RAM authorization - Cloud Config - Alibaba Cloud ドキュメントセンター

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by CloudConfig for RAM permission policies. The RAM code (RamCode) for CloudConfig is config , and the supported authorization granularity is RESOURCE .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by CloudConfig. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
config:GetAggregator	GetAggregator	get	Aggregator `acs:config::{#accountId}:aggregator/{#AggregatorId}`	None	None
config:ListAggregators	ListAggregators	get	Aggregator `acs:config::{#accountId}:aggregator/*`	None	None
config:UntagResources	UntagResources	update	All Resource ``	None	None
config:GetDiscoveredResource	GetDiscoveredResource	get	All Resource ``	None	None
config:GetAggregateResourceComplianceTimeline	GetAggregateResourceComplianceTimeline	get	All Resource ``	None	None
config:IgnoreEvaluationResults	IgnoreEvaluationResults	update	All Resource ``	None	None
config:GetConfigurationRecorder	GetConfigurationRecorder	get	All Resource ``	None	None
config:GetAggregateResourceInventory	GetAggregateResourceInventory	get	All Resource ``	None	None
config:GetConfigRulesReport	GetConfigRulesReport	get	All Resource ``	None	None
config:GenerateAggregateResourceInventory	GenerateAggregateResourceInventory	none	All Resource ``	None	None
config:StartConfigRuleEvaluation	StartConfigRuleEvaluation	none	All Resource ``	None	None
config:GetAggregateResourceCountsGroupByResourceType	GetAggregateResourceCountsGroupByResourceType	get	All Resource ``	None	None
config:ListAggregateResourceEvaluationResults	ListAggregateResourceEvaluationResults	list	All Resource ``	None	None
config:DeleteRemediations	DeleteRemediations	delete	All Resource ``	None	None
config:GetResourceConfigurationSample	GetResourceConfigurationSample	none	All Resource ``	None	None
config:UpdateAggregateConfigDeliveryChannel	UpdateAggregateConfigDeliveryChannel	update	AggregateDelivery `acs:config::{#accountId}:aggregatedelivery/{#DeliveryChannelId}`	None	None
config:AttachAggregateConfigRuleToCompliancePack	AttachAggregateConfigRuleToCompliancePack	update	All Resource ``	None	None
config:GetCompliancePack	GetCompliancePack	get	CompliancePack `acs:config::{#accountId}:compliancepack/{#CompliancePackId}`	None	None
config:ListDiscoveredResources	ListDiscoveredResources	list	All Resource ``	None	None
config:GetDiscoveredResourceCountsGroupByRegion	GetDiscoveredResourceCountsGroupByRegion	get	All Resource ``	None	None
config:GetManagedRule	GetManagedRule	get	All Resource ``	None	None
config:IgnoreAggregateEvaluationResults	IgnoreAggregateEvaluationResults	update	All Resource ``	None	None
config:CreateAdvancedSearchFile	CreateAdvancedSearchFile	create	All Resource ``	None	None
config:GetAggregateConfigRuleComplianceByPack	GetAggregateConfigRuleComplianceByPack	get	AggregateCompliancePack `acs:config::{#accountId}:aggregatecompliancepack/{#AggregatorCompliancePackId}`	None	None
config:CreateAggregateConfigDeliveryChannel	CreateAggregateConfigDeliveryChannel	create	AggregateDelivery `acs:config::{#accountId}:aggregatedelivery/*`	None	None
config:GetResourceComplianceByConfigRule	GetResourceComplianceByConfigRule	get	All Resource ``	None	None
config:GetConfigRule	GetConfigRule	get	Rule `acs:config::{#accountId}:rule/{#ConfigRuleId}`	None	None
config:GetConfigDeliveryChannel	GetConfigDeliveryChannel	get	Delivery `acs:config::{#accountId}:delivery/{#DeliveryChannelId}`	None	None
config:ListAggregateDiscoveredResources	ListAggregateDiscoveredResources	list	All Resource ``	None	None
config:GetResourceComplianceGroupByResourceType	GetResourceComplianceGroupByResourceType	get	All Resource ``	None	None
config:GetComplianceSummary	GetComplianceSummary	get	All Resource ``	None	None
config:ListConfigRules	ListConfigRules	list	Rule `acs:config::{#accountId}:rule/*`	None	None
config:GenerateConfigRulesReport	GenerateConfigRulesReport	get	All Resource ``	None	None
config:DeleteAggregateConfigDeliveryChannel	DeleteAggregateConfigDeliveryChannel	delete	AggregateDelivery `acs:config::{#accountId}:aggregatedelivery/{#DeliveryChannelId}`	None	None
config:GetIntegratedServiceStatus	GetIntegratedServiceStatus	get	All Resource ``	None	None
config:RevertAggregateEvaluationResults	RevertAggregateEvaluationResults	update	All Resource ``	None	None
config:PutEvaluations	PutEvaluations	none	All Resource ``	None	None
config:ListConfigRuleEvaluationResults	ListConfigRuleEvaluationResults	list	All Resource ``	None	None
config:CreateAggregateAdvancedSearchFile	CreateAggregateAdvancedSearchFile	create	All Resource ``	None	None
config:GetAggregateCompliancePack	GetAggregateCompliancePack	get	AggregateCompliancePack `acs:config::{#accountId}:aggregatecompliancepack/{#AggregatorCompliancePackId}`	None	None
config:ListAggregateRemediationExecutions	ListAggregateRemediationExecutions	list	All Resource ``	None	None
config:DeactiveConfigRules	DeactiveConfigRules	update	All Resource ``	None	None
config:ListAggregateResourcesByAdvancedSearch	ListAggregateResourcesByAdvancedSearch	list	All Resource ``	None	None
config:CreateAggregateCompliancePack	CreateAggregateCompliancePack	create	AggregateCompliancePack `acs:config::{#accountId}:aggregatecompliancepack/*`	None	None
config:GetResourceTypeProperties	GetResourceTypeProperties	none	All Resource ``	None	None
config:ListResourceRelations	ListResourceRelations	get	All Resource ``	None	None
config:DeleteAggregateCompliancePacks	DeleteAggregateCompliancePacks	delete	AggregateCompliancePack `acs:config::{#accountId}:aggregatecompliancepack/{#AggregateCompliancePackId}`	None	None
config:GenerateResourceInventory	GenerateResourceInventory	none	All Resource ``	None	None
config:GetAggregateAdvancedSearchFile	GetAggregateAdvancedSearchFile	get	All Resource ``	None	None
config:GetAggregateCompliancePackReport	GetAggregateCompliancePackReport	get	AggregateCompliancePack `acs:config::{#accountId}:aggregatecompliancepack/{#AggregatorCompliancePackId}`	None	None
config:StopConfigurationRecorder	StopConfigurationRecorder	update	All Resource ``	None	None
config:DeactiveAggregateConfigRules	DeactiveAggregateConfigRules	update	All Resource ``	None	None
config:DescribeDiscoveredResourceBatch	DescribeDiscoveredResourceBatch	get	All Resource ``	None	None
config:ListResourceEvaluationResults	ListResourceEvaluationResults	list	All Resource ``	None	None
config:CreateRemediation	CreateRemediation	create	All Resource ``	None	None
config:CreateAggregateConfigRule	CreateAggregateConfigRule	create	AggregateConfigRule `acs:config::{#accountId}:aggregateconfigrule/*`	None	None
config:ListRemediationExecutions	ListRemediationExecutions	list	All Resource ``	None	None
config:GetAdvancedSearchFile	GetAdvancedSearchFile	get	All Resource ``	None	None
config:ListAggregateRecommendManagedRules	ListAggregateRecommendManagedRules	list	All Resource ``	None	None
config:ListConfigDeliveryChannels	ListConfigDeliveryChannels	list	All Resource ``	None	None
config:GetResourceConfigurationTimeline	GetResourceConfigurationTimeline	list	All Resource ``	None	None
