All Products
Search
Document Center

Elastic Compute Service:Grant encryption permissions for ECS resources

Last Updated:Jul 15, 2026

Grant ECS access to KMS keys for encrypting disks, snapshots, and images, or for sharing encrypted resources across accounts.

Encrypt ECS resources

ECS uses KMS envelope encryption for disks, snapshots, and images. Two key types are available:

Key type Managed by Permission setup required
Service key Alibaba Cloud (free) None — ECS uses it automatically
Customer master key (CMK) You Yes — grant ECS access via a RAM role

Use service keys

Alibaba Cloud creates and manages service keys free of charge. ECS uses them directly with no permission setup.

In the disk configuration section, in the Settings column, select Encryption. The system automatically uses the service key alias/acs/ecs.

Use CMKs

To use a CMK, grant ECS permission to access it. The authorization flow:

  1. Alibaba Cloud creates a system RAM role named AliyunECSDiskEncryptDefaultRole in your account with permission to access KMS resources.

  2. ECS assumes this RAM role to access your CMK in KMS.

image

Confirm the authorization:

  1. When you first select a CMK to encrypt an ECS resource (for example, when creating an encrypted disk), the If you want to select more keys, grant permissions to the RAM role message appears.

    In the disk configuration section, select the Encryption check box, select a key from the Service Key drop-down list (default: alias/acs/ecs), and then click Confirm Authorization to complete authorization.

  2. Click Confirm Authorization Policy. The system creates AliyunECSDiskEncryptDefaultRole and grants it the required permissions.

After confirmation, you can select any CMK from KMS when configuring ECS resources in the console.

Share encrypted resources across accounts

To share an encrypted image or snapshot with another account or resource directory, grant the sharee access to the sharer's KMS key. Complete these steps in the sharer's account.

Prerequisites

Ensure that you have:

  • An encrypted image or snapshot in the sharer's account

  • Permission to create and manage RAM roles in the sharer's account

Step 1: Create a RAM role

In the sharer's account, create a RAM role with the sharer's account as the trusted entity. See Create a RAM role for a trusted Alibaba Cloud account.

Use the role name that matches the resource type:

Resource type RAM role name
Encrypted snapshot AliyunECSShareEncryptSnapshotDefaultRole
Encrypted image AliyunECSShareEncryptImageDefaultRole

Step 2: Modify the trust policy

On the Trust Policy tab of the RAM role, update the policy to specify the sharee. See Modify a RAM role's trust policy.

Choose the policy for your sharing scenario:

Scenario 1: Share with other Alibaba Cloud accounts

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "<UID1>@ecs.aliyuncs.com",
          "<UID2>@ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

Replace <UID1> and <UID2> with the sharee account IDs. Add one entry per account.

Scenario 2: Share with a resource directory

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "*@ecs.aliyuncs.com"
      },
      "Condition": {
        "StringEquals": {
          "sts:ServiceOwnerRDId": "<ID of the resource directory>"
        }
      }
    }
  ],
  "Version": "1"
}

Replace <ID of the resource directory> with your resource directory ID. See View the basic information about a resource directory.

Scenario 3: Share with a specific folder in a resource directory

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "*@ecs.aliyuncs.com"
      },
      "Condition": {
        "StringLike": {
          "sts:ServiceOwnerRDPath": "<ID of the resource directory>/<Root folder ID>/.../<Current folder ID*>"
        }
      }
    }
  ],
  "Version": "1"
}

Replace <ID of the resource directory>, <Root folder ID>, and <Current folder ID> with actual values. See View the basic information of a folder.

Step 3: Attach a policy to the RAM role

The policy depends on the encryption key type:

Custom policy template:

{
  "Version": "1",
  "Statement": [
    {
      "Action": "kms:List*",
      "Resource": "acs:kms:<region-id>:<account-id>:key",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:DescribeKey",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "acs:kms:<region-id>:<account-id>:key/<cmk-id>",
      "Effect": "Allow"
    }
  ]
}

Replace the placeholders:

Placeholder Description
<region-id> The region where the CMK resides
<account-id> The Alibaba Cloud account that owns the CMK
<cmk-id> The CMK used to encrypt the ECS resource

Step 4: Share the resource

Share the encrypted resource with the sharee: