使用资源组进行精细化资源控制 -

当您使用资源组对资源进行分组管理时，可以结合访问控制（RAM），在单个阿里云账号内实现资源的隔离和精细化权限管理。本文总结了云服务器ECS对资源组的支持情况，以及资源组级别的授权操作步骤。

说明

只有支持资源组的资源类型和支持资源组级别授权的操作，资源组级别授权才能生效。
对于不支持资源组的资源类型，授予资源组范围的权限将无效。在选择资源范围时，请选择账号级别，进行账号级别授权。具体操作，请参见不支持资源组级别授权的操作。

资源组授权的工作原理

您可以使用资源组（Resource Group）对阿里云账号内的资源进行分组管理。例如，为不同的项目创建对应的资源组，并将资源转移到对应的组中，以便集中管理各项目的资源。更多信息，请参见什么是资源组。

在完成资源分组后，您可以为不同的RAM授权主体（RAM用户、RAM用户组或RAM角色）授予指定资源组范围的权限，从而限定这个授权主体只能管理该资源组内的资源。更多信息，请参见资源分组和授权。

这种授权方式的优点有：

权限精细化：确保每个身份能获得最准确的资源访问权限，避免账号下的多个项目的资源混合管理。
良好的扩展性：后续新增资源时，只需将其加入该资源组，RAM身份便会自动获得新资源的相应权限，无需再次授权。

为RAM用户授予资源组级别的权限

下面以RAM用户为例，介绍授予指定资源组内云服务器ECS资源权限的操作步骤。

1. 前置步骤

创建待使用的RAM用户，可参考：创建RAM用户
创建资源组并将已有资源划分到目标资源组，可参考：创建资源组，资源自动转组及资源手动转组。

2. 进行资源组级别授权

您可以通过以下任一方式进行资源组级别授权。

方式一：在资源管理控制台中授权

通过资源组的权限管理功能为指定 RAM 用户授权。详情操作可参见为RAM身份授予资源组范围的权限。

登录资源组控制台。
在资源组页面，单击目标资源组操作列的权限管理。
在权限管理页签，单击新增授权。
在新增授权面板，设置授权主体和权限策略。
- 授权主体：选择已有RAM用户。
- 权限策略：选择系统策略或已创建的自定义策略，参考创建自定义权限策略。
单击确认新增授权。

方式二：在 RAM 控制台中授权

通过RAM控制台为指定 RAM 用户进行资源组级别授权。详细操作可参见为RAM用户授权。

使用阿里云账号（主账号）或RAM管理员登录RAM控制台。
在左侧导航栏，选择身份管理 > 用户。在用户页面，单击目标RAM用户操作列的添加权限。
在新增授权面板，为RAM用户添加权限。
- 资源范围：选择资源组级别。
- 授权主体：选择已有 RAM 用户或前面步骤创建的 RAM 用户。
- 权限策略：选择系统策略或已创建的自定义策略，参考创建自定义权限策略。
单击确认新增授权。

支持资源组的资源类型

云服务器ECS支持资源组的资源类型如下表所示：

云服务	云服务代码	资源类型
云服务器ECS	ecs	ddh : DDH
云服务器ECS	ecs	disk : 磁盘
云服务器ECS	ecs	eni : 弹性网卡
云服务器ECS	ecs	image : 镜像
云服务器ECS	ecs	imagecomponent : 镜像组件
云服务器ECS	ecs	imagepipeline : 镜像模板
云服务器ECS	ecs	instance : 实例
云服务器ECS	ecs	keypair : 密钥对
云服务器ECS	ecs	launchtemplate : 实例启动模板
云服务器ECS	ecs	securitygroup : 安全组
云服务器ECS	ecs	snapshot : 快照
云服务器ECS	ecs	snapshotpolicy : 快照策略

