edit-icon download-icon

RAM for CloudMonitor

Last Updated: Nov 16, 2017

CloudMonitor supports RAM. This allows you to control permissions for Cloud Service Monitoring metric data, alarm rule management, alarm contact and alarm contact group management through subaccounts.

Note: Currently, metric data queries are supported for the following cloud products:

  • ECS

  • RDS

  • Server Load Balancer

  • OSS

  • CDN

  • EIP

  • ApsaraDB for Redis

  • Message Service

  • Log Service

Permission description


In RAM system permissions, the Read-only CloudMonitor access permission only authorizes subaccounts to view the metric data. If you want to authorize subaccounts to apply alarm rules, see the following Alarm management section to know how to create or modify new authorizations.

Authentication type

Besides basic subaccount permission control, RAM currently supports time, MFA, and IP authentication.

Resource description

Currently, RAM does not support fine-grained resource descriptions. Only the “*” wildcard is used for resource authorization.

Operation description

Metric data

Data query actions are divided into two groups: Product instance list display and CloudMonitor metric data queries. When authorizing a subaccount to log on to the CloudMonitor portal and view metric data, you must also grant the subaccount permissions for the corresponding product’s instance list and metric data query.

For metric data authorization, access the RAM product’s system authorization policy and select Read-only CloudMonitor access permission.

Metric data query action: Query*.

Product instance list display actions are as follows.

Product name Action
ECS DescribeInstances
RDS DescribeDBInstances
SLB DescribeLoadBalancer*
OSS ListBuckets
EIP DescribeEipAddresses
ApsaraDB for Redis DescribeInstances
Message Service ListQueue
CDN DescribeUserDomains

Alarm management

Currently, alarm management does not support fine-grained operations. After being granted the following permissions, a subaccount can add, delete, query, and modify alarm rules, alarm contacts, and alarm contact groups.

To allow a subaccount to use the alarm functions, add the following permissions:

  1. {
  2. "Version": "1",
  3. "Statement": [
  4. {
  5. "Action": [
  6. "cms:*"
  7. ],
  8. "Resource": "*",
  9. "Effect": "Allow"
  10. }
  11. ]
  12. }
Thank you! We've received your feedback.