Resource Access Management:Manage permissions for ECS

Last Updated:Mar 31, 2026

You can use Resource Access Management (RAM) to control access to your Elastic Compute Service (ECS) resources. This topic describes how to create custom RAM policies to grant fine-grained permissions to users for accessing ECS resources.

Background information

RAM provides the following system policies for ECS:

  • AliyunECSFullAccess: Grants permissions to perform all actions on all ECS resources.

  • AliyunECSReadOnlyAccess: Grants read-only permissions for all ECS resources.

If these system policies do not meet your requirements, you can create custom policies. Custom policies allow you to grant permissions based on the principle of least privilege, which helps you implement fine-grained access control and improve resource security. For more information, see RAM authorization.

Procedure

  1. Create a RAM user.

  2. Create a custom policy.

    For examples, see the "Policy examples" section in this topic.

  3. Attach the custom policy to the RAM user.

    When you attach the policy, specify one of the following authorization scopes:

    • Account: The permissions apply to all resources within your Alibaba Cloud account.

    • Resource Group: The permissions apply only to the resources within a specified resource group.

Policy examples

  • Example 1: Grant permissions to manage specific ECS instances

    The following example policy grants a RAM user permissions to manage two specific ECS instances, i-001 and i-002.

    {
      "Statement": [
        {
          "Action": "ecs:*",
          "Effect": "Allow",
          "Resource": [
            "acs:ecs:*:*:instance/i-001",
            "acs:ecs:*:*:instance/i-002"
          ]
        },
        {
          "Action": "ecs:Describe*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

    Note
    • With this policy, the user can list all ECS instances in the account but can perform management actions only on the two specified instances. The ecs:Describe* statement with "Resource": "*" grants this broad visibility: it also lets the user read the metadata of every other ECS resource in the account, such as disks, snapshots, and security groups. To restrict the user to seeing and managing only the specified instances, add the instances to a resource group and grant permissions on that resource group instead. For more information, see Use a resource group to manage an ECS instance.

    • The ecs:Describe* action is required for the user to view instances in the ECS console. Without it, the user can still manage the specified instances by using the API, CLI, or an SDK, but the console will not display any instance information.

  • Example 2: Grant read-only permissions for instances in a specific region

    The following example policy grants a user permissions to view all ECS instances in the China (Qingdao) region (cn-qingdao). The policy restricts access to instance resources only; the user cannot view other resources like disks or snapshots.

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ecs:Describe*",
          "Resource": "acs:ecs:cn-qingdao:*:instance/*"
        }
      ],
      "Version": "1"
    }
    Note

    To apply this policy to a different region, replace cn-qingdao in the Resource element with the ID of the desired region. For more information about region IDs, see Regions and zones.

  • Example 3: Grant permissions to create snapshots

    To allow a user to create a snapshot of a disk, you must grant permissions for both the disk and snapshot resources. Granting permissions only on the parent ECS instance is not sufficient. The following example policy grants a user full access to instance i-001 and allows them to create snapshots for a specific disk, d-001.

    {
      "Statement": [
        {
          "Action": "ecs:*",
          "Effect": "Allow",
          "Resource": [
            "acs:ecs:*:*:instance/i-001"
          ]
        },
        {
          "Action": "ecs:CreateSnapshot",
          "Effect": "Allow",
          "Resource": [
            "acs:ecs:*:*:disk/d-001",
            "acs:ecs:*:*:snapshot/*"
          ]
        },
        {
          "Action": [
            "ecs:Describe*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
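
    The following Python script is an added example; it is not code from this documentation or from the RAM service. It loads the three policy documents shown above and evaluates sample requests against them offline, using a simplified model of RAM evaluation (an explicit Deny wins, any matching Allow grants, otherwise the request is implicitly denied; Condition elements are not modelled). The account ID 1234567890, the cn-hangzhou region, and the disk and snapshot IDs in the sample requests are placeholders. The script shows why Example 3 fails when only the instance is granted, why Example 2 does not expose disks or other regions, and flags the broad ecs:Describe* on "*" described in the note under Example 1.

```python
"""Offline evaluator and lint for the RAM policy examples on this page (added example)."""
import re

# Policy documents as Python dicts, copied from Example 1, 2 and 3 above.
POLICY_MANAGE_TWO_INSTANCES = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*",
         "Resource": ["acs:ecs:*:*:instance/i-001", "acs:ecs:*:*:instance/i-002"]},
        {"Effect": "Allow", "Action": "ecs:Describe*", "Resource": "*"},
    ],
}
POLICY_READONLY_QINGDAO = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:Describe*",
         "Resource": "acs:ecs:cn-qingdao:*:instance/*"},
    ],
}
POLICY_SNAPSHOT = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": ["acs:ecs:*:*:instance/i-001"]},
        {"Effect": "Allow", "Action": "ecs:CreateSnapshot",
         "Resource": ["acs:ecs:*:*:disk/d-001", "acs:ecs:*:*:snapshot/*"]},
        {"Effect": "Allow", "Action": ["ecs:Describe*"], "Resource": "*"},
    ],
}
# Example 3 with only its first statement, constructed here to show the failure mode
# of granting the instance but forgetting the disk and snapshot resources.
POLICY_INSTANCE_ONLY = {"Version": "1", "Statement": [POLICY_SNAPSHOT["Statement"][0]]}


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _glob(pattern):
    """'*' is the only wildcard in a RAM policy element; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def _matches(patterns, value):
    return any(_glob(p).match(value) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Decide one (action, resource) request against one policy document.
    Assumed order: an explicit Deny wins, any matching Allow grants, otherwise
    the result is the implicit Deny. Condition elements are not modelled."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def evaluate_all(policy, action, resources):
    """Some calls are authorized against several resources at once; CreateSnapshot needs
    both the source disk and the snapshot. Allow only if every resource is allowed."""
    return "Allow" if all(evaluate(policy, action, r) == "Allow" for r in resources) else "Deny"


def broad_grants(policy):
    """Lint: Allow statements that pair a wildcard action with Resource '*'."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                if "*" in action and resource == "*":
                    findings.append((action, resource))
    return findings


if __name__ == "__main__":
    acct = "1234567890"  # placeholder account ID
    inst = f"acs:ecs:cn-hangzhou:{acct}:instance/"
    disk = f"acs:ecs:cn-hangzhou:{acct}:disk/d-001"
    snap = f"acs:ecs:cn-hangzhou:{acct}:snapshot/s-new"
    print(evaluate(POLICY_MANAGE_TWO_INSTANCES, "ecs:StopInstance", inst + "i-001"))  # Allow
    print(evaluate(POLICY_MANAGE_TWO_INSTANCES, "ecs:StopInstance", inst + "i-003"))  # Deny
    print(evaluate_all(POLICY_INSTANCE_ONLY, "ecs:CreateSnapshot", [disk, snap]))    # Deny
    print(evaluate_all(POLICY_SNAPSHOT, "ecs:CreateSnapshot", [disk, snap]))         # Allow
    print(broad_grants(POLICY_MANAGE_TWO_INSTANCES))  # [('ecs:Describe*', '*')]
```

    Run the script, or import it and call evaluate, evaluate_all and broad_grants with your own policy document before attaching it to a RAM user: a policy that passes the lint with no findings and denies the requests you expect to deny is a reasonable first check, but the real authorization decision is made by RAM, which also evaluates Condition elements and resource-group scope that this model leaves out.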