConfigRuleComplianceByPack	GetConfigRuleComplianceByPack	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetConfigRuleSummaryByRiskLevel	GetConfigRuleSummaryByRiskLevel	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetConfigRulesReport	GetConfigRulesReport	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetDiscoveredResourceCounts	GetDiscoveredResourceCounts	List	All resources acs:config::{#accountId}:	N/A	N/A
config:GetDiscoveredResourceCountsGroupByRegion	GetDiscoveredResourceCountsGroupByRegion	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetDiscoveredResourceCountsGroupByResourceType	GetDiscoveredResourceCountsGroupByResourceType	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetDiscoveredResourceCountsSummary	N/A	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetDiscoveredResourceSummary	GetDiscoveredResourceSummary	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetManagedRule	N/A	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetResourceComplianceByConfigRule	GetResourceComplianceByConfigRule	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetResourceComplianceByPack	GetResourceComplianceByPack	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetResourceConfigurationTimeline	GetResourceConfigurationTimeline	List	All resources acs:config::{#accountId}:	N/A	N/A
config:GetServiceQuota	N/A	Read	All resources acs:config::{#accountId}:	N/A	N/A
config:GetSupportedResourceTypes	GetSupportedResourceTypes	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListAggregateCompliancePacks	ListAggregateCompliancePacks	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListAggregateConfigRuleEvaluationResults	ListAggregateConfigRuleEvaluationResults	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListAggregateConfigRules	ListAggregateConfigRules	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListAggregateDiscoveredResourceRelations	N/A	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListAggregateDiscoveredResources	ListAggregateDiscoveredResources	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListAggregateRemediations	ListAggregateRemediations	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListAggregateResourceEvaluationResults	ListAggregateResourceEvaluationResults	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListAggregators	ListAggregators	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListCompliancePackTemplates	ListCompliancePackTemplates	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListCompliancePacks	ListCompliancePacks	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListConfigRuleEvaluationResults	ListConfigRuleEvaluationResults	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListConfigRules	ListConfigRules	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListDiscoveredResourceRelations	N/A	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListDiscoveredResources	ListDiscoveredResources	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListManagedRules	N/A	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListRemediationTemplates	ListRemediationTemplates	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListRemediations	ListRemediations	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListResourceEvaluationResults	ListResourceEvaluationResults	List	All resources acs:config::{#accountId}:	N/A	N/A
config:ListServiceQuotas	N/A	List	All resources acs:config::{#accountId}:	N/A	N/A
config:PutConfigRule	PutConfigRule	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:PutConfigurationRecorder	PutConfigurationRecorder	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:PutDeliveryChannel	PutDeliveryChannel	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:PutEvaluations	PutEvaluations	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:StartAggregateConfigRuleEvaluation	StartAggregateConfigRuleEvaluation	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:StartAggregateRemediation	StartAggregateRemediation	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:StartConfigRuleEvaluation	StartConfigRuleEvaluation	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:StartConfigurationRecorder	StartConfigurationRecorder	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:StartRemediation	StartRemediation	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:StopConfigRules	StopConfigRules	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:UpdateAggregateCompliancePack	UpdateAggregateCompliancePack	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:UpdateAggregateConfigRule	UpdateAggregateConfigRule	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:UpdateAggregateRemediation	UpdateAggregateRemediation	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:UpdateAggregator	UpdateAggregator	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:UpdateCompliancePack	UpdateCompliancePack	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:UpdateConfigRule	UpdateConfigRule	Write	All resources acs:config::{#accountId}:	N/A	N/A
config:UpdateRemediation	UpdateRemediation	Write	All resources acs:config::{#accountId}:	N/A	N/A

Resource

You cannot specify an Alibaba Cloud Resource Name (ARN) in the Resource element in a policy statement for Cloud Config. If you want to authorize a RAM user or a RAM role to access ActionTrail, specify "Resource":"*" in the policy statement.

Condition

Cloud Config does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Policy elements.