All Products
Search
Document Center

Elastic Compute Service:Custom policies

Last Updated:Apr 01, 2026

When RAM system policies are too broad for your needs, create custom policies to implement the principle of least privilege. Custom policies let you grant or deny access at the action, resource, and condition level.

This page provides ready-to-use policy examples for common ECS scenarios.

Before you begin

Before you create a custom policy, ensure that you have reviewed:

Policy examples

ScenarioEffect
Create pay-as-you-go instancesAllow
Create subscription instancesAllow
Restart instances with MFAAllow
Manage a specific instanceAllow
Connect to a specific instance via WorkbenchAllow
Deny VNC connectionsDeny
View instances in a specific regionAllow
Manage security groupsAllow
Create instance RAM rolesAllow
Query instances and block storageAllow
Purchase savings plansAllow
Deny creating a default VPCDeny
Use prefix listsAllow
Use Cloud AssistantAllow
Read OSS bucketsAllow
Read and write OSS bucketsAllow
Enforce HTTPS accessAllow
Enforce disk encryptionDeny
Enforce CMK disk encryptionDeny
Restrict to custom images onlyDeny
Prohibit root user logonDeny
Prohibit password-based logonDeny
Prohibit preset image password logonDeny
Deny open security group rulesDeny
Enforce security hardening mode for metadataDeny

Create pay-as-you-go instances

Grants a RAM user the actions needed to create pay-as-you-go ECS instances. The policy includes read actions for images, VPCs, vSwitches, security groups, key pairs, and tags — all required to populate the instance creation form — plus ecs:RunInstances to submit the request.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeImages",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeTags",
        "ecs:RunInstances"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Create subscription instances

Extends the pay-as-you-go policy with four specific BSS actions — bss:DescribeOrderList, bss:DescribeOrderDetail, bss:PayOrder, and bss:CancelOrder — to query and pay for subscription orders. The corresponding system policy is AliyunBSSOrderAccess.

Important

If you set autoPay to true when calling RunInstances to create subscription instances, payment is handled automatically and the bss-related permissions are not required.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeImages",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeTags",
        "ecs:RunInstances",
        "bss:DescribeOrderList",
        "bss:DescribeOrderDetail",
        "bss:PayOrder",
        "bss:CancelOrder"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Restart instances with MFA

Allows ecs:RebootInstance, but only when the RAM user has multi-factor authentication (MFA) enabled and logs on using MFA. The acs:MFAPresent condition key must evaluate to true — if the user has not authenticated with MFA in the current session, the condition fails and the action is denied.

{
  "Statement": [
    {
      "Action": "ecs:RebootInstance",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "true"
        }
      }
    }
  ],
  "Version": "1"
}

Manage a specific instance

Grants the RAM user full control over a single instance while allowing read access across all resources. Two statements are required:

  • First statement: Full ECS permissions (ecs:*) scoped to instance i-001 by its ARN.

  • Second statement: Read-only ecs:Describe* access with Resource: "*". This is necessary because ECS list and describe APIs do not support resource-level restrictions — without it, the RAM user cannot view the instance list at all.

Replace i-001 with your target instance ID.

{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "acs:ecs:*:*:instance/i-001"
    },
    {
      "Action": "ecs:Describe*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Connect to a specific instance via Workbench

Allows Workbench login to a single instance while keeping the instance list visible. Two statements are required:

  • First statement: Read-only ecs:Describe* access across all resources, so the RAM user can browse the instance list.

  • Second statement: ecs-workbench:LoginInstance scoped to instance i-001 only, blocking Workbench access to all other instances.

Replace i-001 with your target instance ID.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecs:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ecs-workbench:LoginInstance",
            "Resource": "acs:ecs-workbench:*:*:workbench/i-001"
        }
    ],
    "Version": "1"
}

Deny VNC connections

Prevents the RAM user from obtaining a Virtual Network Computing (VNC) URL for any ECS instance. Because Deny overrides Allow, this policy blocks VNC access even if a broader Allow policy is attached to the same user.

{
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ecs:DescribeInstanceVncUrl",
            "Resource": "*"
        }
    ],
    "Version": "1"
}

View instances in a specific region

Limits ecs:Describe* to ECS instances in China (Qingdao). The resource ARN is scoped to instance/*, so the RAM user cannot view disks or snapshots in this region even though those resources exist under the same account.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:Describe*",
      "Resource": "acs:ecs:cn-qingdao:*:instance/*"
    }
  ],
  "Version": "1"
}

Manage security groups

Grants all security group actions (ecs:*SecurityGroup*) across all resources in the Alibaba Cloud account.

