When RAM system policies are too broad for your needs, create custom policies to implement the principle of least privilege. Custom policies let you grant or deny access at the action, resource, and condition level.
This page provides ready-to-use policy examples for common ECS scenarios.
Before you begin
Before you create a custom policy, ensure that you have reviewed:
Create custom policies — how to create and attach a policy in the RAM console
Policy elements — the building blocks of a policy (
Effect,Action,Resource,Condition)Policy structure and syntax — the JSON grammar and supported operators
Policy evaluation process — how
AllowandDenystatements interact when multiple policies apply
Policy examples
Create pay-as-you-go instances
Grants a RAM user the actions needed to create pay-as-you-go ECS instances. The policy includes read actions for images, VPCs, vSwitches, security groups, key pairs, and tags — all required to populate the instance creation form — plus ecs:RunInstances to submit the request.
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeImages",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"ecs:DescribeSecurityGroups",
"ecs:DescribeKeyPairs",
"ecs:DescribeTags",
"ecs:RunInstances"
],
"Resource": "*"
}
],
"Version": "1"
}Create subscription instances
Extends the pay-as-you-go policy with four specific BSS actions — bss:DescribeOrderList, bss:DescribeOrderDetail, bss:PayOrder, and bss:CancelOrder — to query and pay for subscription orders. The corresponding system policy is AliyunBSSOrderAccess.
If you set autoPay to true when calling RunInstances to create subscription instances, payment is handled automatically and the bss-related permissions are not required.
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeImages",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"ecs:DescribeSecurityGroups",
"ecs:DescribeKeyPairs",
"ecs:DescribeTags",
"ecs:RunInstances",
"bss:DescribeOrderList",
"bss:DescribeOrderDetail",
"bss:PayOrder",
"bss:CancelOrder"
],
"Resource": "*"
}
],
"Version": "1"
}Restart instances with MFA
Allows ecs:RebootInstance, but only when the RAM user has multi-factor authentication (MFA) enabled and logs on using MFA. The acs:MFAPresent condition key must evaluate to true — if the user has not authenticated with MFA in the current session, the condition fails and the action is denied.
{
"Statement": [
{
"Action": "ecs:RebootInstance",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Bool": {
"acs:MFAPresent": "true"
}
}
}
],
"Version": "1"
}Manage a specific instance
Grants the RAM user full control over a single instance while allowing read access across all resources. Two statements are required:
First statement: Full ECS permissions (
ecs:*) scoped to instancei-001by its ARN.Second statement: Read-only
ecs:Describe*access withResource: "*". This is necessary because ECS list and describe APIs do not support resource-level restrictions — without it, the RAM user cannot view the instance list at all.
Replace i-001 with your target instance ID.
{
"Statement": [
{
"Action": "ecs:*",
"Effect": "Allow",
"Resource": "acs:ecs:*:*:instance/i-001"
},
{
"Action": "ecs:Describe*",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "1"
}Connect to a specific instance via Workbench
Allows Workbench login to a single instance while keeping the instance list visible. Two statements are required:
First statement: Read-only
ecs:Describe*access across all resources, so the RAM user can browse the instance list.Second statement:
ecs-workbench:LoginInstancescoped to instancei-001only, blocking Workbench access to all other instances.
Replace i-001 with your target instance ID.
{
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ecs-workbench:LoginInstance",
"Resource": "acs:ecs-workbench:*:*:workbench/i-001"
}
],
"Version": "1"
}Deny VNC connections
Prevents the RAM user from obtaining a Virtual Network Computing (VNC) URL for any ECS instance. Because Deny overrides Allow, this policy blocks VNC access even if a broader Allow policy is attached to the same user.
{
"Statement": [
{
"Effect": "Deny",
"Action": "ecs:DescribeInstanceVncUrl",
"Resource": "*"
}
],
"Version": "1"
}View instances in a specific region
Limits ecs:Describe* to ECS instances in China (Qingdao). The resource ARN is scoped to instance/*, so the RAM user cannot view disks or snapshots in this region even though those resources exist under the same account.
{
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:Describe*",
"Resource": "acs:ecs:cn-qingdao:*:instance/*"
}
],
"Version": "1"
}Manage security groups
Grants all security group actions (ecs:*SecurityGroup*) across all resources in the Alibaba Cloud account.
