Before a RAM user can call the CloudMonitor API, the Alibaba Cloud account to which the RAM user belongs must attach the required policies to the RAM user.

Resource description

In CloudMonitor, permissions can be granted only by action, not by resource. The only way to describe a resource in a policy is the wildcard character (*).

Action description

CloudMonitor actions fall into two types: actions on monitoring data, and actions on the instances of the cloud services that CloudMonitor monitors. A RAM user needs permissions for both types, because the monitoring data in CloudMonitor is collected from the monitored instances of those cloud services. Without permissions for the actions on the monitored instances, the RAM user cannot query the monitored instances, query the monitoring data collected from them, or configure alerts based on that data.

If you have no special requirements, we recommend that you use the default system policies provided by Resource Access Management (RAM): AliyunCloudMonitorFullAccess and AliyunCloudMonitorReadOnlyAccess. These two system policies contain the permissions on CloudMonitor data (full access and read-only access, respectively) together with the permissions to read data about the monitored instances.

If the system policies cannot meet your requirements, you can customize a policy. In a custom policy, describe resources with the wildcard character (*). The wildcard can also be used in action names, for example cms:Describe*.
  • The action that grants all CloudMonitor permissions is cms:*.
  • The following actions can be used to grant the read-only permissions on CloudMonitor.
    • cms:Get*
    • cms:List*
    • cms:Query*
    • cms:BatchQuery*
    • cms:Describe*
  • The following table describes the actions for querying the instances in Alibaba Cloud services that CloudMonitor monitors.
    Note: The number of cloud services that CloudMonitor can monitor continually increases. Therefore, the following table lists only the actions for querying instances in the main cloud services.

    Alibaba Cloud service                | Action
    -------------------------------------|----------------------------------------
    Elastic Compute Service (ECS)        | ecs:DescribeInstances
    ApsaraDB RDS                         | rds:DescribeDBInstances
                                         | rds:DescribeReplicas
    Server Load Balancer (SLB)           | DescribeLoadBalancer*
    Virtual Private Cloud (VPC)          | vpc:DescribeEipAddresses
                                         | vpc:DescribeRouterInterfaces
                                         | vpc:DescribeGlobalAccelerationInstances
                                         | vpc:DescribeVpnGateways
                                         | vpc:DescribeNatGateways
                                         | vpc:DescribeBandwidthPackages
                                         | vpc:DescribeCommonBandwidthPackages
    Object Storage Service (OSS)         | oss:ListBuckets
    Log Service                          | log:ListProject
    Alibaba Cloud CDN                    | cdn:DescribeUserDomains
    Message Service (MNS)                | mns:ListQueue
                                         | mns:ListTopic
    Auto Scaling (ESS)                   | ess:DescribeScalingGroups
    ApsaraDB for Memcache                | ocs:DescribeInstances
    ApsaraDB for Redis                   | kvstore:DescribeInstances
                                         | kvstore:DescribeLogicInstanceTopology
    ApsaraDB for HBase                   | hbase:DescribeClusterList
    Time Series Database (TSDB)          | hitsdb:DescribeHiTSDBInstanceList
    HybridDB for MySQL                   | petadata:DescribeInstances
                                         | petadata:DescribeDatabases
    AnalyticDB for PostgreSQL            | gpdb:DescribeDBInstances
    E-MapReduce                          | emr:ListClusters
    OpenSearch                           | opensearch:ListApps
    Elasticsearch                        | elasticsearch:ListInstance
    ApsaraDB for MongoDB                 | mongodb:DescribeDBInstances
    NAT Gateway                          | netgateway:DescribeNatGateways
    Anti-DDoS Pro and Anti-DDoS Premium  | ddos:DescribeInstancePage
    Cloud Enterprise Network (CEN)       | cen:DescribeCens
                                         | cen:DescribeCenAttachedChildInstances
    Message Queue for Apache Kafka       | kafka:GetKafkaInstanceList
    Secure CDN (SCDN)                    | scdn:DescribeScdnUserDomains
    Dynamic Route for CDN (DCDN)         | dcdn:DescribeDcdnUserDomains
    PolarDB                              | polardb:DescribeDBInstances
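The following is an added example, not Alibaba Cloud's own code or policy: a constructed custom read-only CloudMonitor policy in RAM policy format, plus a small check that it covers both action types the text requires (the cms:* read wildcards and the per-service instance-query actions from the table). The policy document, the INSTANCE_ACTIONS subset and the sample action names are constructed for illustration; wildcard matching is simplified to an exact-case glob.

```python
import fnmatch
import json

# Constructed custom policy. The cms:* patterns and the Describe/List actions
# are taken from the page; the document itself is an illustration, not a
# system policy. OSS access is deliberately left out to show the check working.
READ_ONLY_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["cms:Get*", "cms:List*", "cms:Query*",
                       "cms:BatchQuery*", "cms:Describe*"],
            "Resource": "*",  # CloudMonitor resources can only be described by "*"
        },
        {
            "Effect": "Allow",
            "Action": ["ecs:DescribeInstances", "rds:DescribeDBInstances",
                       "rds:DescribeReplicas"],
            "Resource": "*",
        },
    ],
})

# Instance-query actions per monitored service (subset of the page's table).
INSTANCE_ACTIONS = {
    "ECS": ["ecs:DescribeInstances"],
    "RDS": ["rds:DescribeDBInstances", "rds:DescribeReplicas"],
    "OSS": ["oss:ListBuckets"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed(policy_json, action):
    """True if the policy allows `action`; an explicit Deny always wins."""
    decision = False
    for stmt in json.loads(policy_json)["Statement"]:
        if any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def missing_actions(policy_json, services):
    """Instance-query actions the policy lacks for the given monitored services."""
    return [a for s in services for a in INSTANCE_ACTIONS[s]
            if not allowed(policy_json, a)]
```

Running `missing_actions(READ_ONLY_POLICY, ["ECS", "RDS", "OSS"])` reports `['oss:ListBuckets']`, the instance permission this policy lacks even though its cms:* wildcards cover every CloudMonitor read action; the action names below are constructed and only exercise the wildcard match.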