全部产品
Search
文档中心

云服务器 ECS:系统策略示例

更新时间:Sep 07, 2023

本文列出云服务器ECS常用系统策略的详情,供您了解权限策略涉及的操作等信息,您也可以按需自定义权限策略。

AliyunECSFullAccess

管理云服务器ECS相关资源的权限策略详情:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "ecs:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunECSReadOnlyAccess

查看云服务器ECS相关资源的权限策略详情:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "ecs:Describe*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ecs:List*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunECSNetworkInterfaceManagementAccess

管理弹性网卡的权限策略详情:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DescribeVSwitchAttributes"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunECSAssistantFullAccess

管理云助手命令的权限策略详情:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTag*",
                "ecs:*Command",
                "ecs:DescribeCommand*",
                "ecs:DescribeInvocation*",
                "ecs:StopInvocation",
                "ecs:*CloudAssistant*",
                "ecs:SendFile",
                "ecs:DescribeSendFileResults",
                "ecs:*ManagedInstance",
                "ecs:DescribeManagedInstances",
                "ecs:*Activation",
                "ecs:DescribeActivations"
            ],
            "Resource": [
                "acs:ecs:*:*:instance/*",
                "acs:ecs:*:*:command/*",
                "acs:ecs:*:*:activation/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "archiving.ecs.aliyuncs.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings",
                "ecs:UpdateServiceSettings"
            ],
            "Resource": [
                "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
            ]
        }
    ]
}

AliyunECSAssistantReadonlyAccess

查看云助手命令的权限策略详情:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTag*",
                "ecs:DescribeCommand*",
                "ecs:DescribeInvocation*",
                "ecs:DescribeCloudAssistant*",
                "ecs:DescribeSendFileResults",
                "ecs:DescribeManagedInstances",
                "ecs:DescribeActivations"
            ],
            "Resource": [
                "acs:ecs:*:*:instance/*",
                "acs:ecs:*:*:command/*",
                "acs:ecs:*:*:activation/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings"
            ],
            "Resource": [
                "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
            ]
        }
    ]
}

AliyunECSImageExportRolePolicy

导出ECS实例镜像的权限策略详情:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetObject",
                "oss:PutObject",
                "oss:DeleteObject",
                "oss:GetBucketLocation",
                "oss:AbortMultipartUpload",
                "oss:ListMultipartUploads",
                "oss:ListParts",
                "oss:GetBucketInfo",
                "oss:GetBucketUserQos"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunECSImageImportRolePolicy

导入镜像的权限策略详情:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetObject",
                "oss:GetBucketLocation",
                "oss:GetBucketInfo"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunECSInstanceForYundunSysTrustRolePolicy

安全增强型实例可信服务的权限策略详情:

{
    "Statement": [
        {
            "Action": [
                "yundun-systrust:GenerateNonce",
                "yundun-systrust:GenerateAikcert",
                "yundun-systrust:RegisterMessage",
                "yundun-systrust:PutMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ],
    "Version": "1"
}

AliyunECSDiskEncryptRolePolicy

加密云盘的权限策略详情:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "kms:List*",
                "kms:DescribeKey",
                "kms:TagResource",
                "kms:UntagResource"
            ],
            "Resource": [
                "acs:kms:*:*:*",
                "acs:kms:*:*:*/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "acs:kms:*:*:*/*"
            ],
            "Effect": "Allow"
        }
    ]
}

