Resource Access Management: Policy structure and syntax

Last Updated: Mar 20, 2026

A Resource Access Management (RAM) policy is a JSON document that defines permissions. This topic explains the structure of a policy and the syntax for its elements.

Policy structure

A RAM policy consists of the following top-level elements:

  • Version: The version of the policy language. The current and only valid value is "1".

  • Statement: A list containing one or more individual permission statements.

    Each Statement object must include the following elements:

    • Effect: Specifies whether the statement results in an Allow or Deny.

    • Action: The list of API operations that the statement applies to.

    • Resource: The list of resources that the statement applies to.

    • Condition: (Optional) The conditions under which the statement is in effect.

The following example shows the basic structure of a policy with a single statement:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "service:ActionName",
            "Resource": "resource_arn",
            "Condition": {
                "Operator": {
                    "ConditionKey": "ConditionValue"
                }
            }
        }
    ]
}

General syntax rules

  • JSON format: Policies must be valid JSON documents. Element names (like Effect), operators, and predefined values are case-sensitive and must be enclosed in double quotation marks (" ").

  • Multiple values: Elements that can have multiple values, such as Action and Resource, can be specified as either a single string or an array of strings. Both formats below are valid:

    "Action": "ecs:DescribeInstances"
    
    "Action": [
        "ecs:DescribeInstances",
        "ecs:StopInstance"
    ]

  • Wildcards: You can use wildcards in string values for elements like Action and Resource.

    • An asterisk (*) matches zero or more characters. For example, ecs:Describe* matches all ECS actions that begin with "Describe".

    • A question mark (?) matches any single character.

Formal syntax definition

The following Backus-Naur Form (BNF) style grammar provides a formal definition of the policy language.

policy  = {
     <version_block>,
     <statement_block>
}
<version_block> = "Version" : ("1")
<statement_block> = "Statement" : [ <statement>, <statement>, ... ]
<statement> = { 
    <effect_block>,
    <action_block>,
    <resource_block>,
    <condition_block?>
}
<effect_block> = "Effect" : ("Allow" | "Deny")  
<action_block> = "Action" | "NotAction" : 
    ("*" | <action_string> | [<action_string>, <action_string>, ...])
<resource_block> = "Resource" : 
    ("*" | <resource_string> | [<resource_string>, <resource_string>, ...])
<condition_block> = "Condition" : <condition_map>
<condition_map> = {
  <condition_type_string> : { 
      <condition_key_string> : <condition_value_list>,
      <condition_key_string> : <condition_value_list>,
      ...
  },
  <condition_type_string> : {
      <condition_key_string> : <condition_value_list>,
      <condition_key_string> : <condition_value_list>,
      ...
  }, ...
}  
<condition_value_list> = (<condition_value> | [<condition_value>, <condition_value>, ...])
<condition_value> = ("String" | "Number" | "Boolean" | "Date and time" | "IP address")
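The following Python linter is an added example, not part of the original documentation or of any RAM tooling: it checks a policy against the structural rules and grammar above and implements the two wildcards as described. Assumptions: the function names are hypothetical, wildcard comparison is treated as case-sensitive, a statement is expected to carry exactly one of Action or NotAction, Condition is not validated, and the final check for Allow on "*" actions and "*" resources is a review aid rather than a syntax rule.

```python
import json
import re

def as_list(value):
    """Normalize the 'single string or array of strings' forms to a list."""
    return value if isinstance(value, list) else [value]

def wildcard_match(pattern, text):
    """'*' = zero or more characters, '?' = exactly one. Case-sensitive
    comparison is an assumption of this example."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text, re.DOTALL) is not None

def lint_policy(document):
    """Return a list of findings for a policy supplied as a JSON string."""
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"]
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be the string "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a list with at least one statement"]
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            findings.append(f"Statement[{i}]: must be a JSON object")
            continue
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"Statement[{i}]: Effect must be Allow or Deny")
        if ("Action" in stmt) == ("NotAction" in stmt):
            findings.append(f"Statement[{i}]: needs exactly one of Action, NotAction")
        if "Resource" not in stmt:
            findings.append(f"Statement[{i}]: Resource is missing")
        # Review aid, not a syntax rule: Allow on every action of every resource.
        if (stmt.get("Effect") == "Allow" and "*" in as_list(stmt.get("Action", []))
                and "*" in as_list(stmt.get("Resource", []))):
            findings.append(f"Statement[{i}]: Allow on all actions and all resources")
    return findings

# Constructed sample policies (not taken from a real account).
GOOD = '{"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["ecs:Describe*"], "Resource": "*"}]}'
BROAD = '{"Version": "1", "Statement": [{"Effect": "allow", "Action": "*", "Resource": "*"}, {"Effect": "Allow", "Action": "*", "Resource": "*"}]}'

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BROAD", BROAD)):
        print(name, lint_policy(doc))
```

In BROAD, the first statement is reported for the lowercase "allow" because predefined values are case-sensitive, and the second for granting every action on every resource.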