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs:*SecurityGroup*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Create instance RAM roles

Grants the actions needed to create an instance and attach or detach a RAM role. Two statements are required:

  • First statement: ecs:CreateInstance, ecs:AttachInstanceRamRole, and ecs:DetachInstanceRAMRole to manage the instance and its role association.

  • Second statement: ram:PassRole with Resource: "*". This permission is required because attaching a role to an instance involves passing that role from RAM to ECS. Without ram:PassRole, the attach operation fails even if ecs:AttachInstanceRamRole is granted.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateInstance",
        "ecs:AttachInstanceRamRole",
        "ecs:DetachInstanceRAMRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*"
    }
  ]
}

Query instances and block storage

Read-only access to ECS instances and disks. Suitable for monitoring tools or auditing roles that need visibility without any write permissions.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ecs:DescribeInstances", "ecs:DescribeDisks"],
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Purchase savings plans

Grants permission to create savings plan orders via the BSS API.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "bssapi:CreateSavingsPlansInstance",
      "Resource": "*"
    }
  ]
}

Deny creating a default VPC

RAM users with AliyunECSFullAccess can create a default virtual private cloud (VPC) when no VPC exists in a region. To block that specific action while keeping all other ECS permissions, attach this Deny policy alongside the AliyunECSFullAccess system policy. Because Deny overrides Allow, only the VPC auto-creation is blocked.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "vpc:CreateDefaultVpc": ["true"]
        }
      }
    }
  ]
}

Use prefix lists

Grants full management of prefix lists: create, modify, describe, and delete.

{
  "Statement": [
    {
      "Action": [
        "ecs:CreatePrefixList",
        "ecs:ModifyPrefixList",
        "ecs:DescribePrefixLists",
        "ecs:DescribePrefixListAssociations",
        "ecs:DescribePrefixListAttributes",
        "ecs:DeletePrefixList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}

Use Cloud Assistant

For Cloud Assistant-specific policy examples, see the Cloud Assistant Agent-specific sample custom policies section in "Grant a RAM user permissions to use Cloud Assistant".

Read OSS buckets

Grants read access to Object Storage Service (OSS) buckets: get objects, get bucket location, and get bucket information.

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["oss:GetObject", "oss:GetBucketLocation", "oss:GetBucketInfo"],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Read and write OSS buckets

Extends read access with write permissions: upload objects, delete objects, and manage multipart uploads.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetBucketLocation",
        "oss:GetBucketInfo",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Enforce HTTPS access

Allows all ECS actions only when the request is made over HTTPS. The acs:SecureTransport condition key evaluates to true only for HTTPS requests — HTTP requests are implicitly denied.

{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ],
  "Version": "1"
}

Enforce disk encryption

For organizations with compliance requirements, attach this policy to require all RAM users to encrypt every disk — data disks and system disks — when creating instances or standalone disks. The policy contains three Deny statements:

  • First statement: Denies ecs:RunInstances and ecs:CreateInstance if any data disk is unencrypted (ecs:IsDiskEncrypted matches *false*).

  • Second statement: Denies ecs:RunInstances and ecs:CreateInstance if the system disk is unencrypted (ecs:IsSystemDiskEncrypted equals false).

  • Third statement: Denies ecs:CreateDisk if the standalone disk is unencrypted.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:IsSystemDiskEncrypted": "false"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": "ecs:CreateDisk",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    }
  ]
}

Enforce CMK disk encryption

Stricter than the previous policy: requires all disks to be encrypted using customer master keys (CMKs), also known as Bring Your Own Key (BYOK). After attaching this policy, the RAM user can only select CMKs when encrypting disks.

The policy mirrors the structure of Enforce disk encryption, replacing IsDiskEncrypted / IsSystemDiskEncrypted with IsDiskByokEncrypted / IsSystemDiskByokEncrypted. Three Deny statements cover data disks and system disks on instance creation, and standalone disk creation.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskByokEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:IsSystemDiskByokEncrypted": "false"
        }
      },
      "Effect": "Deny"
    },
    {
      "Action": "ecs:CreateDisk",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ecs:IsDiskByokEncrypted": "*false*"
        }
      },
      "Effect": "Deny"
    }
  ]
}

Restrict to custom images only

Prevents the RAM user from using marketplace, public, or shared images when creating instances. The condition StringNotEquals on ecs:ImageSource denies the request unless the image source is Custom.

