All Products
Search
Document Center

Elastic Compute Service:Use resource groups for horizontal permission management

Last Updated:May 15, 2026

Group ECS instances and related resources by department to isolate access between teams.

Security risks

By default, a RAM user granted ECS management permissions such as AliyunECSFullAccess can operate on all ECS instances and related resources in the account. This flat authorization poses security risks as teams grow:

  • Permission abuse and operational errors: An administrator from Department A can view, modify, or delete production servers belonging to Department B—whether intentionally or by accident.

  • Violation of least privilege: The RAM user holds permissions far exceeding job requirements, violating the principle of least privilege—a core tenet of defense in depth that limits every user, program, or process to the minimum access needed.

  • Audit and compliance challenges: When all operations are mixed together, tracking which department changed which resource becomes difficult, making compliance harder to achieve.

Best practices

Use resource groups and identity-based RAM policies to build logical management borders within your Alibaba Cloud account. The following scenario uses two departments, DepartmentA and DepartmentB, to demonstrate horizontal permission isolation.

Scenario: Create separate ECS administrators for Department A and Department B, each restricted to their own department's resources.

  1. Create resource groups

    1. Log on with an Alibaba Cloud account or a RAM identity that has resource group management permissions.

    2. Go to the Resource Group console. Click Create Resource Group, fill in the required information, and click OK.

      • Resource Group Identifier: Enter DepartmentA.

      • Resource Group Name: Enter Department A Resource Group.

    3. Repeat to create a resource group with ID DepartmentB.

  2. Create RAM users

    1. Go to the RAM console. In the left-side navigation pane, choose Identities > User.

    2. Click Create User and fill in the information as prompted.

      1. Logon Name/Display Name: Enter AdminA.

      2. Access Mode: Select Console Access and configure the password policy.

    3. Click OK and complete security authentication.

    4. Repeat to create user AdminB.

  3. Grant permissions to resource groups

    1. Return to the Resource Group console.

    2. Find the DepartmentA resource group and click Manage Permission in the Actions column.

    3. Click Grant Permission.

      1. Resource Scope: Defaults to the current resource group, DepartmentA.

      2. Principal: Select RAM User and select AdminA.

      3. Policy: Search for ecs. Select AliyunECSFullAccess and AliyunBSSFullAccess.

      4. Click OK.

    4. Repeat to grant permissions to AdminB for the DepartmentB resource group.

  4. Verify the isolation

    • Log out. Then log on to the Alibaba Cloud console as AdminA and AdminB separately.

    • After you log on as AdminA: Create a custom instance. For resource group, select Department A Resource Group.

      Go to the ECS console - Instances page. Only ECS instances in the DepartmentA resource group are visible.

    • After you log on as AdminB: You see similar but completely isolated behavior. All operations are restricted to the DepartmentB resource group.