说明

对于暂不支持资源组的资源类型，如有需要，您可以在资源组控制台提交反馈。

不支持资源组级别授权的操作

云服务器ECS中不支持资源组级别授权的操作（Action）如下：

操作（Action）	操作描述
ecs:AddInstancesToCarePlan	-
ecs:AddInvisibleChecks	-
ecs:AllocateEipAddress	-
ecs:ApplySecurityGroupSnapshot	-
ecs:AssociateEipAddress	-
ecs:AssociateSecurityGroupSnapshotPolicy	-
ecs:CancelMigrationPlan	-
ecs:CancelSystemEvent	-
ecs:CancelTask	调用CancelTask取消一件正在运行的任务。目前，您能取消正在运行的导入镜像任务（ImportImage）和导出镜像任务（ExportImage）。
ecs:CheckOpenSnapshotService	-
ecs:ConfirmCarePlanBill	-
ecs:CreateCarePlan	-
ecs:CreateClassicToVpcRollbackTask	-
ecs:CreateDeploymentSet	在指定的地域内创建一个部署集。
ecs:CreateDiagnosisOperateRecords	-
ecs:CreateDiagnosticMetricSet	调用CreateDiagnosticMetricSet创建资源诊断指标集合。您可以根据需要，灵活组合诊断指标。
ecs:CreateFunctionFeedback	-
ecs:CreateHpcCluster	调用CreateHpcCluster创建一个HPC集群。
ecs:CreateIssueCategoryReportRelation	-
ecs:CreateNetworkInsightsPath	-
ecs:CreatePlanMaintenanceWindow	-
ecs:CreatePortRangeList	创建端口列表，后续可关联资源（例如安全组）使用。
ecs:CreateSecurityGroupSnapshotPolicy	-
ecs:CreateSystemEvent	-
ecs:DeleteCarePlan	-
ecs:DeleteDeploymentSet	删除一个部署集。
ecs:DeleteDiagnosticMetricSets	调用DeleteDiagnosticMetricSets删除资源诊断指标集合。
ecs:DeleteDiagnosticReports	调用DeleteDiagnosticReports删除资源诊断报告。
ecs:DeleteHpcCluster	调用DeleteHpcCluster删除一个HPC集群。
ecs:DeleteNetworkInsightsAnalysis	-
ecs:DeleteNetworkInsightsPath	-
ecs:DeletePlanMaintenanceWindow	-
ecs:DeletePortRangeList	删除指定端口列表，同时端口列表下的端口列表条目都将被删除。
ecs:DeleteReservationDemand	-
ecs:DeleteSecurityGroupSnapshotPolicy	-
ecs:DeleteVolume	-
ecs:DeleteWaitingOrders	-
ecs:DescribeAccountAttributes	-
ecs:DescribeAccountCommonQuotas	-
ecs:DescribeAccountLimits	-
ecs:DescribeAvailableResource	-
ecs:DescribeBandwidthHistory	-
ecs:DescribeCarePlans	-
ecs:DescribeChargeTypeModificationPrice	-
ecs:DescribeClassicLinkInstances	查询一台或多台与专有网络VPC建立了连接的经典网络类型实例。
ecs:DescribeCloudAssistantSettings	查询云助手服务配置。
ecs:DescribeClusters	-
ecs:DescribeCustomerIssueCategory	-
ecs:DescribeDedicatedBlockStorageClusterDisks	-
ecs:DescribeDeploymentSetTopology	-
ecs:DescribeDeploymentSets	查询一个或多个部署集的详细信息。
ecs:DescribeDiagnosisOperateRecords	-
ecs:DescribeDiagnosticMetrics	调用DescribeDiagnosticMetrics查询诊断指标列表。
ecs:DescribeDiagnosticReportAttributes	调用DescribeDiagnosticReportAttributes查询资源诊断详情。
ecs:DescribeDiskDefaultKMSKeyId	查询块存储账号级默认加密使用的密钥。
ecs:DescribeDiskEncryptionByDefaultStatus	查询指定地域块存储账号级默认加密的服务状态。
