All Products
Search

This Product

    Cloud Monitor:RAM authorization

    Document Center

    Cloud Monitor:RAM authorization

    更新时间:Dec 18, 2025

    Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by Cloud Monitor for RAM permission policies. The RAM code (RamCode) for Cloud Monitor is cms,log,arms , and the supported authorization granularity is RESOURCE .

    General structure of a policy

    Permission policies support JSON format with the following general structure:

    {
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

    The following list describes the fields in the policy:

    • Version: Specifies the policy version number. It is fixed at 1.

    • Statement:

      • Effect: Specifies the authorization result. Valid values: Allow and Deny.

      • Action: Specifies one or more operations that are allowed or denied.

      • Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.

      • Condition: Specifies the conditions for the authorization to take effect. This field is optional.

        • Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.

        • Condition_key: Specifies the condition keys.

        • Condition_value: Specifies the condition values.

    Action

    The following table lists the actions defined by Cloud Monitor. The table's columns are detailed below:

    • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

    • API: The API that you can call to perform the action.

    • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

    • Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

      • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.

      • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

    • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.

    • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

    Action

    API

    Access level

    Resource type

    Condition key

    Dependent action
    cms:DescribeEventRuleAttribute DescribeEventRuleAttribute get

    *All Resource

    *

    		 None None
    cms:DescribeMetricRuleList DescribeMetricRuleList get

    *All Resource

    *

    		 None None
    cms:DescribeCustomMetricDataPoint DescribeHybridMonitorDataList list

    *All Resource

    *

    		 None None
    cms:EnableActiveMetricRule EnableActiveMetricRule update

    *All Resource

    *

    		 None None
    cms:DescribeSiteMonitorData DescribeSiteMonitorData get

    *All Resource

    *

    		 None None
    cms:CreateSiteMonitor CreateSiteMonitor create

    *All Resource

    *

    		 None None
    cms:PutCustomMetric PutCustomMetric create

    *All Resource

    *

    		 None None
    cms:DeleteHostAvailability DeleteHostAvailability delete

    *HostAvailability

    acs:cms::{#accountId}:group/{#groupId}

    		 None None
    cms:PutGroupMetricRule PutGroupMetricRule create

    *GroupMetricRule

    acs:cms::{#accountId}:group/{#groupId}

    		 None None
    cms:DescribeMonitorGroups DescribeMonitorGroups get

    *All Resource

    *

    		 None None
    cms:CreateMonitorGroupNotifyPolicy CreateMonitorGroupNotifyPolicy create

    *All Resource

    *

    		 None None
    cms:CreateGroupMonitoringAgentProcess CreateGroupMonitoringAgentProcess create

    *GroupMonitoringAgentProcess

    acs:cms::{#accountId}:group/{#groupId}

    		 None None
    cms:PutExporterRule PutExporterRule create

    *All Resource

    *

    		 None None
    cms:DeleteDynamicTagGroup DeleteDynamicTagGroup delete

    *All Resource

    *

    		 None None
    cms:ModifyHybridMonitorTask ModifyHybridMonitorTask update

    *All Resource

    *

    		 None None
    cms:DeleteMetricRuleTemplate DeleteMetricRuleTemplate delete

    *All Resource

    *

    		 None None
    cms:DeleteMonitorGroupDynamicRule DeleteMonitorGroupDynamicRule delete

    *All Resource

    *

    		 None None
    cms:DeleteEventRules DeleteEventRules delete

    *All Resource

    *

    		 None None
    cms:CreateMetricRuleBlackList CreateMetricRuleBlackList create

    *All Resource

    *

    		 None None
    cms:EnableMetricRules EnableMetricRules update

    *All Resource

    *

    		 None None
    cms:DescribeCustomEventHistogram DescribeCustomEventHistogram get

    *All Resource

    *

    		 None None
    cms:DeleteMonitorGroup DeleteMonitorGroup delete

    *All Resource

    *

    		 None None
    cms:CreateInstantSiteMonitor CreateInstantSiteMonitor create

    *All Resource

    *

    		 None None
    cms:ModifyMetricRuleTemplate ModifyMetricRuleTemplate update

    *All Resource

    *

    		 None None
    cms:QueryMetricTop DescribeMetricTop get

    *All Resource

    *

    		 None None
    cms:DescribeAlertLogHistogram DescribeAlertLogHistogram get

    *All Resource

    *

    		 None None
    cms:CreateMonitorGroupInstances CreateMonitorGroupInstances create

    *All Resource

    *

    		 None None
    cms:RemoveTags RemoveTags delete

    *All Resource

    *

    		 None None
    cms:DescribeEventRuleList DescribeEventRuleList get

    *All Resource

    *

    		 None None
    cms:DescribeSyntheticProbeList DescribeSyntheticProbeList none

    *All Resource

    *

    		 None None
    cms:DescribeMonitorGroupNotifyPolicyList DescribeMonitorGroupNotifyPolicyList get

    *All Resource

    *

    		 None None
    cms:PutEventRuleTargets PutEventRuleTargets create

    *All Resource

    *

    		 None None
    cms:CreateMonitorGroup CreateMonitorGroup create

    *All Resource

    *

    		 None None
    cms:DisableSiteMonitors DisableSiteMonitors update

    *All Resource

    *

    		 None None
    cms:DeleteMonitoringAgentProcess DeleteMonitoringAgentProcess delete

    *All Resource

    *

    		 None None
    cms:DescribeMonitoringAgentStatuses DescribeMonitoringAgentStatuses get

    *All Resource

    *

    		 None None
    cms:CreateHostAvailability CreateHostAvailability create

    *HostAvailability

    acs:cms::{#accountId}:group/{#groupId}

    		 None None
    cms:CreateMetricRuleResources CreateMetricRuleResources create

    *All Resource

    *

    		 None None
    cms:DescribeCustomEventCount DescribeCustomEventCount get

    *All Resource

    *

    		 None None
    cms:PutCustomEvent PutCustomEvent create

    *All Resource

    *

    		 None None
    cms:DescribeHybridMonitorSLSGroup DescribeHybridMonitorSLSGroup get

    *All Resource

    *

    		 None None
    cms:DeleteMonitorGroupNotifyPolicy DeleteMonitorGroupNotifyPolicy delete

    *All Resource

    *

    		 None None
    cms:DisableActiveMetricRule DisableActiveMetricRule update

    *All Resource

    *

    		 None None
    cms:CreateHybridMonitorTask CreateHybridMonitorTask create

    *All Resource

    *

    		 None None
    cms:DeleteMetricRules DeleteMetricRules delete

    *All Resource

    *

    		 None None
    cms:DescribeAlertLogCount DescribeAlertLogCount get

    *All Resource

    *

    		 None None
    cms:DescribeMonitorResourceQuotaAttribute DescribeMonitorResourceQuotaAttribute get

    *All Resource

    *

    		 None None
    cms:BatchCreateInstantSiteMonitor BatchCreateInstantSiteMonitor create

    *All Resource

    *

    		 None None
    cms:CreateHybridMonitorSLSGroup CreateHybridMonitorSLSGroup create

    *All Resource

    *

    		 None None
    cms:DescribeAlertingMetricRuleResources DescribeAlertingMetricRuleResources get

    *All Resource

    *

    		 None None
    cms:DescribeProductsOfActiveMetricRule DescribeProductsOfActiveMetricRule get

    *All Resource

    *

    		 None None
    cms:DescribeTagKeyList DescribeTagKeyList get

    *All Resource

    *

    		 None None
    cms:DescribeExporterRuleList DescribeExporterRuleList get

    *All Resource

    *

    		 None None
    cms:UninstallMonitoringAgent UninstallMonitoringAgent delete

    *All Resource

    *

    		 None None
    cms:DescribeSiteMonitorStatistics DescribeSiteMonitorStatistics get

    *All Resource

    *

    		 None None
    cms:DescribeSystemEventCount DescribeSystemEventCount get

    *All Resource

    *

    		 None None
    cms:CreateDynamicTagGroup CreateDynamicTagGroup create

    *All Resource

    *

    		 None None
    cms:DeleteHybridMonitorTask DeleteHybridMonitorTask delete

    *All Resource

    *

    		 None None
    cms:EnableHostAvailability EnableHostAvailability update

    *All Resource

    *

    		 None None
    cms:PutCustomEventRule PutCustomEventRule create

    *All Resource

    *

    		 None None
    cms:PutExporterOutput PutExporterOutput create

    *All Resource

    *

    		 None None
    cms:BatchExport BatchExport list

    *All Resource

    *

    		 None None
    cms:DescribeMetricRuleTemplateAttribute DescribeMetricRuleTemplateAttribute get

    *All Resource

    *

    		 None None
    cms:DescribeMetricRuleTemplateList DescribeMetricRuleTemplateList get