Replace <Region ID> with the target region ID (for example, cn-hangzhou).

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance"
            ],
            "Effect": "Deny",
            "Resource": "acs:ecs:<Region ID>:*:instance/*",
            "Condition": {
                "StringNotEquals": {
                    "ecs:ImageSource": "Custom"
                }
            }
        }
    ]
}

Prohibit root user logon

Prevents the RAM user from setting the root account as the login user during instance creation, system disk replacement, disk attachment, and Cloud Assistant command invocation. The condition ecs:LoginAsNonRoot set to false triggers the Deny — meaning any attempt to log on as root is blocked.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance",
                "ecs:CreateOrder",
                "ecs:ReplaceSystemDisk",
                "ecs:AttachDisk",
                "ecs:InvokeCommand"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ecs:LoginAsNonRoot": [
                        "false"
                    ]
                }
            },
            "Effect": "Deny"
        }
    ]
}

Prohibit password-based logon

After attaching this policy, the RAM user can only log on to ECS instances using key pairs or Session Manager — username and password logon is blocked. The policy contains two Deny statements:

  • First statement: Denies instance creation and system disk operations when a custom password is set (ecs:PasswordCustomized is true) for Linux instances. The ecs:ImagePlatform condition is set to linux, so Windows instances are unaffected. To block password logon for all platforms, remove the ecs:ImagePlatform condition.

  • Second statement: Denies ecs:ModifyInstanceAttribute, ecs:InvokeCommand, and ecs:AttachDisk when a custom password is set, regardless of platform.

Setting ecs:ImagePlatform to linux blocks password logon for Linux instances only, leaving Windows instances unaffected. Adjust or remove this condition to match your requirements.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance",
                "ecs:CreateOrder",
                "ecs:ReplaceSystemDisk"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ecs:PasswordCustomized": [
                        "true"
                    ]
                },
                "StringEquals": {
                    "ecs:ImagePlatform": "linux"
                }
            },
            "Effect": "Deny"
        },
        {
            "Action": [
                "ecs:ModifyInstanceAttribute",
                "ecs:InvokeCommand",
                "ecs:AttachDisk"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ecs:PasswordCustomized": [
                        "true"
                    ]
                }
            },
            "Effect": "Deny"
        }
    ]
}

Prohibit preset image password logon

Prevents using the password embedded in an image to log on to an instance. Applies when creating instances or replacing the system disk. After attaching this policy, users must set a new password or use a key pair — they cannot reuse the image's preset password.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance",
                "ecs:CreateOrder",
                "ecs:ReplaceSystemDisk"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ecs:PasswordInherit": [
                        "true"
                    ]
                }
            },
            "Effect": "Deny"
        }
    ]
}

Deny open security group rules

An inbound rule that allows 0.0.0.0/0 exposes ECS instances to all external IP addresses. This policy blocks two risky actions:

  • First statement: Denies creating or modifying TCP security group rules with 0.0.0.0/0 as the source CIDR. The ForAnyValue:CIDRInRange operator checks whether any of the supplied source CIDRs falls within 0.0.0.0/0. For more information about condition operators, see Policy structure and syntax.

  • Second statement: Denies instance creation when no security group is specified (ecs:NotSpecifySecureGroupId is true), preventing the instance from falling back to the default security group.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ecs:AuthorizeSecurityGroup",
        "ecs:ConfigureSecurityGroupPermissions",
        "ecs:ModifySecurityGroupRule"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "ecs:SecurityGroupIpProtocols": [
            "TCP"
          ]
        },
        "ForAnyValue:CIDRInRange": {
          "ecs:SecurityGroupSourceCidrIps": [
            "0.0.0.0/0"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:CreateInstance",
        "ecs:RunInstances"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ecs:NotSpecifySecureGroupId": [
            "true"
          ]
        }
      }
    }
  ]
}

Enforce security hardening mode for metadata

Requires all RAM users to access instance metadata only in security hardening mode. Applies to RunInstances and CreateInstance when creating instances, and to ModifyInstanceMetadataOptions when updating the metadata of existing instances. If ecs:SecurityHardeningMode is false, the request is denied.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ecs:RunInstances",
        "ecs:CreateInstance",
        "ecs:ModifyInstanceMetadataOptions"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:SecurityHardeningMode": ["false"]
        }
      }
    }
  ]
}