All Products
Search
Document Center

Cloud Config

Last Updated: Sep 30, 2021

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on Cloud Config.

The code (RamCode) in RAM that is used to indicate Cloud Config is config. You can grant permissions on Cloud Config at the operation level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by Config. The following list describes the columns in the table:
  • Action: the value that you can use in the Action element to specify the operation on a resource.

  • API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.

  • Access level: the access level of each action. The levels are read, write, and list.

  • Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:

    • The required resource types are displayed in bold characters.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.

  • Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Dependent action: other actions that a RAM user or a RAM role must have permissions to perform the action. To successfully call the action, a RAM user or a RAM role must have the permissions to perform the dependent action.

Actions

APIs

Access level

Resource types

Condition keys

Dependent actions

config:ActiveAggregateConfigRules

ActiveAggregateConfigRules

Write


All resources


acs:config::{#accountId}:*


N/A

N/A

config:ActiveConfigRules

ActiveConfigRules

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:CreateAggregateCompliancePack

CreateAggregateCompliancePack

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:CreateAggregateConfigRule

CreateAggregateConfigRule

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:CreateAggregateRemediation

CreateAggregateRemediation

Write


All resources


acs:config::{#accountId}:*


N/A

N/A

config:CreateAggregator

CreateAggregator

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:CreateCompliancePack

CreateCompliancePack

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:CreateConfigRule

CreateConfigRule

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:CreateRemediation

CreateRemediation

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DeactiveAggregateConfigRules

DeactiveAggregateConfigRules

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DeactiveConfigRules

DeactiveConfigRules

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DeleteAggregateCompliancePacks

DeleteAggregateCompliancePacks

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DeleteAggregateConfigRules

DeleteAggregateConfigRules

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DeleteAggregateRemediations

DeleteAggregateRemediations

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DeleteAggregators

DeleteAggregators

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DeleteCompliancePacks

DeleteCompliancePacks

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DeleteConfigRules

DeleteConfigRules

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DeleteRemediations

DeleteRemediations

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DescribeCompliance

DescribeCompliance

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DescribeComplianceSummary

DescribeComplianceSummary

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DescribeConfigRule

DescribeConfigRule

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DescribeConfigurationRecorder

DescribeConfigurationRecorder

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DescribeDeliveryChannels

DescribeDeliveryChannels

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DescribeDiscoveredResource

DescribeDiscoveredResource

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DescribeEvaluationResults

DescribeEvaluationResults

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:DescribeProductComplianceSummary

N/A

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GenerateAggregateCompliancePackReport

GenerateAggregateCompliancePackReport

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GenerateAggregateConfigRulesReport

GenerateAggregateConfigRulesReport

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GenerateCompliancePackReport

GenerateCompliancePackReport

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GenerateConfigRulesReport

GenerateConfigRulesReport

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregateAccountComplianceByPack

GetAggregateAccountComplianceByPack

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregateCompliancePack

GetAggregateCompliancePack

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregateCompliancePackReport

GetAggregateCompliancePackReport

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregateConfigRule

GetAggregateConfigRule

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregateConfigRuleComplianceByPack

GetAggregateConfigRuleComplianceByPack

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregateConfigRuleSummaryByRiskLevel

GetAggregateConfigRuleSummaryByRiskLevel

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregateConfigRulesReport

GetAggregateConfigRulesReport

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregateDiscoveredResource

GetAggregateDiscoveredResource

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregateResourceComplianceByConfigRule

GetAggregateResourceComplianceByConfigRule

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregateResourceComplianceByPack

GetAggregateResourceComplianceByPack

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregateResourceComplianceTimeline

GetAggregateResourceComplianceTimeline

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregateResourceConfigurationTimeline

GetAggregateResourceConfigurationTimeline

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregateResourceCountsGroupByRegion

GetAggregateResourceCountsGroupByRegion

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregateResourceCountsGroupByResourceType

GetAggregateResourceCountsGroupByResourceType

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetAggregator

GetAggregator

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetCompliancePack

GetCompliancePack

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetCompliancePackReport

GetCompliancePackReport

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetConfigRule

GetConfigRule

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetConfigRuleComplianceByPack

GetConfigRuleComplianceByPack

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetConfigRuleSummaryByRiskLevel

GetConfigRuleSummaryByRiskLevel

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetConfigRulesReport

GetConfigRulesReport

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetDiscoveredResourceCounts

GetDiscoveredResourceCounts

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetDiscoveredResourceCountsGroupByRegion

GetDiscoveredResourceCountsGroupByRegion

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetDiscoveredResourceCountsGroupByResourceType

GetDiscoveredResourceCountsGroupByResourceType

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetDiscoveredResourceCountsSummary

N/A

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetDiscoveredResourceSummary

GetDiscoveredResourceSummary

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetManagedRule

N/A

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetResourceComplianceByConfigRule

GetResourceComplianceByConfigRule

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetResourceComplianceByPack

GetResourceComplianceByPack

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetResourceConfigurationTimeline

GetResourceConfigurationTimeline

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetServiceQuota

N/A

Read


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:GetSupportedResourceTypes

GetSupportedResourceTypes

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListAggregateCompliancePacks

ListAggregateCompliancePacks

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListAggregateConfigRuleEvaluationResults

ListAggregateConfigRuleEvaluationResults

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListAggregateConfigRules

ListAggregateConfigRules

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListAggregateDiscoveredResourceRelations

N/A

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListAggregateDiscoveredResources

ListAggregateDiscoveredResources

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListAggregateRemediations

ListAggregateRemediations

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListAggregateResourceEvaluationResults

ListAggregateResourceEvaluationResults

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListAggregators

ListAggregators

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListCompliancePackTemplates

ListCompliancePackTemplates

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListCompliancePacks

ListCompliancePacks

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListConfigRuleEvaluationResults

ListConfigRuleEvaluationResults

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListConfigRules

ListConfigRules

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListDiscoveredResourceRelations

N/A

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListDiscoveredResources

ListDiscoveredResources

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListManagedRules

N/A

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListRemediationTemplates

ListRemediationTemplates

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListRemediations

ListRemediations

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListResourceEvaluationResults

ListResourceEvaluationResults

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:ListServiceQuotas

N/A

List


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:PutConfigRule

PutConfigRule

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:PutConfigurationRecorder

PutConfigurationRecorder

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:PutDeliveryChannel

PutDeliveryChannel

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:PutEvaluations

PutEvaluations

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:StartAggregateConfigRuleEvaluation

StartAggregateConfigRuleEvaluation

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:StartAggregateRemediation

StartAggregateRemediation

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:StartConfigRuleEvaluation

StartConfigRuleEvaluation

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:StartConfigurationRecorder

StartConfigurationRecorder

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:StartRemediation

StartRemediation

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:StopConfigRules

StopConfigRules

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:UpdateAggregateCompliancePack

UpdateAggregateCompliancePack

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:UpdateAggregateConfigRule

UpdateAggregateConfigRule

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:UpdateAggregateRemediation

UpdateAggregateRemediation

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:UpdateAggregator

UpdateAggregator

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:UpdateCompliancePack

UpdateCompliancePack

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:UpdateConfigRule

UpdateConfigRule

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

config:UpdateRemediation

UpdateRemediation

Write


All resources


acs:config:*:{#accountId}:*


N/A

N/A

Resource

You cannot specify an Alibaba Cloud Resource Name (ARN) in the Resource element in a policy statement for Cloud Config. If you want to authorize a RAM user or a RAM role to access ActionTrail, specify "Resource":"*" in the policy statement.

Condition

Cloud Config does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Policy elements.