config:DetachAggregateConfigRuleToCompliancePack	DetachAggregateConfigRuleToCompliancePack	update	All Resource ``	None	None
config:GetAggregateResourceConfigurationTimeline	GetAggregateResourceConfigurationTimeline	list	All Resource ``	None	None
config:DeleteAggregateConfigRules	DeleteAggregateConfigRules	delete	AggregateConfigRule `acs:config::{#accountId}:aggregateconfigrule/{#ConfigRuleId}`	None	None
config:DeleteConfigRules	DeleteConfigRules	delete	Rule `acs:config::{#accountId}:rule/{#ConfigRuleId}`	None	None
config:ListAggregateCompliancePacks	ListAggregateCompliancePacks	list	AggregateCompliancePack `acs:config::{#accountId}:aggregatecompliancepack/*`	None	None
config:ListAggregateConfigRuleEvaluationStatistics	ListAggregateConfigRuleEvaluationStatistics	list	All Resource ``	None	None
config:DeleteAggregateRemediations	DeleteAggregateRemediations	delete	All Resource ``	None	None
config:CreateConfigRule	CreateConfigRule	create	Rule `acs:config::{#accountId}:rule/*`	None	None
config:GetAggregateResourceComplianceGroupByRegion	GetAggregateResourceComplianceGroupByRegion	get	All Resource ``	None	None
config:UpdateIntegratedServiceStatus	UpdateIntegratedServiceStatus	update	All Resource ``	None	None
config:ListConfigRuleOperators	ListConfigRuleOperators	none	All Resource ``	None	None
config:ListConfigRuleEvaluationStatistics	ListConfigRuleEvaluationStatistics	list	All Resource ``	None	None
config:GetAggregateConfigRule	GetAggregateConfigRule	get	AggregateConfigRule `acs:config::{#accountId}:aggregateconfigrule/{#ConfigRuleId}`	None	None
config:GetAggregateConfigRulesReport	GetAggregateConfigRulesReport	get	All Resource ``	None	None
config:ListTagResources	ListTagResources	get	All Resource ``	None	None
config:GetAggregateAccountComplianceByPack	GetAggregateAccountComplianceByPack	get	AggregateCompliancePack `acs:config::{#accountId}:aggregatecompliancepack/{#AggregatorCompliancePackId}`	None	None
config:EvaluatePreConfigRules	EvaluatePreConfigRules	list	All Resource ``	None	None
config:UpdateAggregateCompliancePack	UpdateAggregateCompliancePack	update	AggregateCompliancePack `acs:config::{#accountId}:aggregatecompliancepack/{#AggregatorCompliancePackId}`	None	None
config:ActiveAggregateConfigRules	ActiveAggregateConfigRules	update	All Resource ``	None	None
config:GetAggregateDiscoveredResource	GetAggregateDiscoveredResource	get	Resource `acs:config::{#accountId}:resource/{#ResourceId}`	None	None
config:UpdateAggregator	UpdateAggregator	update	Aggregator `acs:config::{#accountId}:aggregator/{#AggregatorId}`	None	None
config:ListAggregateConfigRules	ListAggregateConfigRules	list	AggregateConfigRule `acs:config::{#accountId}:aggregateconfigrule/*`	None	None
config:UpdateConfigDeliveryChannel	UpdateConfigDeliveryChannel	update	Delivery `acs:config::{#accountId}:delivery/{#DeliveryChannelId}`	None	None
config:GetAggregateConfigRuleSummaryByRiskLevel	GetAggregateConfigRuleSummaryByRiskLevel	get	All Resource ``	None	None
config:GetAggregateResourceComplianceGroupByResourceType	GetAggregateResourceComplianceGroupByResourceType	get	All Resource ``	None	None
config:CreateAggregator	CreateAggregator	create	Aggregator `acs:config::{#accountId}:aggregator/*`	None	None
config:ListIntegratedService	ListIntegratedService	list	All Resource ``	None	None
config:StartConfigRuleEvaluationByResource	StartConfigRuleEvaluationByResource	none	All Resource ``	None	None
config:ListRecommendManagedRules	ListRecommendManagedRules	list	All Resource ``	None	None
config:GetAggregateComplianceSummary	GetAggregateComplianceSummary	get	All Resource ``	None	None
config:StartAggregateConfigRuleEvaluation	StartAggregateConfigRuleEvaluation	none	All Resource ``	None	None
config:GetResourceComplianceTimeline	GetResourceComplianceTimeline	list	All Resource ``	None	None
config:CreateCompliancePack	CreateCompliancePack	create	CompliancePack `acs:config::{#accountId}:compliancepack/*`	None	None
config:GetConfigRuleComplianceByPack	GetConfigRuleComplianceByPack	get	CompliancePack `acs:config::{#accountId}:compliancepack/{#CompliancePackId}`	None	None
config:CreateConfigDeliveryChannel	CreateConfigDeliveryChannel	create	Delivery `acs:config::{#accountId}:delivery/*`	None	None
config:TagResources	TagResources	update	All Resource ``	None	None
config:GetAggregateResourceComplianceByPack	GetAggregateResourceComplianceByPack	get	AggregateCompliancePack `acs:config::{#accountId}:aggregatecompliancepack/{#AggregatorCompliancePackId}`	None	None
config:GetRemediationTemplate	GetRemediationTemplate	get	All Resource ``	None	None
config:DeleteAggregators	DeleteAggregators	delete	Aggregator `acs:config::{#accountId}:aggregator/{#AggregatorId}`	None	None
config:UpdateConfigurationRecorder	UpdateConfigurationRecorder	update	All Resource ``	None	None
config:StartAggregateRemediation	StartAggregateRemediation	none	All Resource ``	None	None
config:ListRemediations	ListRemediations	list	All Resource ``	None	None
config:UpdateCompliancePack	UpdateCompliancePack	update	CompliancePack `acs:config::{#accountId}:compliancepack/{#CompliancePackId}`	None	None
config:GetAggregateResourceCountsGroupByRegion	GetAggregateResourceCountsGroupByRegion	get	All Resource ``	None	None
config:DryRunConfigRule	DryRunConfigRule	none	All Resource ``	None	None
config:GetAggregateResourceComplianceByConfigRule	GetAggregateResourceComplianceByConfigRule	get	All Resource ``	None	None
config:DescribeIntegratedServiceStatus	DescribeIntegratedServiceStatus	get	All Resource ``	None	None
config:GetConfigRuleSummaryByRiskLevel	GetConfigRuleSummaryByRiskLevel	get	All Resource ``	None	None
config:DescribeRemediation	DescribeRemediation	get	All Resource ``	None	None
config:ListCompliancePacks	ListCompliancePacks	list	CompliancePack `acs:config::{#accountId}:compliancepack/*`	None	None
config:ListResourcesByAdvancedSearch	ListResourcesByAdvancedSearch	list	All Resource ``	None	None
config:UpdateAggregateRemediation	UpdateAggregateRemediation	update	All Resource ``	None	None
config:ListRemediationTemplates	ListRemediationTemplates	get	All Resource ``	None	None
config:StartConfigurationRecorder	StartConfigurationRecorder	create	All Resource ``	None	None
config:GenerateAggregateConfigRulesReport	GenerateAggregateConfigRulesReport	create	All Resource ``	None	None
config:GenerateAggregateCompliancePackReport	GenerateAggregateCompliancePackReport	create	AggregateCompliancePack `acs:config::{#accountId}:aggregatecompliancepack/{#AggregatorCompliancePackId}`	None	None
config:UpdateConfigRule	UpdateConfigRule	update	Rule `acs:config::{#accountId}:rule/{#ConfigRuleId}`	None	None
config:GetResourceComplianceGroupByRegion	GetResourceComplianceGroupByRegion	get	All Resource ``	None	None
config:ListManagedRules	ListManagedRules	get	All Resource ``	None	None
config:GetAggregateConfigDeliveryChannel	GetAggregateConfigDeliveryChannel	get	AggregateDelivery `acs:config::{#accountId}:aggregatedelivery/{#DeliveryChannelId}`	None	None
config:UpdateRemediation	UpdateRemediation	update	All Resource ``	None	None
config:GetResourceComplianceByPack	GetResourceComplianceByPack	get	CompliancePack `acs:config::{#accountId}:compliancepack/{#CompliancePackId}`	None	None
config:DetachConfigRuleToCompliancePack	DetachConfigRuleToCompliancePack	update	All Resource ``	None	None
config:GetCompliancePackReport	GetCompliancePackReport	get	CompliancePack `acs:config::{#accountId}:compliancepack/{#CompliancePackId}`	None	None
config:ListAggregateConfigRuleEvaluationResults	ListAggregateConfigRuleEvaluationResults	list	All Resource ``	None	None
config:ListAggregateResourceRelations	ListAggregateResourceRelations	get	All Resource ``	None	None
config:GetResourceInventory	GetResourceInventory	get	All Resource ``	None	None
config:GenerateCompliancePackReport	GenerateCompliancePackReport	create	CompliancePack `acs:config::{#accountId}:compliancepack/{#CompliancePackId}`	None	None
config:AttachConfigRuleToCompliancePack	AttachConfigRuleToCompliancePack	update	All Resource ``	None	None
config:StartRemediation	StartRemediation	none	All Resource ``	None	None
config:ListAggregateConfigDeliveryChannels	ListAggregateConfigDeliveryChannels	list	All Resource ``	None	None
config:UpdateAggregateConfigRule	UpdateAggregateConfigRule	update	AggregateConfigRule `acs:config::{#accountId}:aggregateconfigrule/{#ConfigRuleId}`	None	None
config:RevertEvaluationResults	RevertEvaluationResults	update	All Resource ``	None	None
config:ActiveConfigRules	ActiveConfigRules	update	All Resource ``	None	None
config:CopyCompliancePacks	CopyCompliancePacks	create	All Resource ``	None	None
config:DeleteCompliancePacks	DeleteCompliancePacks	delete	CompliancePack `acs:config::{#accountId}:compliancepack/{#CompliancePackId}`	None	None
config:CreateAggregateRemediation	CreateAggregateRemediation	create	All Resource ``	None	None
config:CopyConfigRules	CopyConfigRules	update	All Resource ``	None	None
config:GetDiscoveredResourceCountsGroupByResourceType	GetDiscoveredResourceCountsGroupByResourceType	get	All Resource ``	None	None
config:ListAggregateRemediations	ListAggregateRemediations	list	All Resource ``	None	None
config:DeleteConfigDeliveryChannel	DeleteConfigDeliveryChannel	delete	Delivery `acs:config::{#accountId}:delivery/{#DeliveryChannelId}`	None	None

Resource

The following table lists the resources defined by CloudConfig. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type	ARN
Aggregator	acs:config::{#accountId}:aggregator/{#AggregatorId} acs:config::{#accountId}:aggregator/* acs:config:*:{#accountId}:aggregator/{#AggregtorId}
Rule	acs:config::{#accountId}:rule/{#ConfigRuleId} acs:config::{#accountId}:rule/*
AggregateConfigRule	acs:config::{#accountId}:aggregateconfigrule/{#ConfigRuleId} acs:config::{#accountId}:aggregateconfigrule/*
AggregateCompliancePack	acs:config::{#accountId}:aggregatecompliancepack/{#AggregatorCompliancePackId} acs:config::{#accountId}:aggregatecompliancepack/* acs:config:*:{#accountId}:aggregatecompliancepack/{#AggregateCompliancePackId}
CompliancePack	acs:config::{#accountId}:compliancepack/{#CompliancePackId} acs:config::{#accountId}:compliancepack/*
AggregateDelivery	acs:config::{#accountId}:aggregatedelivery/{#DeliveryChannelId} acs:config::{#accountId}:aggregatedelivery/*
Delivery	acs:config::{#accountId}:delivery/{#DeliveryChannelId} acs:config::{#accountId}:delivery/*
Resource	acs:config:*:{#accountId}:resource/{#ResourceId}

Condition

CloudConfig does not define product-level condition keys. However, you can use Alibaba Cloud common condition keys for access control. For more information, see Common condition keys.

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: