Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.
This topic describes the elements, such as Action, Resource, and Condition, which are defined by ECS. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate ECS is ecs、vpc. You can grant permissions on ECS at the RESOURCE.
General structure of a policy
Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:
{
"Version": "1",
"Statement": [
{
"Effect": "<Effect>",
"Action": "<Action>",
"Resource": "<Resource>",
"Condition": {
"<Condition_operator>": {
"<Condition_key>": [
"<Condition_value>"
]
}
}
}
]
}
- Effect: specifies the authorization effect. Valid values: Allow, Deny.
- Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
- Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
- Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.
Action
ECS defines the values that you can use in theAction
element of a policy statement. The following table describes the values.- Operation: the value that you can use in the Action element to specify the operation on a resource.
- API operation: the API operation that you can call to perform the operation.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- For mandatory resource types, indicate with a prefix of * .
- If the permissions cannot be granted at the resource level,
All Resources
is used in the Resource type column of the operation.
- Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
Actions | API operation | Access level | Resource type | Condition key | Associated operation |
---|---|---|---|---|---|
ecs:AcceptInquiredSystemEvent | AcceptInquiredSystemEvent | update | *All Resources * | None | None |
ecs:AllocateDedicatedHosts | AllocateDedicatedHosts | create | *DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/* | None | None |
ecs:AllocatePublicIpAddress | AllocatePublicIpAddress | create | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ApplyAutoSnapshotPolicy | ApplyAutoSnapshotPolicy | update | *Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} *AutoSnapshotPolicy acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId} | None | None |
ecs:AssignIpv6Addresses | AssignIpv6Addresses | create | *NetworkInterface acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} | None | None |
ecs:AssignPrivateIpAddresses | AssignPrivateIpAddresses | create | *NetworkInterface acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} | None | None |
ecs:AttachClassicLinkVpc | AttachClassicLinkVpc | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} *VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId} | vpc:tag | None |
ecs:AttachDisk | AttachDisk | update | *Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | ecs:LoginAsNonRoot ecs:PasswordCustomized | None |
ecs:AttachInstanceRamRole | AttachInstanceRamRole | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} *Role acs:ram:{#regionId}:{#accountId}:role/{#roleName} | None | None |
ecs:AttachKeyPair | AttachKeyPair | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} *KeyPair acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName} | None | None |
ecs:AttachNetworkInterface | AttachNetworkInterface | update | *NetworkInterface acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:AuthorizeSecurityGroup | AuthorizeSecurityGroup | create | *All Resources * | ecs:SecurityGroupIpProtocols ecs:SecurityGroupSourceCidrIps | None |
ecs:AuthorizeSecurityGroupEgress | AuthorizeSecurityGroupEgress | create | *All Resources * | ecs:SecurityGroupIpProtocols ecs:SecurityGroupSourceCidrIps | None |
ecs:CancelAutoSnapshotPolicy | CancelAutoSnapshotPolicy | update | *Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} AutoSnapshotPolicy acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId} | None | None |
ecs:CancelCopyImage | CancelCopyImage | update | *Image acs:ecs:{#regionId}:{#accountId}:image/{#imageId} | None | None |
ecs:CancelImagePipelineExecution | CancelImagePipelineExecution | update | *ImagePipeline acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId} | None | None |
ecs:CancelSimulatedSystemEvents | CancelSimulatedSystemEvents | update | *All Resources * | None | None |
ecs:CancelTask | CancelTask | update | *All Resources * | None | None |
ecs:ConvertNatPublicIpToEip | ConvertNatPublicIpToEip | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:CopyImage | CopyImage | update | *Image acs:ecs:{#regionId}:{#accountId}:image/* | None | None |
ecs:CopySnapshot | CopySnapshot | create | *Snapshot acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId} | None | None |
ecs:CreateActivation | CreateActivation | create | *Activation acs:ecs:{#regionId}:{#accountId}:activation/* | None | None |
ecs:CreateAutoProvisioningGroup | CreateAutoProvisioningGroup | create | *All Resources * | None | None |
ecs:CreateAutoSnapshotPolicy | CreateAutoSnapshotPolicy | create | *AutoSnapshotPolicy acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/* | None | None |
ecs:CreateCapacityReservation | CreateCapacityReservation | create | *CapacityReservation acs:ecs:{#regionId}:{#accountId}:capacityreservation/* | None | None |
ecs:CreateCommand | CreateCommand | create | *Command acs:ecs:{#regionId}:{#accountId}:command/* | None | None |
ecs:CreateDedicatedHostCluster | CreateDedicatedHostCluster | create | *All Resources * | None | None |
ecs:CreateDeploymentSet | CreateDeploymentSet | create | *All Resources * | None | None |
ecs:CreateDiagnosticMetricSet | CreateDiagnosticMetricSet | create | *All Resources * | None | None |
ecs:CreateDiagnosticReport | CreateDiagnosticReport | create | *All Resources * | None | None |
ecs:CreateDisk | CreateDisk | create | Disk acs:ecs:{#regionId}:{#accountId}:disk/* Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} Snapshot acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId} | ecs:IsDiskEncrypted ecs:IsDiskByokEncrypted | None |
ecs:CreateElasticityAssurance | CreateElasticityAssurance | create | *ElasticityAssurance acs:ecs:{#regionId}:{#accountId}:elasticityassurance/* | None | None |
ecs:CreateHpcCluster | CreateHpcCluster | create | *HpcCluster acs:ecs:{#regionId}:{#accountId}:hpc/* | None | None |
ecs:CreateImage | CreateImage | create | *Image acs:ecs:{#regionId}:{#accountId}:image/* Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} Snapshot acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId} | None | None |
ecs:CreateImageComponent | CreateImageComponent | create | *ImageComponent acs:ecs:{#regionId}:{#accountId}:imagecomponent/* | None | None |
ecs:CreateImagePipeline | CreateImagePipeline | create | *ImagePipeline acs:ecs:{#regionId}:{#accountId}:imagepipeline/* | None | None |
ecs:CreateInstance | CreateInstance | create | *All Resources * | vpc:VPC vpc:IsDefaultVSwitch vpc:IsDefaultVpc ecs:IsDiskEncrypted ecs:InstanceType ecs:InstanceTypeFamily ecs:ImageOwnerId ecs:ImageSource ecs:NotSpecifySecurityGroupId ecs:LoginAsNonRoot ecs:IsSystemDiskByokEncrypted ecs:IsDiskByokEncrypted ecs:PasswordInherit ecs:PasswordCustomized ecs:IsSystemDiskEncrypted ecs:ImagePlatform ecs:LoginAsNonRoot ecs:IsSystemDiskByokEncrypted ecs:IsDiskByokEncrypted ecs:PasswordInherit ecs:PasswordCustomized ecs:IsSystemDiskEncrypted ecs:ImagePlatform ecs:SecurityHardeningMode | None |
ecs:CreateKeyPair | CreateKeyPair | create | *KeyPair acs:ecs:{#regionId}:{#accountId}:keypair/* | None | None |
ecs:CreateLaunchTemplate | CreateLaunchTemplate | create | *LaunchTemplate acs:ecs:{#regionId}:{#accountId}:launchtemplate/* | None | None |
ecs:CreateLaunchTemplateVersion | CreateLaunchTemplateVersion | create | *LaunchTemplate acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId} | None | None |
ecs:CreateNetworkInterface | CreateNetworkInterface | create | *NetworkInterface acs:ecs:{#regionId}:{#accountId}:eni/* *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} *VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/{#vswitchId} | vpc:IsDefaultVSwitch vpc:IsDefaultVpc vpc:VPC vpc:tag vpc:tag vpc:tag | None |
ecs:CreatePrefixList | CreatePrefixList | create | *All Resources * | None | None |
ecs:CreateSecurityGroup | CreateSecurityGroup | create | *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/* *VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId} | None | None |
ecs:CreateSimulatedSystemEvents | CreateSimulatedSystemEvents | create | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:CreateSnapshot | CreateSnapshot | create | *Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} *Snapshot acs:ecs:{#regionId}:{#accountId}:snapshot/* | None | None |
ecs:CreateSnapshotGroup | CreateSnapshotGroup | create | Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} Disk acs:ecs:{#regionId}:{#accountId}:disk/{#DiskId} | None | None |
ecs:DeleteActivation | DeleteActivation | delete | *activation acs:ecs:{#regionId}:{#accountId}:activation/{#activationId} | None | None |
ecs:DeleteAutoProvisioningGroup | DeleteAutoProvisioningGroup | delete | *AutoProvisioningGroup acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId} | None | None |
ecs:DeleteAutoSnapshotPolicy | DeleteAutoSnapshotPolicy | delete | *AutoSnapshotPolicy acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#SnapshotPolicyId} | None | None |
ecs:DeleteCommand | DeleteCommand | delete | *Command acs:ecs:{#regionId}:{#accountId}:command/{#commandId} | None | None |
ecs:DeleteDedicatedHostCluster | DeleteDedicatedHostCluster | delete | *DedicatedHostCluster acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId} | None | None |
ecs:DeleteDeploymentSet | DeleteDeploymentSet | delete | *DeploymentSet acs:ecs:{#regionid}:{#accountId}:deploymentset/{#deploymentSetId} | None | None |
ecs:DeleteDiagnosticMetricSets | DeleteDiagnosticMetricSets | delete | *All Resources * | None | None |
ecs:DeleteDiagnosticReports | DeleteDiagnosticReports | delete | *All Resources * | None | None |
ecs:DeleteDisk | DeleteDisk | delete | *Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} | None | None |
ecs:DeleteHpcCluster | DeleteHpcCluster | delete | *All Resources * | None | None |
ecs:DeleteImage | DeleteImage | delete | *Image acs:ecs:{#regionId}:{#accountId}:image/{#imageId} | None | None |
ecs:DeleteImageComponent | DeleteImageComponent | delete | *ImageComponent acs:ecs:{#regionId}:{#accountId}:imagecomponent/{#imagecomponentId} | None | None |
ecs:DeleteImagePipeline | DeleteImagePipeline | delete | *ImagePipeline acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId} | None | None |
ecs:DeleteInstance | DeleteInstance | delete | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DeleteInstances | DeleteInstances | delete | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DeleteKeyPairs | DeleteKeyPairs | delete | *KeyPair acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName} | None | None |
ecs:DeleteLaunchTemplate | DeleteLaunchTemplate | delete | LaunchTemplate acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId} | None | None |
ecs:DeleteLaunchTemplateVersion | DeleteLaunchTemplateVersion | delete | *LaunchTemplate acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId} | None | None |
ecs:DeleteNetworkInterface | DeleteNetworkInterface | delete | *NetworkInterface acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} | None | None |
ecs:DeletePrefixList | DeletePrefixList | delete | *PrefixList acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId} | None | None |
ecs:DeleteSecurityGroup | DeleteSecurityGroup | delete | *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | None | None |
ecs:DeleteSnapshot | DeleteSnapshot | delete | *Snapshot acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId} | None | None |
ecs:DeleteSnapshotGroup | DeleteSnapshotGroup | delete | *SnapshotGroup acs:ecs:{#regionId}:{#accountId}:snapshotgroup/{#snapshotgroupId} | None | None |
ecs:DeregisterManagedInstance | DeregisterManagedInstance | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DescribeAccountAttributes | DescribeAccountAttributes | get | *All Resources * | None | None |
ecs:DescribeActivations | DescribeActivations | get | Activation acs:ecs:{#regionId}:{#accountId}:activation/* Activation acs:ecs:{#regionId}:{#accountId}:activation/{#activationId} | None | None |
ecs:DescribeAutoProvisioningGroupHistory | DescribeAutoProvisioningGroupHistory | get | *All Resources * | None | None |
ecs:DescribeAutoProvisioningGroupInstances | DescribeAutoProvisioningGroupInstances | get | *AutoProvisioningGroup acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId} | None | None |
ecs:DescribeAutoProvisioningGroups | DescribeAutoProvisioningGroups | get | *All Resources * | None | None |
ecs:DescribeAutoSnapshotPolicyEx | DescribeAutoSnapshotPolicyEx | get | AutoSnapshotPolicy acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/* AutoSnapshotPolicy acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId} | None | None |
ecs:DescribeBandwidthLimitation | DescribeBandwidthLimitation | get | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DescribeCapacityReservationInstances | DescribeCapacityReservationInstances | get | *CapacityReservation acs:ecs:{#regionId}:{#accountId}:capacityreservation/{#CapacityReservationId} | None | None |
ecs:DescribeCapacityReservations | DescribeCapacityReservations | get | *CapacityReservation acs:ecs:{#regionId}:{#accountId}:capacityreservation/* | None | None |
ecs:DescribeClassicLinkInstances | DescribeClassicLinkInstances | get | *All Resources * | None | None |
ecs:DescribeCloudAssistantSettings | DescribeCloudAssistantSettings | list | *ServiceSettings acs:ecs:{#regionId}:{#accountId}:servicesettings/{#servicesettingId} | None | None |
ecs:DescribeCloudAssistantStatus | DescribeCloudAssistantStatus | get | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DescribeCommands | DescribeCommands | get | Command acs:ecs:{#regionId}:{#accountId}:command/* Command acs:ecs:{#regionId}:{#accountId}:command/{#commandId} | None | None |
ecs:DescribeDedicatedHostAutoRenew | DescribeDedicatedHostAutoRenew | get | *DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} | None | None |
ecs:DescribeDedicatedHostClusters | DescribeDedicatedHostClusters | get | DedicatedHostCluster acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId} DedicatedHostCluster acs:ecs:{#regionId}:{#accountId}:ddhcluster/* | None | None |
ecs:DescribeDedicatedHosts | DescribeDedicatedHosts | get | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/* DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} | None | None |
ecs:DescribeDeploymentSets | DescribeDeploymentSets | get | *DeploymentSet acs:ecs:{#regionId}:{#accountId}:deploymentset/* | None | None |
ecs:DescribeDiagnosticMetricSets | DescribeDiagnosticMetricSets | get | *All Resources * | None | None |
ecs:DescribeDiagnosticMetrics | DescribeDiagnosticMetrics | get | *All Resources * | None | None |
ecs:DescribeDiagnosticReportAttributes | DescribeDiagnosticReportAttributes | get | *All Resources * | None | None |
ecs:DescribeDiagnosticReports | DescribeDiagnosticReports | get | *All Resources * | None | None |
ecs:DescribeDiskDefaultKMSKeyId | DescribeDiskDefaultKMSKeyId | none | *DiskEncryptionDefaultConfig acs:ecs:{#regionId}:{#accountId}:diskencryptiondefaultconfig/* | None | None |
ecs:DescribeDiskEncryptionByDefaultStatus | DescribeDiskEncryptionByDefaultStatus | none | *DiskEncryptionDefaultConfig acs:ecs:{#regionId}:{#accountId}:diskencryptiondefaultconfig/* | None | None |
ecs:DescribeDiskMonitorData | DescribeDiskMonitorData | get | *Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} | None | None |
ecs:DescribeDisks | DescribeDisks | list | Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} Disk acs:ecs:{#regionId}:{#accountId}:disk/* | None | None |
ecs:DescribeDisksFullStatus | DescribeDisksFullStatus | list | Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} Disk acs:ecs:{#regionId}:{#accountId}:disk/* | None | None |
ecs:DescribeElasticityAssuranceAutoRenewAttribute | DescribeElasticityAssuranceAutoRenewAttribute | get | *ElasticityAssurance acs:ecs:{#regionId}:{#accountId}:elasticityassurance/{#ElasticityAssuranceId} | None | None |
ecs:DescribeElasticityAssuranceInstances | DescribeElasticityAssuranceInstances | get | *All Resources * | None | None |
ecs:DescribeElasticityAssurances | DescribeElasticityAssurances | get | *ElasticityAssurance acs:ecs:{#regionId}:{#accountId}:elasticityassurance/* | None | None |
ecs:DescribeEniMonitorData | DescribeEniMonitorData | get | NetworkInterface acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DescribeHpcClusters | DescribeHpcClusters | get | *HpcCluster acs:ecs:{#regionId}:{#accountId}:hpc/* | None | None |
ecs:DescribeImageComponents | DescribeImageComponents | get | *ImageComponent acs:ecs:{#regionId}:{#accountId}:imagecomponent/* *ImageComponent acs:ecs:{#regionId}:{#accountId}:imagecomponent/{#imagecomponentId} | None | None |
ecs:DescribeImageFromFamily | DescribeImageFromFamily | get | *All Resources * | None | None |
