
Elastic Compute Service:Manage resource permissions with tags

Last Updated: Apr 27, 2026

Tag ECS resources and use RAM policies to enforce fine-grained, category-based access control.

Why use tag-based permissions

Unlike resource groups, tags allow multiple labels per resource, so you can classify by region, department, environment, or any other dimension.

Tag-based RAM policies offer three advantages:

  • Fine-grained control: Scope permissions to a subset of resources without broadening role assignments.

  • Fewer policies to maintain: A single tag-conditioned policy covers an entire resource class, reducing policy count as infrastructure grows.

  • Business-meaningful attributes: Tag keys and values mirror your naming conventions—project names, cost centers, deployment stages—making policies easier to audit.

Best practices

Tag ECS instances that share a business function, then reference the tag in a RAM policy condition to enforce access rules.

The following example prevents database-tagged ECS instances from being assigned public IP addresses.

Step 1: Tag the instances

Add a tag to the ECS instances. See Tags overview.

In this example, the tag is function:database.

Step 2: Create a RAM policy with a tag condition

Create the following RAM policy and attach it to the target RAM users or roles.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ecs:ModifyInstanceNetworkSpec"
      ],
      "Resource": "acs:ecs:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/function:database": ["*"]
        },
        "Bool": {
          "ecs:AssociatePublicIpAddress": ["true"]
        }
      }
    }
  ]
}

Key policy elements:

  • Effect: Deny. Blocks the action when all conditions are met.

  • Action: ecs:ModifyInstanceNetworkSpec. Targets the instance network configuration operation.

  • Resource: acs:ecs:*:*:instance/*. Applies to all ECS instances across all regions and accounts.

  • Condition key acs:ResourceTag/function:database, value ["*"]. Matches instances that carry the function:database tag.

  • Condition key ecs:AssociatePublicIpAddress, value ["true"]. Matches requests that assign a public IP address.

Result

Once active, any ModifyInstanceNetworkSpec request that assigns a public IP address to an instance tagged function:database is denied. Because the statement is an explicit Deny, it takes precedence over any Allow the same RAM user or role holds for this action. Requests against untagged instances, and requests that do not assign a public IP address, are not affected.
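To make the evaluation concrete, the following added example (not code from this page or from Alibaba Cloud) is a simplified model of how the Deny statement above combines with an existing Allow. It assumes a constructed broad Allow grant, a constructed instance ARN, and that an instance carrying the function:database tag exposes the page's condition key acs:ResourceTag/function:database in the request context; the real RAM engine is not reproduced.

```python
import fnmatch
# The page's Deny statement as a Python dict (same keys and values as its JSON), plus a
# constructed broad Allow standing in for whatever grant a RAM user or role already holds.
PAGE_DENY = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["ecs:ModifyInstanceNetworkSpec"],
    "Resource": "acs:ecs:*:*:instance/*",
    "Condition": {"StringEquals": {"acs:ResourceTag/function:database": ["*"]},
                  "Bool": {"ecs:AssociatePublicIpAddress": ["true"]}}}]}
BROAD_ALLOW = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]}
INSTANCE = "acs:ecs:cn-hangzhou:123456789012:instance/i-constructed"  # constructed instance ARN

def _matches_any(value, patterns):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, str(p)) for p in patterns)

def condition_holds(condition, ctx):
    # ctx maps condition-key names to request/resource values; an absent key never satisfies
    # a condition. Model assumption: "*" in a StringEquals list matches any present value (how
    # the page reads its tag condition). Only the page's two operators are modelled.
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            if key not in ctx:
                return False
            actual = str(ctx[key])
            if operator not in ("StringEquals", "Bool"):
                raise ValueError(f"operator not modelled: {operator}")
            if operator == "StringEquals" and not _matches_any(actual, wanted):
                return False
            if operator == "Bool" and actual.lower() not in {str(w).lower() for w in wanted}:
                return False
    return True

def evaluate(policies, action, resource, ctx):
    # Explicit Deny beats any Allow; with no matching Allow the result is Deny.
    decision = "Deny"
    for stmt in (s for p in policies for s in p["Statement"]):
        if not (_matches_any(action, stmt["Action"]) and _matches_any(resource, stmt["Resource"])
                and condition_holds(stmt.get("Condition", {}), ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def decide_public_ip_change(tagged, associate_public_ip):
    # Assumption: an instance carrying function:database exposes the page's condition key in ctx.
    ctx = {"ecs:AssociatePublicIpAddress": str(associate_public_ip).lower()}
    if tagged:
        ctx["acs:ResourceTag/function:database"] = "database"
    return evaluate([BROAD_ALLOW, PAGE_DENY], "ecs:ModifyInstanceNetworkSpec", INSTANCE, ctx)
```

Running decide_public_ip_change for a tagged instance with a public IP request returns "Deny", while the same request against an untagged instance, or a tagged instance without a public IP assignment, returns "Allow" through the broad grant.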