AliyunServiceRolePolicyForECSAutoProvisioning

弹性供应功能的权限策略详情:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateInstance",
                "ecs:RunInstances",
                "ecs:StartInstance",
                "ecs:AllocatePublicIpAddress",
                "ecs:StopInstance",
                "ecs:DeleteInstance",
                "ecs:DescribeInstances",
                "ecs:DescribeInstanceAttribute",
                "ecs:ModifyInstanceAttribute",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeImages",
                "ecs:DescribeSnapshots",
                "ecs:DescribeKeyPairs",
                "ecs:CreateLaunchTemplate",
                "ecs:DescribeLaunchTemplates",
                "ecs:DescribeLaunchTemplateVersions",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeHpcClusters",
                "ecs:DescribeImageFromFamily",
                "slb:DescribeLoadBalancerAttribute",
                "slb:RemoveBackendServers",
                "slb:DescribeHealthStatus",
                "slb:AddBackendServers",
                "slb:SetBackendServers",
                "slb:DescribeLoadBalancers",
                "slb:DescribeVServerGroups",
                "slb:DescribeVServerGroupAttribute",
                "slb:AddVServerGroupBackendServers",
                "slb:RemoveVServerGroupBackendServers",
                "slb:DescribeMasterSlaveServerGroupAttribute",
                "slb:DescribeMasterSlaveServerGroups",
                "slb:SetVServerGroupAttribute",
                "slb:DescribeLoadBalancerUDPListenerAttribute",
                "slb:DescribeLoadBalancerHTTPListenerAttribute",
                "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                "slb:DescribeLoadBalancerTCPListenerAttribute",
                "rds:ModifySecurityIps",
                "rds:DescribeDBInstanceAttribute",
                "rds:DescribeTaskInfo",
                "rds:DescribeDBInstanceIPArrayList",
                "oos:GetTemplate",
                "oos:StartExecution",
                "ecs:DescribeUserData",
                "ecs:DescribeInstanceRamRole",
                "ecs:DescribeDisks",
                "ecs:DescribeAutoSnapshotPolicyEx",
                "ecs:DescribeDedicatedHosts",
                "ecs:DescribeDedicatedHostTypes"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "mns:ListTopic",
                "mns:ListQueue",
                "mns:SendMessage",
                "mns:PublishMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cms:NodeInstall",
                "cms:NodeStatusList",
                "cms:QueryCustomMetricList",
                "cms:ProfileSet",
                "cms:CreateAlert",
                "cms:DeleteAlert",
                "cms:QueryAlert",
                "cms:UpdateAlert",
                "cms:DisableAlert",
                "cms:EnableAlert",
                "cms:CreateAction",
                "cms:GetAction",
                "cms:CreateDimensions",
                "cms:QueryDimensions",
                "cms:UpdateDimensions",
                "cms:QueryMetricList",
                "cms:ListAlarmHistory"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:PassRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:Service": [
                        "ecs.aliyuncs.com",
                        "oos.aliyuncs.com"
                    ]
                }
            }
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "autoprovisioning.ecs.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRolePolicyForECSImageBuilder

镜像构建功能的权限策略详情:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oos:CreateTemplate",
                "oos:StartExecution",
                "oos:CancelExecution",
                "oos:ListExecutions",
                "oos:ListTaskExecutions",
                "oos:ListExecutionLogs",
                "oos:DeleteTemplate"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ecs:DescribeAvailableResource",
                "ecs:DescribeInstances",
                "ecs:DescribeCloudAssistantStatus",
                "ecs:DescribeImages",
                "ecs:DescribeInvocations",
                "ecs:DescribeInvocationResults",
                "ecs:CreateSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:CancelCopyImage",
                "ecs:RunInstances",
                "ecs:CopyImage",
                "ecs:DeleteSnapshot"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ecs:RebootInstance",
                "ecs:DeleteInstance",
                "ecs:DeleteImage",
                "ecs:DescribeImageSharePermission",
                "ecs:DeleteSecurityGroup",
                "ecs:ModifyImageSharePermission",
                "ecs:InstallCloudAssistant",
                "ecs:RunCommand",
                "ecs:StopInstance",
                "ecs:CreateImage"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ecs:tag/imagepipelineid": "*"
                }
            }
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs",
                "vpc:CreateVpc",
                "vpc:CreateVSwitch",
                "vpc:DeleteVSwitch",
                "vpc:DeleteVpc"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "imagebuilder.ecs.aliyuncs.com"
                }
            }
        }
    ]
}