    *All Resource

    *

    		 None None
    cms:DescribeMonitoringAgentAccessKey DescribeMonitoringAgentAccessKey get

    *All Resource

    *

    		 None None
    cms:QueryMetricLast DescribeMetricLast get

    *All Resource

    *

    		 None None
    cms:DescribeTagValueList DescribeTagValueList get

    *All Resource

    *

    		 None None
    cms:DeleteGroupMonitoringAgentProcess DeleteGroupMonitoringAgentProcess delete

    *All Resource

    *

    		 None None
    cms:DescribeMetricRuleBlackList DescribeMetricRuleBlackList list

    *All Resource

    *

    		 None None
    cms:DescribeExporterOutputList DescribeExporterOutputList get

    *All Resource

    *

    		 None None
    cms:ModifyMonitorGroup ModifyMonitorGroup update

    *MonitorGroup

    acs:cms::{#accountId}:group/{#groupId}

    		 None None
    cms:DescribeMonitorGroupDynamicRules DescribeMonitorGroupDynamicRules get

    *All Resource

    *

    		 None None
    cms:DescribeMonitoringAgentProcesses DescribeMonitoringAgentProcesses get

    *All Resource

    *

    		 None None
    cms:QueryMetricList DescribeMetricList get

    *All Resource

    *

    		 None None
    cms:DeleteExporterOutput DeleteExporterOutput delete

    *All Resource

    *

    		 None None
    cms:DescribeSiteMonitorQuota DescribeSiteMonitorQuota get

    *All Resource

    *

    		 None None
    cms:DeleteMetricRuleBlackList DeleteMetricRuleBlackList delete

    *All Resource

    *

    		 None None
    cms:DescribeAlertLogList DescribeAlertLogList get

    *All Resource

    *

    		 None None
    cms:DeleteSiteMonitors DeleteSiteMonitors delete

    *All Resource

    *

    		 None None
    cms:PutMetricRuleTargets PutMetricRuleTargets create

    *All Resource

    *

    		 None None
    cms:ModifyHostInfo ModifyHostInfo update

    *All Resource

    *

    		 None None
    cms:DescribeContactList DescribeContactList get

    *All Resource

    *

    		 None None
    cms:EnableMetricRuleBlackList EnableMetricRuleBlackList update

    *All Resource

    *

    		 None None
    cms:UpdateCustomNamespace ModifyHybridMonitorNamespace update

    *All Resource

    *

    		 None None
    cms:DescribeSiteMonitorISPCityList DescribeSiteMonitorISPCityList get

    *All Resource

    *

    		 None None
    cms:DeleteCustomNamespace DeleteHybridMonitorNamespace delete

    *All Resource

    *

    		 None None
    cms:DeleteHybridMonitorSLSGroup DeleteHybridMonitorSLSGroup delete

    *All Resource

    *

    		 None None
    cms:InstallMonitoringAgent InstallMonitoringAgent create

    *All Resource

    *

    		 None None
    cms:DescribeEventRuleTargetList DescribeEventRuleTargetList get

    *All Resource

    *

    		 None None
    cms:DescribeMonitorGroupInstances DescribeMonitorGroupInstances get

    *All Resource

    *

    		 None None
    cms:ModifyMetricRuleBlackList ModifyMetricRuleBlackList update

    *All Resource

    *

    		 None None
    cms:DescribeMonitoringAgentHosts DescribeMonitoringAgentHosts get

    *All Resource

    *

    		 None None
    cms:DeleteMetricRuleTargets DeleteMetricRuleTargets delete

    *All Resource

    *

    		 None None
    cms:CreateMonitorGroupByResourceGroupId CreateMonitorGroupByResourceGroupId create

    *All Resource

    *

    		 None None
    cms:DisableMetricRules DisableMetricRules update

    *All Resource

    *

    		 None None
    cms:DeleteContactGroup DeleteContactGroup delete

    *All Resource

    *

    		 None None
    cms:SendDryRunSystemEvent SendDryRunSystemEvent none

    *All Resource

    *

    		 None None
    cms:DeleteCustomMetric DeleteCustomMetric delete

    *All Resource

    *

    		 None None
    cms:DisableHostAvailability DisableHostAvailability update

    *HostAvailability

    acs:cms::{#accountId}:group/{#groupId}

    		 None None
    cms:DescribeGroupMonitoringAgentProcess DescribeGroupMonitoringAgentProcess get