ecs:DescribeEcsScenarioFacade	-
ecs:DescribeEipAddresses	-
ecs:DescribeEipPrice	-
ecs:DescribeFunctionFeedback	-
ecs:DescribeHpcClusters	调用DescribeHpcClusters查询您可用的HPC集群。请求参数作为筛选器（Filter）使用，筛选关系为逻辑与关系，参数之间无依赖关系。
ecs:DescribeImageFromFamily	查询指定镜像族系内最新创建的可用自定义镜像。
ecs:DescribeInsightCheckItems	-
ecs:DescribeInsightChecks	-
ecs:DescribeInsightStatus	-
ecs:DescribeInsightSummaries	-
ecs:DescribeInstanceCrossZoneModifyConstraint	-
ecs:DescribeInstanceMigrationLog	-
ecs:DescribeInstanceStatus	本接口主要用于查询一台或多台指定ECS实例的状态信息，同时支持查询指定条件下的实例列表。
ecs:DescribeInstanceTypeResource	-
ecs:DescribeInstanceTypes	-
ecs:DescribeKMSKeyAttribute	-
ecs:DescribeKMSKeys	-
ecs:DescribeLimitation	查询账号限制
ecs:DescribeLinkedKMSKeys	-
ecs:DescribeMigrationInstancesTask	-
ecs:DescribeMigrationPlans	-
ecs:DescribeMigrationPreferences	-
ecs:DescribeNetworkInsightsAnalysisResult	-
ecs:DescribeNetworkInsightsAnalysises	-
ecs:DescribeNetworkInsightsPaths	-
ecs:DescribeOrderAutoRebootTime	-
ecs:DescribePlanMaintenanceWindows	-
ecs:DescribePortRangeListAssociations	查询指定端口列表已关联的资源信息，例如，安全组。
ecs:DescribePortRangeListEntries	查询指定端口列表的条目。
ecs:DescribePurchaseRecommendation	-
ecs:DescribeRegions	-
ecs:DescribeReservationDemandCommittedAmount	-
ecs:DescribeReservationDemands	-
ecs:DescribeReservedInstanceCategories	-
ecs:DescribeResourceByTags	调用DescribeResourceByTags根据标签检索资源。支持根据标签检索，也支持根据资源类型检索。
ecs:DescribeResourceDisplay	-
ecs:DescribeResourceStatusDiagnosis	-
ecs:DescribeSecurityGroupSnapshotAttributes	-
ecs:DescribeSecurityGroupSnapshotPolicies	-
ecs:DescribeSecurityGroupSnapshots	-
ecs:DescribeSnapshotBusinessStatus	-
ecs:DescribeSnapshotCampaign	-
ecs:DescribeSnapshotMonitorData	查询一个地域下近30天内的快照容量变化监控数据。
ecs:DescribeSnapshotPackage	调用DescribeSnapshotPackage查询您在一个阿里云地域下已经购买的OSS存储包。存储包可以用于抵扣标准快照存储容量，但不支持抵扣本地快照。
ecs:DescribeSnapshotPolicyAssociatedSecurityGroups	-
ecs:DescribeSnapshotPrice	-
ecs:DescribeSnapshotsUsage	查询您在一个地域下的快照数量以及快照容量。
ecs:DescribeSpotPriceHistory	-
ecs:DescribeStorageCapacityUnitDeductFactor	-
ecs:DescribeStorageSetDetails	-
ecs:DescribeTaskAttribute	调用DescribeTaskAttribute查询异步任务的详细信息。目前，可以查询的异步任务有导入镜像（ImportImage）、导出镜像（ExportImage）及变更云盘类型（ModifyDiskSpec）。
ecs:DescribeTasks	调用DescribeTasks查询一个或多个异步请求的进度。
ecs:DescribeUserBusinessBehavior	获取用户级别默认属性
ecs:DescribeVSwitches	-
