Control access to ECS using RAM users - Elastic Compute Service

When multiple teams — managers, developers, and O&M engineers — share the same ECS environment, giving everyone identical permissions creates unnecessary risk. Resource Access Management (RAM) lets you assign each team exactly the permissions their role requires, so a developer can deploy code but cannot delete instances, and an O&M engineer can create snapshots but cannot modify security group rules.

How it works

Every RAM permission setup has three components:

RAM user — the identity that represents a person or team
Access policy — a JSON document that specifies which actions are allowed
Grant — the link that attaches a policy to a RAM user

You create users and policies independently, then connect them. If a team member's role changes or a security incident occurs, you update the grant or restrict the policy without modifying anything else.

Prerequisites

Before you begin, make sure you have:

An Alibaba Cloud account with RAM administrative permissions
Access to the RAM console

Scenario

This guide sets up access control for a company that hosts applications on ECS. Three roles need different permission levels:

Role	RAM user	Required permissions
Manager	Manager	Full ECS control: create and delete instances, modify security group rules
Developer	Developer	Read-only view of all instances; remote connections via Workbench to deploy code
O&M engineer	Operator	Create snapshots and images, run commands, attach disks; no permission to delete resources

Step 1: Create RAM users

Log on to the RAM console using your Alibaba Cloud account.
Create three RAM users: Manager, Developer, and Operator. When creating each user, select Console Logon.

For detailed steps, see Create a RAM user.

Step 2: Create access policies

RAM includes system policies such as AliyunECSFullAccess and AliyunECSReadOnlyAccess that may already cover your needs. Review Custom policies for ECS before creating custom policies — you may be able to skip this step entirely.

Create three custom policies. For detailed steps, see Create a custom policy.

Manager_Policy

Grants full ECS permissions. The vpc:* actions are required because ECS calls VPC APIs to allocate private IP addresses when creating instances. The bss:ModifyAgreementRecord action handles billing agreement checks during instance creation.

{
    "Version": "1",
    "Statement": [
        {
            "Action": "ecs:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:CheckCanAllocateVpcPrivateIpAddress",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "bss:ModifyAgreementRecord"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Developer_Policy

Grants read-only access to ECS instances and VPC network details, plus the ability to open remote connections through Workbench. The vpc:DescribeVpcs and vpc:DescribeVSwitches actions are included so developers can view VPC and vSwitch information in the ECS console. Developers cannot create, modify, or delete any resources.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:List*",
                "ecs:Describe*",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "ecs-workbench:LoginInstance"
            ],
            "Resource": "*"
        }
    ]
}

Operator_Policy

Grants read access plus the ability to create snapshots and images, attach disks, and run commands. The vpc:DescribeVpcs and vpc:DescribeVSwitches actions are included so O&M engineers can view network topology when diagnosing issues. No delete permissions are granted.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:Describe*",
                "ecs:AttachDisk",
                "ecs:CreateSnapshot",
                "ecs:CreateImage",
                "ecs:RunCommand",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Step 3: Grant permissions to RAM users

Attach each custom policy to the corresponding RAM user:

RAM user	Policy to attach
Manager	Manager_Policy
Developer	Developer_Policy
Operator	Operator_Policy

For detailed steps, see Grant permissions to a RAM user.

Step 4: Verify access control

Test each user to confirm that permissions are enforced correctly — both that allowed actions succeed and that denied actions are blocked.

Go to the RAM user logon page and log on as each RAM user in turn.
Open the ECS console and attempt the operations listed in the table below.

For each Denied result, confirm that ECS returns a permission error. This verifies that policy boundaries are actively enforced, not just that permitted actions happen to work.

Expected results

Operation	Manager	Developer	Operator
View the instance list	Allowed	Allowed	Allowed
Create an ECS instance	Allowed	Denied	Denied
Delete an ECS instance	Allowed	Denied	Denied
Create a snapshot	Allowed	Denied	Allowed
Create an image	Allowed	Denied	Allowed
Connect via Workbench	Allowed	Allowed	Denied

If a result does not match, review the policy JSON for missing or mistyped action names, then re-attach the updated policy.

Elastic Compute Service:Control access to ECS using RAM users