{
"Version": "1",
"Statement": [
{
"Action": "ecs:*SecurityGroup*",
"Resource": "*",
"Effect": "Allow"
}
]
}Create instance RAM roles
Grants the actions needed to create an instance and attach or detach a RAM role. Two statements are required:
First statement:
ecs:CreateInstance,ecs:AttachInstanceRamRole, andecs:DetachInstanceRAMRoleto manage the instance and its role association.Second statement:
ram:PassRolewithResource: "*". This permission is required because attaching a role to an instance involves passing that role from RAM to ECS. Withoutram:PassRole, the attach operation fails even ifecs:AttachInstanceRamRoleis granted.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateInstance",
"ecs:AttachInstanceRamRole",
"ecs:DetachInstanceRAMRole"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "*"
}
]
}Query instances and block storage
Read-only access to ECS instances and disks. Suitable for monitoring tools or auditing roles that need visibility without any write permissions.
{
"Statement": [
{
"Effect": "Allow",
"Action": ["ecs:DescribeInstances", "ecs:DescribeDisks"],
"Resource": "*"
}
],
"Version": "1"
}Purchase savings plans
Grants permission to create savings plan orders via the BSS API.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "bssapi:CreateSavingsPlansInstance",
"Resource": "*"
}
]
}Deny creating a default VPC
RAM users with AliyunECSFullAccess can create a default virtual private cloud (VPC) when no VPC exists in a region. To block that specific action while keeping all other ECS permissions, attach this Deny policy alongside the AliyunECSFullAccess system policy. Because Deny overrides Allow, only the VPC auto-creation is blocked.
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"vpc:CreateDefaultVpc": ["true"]
}
}
}
]
}Use prefix lists
Grants full management of prefix lists: create, modify, describe, and delete.
{
"Statement": [
{
"Action": [
"ecs:CreatePrefixList",
"ecs:ModifyPrefixList",
"ecs:DescribePrefixLists",
"ecs:DescribePrefixListAssociations",
"ecs:DescribePrefixListAttributes",
"ecs:DeletePrefixList"
],
"Resource": "*",
"Effect": "Allow"
}
],
"Version": "1"
}Use Cloud Assistant
For Cloud Assistant-specific policy examples, see the Cloud Assistant Agent-specific sample custom policies section in "Grant a RAM user permissions to use Cloud Assistant".
Read OSS buckets
Grants read access to Object Storage Service (OSS) buckets: get objects, get bucket location, and get bucket information.
{
"Version": "1",
"Statement": [
{
"Action": ["oss:GetObject", "oss:GetBucketLocation", "oss:GetBucketInfo"],
"Resource": "*",
"Effect": "Allow"
}
]
}Read and write OSS buckets
Extends read access with write permissions: upload objects, delete objects, and manage multipart uploads.
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetObject",
"oss:GetBucketLocation",
"oss:GetBucketInfo",
"oss:PutObject",
"oss:DeleteObject",
"oss:AbortMultipartUpload",
"oss:ListMultipartUploads",
"oss:ListParts"
],
"Resource": "*",
"Effect": "Allow"
}
]
}Enforce HTTPS access
Allows all ECS actions only when the request is made over HTTPS. The acs:SecureTransport condition key evaluates to true only for HTTPS requests — HTTP requests are implicitly denied.
{
"Statement": [
{
"Action": "ecs:*",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Bool": {
"acs:SecureTransport": "true"
}
}
}
],
"Version": "1"
}Enforce disk encryption
For organizations with compliance requirements, attach this policy to require all RAM users to encrypt every disk — data disks and system disks — when creating instances or standalone disks. The policy contains three Deny statements:
First statement: Denies
ecs:RunInstancesandecs:CreateInstanceif any data disk is unencrypted (ecs:IsDiskEncryptedmatches*false*).Second statement: Denies
ecs:RunInstancesandecs:CreateInstanceif the system disk is unencrypted (ecs:IsSystemDiskEncryptedequalsfalse).Third statement: Denies
ecs:CreateDiskif the standalone disk is unencrypted.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:IsDiskEncrypted": "*false*"
}
},
"Effect": "Deny"
},
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ecs:IsSystemDiskEncrypted": "false"
}
},
"Effect": "Deny"
},
{
"Action": "ecs:CreateDisk",
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:IsDiskEncrypted": "*false*"
}
},
"Effect": "Deny"
}
]
}Enforce CMK disk encryption
Stricter than the previous policy: requires all disks to be encrypted using customer master keys (CMKs), also known as Bring Your Own Key (BYOK). After attaching this policy, the RAM user can only select CMKs when encrypting disks.
The policy mirrors the structure of Enforce disk encryption, replacing IsDiskEncrypted / IsSystemDiskEncrypted with IsDiskByokEncrypted / IsSystemDiskByokEncrypted. Three Deny statements cover data disks and system disks on instance creation, and standalone disk creation.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:IsDiskByokEncrypted": "*false*"
}
},
"Effect": "Deny"
},
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ecs:IsSystemDiskByokEncrypted": "false"
}
},
"Effect": "Deny"
},
{
"Action": "ecs:CreateDisk",
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:IsDiskByokEncrypted": "*false*"
}
},
"Effect": "Deny"
}
]
}Restrict to custom images only
Prevents the RAM user from using marketplace, public, or shared images when creating instances. The condition StringNotEquals on ecs:ImageSource denies the request unless the image source is Custom.
Replace <Region ID> with the target region ID (for example, cn-hangzhou).
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance"
],
"Effect": "Deny",
"Resource": "acs:ecs:<Region ID>:*:instance/*",
"Condition": {
"StringNotEquals": {
"ecs:ImageSource": "Custom"
}
}
}
]
}Prohibit root user logon
Prevents the RAM user from setting the root account as the login user during instance creation, system disk replacement, disk attachment, and Cloud Assistant command invocation. The condition ecs:LoginAsNonRoot set to false triggers the Deny — meaning any attempt to log on as root is blocked.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance",
"ecs:CreateOrder",
"ecs:ReplaceSystemDisk",
"ecs:AttachDisk",
"ecs:InvokeCommand"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:LoginAsNonRoot": [
"false"
]
}
},
"Effect": "Deny"
}
]
}Prohibit password-based logon
After attaching this policy, the RAM user can only log on to ECS instances using key pairs or Session Manager — username and password logon is blocked. The policy contains two Deny statements:
First statement: Denies instance creation and system disk operations when a custom password is set (
ecs:PasswordCustomizedistrue) for Linux instances. Theecs:ImagePlatformcondition is set tolinux, so Windows instances are unaffected. To block password logon for all platforms, remove theecs:ImagePlatformcondition.Second statement: Denies
ecs:ModifyInstanceAttribute,ecs:InvokeCommand, andecs:AttachDiskwhen a custom password is set, regardless of platform.
Settingecs:ImagePlatformtolinuxblocks password logon for Linux instances only, leaving Windows instances unaffected. Adjust or remove this condition to match your requirements.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance",
"ecs:CreateOrder",
"ecs:ReplaceSystemDisk"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:PasswordCustomized": [
"true"
]
},
"StringEquals": {
"ecs:ImagePlatform": "linux"
}
},
"Effect": "Deny"
},
{
"Action": [
"ecs:ModifyInstanceAttribute",
"ecs:InvokeCommand",
"ecs:AttachDisk"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:PasswordCustomized": [
"true"
]
}
},
"Effect": "Deny"
}
]
}Prohibit preset image password logon
Prevents using the password embedded in an image to log on to an instance. Applies when creating instances or replacing the system disk. After attaching this policy, users must set a new password or use a key pair — they cannot reuse the image's preset password.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance",
"ecs:CreateOrder",
"ecs:ReplaceSystemDisk"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:PasswordInherit": [
"true"
]
}
},
"Effect": "Deny"
}
]
}Deny open security group rules
An inbound rule that allows 0.0.0.0/0 exposes ECS instances to all external IP addresses. This policy blocks two risky actions:
First statement: Denies creating or modifying TCP security group rules with
0.0.0.0/0as the source CIDR. TheForAnyValue:CIDRInRangeoperator checks whether any of the supplied source CIDRs falls within0.0.0.0/0. For more information about condition operators, see Policy structure and syntax.Second statement: Denies instance creation when no security group is specified (
ecs:NotSpecifySecureGroupIdistrue), preventing the instance from falling back to the default security group.
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ecs:AuthorizeSecurityGroup",
"ecs:ConfigureSecurityGroupPermissions",
"ecs:ModifySecurityGroupRule"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"ecs:SecurityGroupIpProtocols": [
"TCP"
]
},
"ForAnyValue:CIDRInRange": {
"ecs:SecurityGroupSourceCidrIps": [
"0.0.0.0/0"
]
}
}
},
{
"Effect": "Deny",
"Action": [
"ecs:CreateInstance",
"ecs:RunInstances"
],
"Resource": "*",
"Condition": {
"Bool": {
"ecs:NotSpecifySecureGroupId": [
"true"
]
}
}
}
]
}Enforce security hardening mode for metadata
Requires all RAM users to access instance metadata only in security hardening mode. Applies to RunInstances and CreateInstance when creating instances, and to ModifyInstanceMetadataOptions when updating the metadata of existing instances. If ecs:SecurityHardeningMode is false, the request is denied.
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ecs:RunInstances",
"ecs:CreateInstance",
"ecs:ModifyInstanceMetadataOptions"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ecs:SecurityHardeningMode": ["false"]
}
}
}
]
}