ecs:DescribeVolumes	-
ecs:DescribeVpcHavsInstances	-
ecs:DescribeVpcs	-
ecs:DescribeVscs	-
ecs:DescribeWaitingOrders	-
ecs:DescribeZones	-
ecs:DisableDiskEncryptionByDefault	关闭指定地域块存储账号级默认加密。
ecs:DiskDefaultEncryptionQueryByParam	-
ecs:EnableDiskEncryptionByDefault	开启指定地域块存储账号级默认加密。
ecs:EnableInsight	-
ecs:GetSnapshotBlock	-
ecs:GetSnapshotInfo	-
ecs:GetXXX	-
ecs:InnerCreateDiagnosticReport	-
ecs:InnerOpenSnapShotService	-
ecs:InnerReleaseDedicatedHost	-
ecs:InnerReleaseElasticAssurance	-
ecs:JoinSnapshotCampaign	-
ecs:KeepUsing	-
ecs:ListAccountEcsQuotas	-
ecs:ListBandwidthHistory	-
ecs:ListChangedBlocks	-
ecs:ListServiceSettings	-
ecs:ListSnapshotBlocks	-
ecs:ModifyCarePlanAttribute	-
ecs:ModifyCloudAssistantSettings	修改云助手服务配置。
ecs:ModifyDeploymentSetAttribute	修改一个部署集的名称和描述信息。
ecs:ModifyDiskDefaultKMSKeyId	修改指定地域块存储账号级默认加密使用的KMS密钥ID。
ecs:ModifyEipAddressAttribute	-
ecs:ModifyHpcClusterAttribute	调用ModifyHpcClusterAttribute修改一个HPC集群的描述信息。
ecs:ModifyOrderAutoRebootTime	-
ecs:ModifyPlanMaintenanceWindow	-
ecs:ModifyPortRangeList	修改指定端口列表的名称、条目，支持增加、修改和删除条目。
ecs:ModifyReservationDemand	-
ecs:ModifyResourceMeta	-
ecs:ModifySecurityGroupSnapshotPolicy	-
ecs:ModifySnapshotBusinessStatus	-
ecs:ModifySystemEventAttribute	-
ecs:ModifyUserBusinessBehavior	设置用户级别默认属性
ecs:ModifyVolumeAttribute	-
ecs:OpenSnapShotService	-
ecs:OpenSnapshotService	-
ecs:PurchaseSavingPlanOffering	-
ecs:PurchaseStorageCapacityUnit	-
ecs:QueryConstraints	-
ecs:QueryCopyImageSupportRegions	-
ecs:QueryNeedKeepUsing	-
ecs:QueryUsableSnapshots	-
ecs:QueryUserInfo	-
ecs:ReAddMigrationTaskInPlan	-
ecs:ReInitVolume	-
ecs:ReleaseCapacityReservation	调用ReleaseCapacityReservation释放容量预定服务。
ecs:ReleaseEipAddress	-
ecs:RemoveInvisibleChecks	-
ecs:RepairDiagnosticReports	-
ecs:RepairReportIssues	-
ecs:ResetDiskDefaultKMSKeyId	将指定地域块存储账号级默认加密使用的 KMS 密钥 ID 重置为服务密钥的接口。
ecs:ResizeVolume	-
ecs:RollbackVolume	-
ecs:RunInstance	-
ecs:StartNetworkInsightsAnalysis	-
ecs:UnassociateEipAddress	-
ecs:UnassociateSecurityGroupSnapshotPolicy	-
ecs:UpdateServiceSettings	-
ecs:ValidatePurchaseRule	-
ecs:WithdrawCarePlan	-
ecs:describeImageFromFamily	-
ecs:describeInstances	-
ecs:describenetworkinterfaces	-
ecs:invokecommand	-
ecs:modifyDiskAttribute	-
ecs:modifyinstancenetworkspec	-
ecs:runInstances	-
ecs:unmountPEDisk	-

对于不支持资源组授权的操作，授权时资源范围选择资源组级别将无效。如果仍需要RAM用户有上述操作权限，您需要创建自定义权限策略，授权时资源范围选择账号级别。

以下是两个自定义权限策略示例，您可以根据实际需要调整策略内容。

允许不支持资源组级别授权的全部只读操作：Action中列举不支持资源组级别授权的所有只读操作。

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeAccountAttributes",
        "ecs:DescribeAccountCommonQuotas",
        "ecs:DescribeAccountLimits",
        "ecs:DescribeAvailableResource",
        "ecs:DescribeBandwidthHistory",
        "ecs:DescribeCarePlans",
        "ecs:DescribeChargeTypeModificationPrice",
        "ecs:DescribeClassicLinkInstances",
        "ecs:DescribeCloudAssistantSettings",
        "ecs:DescribeClusters",
        "ecs:DescribeCustomerIssueCategory",
        "ecs:DescribeDedicatedBlockStorageClusterDisks",
        "ecs:DescribeDeploymentSetTopology",
        "ecs:DescribeDeploymentSets",
        "ecs:DescribeDiagnosisOperateRecords",
        "ecs:DescribeDiagnosticMetrics",
        "ecs:DescribeDiagnosticReportAttributes",
        "ecs:DescribeDiskDefaultKMSKeyId",
        "ecs:DescribeDiskEncryptionByDefaultStatus",
        "ecs:DescribeEcsScenarioFacade",
        "ecs:DescribeEipAddresses",
        "ecs:DescribeEipPrice",
        "ecs:DescribeFunctionFeedback",
        "ecs:DescribeHpcClusters",
        "ecs:DescribeImageFromFamily",
        "ecs:DescribeInsightCheckItems",
        "ecs:DescribeInsightChecks",
        "ecs:DescribeInsightStatus",
        "ecs:DescribeInsightSummaries",
        "ecs:DescribeInstanceCrossZoneModifyConstraint",
        "ecs:DescribeInstanceMigrationLog",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceTypeResource",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeKMSKeyAttribute",
        "ecs:DescribeKMSKeys",
        "ecs:DescribeLimitation",
        "ecs:DescribeLinkedKMSKeys",
        "ecs:DescribeMigrationInstancesTask",
        "ecs:DescribeMigrationPlans",
        "ecs:DescribeMigrationPreferences",
        "ecs:DescribeNetworkInsightsAnalysisResult",
        "ecs:DescribeNetworkInsightsAnalysises",
        "ecs:DescribeNetworkInsightsPaths",
        "ecs:DescribeOrderAutoRebootTime",
        "ecs:DescribePlanMaintenanceWindows",
        "ecs:DescribePortRangeListAssociations",
        "ecs:DescribePortRangeListEntries",
        "ecs:DescribePurchaseRecommendation",
        "ecs:DescribeRegions",
        "ecs:DescribeReservationDemandCommittedAmount",
        "ecs:DescribeReservationDemands",
        "ecs:DescribeReservedInstanceCategories",
        "ecs:DescribeResourceByTags",
        "ecs:DescribeResourceDisplay",
        "ecs:DescribeResourceStatusDiagnosis",
        "ecs:DescribeSecurityGroupSnapshotAttributes",
        "ecs:DescribeSecurityGroupSnapshotPolicies",
        "ecs:DescribeSecurityGroupSnapshots",
        "ecs:DescribeSnapshotBusinessStatus",
        "ecs:DescribeSnapshotCampaign",
        "ecs:DescribeSnapshotMonitorData",
        "ecs:DescribeSnapshotPackage",
        "ecs:DescribeSnapshotPolicyAssociatedSecurityGroups",
        "ecs:DescribeSnapshotPrice",
        "ecs:DescribeSnapshotsUsage",
        "ecs:DescribeSpotPriceHistory",
        "ecs:DescribeStorageCapacityUnitDeductFactor",
        "ecs:DescribeStorageSetDetails",
        "ecs:DescribeTaskAttribute",
        "ecs:DescribeTasks",
        "ecs:DescribeUserBusinessBehavior",
        "ecs:DescribeVSwitches",
        "ecs:DescribeVolumes",
        "ecs:DescribeVpcHavsInstances",
        "ecs:DescribeVpcs",
        "ecs:DescribeVscs",
        "ecs:DescribeWaitingOrders",
        "ecs:DescribeZones",
        "ecs:ListAccountEcsQuotas",
        "ecs:ListBandwidthHistory",
        "ecs:ListChangedBlocks",
        "ecs:ListServiceSettings",
        "ecs:ListSnapshotBlocks",
        "ecs:QueryConstraints",
        "ecs:QueryCopyImageSupportRegions",
        "ecs:QueryNeedKeepUsing",
        "ecs:QueryUsableSnapshots",
        "ecs:QueryUserInfo"
      ],
      "Resource": "*"
    }
  ]
}

允许不支持资源组级别授权的全部操作：Action中列举不支持资源组级别授权的全部操作。

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:AddInstancesToCarePlan",
        "ecs:AddInvisibleChecks",
        "ecs:AllocateEipAddress",
        "ecs:ApplySecurityGroupSnapshot",
        "ecs:AssociateEipAddress",
        "ecs:AssociateSecurityGroupSnapshotPolicy",
        "ecs:CancelMigrationPlan",
        "ecs:CancelSystemEvent",
        "ecs:CancelTask",
        "ecs:CheckOpenSnapshotService",
        "ecs:ConfirmCarePlanBill",
        "ecs:CreateCarePlan",
        "ecs:CreateClassicToVpcRollbackTask",
        "ecs:CreateDeploymentSet",
        "ecs:CreateDiagnosisOperateRecords",
        "ecs:CreateDiagnosticMetricSet",
        "ecs:CreateFunctionFeedback",
        "ecs:CreateHpcCluster",
        "ecs:CreateIssueCategoryReportRelation",
        "ecs:CreateNetworkInsightsPath",
        "ecs:CreatePlanMaintenanceWindow",
        "ecs:CreatePortRangeList",
        "ecs:CreateSecurityGroupSnapshotPolicy",
        "ecs:CreateSystemEvent",
        "ecs:DeleteCarePlan",
        "ecs:DeleteDeploymentSet",
        "ecs:DeleteDiagnosticMetricSets",
        "ecs:DeleteDiagnosticReports",
        "ecs:DeleteHpcCluster",
        "ecs:DeleteNetworkInsightsAnalysis",
        "ecs:DeleteNetworkInsightsPath",
        "ecs:DeletePlanMaintenanceWindow",
        "ecs:DeletePortRangeList",
        "ecs:DeleteReservationDemand",
        "ecs:DeleteSecurityGroupSnapshotPolicy",
        "ecs:DeleteVolume",
        "ecs:DeleteWaitingOrders",
        "ecs:DescribeAccountAttributes",
        "ecs:DescribeAccountCommonQuotas",
        "ecs:DescribeAccountLimits",
        "ecs:DescribeAvailableResource",
        "ecs:DescribeBandwidthHistory",
        "ecs:DescribeCarePlans",
        "ecs:DescribeChargeTypeModificationPrice",
        "ecs:DescribeClassicLinkInstances",
        "ecs:DescribeCloudAssistantSettings",
        "ecs:DescribeClusters",
        "ecs:DescribeCustomerIssueCategory",
        "ecs:DescribeDedicatedBlockStorageClusterDisks",
        "ecs:DescribeDeploymentSetTopology",
        "ecs:DescribeDeploymentSets",
        "ecs:DescribeDiagnosisOperateRecords",
        "ecs:DescribeDiagnosticMetrics",
        "ecs:DescribeDiagnosticReportAttributes",
        "ecs:DescribeDiskDefaultKMSKeyId",
        "ecs:DescribeDiskEncryptionByDefaultStatus",
        "ecs:DescribeEcsScenarioFacade",
        "ecs:DescribeEipAddresses",
        "ecs:DescribeEipPrice",
        "ecs:DescribeFunctionFeedback",
        "ecs:DescribeHpcClusters",
        "ecs:DescribeImageFromFamily",
        "ecs:DescribeInsightCheckItems",
        "ecs:DescribeInsightChecks",
        "ecs:DescribeInsightStatus",
        "ecs:DescribeInsightSummaries",
        "ecs:DescribeInstanceCrossZoneModifyConstraint",
        "ecs:DescribeInstanceMigrationLog",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceTypeResource",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeKMSKeyAttribute",
        "ecs:DescribeKMSKeys",
        "ecs:DescribeLimitation",
        "ecs:DescribeLinkedKMSKeys",
        "ecs:DescribeMigrationInstancesTask",
        "ecs:DescribeMigrationPlans",
        "ecs:DescribeMigrationPreferences",
        "ecs:DescribeNetworkInsightsAnalysisResult",
        "ecs:DescribeNetworkInsightsAnalysises",
        "ecs:DescribeNetworkInsightsPaths",
        "ecs:DescribeOrderAutoRebootTime",
        "ecs:DescribePlanMaintenanceWindows",
        "ecs:DescribePortRangeListAssociations",
        "ecs:DescribePortRangeListEntries",
        "ecs:DescribePurchaseRecommendation",
        "ecs:DescribeRegions",
        "ecs:DescribeReservationDemandCommittedAmount",
        "ecs:DescribeReservationDemands",
        "ecs:DescribeReservedInstanceCategories",
        "ecs:DescribeResourceByTags",
        "ecs:DescribeResourceDisplay",
        "ecs:DescribeResourceStatusDiagnosis",
        "ecs:DescribeSecurityGroupSnapshotAttributes",
        "ecs:DescribeSecurityGroupSnapshotPolicies",
        "ecs:DescribeSecurityGroupSnapshots",
        "ecs:DescribeSnapshotBusinessStatus",
        "ecs:DescribeSnapshotCampaign",
        "ecs:DescribeSnapshotMonitorData",
        "ecs:DescribeSnapshotPackage",
        "ecs:DescribeSnapshotPolicyAssociatedSecurityGroups",
        "ecs:DescribeSnapshotPrice",
        "ecs:DescribeSnapshotsUsage",
        "ecs:DescribeSpotPriceHistory",
        "ecs:DescribeStorageCapacityUnitDeductFactor",
        "ecs:DescribeStorageSetDetails",
        "ecs:DescribeTaskAttribute",
        "ecs:DescribeTasks",
        "ecs:DescribeUserBusinessBehavior",
        "ecs:DescribeVSwitches",
        "ecs:DescribeVolumes",
        "ecs:DescribeVpcHavsInstances",
        "ecs:DescribeVpcs",
        "ecs:DescribeVscs",
        "ecs:DescribeWaitingOrders",
        "ecs:DescribeZones",
        "ecs:DisableDiskEncryptionByDefault",
        "ecs:DiskDefaultEncryptionQueryByParam",
        "ecs:EnableDiskEncryptionByDefault",
        "ecs:EnableInsight",
        "ecs:GetSnapshotBlock",
        "ecs:GetSnapshotInfo",
        "ecs:GetXXX",
        "ecs:InnerCreateDiagnosticReport",
        "ecs:InnerOpenSnapShotService",
        "ecs:InnerReleaseDedicatedHost",
        "ecs:InnerReleaseElasticAssurance",
        "ecs:JoinSnapshotCampaign",
        "ecs:KeepUsing",
        "ecs:ListAccountEcsQuotas",
        "ecs:ListBandwidthHistory",
        "ecs:ListChangedBlocks",
        "ecs:ListServiceSettings",
        "ecs:ListSnapshotBlocks",
        "ecs:ModifyCarePlanAttribute",
        "ecs:ModifyCloudAssistantSettings",
        "ecs:ModifyDeploymentSetAttribute",
        "ecs:ModifyDiskDefaultKMSKeyId",
        "ecs:ModifyEipAddressAttribute",
        "ecs:ModifyHpcClusterAttribute",
        "ecs:ModifyOrderAutoRebootTime",
        "ecs:ModifyPlanMaintenanceWindow",
        "ecs:ModifyPortRangeList",
        "ecs:ModifyReservationDemand",
        "ecs:ModifyResourceMeta",
        "ecs:ModifySecurityGroupSnapshotPolicy",
        "ecs:ModifySnapshotBusinessStatus",
        "ecs:ModifySystemEventAttribute",
        "ecs:ModifyUserBusinessBehavior",
        "ecs:ModifyVolumeAttribute",
        "ecs:OpenSnapShotService",
        "ecs:OpenSnapshotService",
        "ecs:PurchaseSavingPlanOffering",
        "ecs:PurchaseStorageCapacityUnit",
        "ecs:QueryConstraints",
        "ecs:QueryCopyImageSupportRegions",
        "ecs:QueryNeedKeepUsing",
        "ecs:QueryUsableSnapshots",
        "ecs:QueryUserInfo",
        "ecs:ReAddMigrationTaskInPlan",
        "ecs:ReInitVolume",
        "ecs:ReleaseCapacityReservation",
        "ecs:ReleaseEipAddress",
        "ecs:RemoveInvisibleChecks",
        "ecs:RepairDiagnosticReports",
        "ecs:RepairReportIssues",
        "ecs:ResetDiskDefaultKMSKeyId",
        "ecs:ResizeVolume",
        "ecs:RollbackVolume",
        "ecs:RunInstance",
        "ecs:StartNetworkInsightsAnalysis",
        "ecs:UnassociateEipAddress",
        "ecs:UnassociateSecurityGroupSnapshotPolicy",
        "ecs:UpdateServiceSettings",
        "ecs:ValidatePurchaseRule",
        "ecs:WithdrawCarePlan",
        "ecs:describeImageFromFamily",
        "ecs:describeInstances",
        "ecs:describenetworkinterfaces",
        "ecs:invokecommand",
        "ecs:modifyDiskAttribute",
        "ecs:modifyinstancenetworkspec",
        "ecs:runInstances",
        "ecs:unmountPEDisk"
      ],
      "Resource": "*"
    }
  ]
}

