Resource Access Management: Allow managing a specific ECS instance

Last Updated: Jun 16, 2026

Use a RAM policy to grant a user full management permissions on a single ECS instance while limiting all other instances to read-only access.

Scenario

You want to delegate the administration of a specific ECS instance (i-001) to a RAM user. To manage the instance effectively through the console, the user must be able to list and view all instances to find the one they are assigned to. However, they should only have permission to perform actions (like start, stop, or reboot) on the specified instance.

Policy example

The following policy achieves this by using two separate statements.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": "acs:ecs:*:*:instance/i-001"
        },
        {
            "Effect": "Allow",
            "Action": "ecs:Describe*",
            "Resource": "*"
        }
    ]
}

How this policy works

The policy uses two statements that work together:

Statement 1: Allows full management of the specific instance

"Action": "ecs:*" combined with "Resource": "acs:ecs:*:*:instance/i-001" grants permission to perform all ECS actions (such as ecs:StartInstance and ecs:StopInstance) on only the instance with the ID i-001.

Statement 2: Allows read-only access to all instances

"Action": "ecs:Describe*" combined with "Resource": "*" grants permission for all read-only actions that start with "Describe" (such as ecs:DescribeInstances and ecs:DescribeInstanceAttribute) on all resources, so the user can view every instance, not only i-001.

Note

Without this statement, the RAM user cannot see any instances in the console, making it impossible to locate and manage the assigned instance.
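
The combined effect of the two statements can be checked against sample requests with a small evaluator. This is an added example, not Alibaba Cloud's code or the RAM evaluation engine: it models only Effect, Action and Resource, assumes "*" is the only wildcard, and uses a constructed region, account ID and extra instance IDs.

```python
import json
import re

# The policy from this page, unchanged.
POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "ecs:*",
   "Resource": "acs:ecs:*:*:instance/i-001"},
  {"Effect": "Allow", "Action": "ecs:Describe*", "Resource": "*"}
]}
""")


def matches(pattern, value):
    # Assumption: "*" is the only wildcard; it matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def as_list(item):
    return item if isinstance(item, list) else [item]


def evaluate(policy, action, resource):
    """Return "Deny" (explicit), "Allow", or "ImplicitDeny" (no match)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if (any(matches(p, action) for p in as_list(stmt["Action"]))
                and any(matches(p, resource) for p in as_list(stmt["Resource"]))):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            decision = "Allow"
    return decision


def arn(instance_id):
    # Constructed region and account ID, for illustration only.
    return f"acs:ecs:cn-hangzhou:1234567890123456:instance/{instance_id}"


# Constructed requests: (action, resource ARN).
REQUESTS = [
    ("ecs:StartInstance", arn("i-001")),      # managed instance
    ("ecs:DeleteInstance", arn("i-001")),     # "ecs:*" includes destructive calls
    ("ecs:StopInstance", arn("i-002")),       # other instance, write action
    ("ecs:DescribeInstances", arn("i-002")),  # other instance, read action
    ("ecs:RebootInstance", arn("i-0011")),    # similar ID is not a match
]

if __name__ == "__main__":
    for action, resource in REQUESTS:
        print(f"{evaluate(POLICY, action, resource):<13} {action:<22} {resource}")
```

Running the same requests after editing POLICY shows whether a change widens or narrows what the RAM user can do before the policy is attached.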