ecs:DescribeImagePipelineExecutions | DescribeImagePipelineExecutions | get | *ImagePipelineExecution acs:ecs:{#regionId}:{#accountId}:imagepipelineexecution/* *ImagePipelineExecution acs:ecs:{#regionId}:{#accountId}:imagepipelineexecution/{#ImagePipelineExecutionId} *ImagePipeline acs:ecs:{#regionId}:{#accountId}:imagepipeline/* *ImagePipeline acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#ImagePipelineId} | None | None |
ecs:DescribeImagePipelines | DescribeImagePipelines | get | *ImagePipeline acs:ecs:{#regionId}:{#accountId}:imagepipeline/* *ImagePipeline acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId} | None | None |
ecs:DescribeImageSharePermission | DescribeImageSharePermission | get | *Image acs:ecs:{#regionId}:{#accountId}:image/{#imageId} | None | None |
ecs:DescribeImageSupportInstanceTypes | DescribeImageSupportInstanceTypes | get | *Image acs:ecs:{#regionId}:{#accountId}:image/{#imageId} | None | None |
ecs:DescribeImages | DescribeImages | get | Image acs:ecs:{#regionId}:{#accountId}:image/* Image acs:ecs:{#regionId}:{#accountId}:image/{#imageId} | None | None |
ecs:DescribeInstanceAttachmentAttributes | DescribeInstanceAttachmentAttributes | get | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DescribeInstanceAttribute | DescribeInstanceAttribute | get | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DescribeInstanceAutoRenewAttribute | DescribeInstanceAutoRenewAttribute | list | Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} Instance acs:ecs:{#regionId}:{#accountId}:instance/* | None | None |
ecs:DescribeInstanceHistoryEvents | DescribeInstanceHistoryEvents | get | *All Resources * | None | None |
ecs:DescribeInstanceMaintenanceAttributes | DescribeInstanceMaintenanceAttributes | get | *All Resources * | None | None |
ecs:DescribeInstanceModificationPrice | DescribeInstanceModificationPrice | get | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
ecs:DescribeInstanceMonitorData | DescribeInstanceMonitorData | get | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DescribeInstanceRamRole | DescribeInstanceRamRole | get | Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} Role acs:ram:{#regionId}:{#accountId}:role/{#roleName} | None | None |
ecs:DescribeInstanceStatus | DescribeInstanceStatus | list | *All Resources * | None | None |
ecs:DescribeInstanceVncUrl | DescribeInstanceVncUrl | get | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DescribeInstances | DescribeInstances | list | Instance acs:ecs:{#regionId}:{#accountId}:instance/* Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | ResourceOwner | None |
ecs:DescribeInstancesFullStatus | DescribeInstancesFullStatus | list | *All Resources * | None | None |
ecs:DescribeInvocationResults | DescribeInvocationResults | get | Command acs:ecs:{#regionId}:{#accountId}:command/{#commandId} Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DescribeInvocations | DescribeInvocations | get | Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} Command acs:ecs:{#regionId}:{#accountId}:command/{#commandId} | None | None |
ecs:DescribeKeyPairs | DescribeKeyPairs | get | KeyPair acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName} KeyPair acs:ecs:{#regionId}:{#accountId}:keypair/* | None | None |
ecs:DescribeLaunchTemplateVersions | DescribeLaunchTemplateVersions | list | LaunchTemplate acs:ecs:{#regionId}:{#accountId}:launchtemplate/* LaunchTemplate acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId} | None | None |
ecs:DescribeLaunchTemplates | DescribeLaunchTemplates | get | LaunchTemplate acs:ecs:{#regionId}:{#accountId}:launchtemplate/* LaunchTemplate acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId} | None | None |
ecs:DescribeManagedInstances | DescribeManagedInstances | get | Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DescribeNetworkInterfaceAttribute | DescribeNetworkInterfaceAttribute | get | *NetworkInterface acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} | None | None |
ecs:DescribeNetworkInterfaces | DescribeNetworkInterfaces | get | NetworkInterface acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} | None | None |
ecs:DescribePrefixListAssociations | DescribePrefixListAssociations | get | *PrefixList acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId} | None | None |
ecs:DescribePrefixListAttributes | DescribePrefixListAttributes | get | *PrefixList acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId} | None | None |
ecs:DescribePrefixLists | DescribePrefixLists | get | *PrefixList acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId} | None | None |
ecs:DescribePrice | DescribePrice | get | *All Resources * | None | None |
ecs:DescribeRenewalPrice | DescribeRenewalPrice | get | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DescribeReservedInstanceAutoRenewAttribute | DescribeReservedInstanceAutoRenewAttribute | get | *ReservedInstance acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#ReservedInstanceId} | None | None |
ecs:DescribeReservedInstances | DescribeReservedInstances | get | ReservedInstance acs:ecs:{#regionId}:{#accountId}:reservedinstance/* ReservedInstance acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId} | None | None |
ecs:DescribeResourcesModification | DescribeResourcesModification | get | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DescribeSecurityGroupAttribute | DescribeSecurityGroupAttribute | get | *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | ecs:tag | None |
ecs:DescribeSecurityGroupReferences | DescribeSecurityGroupReferences | get | *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | None | None |
ecs:DescribeSecurityGroups | DescribeSecurityGroups | get | SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/* SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | ecs:tag ecs:tag ecs:tag ecs:tag | None |
ecs:DescribeSendFileResults | DescribeSendFileResults | get | Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DescribeSnapshotGroups | DescribeSnapshotGroups | get | SnapshotGroup acs:ecs:{#regionId}:{#accountId}:snapshotgroup/* SnapshotGroup acs:ecs:{#regionId}:{#accountId}:snapshotgroup/{#snapshotgroupId} | None | None |
ecs:DescribeSnapshotLinks | DescribeSnapshotLinks | get | *All Resources * | None | None |
ecs:DescribeSnapshotMonitorData | DescribeSnapshotMonitorData | get | *All Resources * | None | None |
ecs:DescribeSnapshotPackage | DescribeSnapshotPackage | get | *All Resources * | None | None |
ecs:DescribeSnapshots | DescribeSnapshots | get | Snapshot acs:ecs:{#regionId}:{#accountId}:snapshot/* Snapshot acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId} | None | None |
ecs:DescribeSnapshotsUsage | DescribeSnapshotsUsage | get | *All Resources * | None | None |
ecs:DescribeStorageCapacityUnits | DescribeStorageCapacityUnits | get | StorageCapacityUnit acs:ecs:{#regionId}:{#accountId}:scu/* StorageCapacityUnit acs:ecs:{#regionId}:{#accountId}:scu/{#scuId} | None | None |
ecs:DescribeTaskAttribute | DescribeTaskAttribute | get | *All Resources * | None | None |
ecs:DescribeTasks | DescribeTasks | get | *All Resources * | None | None |
ecs:DescribeTerminalSessions | DescribeTerminalSessions | list | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
ecs:DescribeUserData | DescribeUserData | get | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DetachClassicLinkVpc | DetachClassicLinkVpc | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} *VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId} | None | None |
ecs:DetachDisk | DetachDisk | update | *Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DetachInstanceRamRole | DetachInstanceRamRole | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} *Role acs:ram:{#regionId}:{#accountId}:role/{#roleName} | None | None |
ecs:DetachKeyPair | DetachKeyPair | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} *KeyPair acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName} | None | None |
ecs:DetachNetworkInterface | DetachNetworkInterface | update | *NetworkInterface acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:DisableActivation | DisableActivation | update | *Activation acs:ecs:{#regionId}:{#accountId}:activation/{#ActivationId} | None | None |
ecs:EndTerminalSession | EndTerminalSession | update | *All Resources * | None | None |
ecs:ExportImage | ExportImage | update | *Image acs:ecs:{#regionId}:{#accountId}:image/{#imageId} | None | None |
ecs:GetInstanceConsoleOutput | GetInstanceConsoleOutput | get | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:GetInstanceScreenshot | GetInstanceScreenshot | get | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ImportImage | ImportImage | update | *Image acs:ecs:{#regionId}:{#accountId}:image/* | None | None |
ecs:ImportKeyPair | ImportKeyPair | create | *KeyPair acs:ecs:{#regionId}:{#accountId}:keypair/* | None | None |
ecs:InstallCloudAssistant | InstallCloudAssistant | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:InvokeCommand | InvokeCommand | update | *Command acs:ecs:{#regionId}:{#accountId}:command/{#commandId} *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | ecs:CommandRunAs | None |
ecs:JoinResourceGroup | JoinResourceGroup | update | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} NetworkInterface acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} Image acs:ecs:{#regionId}:{#accountId}:image/{#imageId} Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} KeyPair acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairId} LaunchTemplate acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId} SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} Snapshot acs:ecs:{#regionId}:{#accountId}:snapshot/{#SnapshotId} | None | None |
ecs:JoinSecurityGroup | JoinSecurityGroup | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | None | None |
ecs:LeaveSecurityGroup | LeaveSecurityGroup | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | None | None |
ecs:ListPluginStatus | ListPluginStatus | get | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
ecs:ListTagResources | ListTagResources | get | *All Resources * | None | None |
ecs:ModifyAutoProvisioningGroup | ModifyAutoProvisioningGroup | update | *autoprovisioninggroup acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId} | None | None |
ecs:ModifyAutoSnapshotPolicyEx | ModifyAutoSnapshotPolicyEx | update | *Snapshot acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#autoSnapshotPolicyId} | None | None |
ecs:ModifyCapacityReservation | ModifyCapacityReservation | update | *CapacityReservation acs:ecs:{#regionId}:{#accountId}:capacityreservation/{#CapacityReservationId} | None | None |
ecs:ModifyCloudAssistantSettings | ModifyCloudAssistantSettings | update | *ServiceSettings acs:ecs:{#regionId}:{#accountId}:servicesettings/{#servicesettingId} | None | None |
ecs:ModifyCommand | ModifyCommand | update | *Command acs:ecs:{#regionId}:{#accountId}:command/{#commandId} | None | None |
ecs:ModifyDedicatedHostAttribute | ModifyDedicatedHostAttribute | update | *DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} DedicatedHostCluster acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId} | None | None |
ecs:ModifyDedicatedHostAutoReleaseTime | ModifyDedicatedHostAutoReleaseTime | update | *DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} | None | None |
ecs:ModifyDedicatedHostAutoRenewAttribute | ModifyDedicatedHostAutoRenewAttribute | update | *DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} | None | None |
ecs:ModifyDedicatedHostClusterAttribute | ModifyDedicatedHostClusterAttribute | update | *ddhcluster acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId} | None | None |
ecs:ModifyDedicatedHostsChargeType | ModifyDedicatedHostsChargeType | update | *All Resources * | None | None |
ecs:ModifyDeploymentSetAttribute | ModifyDeploymentSetAttribute | update | *DeploymentSet acs:ecs:{#regionId}:{#accountId}:deploymentset/{#DeploymentSetId} | None | None |
ecs:ModifyDiagnosticMetricSet | ModifyDiagnosticMetricSet | update | *All Resources * | None | None |
ecs:ModifyDiskAttribute | ModifyDiskAttribute | update | *Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} | None | None |
ecs:ModifyDiskChargeType | ModifyDiskChargeType | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ModifyDiskSpec | ModifyDiskSpec | update | *Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} | None | None |
ecs:ModifyElasticityAssurance | ModifyElasticityAssurance | update | *ElasticityAssurance acs:ecs:{#regionId}:{#accountId}:elasticityassurance/{#ElasticityAssuranceId} | None | None |
ecs:ModifyElasticityAssuranceAutoRenewAttribute | ModifyElasticityAssuranceAutoRenewAttribute | update | *ElasticityAssurance acs:ecs:{#regionId}:{#accountId}:elasticityassurance/{#ElasticityAssuranceId} | None | None |
ecs:ModifyHpcClusterAttribute | ModifyHpcClusterAttribute | update | *All Resources * | None | None |
ecs:ModifyImageAttribute | ModifyImageAttribute | update | *Image acs:ecs:{#regionId}:{#accountId}:image/{#imageId} | None | None |
ecs:ModifyImageSharePermission | ModifyImageSharePermission | update | *Image acs:ecs:{#regionId}:{#accountId}:image/{#imageId} | None | None |
ecs:ModifyInstanceAttachmentAttributes | ModifyInstanceAttachmentAttributes | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ModifyInstanceAttribute | ModifyInstanceAttribute | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#SecurityGroupId} | ecs:tag ecs:tag ecs:tag ecs:tag | None |
ecs:ModifyInstanceAutoReleaseTime | ModifyInstanceAutoReleaseTime | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ModifyInstanceAutoRenewAttribute | ModifyInstanceAutoRenewAttribute | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ModifyInstanceChargeType | ModifyInstanceChargeType | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ModifyInstanceDeployment | ModifyInstanceDeployment | update | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ModifyInstanceMaintenanceAttributes | ModifyInstanceMaintenanceAttributes | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ModifyInstanceMetadataOptions | ModifyInstanceMetadataOptions | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ModifyInstanceNetworkSpec | ModifyInstanceNetworkSpec | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ModifyInstanceSpec | ModifyInstanceSpec | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ModifyInstanceVncPasswd | ModifyInstanceVncPasswd | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ModifyInstanceVpcAttribute | ModifyInstanceVpcAttribute | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} *VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/{#vswitchId} | vpc:tag vpc:VPC | None |
ecs:ModifyInvocationAttribute | ModifyInvocationAttribute | update | *Invocation acs:ecs:{#regionId}:{#accountId}:invocation/{#invocationId} Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ModifyLaunchTemplateDefaultVersion | ModifyLaunchTemplateDefaultVersion | update | LaunchTemplate acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId} | None | None |
ecs:ModifyManagedInstance | ModifyManagedInstance | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ModifyNetworkInterfaceAttribute | ModifyNetworkInterfaceAttribute | update | *NetworkInterface acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | None | None |
ecs:ModifyPrefixList | ModifyPrefixList | update | *PrefixList acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId} | None | None |
ecs:ModifyPrepayInstanceSpec | ModifyPrepayInstanceSpec | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ModifyReservedInstanceAttribute | ModifyReservedInstanceAttribute | update | *ReservedInstance acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId} | None | None |
ecs:ModifyReservedInstanceAutoRenewAttribute | ModifyReservedInstanceAutoRenewAttribute | update | *ReservedInstance acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#ReservedInstanceId} | None | None |
ecs:ModifyReservedInstances | ModifyReservedInstances | update | *ReservedInstance acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId} | None | None |
ecs:ModifySecurityGroupAttribute | ModifySecurityGroupAttribute | update | *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | None | None |
ecs:ModifySecurityGroupEgressRule | ModifySecurityGroupEgressRule | update | *All Resources * | ecs:tag ecs:tag ecs:SecurityGroupIpProtocols ecs:SecurityGroupSourceCidrIps | None |
ecs:ModifySecurityGroupPolicy | ModifySecurityGroupPolicy | update | *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | None | None |
ecs:ModifySecurityGroupRule | ModifySecurityGroupRule | update | *All Resources * | ecs:SecurityGroupIpProtocols ecs:SecurityGroupSourceCidrIps | None |
ecs:ModifySnapshotAttribute | ModifySnapshotAttribute | update | *Snapshot acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId} | None | None |
ecs:ModifySnapshotCategory | ModifySnapshotCategory | update | *Snapshot acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId} | ecs:tag | None |
ecs:ModifySnapshotGroup | ModifySnapshotGroup | update | *SnapshotGroup acs:ecs:{#regionId}:{#accountId}:snapshotgroup/{#SnapshotGroupId} | None | None |
ecs:ModifyStorageCapacityUnitAttribute | ModifyStorageCapacityUnitAttribute | update | *StorageCapacityUnit acs:ecs:{#regionId}:{#accountId}:scu/{#scuId} | None | None |
ecs:PurchaseElasticityAssurance | PurchaseElasticityAssurance | update | *ElasticityAssurance acs:ecs:{#regionId}:{#accountId}:elasticityassurance/{#ElasticityAssuranceId} | None | None |
ecs:PurchaseReservedInstancesOffering | PurchaseReservedInstancesOffering | create | *ReservedInstance acs:ecs:{#regionId}:{#accountId}:reservedinstance/* | None | None |
ecs:PurchaseStorageCapacityUnit | PurchaseStorageCapacityUnit | create | *StorageCapacityUnit acs:ecs:{#regionId}:{#accountId}:scu/* | None | None |
ecs:ReActivateInstances | ReActivateInstances | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ReInitDisk | ReInitDisk | update | *Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} | None | None |
ecs:RebootInstance | RebootInstance | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:RebootInstances | RebootInstances | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:RedeployDedicatedHost | RedeployDedicatedHost | update | *DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} | None | None |
ecs:RedeployInstance | RedeployInstance | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ReleaseCapacityReservation | ReleaseCapacityReservation | delete | *CapacityReservation acs:ecs:{#regionId}:{#accountId}:capacityreservation/{#CapacityReservationId} | None | None |
ecs:ReleaseDedicatedHost | ReleaseDedicatedHost | delete | *DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} | None | None |
ecs:RenewDedicatedHosts | RenewDedicatedHosts | update | *DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} | None | None |
ecs:RenewElasticityAssurances | RenewElasticityAssurances | create | *ElasticityAssurance acs:ecs:{#regionId}:{#accountId}:elasticityassurance/{#ElasticityAssuranceId} | None | None |
ecs:RenewInstance | RenewInstance | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:RenewReservedInstances | RenewReservedInstances | create | *ReservedInstance acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#ReservedInstanceId} | None | None |
ecs:ReplaceSystemDisk | ReplaceSystemDisk | update | Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} Image acs:ecs:{#regionId}:{#accountId}:image/{#imageId} *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | ecs:IsDiskEncrypted ecs:IsSystemDiskEncrypted ecs:PasswordInherit ecs:PasswordCustomized ecs:IsDiskByokEncrypted ecs:IsSystemDiskByokEncrypted ecs:LoginAsNonRoot ecs:ImagePlatform | None |
ecs:ReportInstancesStatus | ReportInstancesStatus | get | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:ResetDisk | ResetDisk | update | *Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} *Snapshot acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId} | None | None |
ecs:ResizeDisk | ResizeDisk | update | *Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} | None | None |
ecs:RevokeSecurityGroup | RevokeSecurityGroup | delete | *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | ecs:tag ecs:tag ecs:tag | None |
ecs:RevokeSecurityGroupEgress | RevokeSecurityGroupEgress | delete | *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | ecs:tag ecs:tag ecs:tag | None |
ecs:RunCommand | RunCommand | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | ecs:CommandRunAs | None |
ecs:RunInstances | RunInstances | create | *All Resources * | vpc:IsDefaultVSwitch vpc:IsDefaultVpc vpc:VPC ecs:IsDiskEncrypted ecs:InstanceTypeFamily ecs:InstanceType ecs:ImageOwnerId ecs:ImageSource ecs:NotSpecifySecurityGroupId ecs:LoginAsNonRoot ecs:IsSystemDiskByokEncrypted ecs:IsDiskByokEncrypted ecs:PasswordInherit ecs:PasswordCustomized ecs:IsSystemDiskEncrypted ecs:ImagePlatform ecs:IsDiskEncrypted ecs:SecurityHardeningMode | None |
ecs:SendFile | SendFile | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:StartImagePipelineExecution | StartImagePipelineExecution | update | *ImagePipeline acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId} | None | None |
ecs:StartInstance | StartInstance | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:StartInstances | StartInstances | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:StartTerminalSession | StartTerminalSession | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:StopInstance | StopInstance | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:StopInstances | StopInstances | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:StopInvocation | StopInvocation | update | Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
ecs:TagResources | TagResources | create | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} Disk acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} NetworkInterface acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} Image acs:ecs:{#regionId}:{#accountId}:image/{#imageId} Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} KeyPair acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairId} LaunchTemplate acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId} ReservedInstance acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId} SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} Snapshot acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId} AutoSnapshotPolicy acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#SnapshotPolicyId} | None | None |
ecs:UnassignIpv6Addresses | UnassignIpv6Addresses | delete | *NetworkInterface acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} | None | None |
ecs:UnassignPrivateIpAddresses | UnassignPrivateIpAddresses | delete | *NetworkInterface acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} | None | None |
ecs:UntagResources | UntagResources | delete | *All Resources * | None | None |
Resource
ECS defines the values that you can use in theResource
. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource.
The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:{#}
indicates a variable. {#} must be replaced with an actual value. For example,{#ramcode}
must be replaced with the actual code of an Alibaba Cloud service in RAM.- An asterisk (
*
) is used as a wildcard. Examples:{#resourceType}
is set to*
, all resources are specified.{#regionId}
is set to*
, all regions are specified.{#accountId}
is set to*
, all Alibaba Cloud accounts are specified.
Resource type | ARN |
---|---|
Activation |
|
Address |
|
Association |
|
AutoProvisioningGroup |
|
AutoSnapshotPolicy |
|
BandwidthPackage |
|
CapacityReservation |
|
Command |
|
DedicatedHost |
|
DedicatedHostCluster |
|
Demand |
|
DeploymentSet |
|
Disk |
|
DiskEncryptionDefaultConfig |
|
ElasticityAssurance |
|
Fleet |
|
ForwardTable |
|
HaVip |
|
HpcCluster |
|
Image |
|
ImageComponent |
|
ImagePipeline |
|
ImagePipelineExecution |
|
Instance |
|
Invocation |
|
KeyPair |
|
LaunchTemplate |
|
NatGateway |
|
NetworkInterface |
|
PhysicalConnection |
|
PortRangeList |
|
PrefixList |
|
ReservedInstance |
|
Role |
|
RouteTable |
|
RouterInterface |
|
SecurityGroup |
|
ServiceSettings |
|
Snapshot |
|
SnapshotGroup |
|
StorageCapacityUnit |
|
StorageSet |
|
VPC |
|
VRouter |
|
VSwitch |
|
VirtualBorderRouter |
|
Volume |
|
activation |
|
autoprovisioninggroup |
|
ddhcluster |
|
snapshotpolicy |
|
Condition
ECS defines the values that you can use in the
Condition
element of a policy statement. The following table describes the values. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to ECS. For more information about the common condition keys, see Generic Condition Keyword.The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.
Condition key | Description | Data type |
---|---|---|
ecs:AssociatePublicIpAddress | Whether to support the allocation of public network IP in the process of resource creation and change, that is, whether to allow the operation of resources to make the public network bandwidth greater than 0. | Boolean |
ecs:CommandRunAs | User in the operating system that executes cloud assistant commands | String |
ecs:ImageOwnerId | Owner UID of the image. | String |
ecs:ImagePlatform | Operating system type of the image | String |
ecs:ImageSource | Image Source | String |
ecs:InstanceType | Instance specifications | String |
ecs:InstanceTypeFamily | instance specification family | String |
ecs:IsDiskByokEncrypted | Whether to encrypt the data disk with the primary key. | String |
ecs:IsDiskEncrypted | Whether it is an encrypted data disk | String |
ecs:IsSystemDiskByokEncrypted | Whether the master key encrypts the system disk. | String |
ecs:IsSystemDiskEncrypted | Whether it is an encryption system disk | String |
ecs:LoginAsNonRoot | Whether to log on to the instance as non-root | Boolean |
ecs:NotSpecifySecurityGroupId | Whether the security group ID is not specified | Boolean |
ecs:PasswordCustomized | Whether a custom password is used | Boolean |
ecs:PasswordInherit | Whether the instance inherits the image password. | Boolean |
ecs:SecurityEnhancementStrategy | Whether to open security reinforcement. | String |
ecs:SecurityGroupIpProtocols | Transport layer protocol with security group open | String |
ecs:SecurityGroupSourceCidrIps | The source IPv4 CIDR segment of the security group that sets access permissions | String |
ecs:SecurityHardeningMode | Whether to enforce hardened mode (IMDSv2) when accessing instance metadata | Boolean |
vpc:CreateDefaultVpc | Whether a default VPC can be created | Boolean |
vpc:IsDefaultVSwitch | Whether it is the default VSwitch and whether the default VSwitch can be used | Boolean |
vpc:IsDefaultVpc | Whether it is the default VPC | Boolean |
vpc:VPC | VPC Information | String |