You can use resource groups with RAM to isolate resources and implement fine-grained permission management within an Alibaba Cloud account. This topic explains how ECS supports resource groups and the steps to authorize operations at the resource group level.
- Resource group-level authorization applies only to resource types that support resource groups and operations that support resource group-level authorization.
- Permissions granted at the resource group scope do not apply to resource types that do not support resource groups. To grant permissions for your entire account, set the resource scope to Account. For more information, see Operations that do not support resource group-level authorization.
Resource group authorization
You can use Resource Groups to group and manage resources in an Alibaba Cloud account. For example, you can create a dedicated Resource Group for each project and move the project's resources into that group to manage them centrally. For more information, see What is a Resource Group?.
After you group your resources, you can grant permissions scoped to a specific Resource Group to different RAM principals, such as RAM users, RAM user groups, or RAM roles. This restricts each principal to managing only the resources in that Resource Group. For more information, see Resource grouping and authorization.
This approach provides the following benefits:
- Fine-grained permissions: You can ensure that each identity is granted only the permissions required to access specific resources. This helps you isolate resources from different projects within a single account.
- Scalability: When you add new resources, you only need to add them to the relevant Resource Group. Associated RAM principals automatically gain the required permissions for the new resources, eliminating the need for re-authorization.
Grant a RAM user resource group-level permissions
This topic describes how to grant a RAM user permissions on ECS resources within a specific resource group.
1. Prerequisites
- Create the RAM user that you want to use. For more information, see Create a RAM user.
- Create a resource group and transfer existing resources to it. For more information, see Create a resource group, Automatically transfer resources to a resource group, and Manually transfer resources to a resource group.
2. Grant resource group-level permissions
You can grant resource group-level permissions in one of the following ways.
Method 1: Resource Management console
Grant permissions to a RAM user by using a resource group's permission management feature. For more information, see Grant permissions on a resource group to a RAM identity.
- Log in to the Resource Management console.
- On the Resource Groups page, click Permission Management in the Actions column of the target resource group.
- On the Permission Management tab, click Grant Permission.
- In the Grant Permission panel, configure the principal and policy.
  - Principal: Select an existing RAM user.
  - Policy: Select a system policy or an existing custom policy. For more information, see Create a custom policy.
- Click Confirm.
Method 2: RAM console
You can also grant resource group-level permissions to a RAM user in the RAM console. For more information, see Manage the permissions of a RAM user.
- Log in to the RAM console as an Alibaba Cloud account or a RAM administrator.
- In the left-side navigation pane, choose . On the Users page, click Add Permissions in the Actions column of the target RAM user.
- In the Add Permissions panel, configure the following settings:
  - Resource Scope: Select Specified Resource Group.
  - Principal: The current RAM user is automatically selected.
  - Policy: Select a system policy or an existing custom policy. For more information, see Create a custom policy.
- Click OK.
Resource types supported by resource groups
This table lists the ECS resource types that are supported by resource groups.
| Cloud service | Cloud service code | Resource type |
|---|---|---|
| ECS | ecs | ddh: Dedicated Host |
| ECS | ecs | disk |
| ECS | ecs | eni: elastic network interface |
| ECS | ecs | image |
| ECS | ecs | imagecomponent: image component |
| ECS | ecs | imagepipeline: image pipeline |
| ECS | ecs | instance |
| ECS | ecs | keypair: key pair |
| ECS | ecs | launchtemplate: launch template |
| ECS | ecs | securitygroup: security group |
| ECS | ecs | snapshot |
| ECS | ecs | snapshotpolicy: snapshot policy |
To request support for other resource types, submit feedback in the Resource Group console.

Operations not supporting resource group authorization
The following ECS actions do not support resource group-level authorization:
| Actions | Description |
|---|---|
| ecs:AddInstancesToCarePlan | - |
| ecs:AddInvisibleChecks | - |
| ecs:AllocateEipAddress | - |
| ecs:ApplySecurityGroupSnapshot | - |
| ecs:AssociateEipAddress | - |
| ecs:AssociateSecurityGroupSnapshotPolicy | - |
| ecs:CancelMigrationPlan | - |
| ecs:CancelSystemEvent | - |
| ecs:CancelTask | Cancels a running task. You can currently cancel image import ( |
| ecs:CheckOpenSnapshotService | - |
| ecs:ConfirmCarePlanBill | - |
| ecs:CreateCarePlan | - |
| ecs:CreateClassicToVpcRollbackTask | - |
| ecs:CreateDeploymentSet | Creates a deployment set in a specified region. |
| ecs:CreateDiagnosisOperateRecords | - |
| ecs:CreateDiagnosticMetricSet | Creates a diagnostic metric set. You can combine diagnostic metrics as needed. |
| ecs:CreateFunctionFeedback | - |
| ecs:CreateHpcCluster | Creates an HPC cluster. |
| ecs:CreateIssueCategoryReportRelation | - |
| ecs:CreateNetworkInsightsPath | - |
| ecs:CreatePlanMaintenanceWindow | - |
| ecs:CreatePortRangeList | Creates a port list that can be associated with resources such as security groups. |
| ecs:CreateSecurityGroupSnapshotPolicy | - |
| ecs:CreateSystemEvent | - |
| ecs:DeleteCarePlan | - |
| ecs:DeleteDeploymentSet | Deletes a deployment set. |
| ecs:DeleteDiagnosticMetricSets | Deletes diagnostic metric sets. |
| ecs:DeleteDiagnosticReports | Deletes diagnostic reports. |
| ecs:DeleteHpcCluster | Deletes an HPC cluster. |
| ecs:DeleteNetworkInsightsAnalysis | - |
| ecs:DeleteNetworkInsightsPath | - |
| ecs:DeletePlanMaintenanceWindow | - |
| ecs:DeletePortRangeList | Deletes a specified port list. Deleting a port list also deletes all of its entries. |
| ecs:DeleteReservationDemand | - |
| ecs:DeleteSecurityGroupSnapshotPolicy | - |
| ecs:DeleteVolume | - |
| ecs:DeleteWaitingOrders | - |
| ecs:DescribeAccountAttributes | - |
| ecs:DescribeAccountCommonQuotas | - |
| ecs:DescribeAccountLimits | - |
| ecs:DescribeAvailableResource | - |
| ecs:DescribeBandwidthHistory | - |
| ecs:DescribeCarePlans | - |
| ecs:DescribeChargeTypeModificationPrice | - |
| ecs:DescribeClassicLinkInstances | Queries one or more classic network instances that are linked to a VPC. |
| ecs:DescribeCloudAssistantSettings | Queries the service settings of Cloud Assistant. |
| ecs:DescribeClusters | - |
| ecs:DescribeCustomerIssueCategory | - |
| ecs:DescribeDedicatedBlockStorageClusterDisks | - |
| ecs:DescribeDeploymentSetTopology | - |
| ecs:DescribeDeploymentSets | Queries the details of one or more deployment sets. |
| ecs:DescribeDiagnosisOperateRecords | - |
| ecs:DescribeDiagnosticMetrics | Queries a list of diagnostic metrics. |
| ecs:DescribeDiagnosticReportAttributes | Queries the details of a resource diagnostic report. |
| ecs:DescribeDiskDefaultKMSKeyId | Queries the key used for account-level default encryption of block storage. |
| ecs:DescribeDiskEncryptionByDefaultStatus | Queries the service status of account-level default encryption for block storage in a specified region. |
| ecs:DescribeEcsScenarioFacade | - |
| ecs:DescribeEipAddresses | - |
| ecs:DescribeEipPrice | - |
| ecs:DescribeFunctionFeedback | - |
| ecs:DescribeHpcClusters | Queries your available HPC clusters. Request parameters function as filters. These filters are independent and combined with a logical AND. |
| ecs:DescribeImageFromFamily | Queries the latest available custom image in a specified image family. |
| ecs:DescribeInsightCheckItems | - |
| ecs:DescribeInsightChecks | - |
| ecs:DescribeInsightStatus | - |
| ecs:DescribeInsightSummaries | - |
| ecs:DescribeInstanceCrossZoneModifyConstraint | - |
| ecs:DescribeInstanceMigrationLog | - |
| ecs:DescribeInstanceStatus | Queries the status of one or more ECS instances. You can also use this action to query for instances that meet specified conditions. |
| ecs:DescribeInstanceTypeResource | - |
| ecs:DescribeInstanceTypes | - |
| ecs:DescribeKMSKeyAttribute | - |
| ecs:DescribeKMSKeys | - |
| ecs:DescribeLimitation | Queries account limitations. |
| ecs:DescribeLinkedKMSKeys | - |
| ecs:DescribeMigrationInstancesTask | - |
| ecs:DescribeMigrationPlans | - |
| ecs:DescribeMigrationPreferences | - |
| ecs:DescribeNetworkInsightsAnalysisResult | - |
| ecs:DescribeNetworkInsightsAnalysises | - |
| ecs:DescribeNetworkInsightsPaths | - |
| ecs:DescribeOrderAutoRebootTime | - |
| ecs:DescribePlanMaintenanceWindows | - |
| ecs:DescribePortRangeListAssociations | Queries the resources, such as security groups, associated with a specified port list. |
| ecs:DescribePortRangeListEntries | Queries the entries of a specified port list. |
| ecs:DescribePurchaseRecommendation | - |
| ecs:DescribeRegions | - |
| ecs:DescribeReservationDemandCommittedAmount | - |
| ecs:DescribeReservationDemands | - |
| ecs:DescribeReservedInstanceCategories | - |
| ecs:DescribeResourceByTags | Retrieves resources based on tags. You can filter by tag or by resource type. |
| ecs:DescribeResourceDisplay | - |
| ecs:DescribeResourceStatusDiagnosis | - |
| ecs:DescribeSecurityGroupSnapshotAttributes | - |
| ecs:DescribeSecurityGroupSnapshotPolicies | - |
| ecs:DescribeSecurityGroupSnapshots | - |
| ecs:DescribeSnapshotBusinessStatus | - |
| ecs:DescribeSnapshotCampaign | - |
| ecs:DescribeSnapshotMonitorData | Queries the monitoring data about snapshot capacity changes in a region over the past 30 days. |
| ecs:DescribeSnapshotPackage | Call DescribeSnapshotPackage to query the OSS storage packages that you have purchased in an Alibaba Cloud region. Storage packages can be used to offset the storage capacity of standard snapshots, but not local snapshots. |
| ecs:DescribeSnapshotPolicyAssociatedSecurityGroups | - |
| ecs:DescribeSnapshotPrice | - |
| ecs:DescribeSnapshotsUsage | Queries the number of snapshots and the total snapshot capacity in a region. |
| ecs:DescribeSpotPriceHistory | - |
| ecs:DescribeStorageCapacityUnitDeductFactor | - |
| ecs:DescribeStorageSetDetails | - |
| ecs:DescribeTaskAttribute | Call DescribeTaskAttribute to query the detailed information of an asynchronous task. Currently, the asynchronous tasks that can be queried include importing an image (ImportImage), exporting an image (ExportImage), and changing a cloud disk type (ModifyDiskSpec). |
| ecs:DescribeTasks | Call DescribeTasks to query the progress of one or more asynchronous requests. |
| ecs:DescribeUserBusinessBehavior | Get user-level default attributes |
| ecs:DescribeVSwitches | - |
| ecs:DescribeVolumes | - |
| ecs:DescribeVpcHavsInstances | - |
| ecs:DescribeVpcs | - |
| ecs:DescribeWaitingOrders | - |
| ecs:DescribeZones | - |
| ecs:DisableDiskEncryptionByDefault | Disable the account-level default encryption for block storage in a specified region. |
| ecs:DiskDefaultEncryptionQueryByParam | - |
| ecs:EnableDiskEncryptionByDefault | Enable account-level default encryption for block storage in a specified region. |
| ecs:EnableInsight | - |
| ecs:GetSnapshotBlock | - |
| ecs:GetSnapshotInfo | - |
| ecs:InnerCreateDiagnosticReport | - |
| ecs:InnerOpenSnapShotService | - |
| ecs:InnerReleaseDedicatedHost | - |
| ecs:InnerReleaseElasticAssurance | - |
| ecs:JoinSnapshotCampaign | - |
| ecs:KeepUsing | - |
| ecs:ListAccountEcsQuotas | - |
| ecs:ListBandwidthHistory | - |
| ecs:ListChangedBlocks | - |
| ecs:ListServiceSettings | - |
| ecs:ListSnapshotBlocks | - |
| ecs:ModifyCarePlanAttribute | - |
| ecs:ModifyCloudAssistantSettings | Modifies the service settings of Cloud Assistant. |
| ecs:ModifyDeploymentSetAttribute | Modify the name and description of a deployment set. |
| ecs:ModifyDiskDefaultKMSKeyId | Modifies the KMS Key ID for the account-level default encryption of block storage in a specified region. |
| ecs:ModifyEipAddressAttribute | - |
| ecs:ModifyHpcClusterAttribute | Call ModifyHpcClusterAttribute to modify the description of an HPC cluster. |
| ecs:ModifyOrderAutoRebootTime | - |
| ecs:ModifyPlanMaintenanceWindow | - |
| ecs:ModifyPortRangeList | You can modify the name of a specified port list, and add, modify, or delete its entries. |
| ecs:ModifyReservationDemand | - |
| ecs:ModifyResourceMeta | - |
| ecs:ModifySecurityGroupSnapshotPolicy | - |
| ecs:ModifySnapshotBusinessStatus | - |
| ecs:ModifySystemEventAttribute | - |
| ecs:ModifyUserBusinessBehavior | Sets default user-level attributes. |
| ecs:ModifyVolumeAttribute | - |
| ecs:OpenSnapshotService | - |
| ecs:OpenSnapshotService | - |
| ecs:PurchaseSavingPlanOffering | - |
| ecs:PurchaseStorageCapacityUnit | - |
| ecs:QueryConstraints | - |
| ecs:QueryCopyImageSupportRegions | - |
| ecs:QueryNeedKeepUsing | - |
| ecs:QueryUsableSnapshots | - |
| ecs:QueryUserInfo | - |
| ecs:ReAddMigrationTaskInPlan | - |
| ecs:ReInitVolume | - |
| ecs:ReinitDisk | - |
| ecs:ReleaseCapacityReservation | Call ReleaseCapacityReservation to release a capacity reservation. |
| ecs:ReleaseEipAddress | - |
| ecs:RemoveInvisibleChecks | - |
| ecs:RepairDiagnosticReports | - |
| ecs:ResetDiskDefaultKMSKeyId | Resets the KMS Key ID for the account-level default encryption of block storage in a specified region to the service key. |
| ecs:ResizeVolume | - |
| ecs:RollbackVolume | - |
| ecs:RunInstance | - |
| ecs:StartNetworkInsightsAnalysis | - |
| ecs:UnassociateEipAddress | - |
| ecs:UnassociateSecurityGroupSnapshotPolicy | - |
| ecs:UpdateServiceSettings | - |
| ecs:ValidatePurchaseRule | - |
| ecs:WithdrawCarePlan | - |
| ecs:DescribeImageFromFamily | - |
| ecs:DescribeInstances | - |
| ecs:DescribeNetworkInterfaces | - |
| ecs:ModifyDiskAttribute | - |
| ecs:RunInstances | - |
| ecs:unmountPEDisk | - |
Setting the authorization scope to Resource Group Level has no effect on operations that do not support resource group-level authorization. To grant a RAM user permissions for these operations, you must create a custom policy and set the authorization scope to Account Level.
Here are two examples of custom permission policies that you can modify to fit your needs.
- Allows all read-only operations that do not support resource group-level authorization, which are listed in the Action element.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeAccountAttributes",
        "ecs:DescribeAccountCommonQuotas",
        "ecs:DescribeAccountLimits",
        "ecs:DescribeAvailableResource",
        "ecs:DescribeBandwidthHistory",
        "ecs:DescribeCarePlans",
        "ecs:DescribeChargeTypeModificationPrice",
        "ecs:DescribeClassicLinkInstances",
        "ecs:DescribeCloudAssistantSettings",
        "ecs:DescribeClusters",
        "ecs:DescribeCustomerIssueCategory",
        "ecs:DescribeDedicatedBlockStorageClusterDisks",
        "ecs:DescribeDeploymentSetTopology",
        "ecs:DescribeDeploymentSets",
        "ecs:DescribeDiagnosisOperateRecords",
        "ecs:DescribeDiagnosticMetrics",
        "ecs:DescribeDiagnosticReportAttributes",
        "ecs:DescribeDiskDefaultKMSKeyId",
        "ecs:DescribeDiskEncryptionByDefaultStatus",
        "ecs:DescribeEcsScenarioFacade",
        "ecs:DescribeEipAddresses",
        "ecs:DescribeEipPrice",
        "ecs:DescribeFunctionFeedback",
        "ecs:DescribeHpcClusters",
        "ecs:DescribeImageFromFamily",
        "ecs:DescribeInsightCheckItems",
        "ecs:DescribeInsightChecks",
        "ecs:DescribeInsightStatus",
        "ecs:DescribeInsightSummaries",
        "ecs:DescribeInstanceCrossZoneModifyConstraint",
        "ecs:DescribeInstanceMigrationLog",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceTypeResource",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeKMSKeyAttribute",
        "ecs:DescribeKMSKeys",
        "ecs:DescribeLimitation",
        "ecs:DescribeLinkedKMSKeys",
        "ecs:DescribeMigrationInstancesTask",
        "ecs:DescribeMigrationPlans",
        "ecs:DescribeMigrationPreferences",
        "ecs:DescribeNetworkInsightsAnalysisResult",
        "ecs:DescribeNetworkInsightsAnalysises",
        "ecs:DescribeNetworkInsightsPaths",
        "ecs:DescribeOrderAutoRebootTime",
        "ecs:DescribePlanMaintenanceWindows",
        "ecs:DescribePortRangeListAssociations",
        "ecs:DescribePortRangeListEntries",
        "ecs:DescribePurchaseRecommendation",
        "ecs:DescribeRegions",
        "ecs:DescribeReservationDemandCommittedAmount",
        "ecs:DescribeReservationDemands",
        "ecs:DescribeReservedInstanceCategories",
        "ecs:DescribeResourceByTags",
        "ecs:DescribeResourceDisplay",
        "ecs:DescribeResourceStatusDiagnosis",
        "ecs:DescribeSecurityGroupSnapshotAttributes",
        "ecs:DescribeSecurityGroupSnapshotPolicies",
        "ecs:DescribeSecurityGroupSnapshots",
        "ecs:DescribeSnapshotBusinessStatus",
        "ecs:DescribeSnapshotCampaign",
        "ecs:DescribeSnapshotMonitorData",
        "ecs:DescribeSnapshotPackage",
        "ecs:DescribeSnapshotPolicyAssociatedSecurityGroups",
        "ecs:DescribeSnapshotPrice",
        "ecs:DescribeSnapshotsUsage",
        "ecs:DescribeSpotPriceHistory",
        "ecs:DescribeStorageCapacityUnitDeductFactor",
        "ecs:DescribeStorageSetDetails",
        "ecs:DescribeTaskAttribute",
        "ecs:DescribeTasks",
        "ecs:DescribeUserBusinessBehavior",
        "ecs:DescribeVSwitches",
        "ecs:DescribeVolumes",
        "ecs:DescribeVpcHavsInstances",
        "ecs:DescribeVpcs",
        "ecs:DescribeWaitingOrders",
        "ecs:DescribeZones",
        "ecs:ListAccountEcsQuotas",
        "ecs:ListBandwidthHistory",
        "ecs:ListChangedBlocks",
        "ecs:ListServiceSettings",
        "ecs:ListSnapshotBlocks",
        "ecs:QueryConstraints",
        "ecs:QueryCopyImageSupportRegions",
        "ecs:QueryNeedKeepUsing",
        "ecs:QueryUsableSnapshots",
        "ecs:QueryUserInfo"
      ],
      "Resource": "*"
    }
  ]
}
```

- Allows all operations that do not support resource group-level authorization: The Action element lists all operations that do not support resource group-level authorization.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:AddInstancesToCarePlan",
        "ecs:AddInvisibleChecks",
        "ecs:AllocateEipAddress",
        "ecs:ApplySecurityGroupSnapshot",
        "ecs:AssociateEipAddress",
        "ecs:AssociateSecurityGroupSnapshotPolicy",
        "ecs:CancelMigrationPlan",
        "ecs:CancelSystemEvent",
        "ecs:CancelTask",
        "ecs:CheckOpenSnapshotService",
        "ecs:ConfirmCarePlanBill",
        "ecs:CreateCarePlan",
        "ecs:CreateClassicToVpcRollbackTask",
        "ecs:CreateDeploymentSet",
        "ecs:CreateDiagnosisOperateRecords",
        "ecs:CreateDiagnosticMetricSet",
        "ecs:CreateFunctionFeedback",
        "ecs:CreateHpcCluster",
        "ecs:CreateIssueCategoryReportRelation",
        "ecs:CreateNetworkInsightsPath",
        "ecs:CreatePlanMaintenanceWindow",
        "ecs:CreatePortRangeList",
        "ecs:CreateSecurityGroupSnapshotPolicy",
        "ecs:CreateSystemEvent",
        "ecs:DeleteCarePlan",
        "ecs:DeleteDeploymentSet",
        "ecs:DeleteDiagnosticMetricSets",
        "ecs:DeleteDiagnosticReports",
        "ecs:DeleteHpcCluster",
        "ecs:DeleteNetworkInsightsAnalysis",
        "ecs:DeleteNetworkInsightsPath",
        "ecs:DeletePlanMaintenanceWindow",
        "ecs:DeletePortRangeList",
        "ecs:DeleteReservationDemand",
        "ecs:DeleteSecurityGroupSnapshotPolicy",
        "ecs:DeleteVolume",
        "ecs:DeleteWaitingOrders",
        "ecs:DescribeAccountAttributes",
        "ecs:DescribeAccountCommonQuotas",
        "ecs:DescribeAccountLimits",
        "ecs:DescribeAvailableResource",
        "ecs:DescribeBandwidthHistory",
        "ecs:DescribeCarePlans",
        "ecs:DescribeChargeTypeModificationPrice",
        "ecs:DescribeClassicLinkInstances",
        "ecs:DescribeCloudAssistantSettings",
        "ecs:DescribeClusters",
        "ecs:DescribeCustomerIssueCategory",
        "ecs:DescribeDedicatedBlockStorageClusterDisks",
        "ecs:DescribeDeploymentSetTopology",
        "ecs:DescribeDeploymentSets",
        "ecs:DescribeDiagnosisOperateRecords",
        "ecs:DescribeDiagnosticMetrics",
        "ecs:DescribeDiagnosticReportAttributes",
        "ecs:DescribeDiskDefaultKMSKeyId",
        "ecs:DescribeDiskEncryptionByDefaultStatus",
        "ecs:DescribeEcsScenarioFacade",
        "ecs:DescribeEipAddresses",
        "ecs:DescribeEipPrice",
        "ecs:DescribeFunctionFeedback",
        "ecs:DescribeHpcClusters",
        "ecs:DescribeImageFromFamily",
        "ecs:DescribeInsightCheckItems",
        "ecs:DescribeInsightChecks",
        "ecs:DescribeInsightStatus",
        "ecs:DescribeInsightSummaries",
        "ecs:DescribeInstanceCrossZoneModifyConstraint",
        "ecs:DescribeInstanceMigrationLog",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceTypeResource",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeKMSKeyAttribute",
        "ecs:DescribeKMSKeys",
        "ecs:DescribeLimitation",
        "ecs:DescribeLinkedKMSKeys",
        "ecs:DescribeMigrationInstancesTask",
        "ecs:DescribeMigrationPlans",
        "ecs:DescribeMigrationPreferences",
        "ecs:DescribeNetworkInsightsAnalysisResult",
        "ecs:DescribeNetworkInsightsAnalysises",
        "ecs:DescribeNetworkInsightsPaths",
        "ecs:DescribeOrderAutoRebootTime",
        "ecs:DescribePlanMaintenanceWindows",
        "ecs:DescribePortRangeListAssociations",
        "ecs:DescribePortRangeListEntries",
        "ecs:DescribePurchaseRecommendation",
        "ecs:DescribeRegions",
        "ecs:DescribeReservationDemandCommittedAmount",
        "ecs:DescribeReservationDemands",
        "ecs:DescribeReservedInstanceCategories",
        "ecs:DescribeResourceByTags",
        "ecs:DescribeResourceDisplay",
        "ecs:DescribeResourceStatusDiagnosis",
        "ecs:DescribeSecurityGroupSnapshotAttributes",
        "ecs:DescribeSecurityGroupSnapshotPolicies",
        "ecs:DescribeSecurityGroupSnapshots",
        "ecs:DescribeSnapshotBusinessStatus",
        "ecs:DescribeSnapshotCampaign",
        "ecs:DescribeSnapshotMonitorData",
        "ecs:DescribeSnapshotPackage",
        "ecs:DescribeSnapshotPolicyAssociatedSecurityGroups",
        "ecs:DescribeSnapshotPrice",
        "ecs:DescribeSnapshotsUsage",
        "ecs:DescribeSpotPriceHistory",
        "ecs:DescribeStorageCapacityUnitDeductFactor",
        "ecs:DescribeStorageSetDetails",
        "ecs:DescribeTaskAttribute",
        "ecs:DescribeTasks",
        "ecs:DescribeUserBusinessBehavior",
        "ecs:DescribeVSwitches",
        "ecs:DescribeVolumes",
        "ecs:DescribeVpcHavsInstances",
        "ecs:DescribeVpcs",
        "ecs:DescribeWaitingOrders",
        "ecs:DescribeZones",
        "ecs:DisableDiskEncryptionByDefault",
        "ecs:DiskDefaultEncryptionQueryByParam",
        "ecs:EnableDiskEncryptionByDefault",
        "ecs:EnableInsight",
        "ecs:GetSnapshotBlock",
        "ecs:GetSnapshotInfo",
        "ecs:InnerCreateDiagnosticReport",
        "ecs:InnerOpenSnapShotService",
        "ecs:InnerReleaseDedicatedHost",
        "ecs:InnerReleaseElasticAssurance",
        "ecs:JoinSnapshotCampaign",
        "ecs:KeepUsing",
        "ecs:ListAccountEcsQuotas",
        "ecs:ListBandwidthHistory",
        "ecs:ListChangedBlocks",
        "ecs:ListServiceSettings",
        "ecs:ListSnapshotBlocks",
        "ecs:ModifyCarePlanAttribute",
        "ecs:ModifyCloudAssistantSettings",
        "ecs:ModifyDeploymentSetAttribute",
        "ecs:ModifyDiskDefaultKMSKeyId",
        "ecs:ModifyEipAddressAttribute",
        "ecs:ModifyHpcClusterAttribute",
        "ecs:ModifyOrderAutoRebootTime",
        "ecs:ModifyPlanMaintenanceWindow",
        "ecs:ModifyPortRangeList",
        "ecs:ModifyReservationDemand",
        "ecs:ModifyResourceMeta",
        "ecs:ModifySecurityGroupSnapshotPolicy",
        "ecs:ModifySnapshotBusinessStatus",
        "ecs:ModifySystemEventAttribute",
        "ecs:ModifyUserBusinessBehavior",
        "ecs:ModifyVolumeAttribute",
        "ecs:OpenSnapShotService",
        "ecs:OpenSnapshotService",
        "ecs:PurchaseSavingPlanOffering",
        "ecs:PurchaseStorageCapacityUnit",
        "ecs:QueryConstraints",
        "ecs:QueryCopyImageSupportRegions",
        "ecs:QueryNeedKeepUsing",
        "ecs:QueryUsableSnapshots",
        "ecs:QueryUserInfo",
        "ecs:ReAddMigrationTaskInPlan",
        "ecs:ReInitVolume",
        "ecs:ReinitDisk",
        "ecs:ReleaseCapacityReservation",
        "ecs:ReleaseEipAddress",
        "ecs:RemoveInvisibleChecks",
        "ecs:RepairDiagnosticReports",
        "ecs:ResetDiskDefaultKMSKeyId",
        "ecs:ResizeVolume",
        "ecs:RollbackVolume",
        "ecs:RunInstance",
        "ecs:StartNetworkInsightsAnalysis",
        "ecs:UnassociateEipAddress",
        "ecs:UnassociateSecurityGroupSnapshotPolicy",
        "ecs:UpdateServiceSettings",
        "ecs:ValidatePurchaseRule",
        "ecs:WithdrawCarePlan",
        "ecs:describeImageFromFamily",
        "ecs:describeInstances",
        "ecs:describenetworkinterfaces",
        "ecs:modifyDiskAttribute",
        "ecs:runInstances",
        "ecs:unmountPEDisk"
      ],
      "Resource": "*"
    }
  ]
}
```
A RAM user or RAM role with account-level permissions can manage all resources in your account. Grant only necessary permissions, following the principle of least privilege.
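Because a resource group-scoped grant has no effect on the operations listed above, a custom policy can be checked before it is attached. The following Python code is an added example, not part of the Alibaba Cloud documentation: it finds the actions in a policy that need an account-level grant and builds a minimal account-level policy listing only those actions. The function names, `SAMPLE_POLICY` and the case-insensitive comparison of action names are assumptions; `NO_RG_SUPPORT` is a subset of the table on this page, and `ecs:StartInstance` stands in for an action that is not in that table.

```python
import fnmatch

# Subset of this page's table of ECS actions that do not support resource
# group-level authorization; load the full table before real use.
NO_RG_SUPPORT = [
    "ecs:CreateDeploymentSet", "ecs:DeleteDeploymentSet",
    "ecs:DescribeDeploymentSets", "ecs:DescribeRegions", "ecs:DescribeZones",
    "ecs:DescribeInstanceTypes", "ecs:DescribeInstances",
    "ecs:DisableDiskEncryptionByDefault", "ecs:ModifyDiskDefaultKMSKeyId",
    "ecs:RunInstances",
]
# Prefixes of the actions in the page's read-only example policy.
READ_ONLY_PREFIXES = ("ecs:describe", "ecs:list", "ecs:query")


def _as_list(value):
    # "Statement" and "Action" may each be a single item or a list.
    return list(value) if isinstance(value, list) else [value]


def account_level_actions(policy):
    """Return the unsupported actions matched by the policy's Allow statements.

    These are the actions a resource group-scoped attachment would not grant.
    Assumption: action names are compared case-insensitively, and "*" in an
    Action entry is treated as a wildcard.
    """
    hits = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            hits.update(
                action for action in NO_RG_SUPPORT
                if fnmatch.fnmatchcase(action.lower(), pattern.lower())
            )
    return sorted(hits)


def split_for_scopes(policy):
    """Build the account-level policy that complements a resource group grant.

    Only the matched unsupported actions are listed, so a wildcard such as
    ecs:Describe* is not granted account-wide. Also returns the subset that
    is not read-only, which deserves review before an account-level grant.
    """
    needed = account_level_actions(policy)
    if not needed:
        return None, []
    account_policy = {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": needed, "Resource": "*"}],
    }
    mutating = [a for a in needed if not a.lower().startswith(READ_ONLY_PREFIXES)]
    return account_policy, mutating


# Constructed sample: a custom policy intended for one project's resource group.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:Describe*", "ecs:StartInstance", "ecs:RunInstances",
                   "ecs:modifyDiskDefaultKMSKeyId"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    account_policy, mutating = split_for_scopes(SAMPLE_POLICY)
    print("Needs an account-level grant:", account_policy["Statement"][0]["Action"])
    print("Not read-only, review first:", mutating)
```
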
FAQ
Check a resource's resource group
- Method 1: Click the resource name to go to its details page. The resource group is displayed on the page.
- Method 2: Log on to the Resource Management console and go to . On the left, select the account that the resource belongs to (the current account is selected by default). Use the filters to find the resource and view its resource group.
View product resources in a resource group
- Method 1: Log on to the Resource Management console and go to . In the account list on the left, which defaults to the current account, click the target resource group. On the right, select the product from the resource type dropdown list. All resources for that product in the selected resource group are displayed.
- Method 2: Log on to the Resource Management console and go to . Find the target resource group and click Manage Resources in the Actions column of its row. On the Manage Resources page, select the product from the Product dropdown list to view all of its resources in that resource group.
Move resources to another resource group
Log on to the Resource Management console and go to . Find the target resource group and click Manage Resources in the Actions column of its row. On the Manage Resources page, use filters to locate the resources you want to move. Select the checkboxes for the resources in the first column, and then click Transfer Resource Group below the list. Follow the on-screen instructions to complete the transfer.