This topic describes example system policies so that you can understand the details and operations of the common system policies used for Elastic Compute Service (ECS), and create custom policies based on your needs.
AliyunECSFullAccess
System policy that grants the permissions to manage ECS resources
{
"Version": "1",
"Statement": [
{
"Action": "ecs:*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunECSReadOnlyAccess
System policy that grants the permissions to view ECS resources
{
"Version": "1",
"Statement": [
{
"Action": "ecs:Describe*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ecs:List*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunECSNetworkInterfaceManagementAccess
System policy that grants the permissions to manage elastic network interfaces (ENIs)
{
"Version": "1",
"Statement": [
{
"Action": [
"vpc:DescribeVSwitchAttributes"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunECSAssistantFullAccess
System policy that grants the permissions to manage Cloud Assistant commands
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:*Command",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:StopInvocation",
"ecs:*CloudAssistant*",
"ecs:SendFile",
"ecs:DescribeSendFileResults",
"ecs:*ManagedInstance",
"ecs:DescribeManagedInstances",
"ecs:*Activation",
"ecs:DescribeActivations"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*",
"acs:ecs:*:*:activation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"archiving.ecs.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:ListServiceSettings",
"ecs:UpdateServiceSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
]
}
]
}
AliyunECSAssistantReadonlyAccess
System policy that grants the permissions to view Cloud Assistant commands
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:DescribeCloudAssistant*",
"ecs:DescribeSendFileResults",
"ecs:DescribeManagedInstances",
"ecs:DescribeActivations"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*",
"acs:ecs:*:*:activation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:ListServiceSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
]
}
]
}
AliyunECSImageExportRolePolicy
System policy that grants the permissions required to export images
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetObject",
"oss:PutObject",
"oss:DeleteObject",
"oss:GetBucketLocation",
"oss:AbortMultipartUpload",
"oss:ListMultipartUploads",
"oss:ListParts",
"oss:GetBucketInfo",
"oss:GetBucketUserQos"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunECSImageImportRolePolicy
System policy that grants the permissions required to import images
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetObject",
"oss:GetBucketLocation",
"oss:GetBucketInfo"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunECSInstanceForYundunSysTrustRolePolicy
System policy that grants the permissions required for security-enhanced instances to use the Alibaba Cloud trusted system
{
"Statement": [
{
"Action": [
"yundun-systrust:GenerateNonce",
"yundun-systrust:GenerateAikcert",
"yundun-systrust:RegisterMessage",
"yundun-systrust:PutMessage"
],
"Resource": "*",
"Effect": "Allow"
}
],
"Version": "1"
}
AliyunECSDiskEncryptRolePolicy
System policy that grants the permissions required to encrypt disks
{
"Version": "1",
"Statement": [
{
"Action": [
"kms:List*",
"kms:DescribeKey",
"kms:TagResource",
"kms:UntagResource"
],
"Resource": [
"acs:kms:*:*:*",
"acs:kms:*:*:*/*"
],
"Effect": "Allow"
},
{
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"acs:kms:*:*:*/*"
],
"Effect": "Allow"
}
]
}
AliyunServiceRolePolicyForECSAutoProvisioning
System policy that grants the permissions for Auto Provisioning
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:CreateInstance",
"ecs:RunInstances",
"ecs:StartInstance",
"ecs:AllocatePublicIpAddress",
"ecs:StopInstance",
"ecs:DeleteInstance",
"ecs:DescribeInstances",
"ecs:DescribeInstanceAttribute",
"ecs:ModifyInstanceAttribute",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeImages",
"ecs:DescribeSnapshots",
"ecs:DescribeKeyPairs",
"ecs:CreateLaunchTemplate",
"ecs:DescribeLaunchTemplates",
"ecs:DescribeLaunchTemplateVersions",
"ecs:DescribeSecurityGroups",
"ecs:DescribeHpcClusters",
"ecs:DescribeImageFromFamily",
"slb:DescribeLoadBalancerAttribute",
"slb:RemoveBackendServers",
"slb:DescribeHealthStatus",
"slb:AddBackendServers",
"slb:SetBackendServers",
"slb:DescribeLoadBalancers",
"slb:DescribeVServerGroups",
"slb:DescribeVServerGroupAttribute",
"slb:AddVServerGroupBackendServers",
"slb:RemoveVServerGroupBackendServers",
"slb:DescribeMasterSlaveServerGroupAttribute",
"slb:DescribeMasterSlaveServerGroups",
"slb:SetVServerGroupAttribute",
"slb:DescribeLoadBalancerUDPListenerAttribute",
"slb:DescribeLoadBalancerHTTPListenerAttribute",
"slb:DescribeLoadBalancerHTTPSListenerAttribute",
"slb:DescribeLoadBalancerTCPListenerAttribute",
"rds:ModifySecurityIps",
"rds:DescribeDBInstanceAttribute",
"rds:DescribeTaskInfo",
"rds:DescribeDBInstanceIPArrayList",
"oos:GetTemplate",
"oos:StartExecution",
"ecs:DescribeUserData",
"ecs:DescribeInstanceRamRole",
"ecs:DescribeDisks",
"ecs:DescribeAutoSnapshotPolicyEx",
"ecs:DescribeDedicatedHosts",
"ecs:DescribeDedicatedHostTypes"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"mns:ListTopic",
"mns:ListQueue",
"mns:SendMessage",
"mns:PublishMessage"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cms:NodeInstall",
"cms:NodeStatusList",
"cms:QueryCustomMetricList",
"cms:ProfileSet",
"cms:CreateAlert",
"cms:DeleteAlert",
"cms:QueryAlert",
"cms:UpdateAlert",
"cms:DisableAlert",
"cms:EnableAlert",
"cms:CreateAction",
"cms:GetAction",
"cms:CreateDimensions",
"cms:QueryDimensions",
"cms:UpdateDimensions",
"cms:QueryMetricList",
"cms:ListAlarmHistory"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:PassRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:Service": [
"ecs.aliyuncs.com",
"oos.aliyuncs.com"
]
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "autoprovisioning.ecs.aliyuncs.com"
}
}
}
]
}
AliyunServiceRolePolicyForECSImageBuilder
System policy that grants the permissions for Image Builder
{
"Version": "1",
"Statement": [
{
"Action": [
"oos:CreateTemplate",
"oos:StartExecution",
"oos:CancelExecution",
"oos:ListExecutions",
"oos:ListTaskExecutions",
"oos:ListExecutionLogs",
"oos:DeleteTemplate"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ecs:DescribeAvailableResource",
"ecs:DescribeInstances",
"ecs:DescribeCloudAssistantStatus",
"ecs:DescribeImages",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:CreateSecurityGroup",
"ecs:DescribeSecurityGroups",
"ecs:CancelCopyImage",
"ecs:RunInstances",
"ecs:CopyImage",
"ecs:DeleteSnapshot"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ecs:RebootInstance",
"ecs:DeleteInstance",
"ecs:DeleteImage",
"ecs:DescribeImageSharePermission",
"ecs:DeleteSecurityGroup",
"ecs:ModifyImageSharePermission",
"ecs:InstallCloudAssistant",
"ecs:RunCommand",
"ecs:StopInstance",
"ecs:CreateImage"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:tag/imagepipelineid": "*"
}
}
},
{
"Action": [
"vpc:DescribeVSwitches",
"vpc:DescribeVpcs",
"vpc:CreateVpc",
"vpc:CreateVSwitch",
"vpc:DeleteVSwitch",
"vpc:DeleteVpc"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": "imagebuilder.ecs.aliyuncs.com"
}
}
}
]
}