重要

获得账号级别权限的RAM用户或RAM角色，能够操作整个账号范围内的相关资源。请务必确认所授予的权限是否符合预期，遵从最小授权原则谨慎分配权限。

常见问题

如何查看当前资源属于哪个资源组？

方式一：单击资源名称，进入资源的详情页面，即可查看到当前资源的资源组。
方式二：登录资源管理控制台，单击资源中心 > 资源搜索，在左侧选择目标资源所属账号（默认为当前账号），通过筛选条件定位目标资源，即可查看其所属资源组。

如何查看当前产品在某个资源组下的所有资源？

方式一：登录资源管理控制台，单击资源中心 > 资源搜索，然后在左侧的资源所属账号（默认为当前账号）下选择单击目标资源组名称，最后在右侧的选择资源类型中选择当前产品，即可查看当前产品在某个资源组下的所有资源。
方式二：登录资源管理控制台，单击资源组 > 资源组，然后找到目标资源组，单击其所在行的操作列下的资源管理，最后在资源管理页面上方的产品下拉框中选择当前产品，即可查看当前产品在某个资源组下的所有资源。

如何批量修改多个资源的资源组？

登录资源管理控制台，单击资源组 > 资源组，在目标资源组所在行的操作列下，单击资源管理以进入资源管理页面。通过筛选条件定位多个目标资源，批量勾选第一列的复选框后单击下方转移资源组，并按页面提示完成资源组修改。