    *All Resource

    *

    		 None None
    cms:Cursor Cursor list

    *All Resource

    *

    		 None None
    cms:DescribeMetricRuleCount DescribeMetricRuleCount get

    *All Resource

    *

    		 None None
    cms:ModifyGroupMonitoringAgentProcess ModifyGroupMonitoringAgentProcess update

    *MonitoringAgentProcess

    acs:cms::{#accountId}:group/{#groupId}

    		 None None
    cms:DescribeCustomEventAttribute DescribeCustomEventAttribute get

    *All Resource

    *

    		 None None
    cms:DescribeLogMonitorList DescribeLogMonitorList get

    *All Resource

    *

    		 None None
    cms:DescribeMonitorGroupCategories DescribeMonitorGroupCategories get

    *MonitorGroup

    acs:cms::{#accountId}:group/{#groupId}

    		 None None
    cms:AddTags AddTags create

    *All Resource

    *

    		 None None
    cms:DescribeContactListByContactGroup DescribeContactListByContactGroup get

    *All Resource

    *

    		 None None
    cms:DescribeMetricRuleTargets DescribeMetricRuleTargets list

    *All Resource

    *

    		 None None
    cms:DeleteContact DeleteContact delete

    *All Resource

    *

    		 None None
    cms:DisableEventRules DisableEventRules update

    *All Resource

    *

    		 None None
    cms:DescribeDynamicTagRuleList DescribeDynamicTagRuleList get

    *All Resource

    *

    		 None None
    cms:CreateMonitoringAgentProcess CreateMonitoringAgentProcess create

    *All Resource

    *

    		 None None
    cms:DescribeCustomNamespace DescribeHybridMonitorNamespaceList get

    *All Resource

    *

    		 None None
    cms:DescribeActiveMetricRuleList DescribeActiveMetricRuleList get

    *All Resource

    *

    		 None None
    cms:DescribeAlertHistoryList DescribeAlertHistoryList get

    *All Resource

    *

    		 None None
    cms:DescribeSystemEventHistogram DescribeSystemEventHistogram get

    *All Resource

    *

    		 None None
    cms:CreateGroupMetricRules CreateGroupMetricRules create

    *GroupMetricRule

    acs:cms::{#accountId}:group/{#groupId}

    		 None None
    cms:DescribeMonitoringAgentConfig DescribeMonitoringAgentConfig get

    *All Resource

    *

    		 None None
    cms:DescribeSiteMonitorList DescribeSiteMonitorList get

    *All Resource

    *

    		 None None
    cms:PutContact PutContact create

    *All Resource

    *

    		 None None
    cms:ModifySiteMonitor ModifySiteMonitor update

    *All Resource

    *

    		 None None
    cms:PutEventRule PutEventRule create

    *All Resource

    *

    		 None None
    cms:CreateMetricRuleTemplate CreateMetricRuleTemplate create

    *All Resource

    *

    		 None None
    cms:DeleteLogMonitor DeleteLogMonitor delete

    *All Resource

    *

    		 None None
    cms:PutMonitoringConfig PutMonitoringConfig create

    *All Resource

    *

    		 None None
    cms:DescribeSiteMonitorLog DescribeSiteMonitorLog list

    *All Resource

    *

    		 None None
    cms:PutResourceMetricRules PutResourceMetricRules create

    *All Resource

    *

    		 None None
    cms:DescribeUnhealthyHostAvailability DescribeUnhealthyHostAvailability get

    *All Resource

    *

    		 None None
    cms:PutContactGroup PutContactGroup create

    *All Resource

    *

    		 None None
    cms:EnableSiteMonitors EnableSiteMonitors update

    *All Resource

    *

    		 None None
    cms:ModifyMonitorGroupInstances ModifyMonitorGroupInstances update

    *All Resource

    *

    		 None None
    cms:PutMonitorGroupDynamicRule PutMonitorGroupDynamicRule create

    *MonitorGroup

    acs:cms::{#accountId}:group/{#groupId}

    		 None None
    cms:PutResourceMetricRule PutResourceMetricRule create

    *All Resource

    *

    		 None None
    cms:PutCustomMetricRule PutCustomMetricRule create

    *All Resource

    *

    		 None None
    cms:DeleteMonitorGroupInstances DeleteMonitorGroupInstances delete

    *MonitorGroupInstances

    acs:cms::{#accountId}:group/{#groupId}

    		 None None
    cms:DescribeSiteMonitorAttribute DescribeSiteMonitorAttribute get

    *All Resource

    *

    		 None None
    cms:PutLogMonitor PutLogMonitor create

    *All Resource

    *

    		 None None
    cms:DescribeMonitorGroupInstanceAttribute DescribeMonitorGroupInstanceAttribute get

    *MonitorGroupInstances

    acs:cms::{#accountId}:group/{#groupId}

    		 None None
    cms:ApplyMetricRuleTemplate ApplyMetricRuleTemplate create

    *MetricRuleTemplate

    acs:cms::{#accountId}:group/{#groupId}

    		 None None
    cms:DescribeCustomMetricList DescribeCustomMetricList get

    *All Resource

    *

    		 None None
    cms:EnableEventRules EnableEventRules update

    *All Resource

    *

    		 None None
    cms:DescribeProductResourceTagKeyList DescribeProductResourceTagKeyList get

    *All Resource

    *

    		 None None
    cms:ModifyHostAvailability ModifyHostAvailability update

    *All Resource

    *

    		 None None
    cms:DescribeSystemEventAttribute DescribeSystemEventAttribute get

    *All Resource

    *

    		 None None
    cms:DescribeContactGroupList DescribeContactGroupList get

    *All Resource

    *

    		 None None
    cms:DescribeLogMonitorAttribute DescribeLogMonitorAttribute get

    *All Resource

    *

    		 None None
    cms:PutHybridMonitorMetricData PutHybridMonitorMetricData create

    *All Resource

    *

    		 None None
    cms:DescribeHybridMonitorTaskList DescribeHybridMonitorTaskList list

    *All Resource

    *

    		 None None
    cms:DeleteEventRuleTargets DeleteEventRuleTargets delete

    *All Resource

    *

    		 None None
    cms:ModifyHybridMonitorSLSGroup ModifyHybridMonitorSLSGroup create

    *All Resource

    *

    		 None None
    cms:CreateMonitorAgentProcess CreateMonitorAgentProcess create

    *All Resource

    *

    		 None None
    cms:DeleteExporterRule DeleteExporterRule delete

    *All Resource

    *

    		 None None
    cms:QueryMetricData DescribeMetricData get

    *All Resource

    *

    		 None None
    cms:DescribeMonitoringConfig DescribeMonitoringConfig get

    *All Resource

    *

    		 None None
    cms:DeleteMetricRuleResources DeleteMetricRuleResources delete

    *All Resource

    *

    		 None None
    cms:DescribeHostAvailabilityList DescribeHostAvailabilityList get

    *All Resource

    *

    		 None None
    cms:CreateCustomNamespace CreateHybridMonitorNamespace create

    *All Resource

    *

    		 None None

    Resource

    The following table lists the resources defined by Cloud Monitor. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

    • acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.

    • {#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.

    • {#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).

    • {#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).

    • {#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

    Resource type

    ARN
    HostAvailability
    • acs:cms::{#accountId}:group/{#groupId}
    • acs:cms:{#regionId}:{#accountId}:HostAvailability/*
    GroupMetricRule
    • acs:cms::{#accountId}:group/{#groupId}
    GroupMonitoringAgentProcess
    • acs:cms::{#accountId}:group/{#groupId}
    SiteMonitor
    • acs:cloudmonitorservice::{#accountId}:*
    SlsGroup
    • acs:cms:{#regionId}:{#accountId}:SlsGroup/*
    • acs:cms:{#regionId}:{#accountId}:SlsGroup/SlsGroupId
    InstantSiteMonitor
    • acs:cms:{#regionId}:{#accountId}:instantsitemonitor/*
    MonitorGroup
    • acs:cms::{#accountId}:group/{#groupId}
    HybridMonitorNamespace
    • acs:cms,log,arms::{#accountId}:hybridmonitornamespace/*
    • acs:cms::{#accountId}:
    SystemEvent
    • acs:cms::{#accountId}:group/{#groupId}
    MonitoringAgentProcess
    • acs:cms::{#accountId}:group/{#groupId}
    LogMonitor
    • acs:cms::{#accountId}:group/{#groupId}
    MetricRuleTargets
    • acs:cms::{#accountId}:*
    AlarmContact
    • acs:cms:{#regionId}:{#accountId}:AlarmContact/*
    MonitorGroupInstances
    • acs:cms::{#accountId}:group/{#groupId}
    MetricRuleTemplate
    • acs:cms::{#accountId}:group/{#groupId}

    Condition

    Cloud Monitor does not define product-level condition keys. However, you can use Alibaba Cloud common condition keys for access control. For more information, see Common condition keys.

    How to create custom RAM policies?

    You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: