All Products
Search
Document Center

CloudMonitor:RAM authorization

Last Updated:Sep 02, 2024
Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.
This topic describes the elements, such as Action, Resource, and Condition, which are defined by CloudMonitorService. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate CloudMonitorService is cms. You can grant permissions on CloudMonitorService at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}
The following list describes the fields in the policy:
  • Effect: specifies the authorization effect. Valid values: Allow, Deny.
  • Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
  • Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
  • Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
    • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
    • Condition_key: specifies the condition keys.
    • Condition_value: specifies the condition values.

Action

CloudMonitorService defines the values that you can use in the Action element of a policy statement. The following table describes the values.
  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • API operation: the API operation that you can call to perform the operation.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
ActionsAPI operationAccess levelResource typeCondition keyAssociated operation
cms:EnableEventRulesEnableEventRulesupdate
All Resources
*
NoneNone
cms:DescribeCustomEventAttributeDescribeCustomEventAttributeget
All Resources
*
NoneNone
cms:ModifyHybridMonitorTaskModifyHybridMonitorTaskupdate
All Resources
*
NoneNone
cms:PutContactGroupPutContactGroupcreate
All Resources
*
NoneNone
cms:DescribeLogMonitorListDescribeLogMonitorListget
All Resources
*
NoneNone
cms:PutCustomMetricRulePutCustomMetricRulecreate
All Resources
*
NoneNone
cms:DescribeMonitorGroupDynamicRulesDescribeMonitorGroupDynamicRulesget
All Resources
*
NoneNone
cms:PutCustomEventPutCustomEventcreate
All Resources
*
NoneNone
cms:PutResourceMetricRulesPutResourceMetricRulescreate
All Resources
*
NoneNone
cms:DescribeSiteMonitorStatisticsDescribeSiteMonitorStatisticsget
All Resources
*
NoneNone
cms:DescribeMetricRuleCountDescribeMetricRuleCountget
All Resources
*
NoneNone
cms:CreateGroupMonitoringAgentProcessCreateGroupMonitoringAgentProcesscreate
GroupMonitoringAgentProcess
acs:cms::{#accountId}:group/{#groupId}
NoneNone
cms:DescribeMetricRuleListDescribeMetricRuleListget
All Resources
*
NoneNone
cms:DescribeSystemEventAttributeDescribeSystemEventAttributeget
All Resources
*
NoneNone
cms:DescribeContactGroupListDescribeContactGroupListget
All Resources
*
NoneNone
cms:CreateMetricRuleTemplateCreateMetricRuleTemplatecreate
All Resources
*
NoneNone
cms:CreateHybridMonitorTaskCreateHybridMonitorTaskcreate
All Resources
*
NoneNone
cms:UpdateCustomNamespaceModifyHybridMonitorNamespacecreate
All Resources
*
NoneNone
cms:DeleteCustomNamespaceDeleteHybridMonitorNamespacecreate
All Resources
*
NoneNone
cms:DeleteMetricRulesDeleteMetricRulesdelete
All Resources
*
NoneNone
cms:CreateDynamicTagGroupCreateDynamicTagGroupcreate
All Resources
*
NoneNone
cms:DescribeMonitorGroupNotifyPolicyListDescribeMonitorGroupNotifyPolicyListget
All Resources
*
NoneNone
cms:DescribeHybridMonitorTaskListDescribeHybridMonitorTaskListlist
All Resources
*
NoneNone
cms:DisableEventRulesDisableEventRulesupdate
All Resources
*
NoneNone
cms:CreateMetricRuleBlackListCreateMetricRuleBlackListcreate
All Resources
*
NoneNone
cms:DisableHostAvailabilityDisableHostAvailabilityupdate
HostAvailability
acs:cms::{#accountId}:group/{#groupId}
NoneNone
cms:DescribeCustomNamespaceDescribeHybridMonitorNamespaceListcreate
All Resources
*
NoneNone
cms:CreateMonitorGroupByResourceGroupIdCreateMonitorGroupByResourceGroupIdcreate
All Resources
*
NoneNone
cms:DescribeMonitorGroupInstancesDescribeMonitorGroupInstancesget
All Resources
*
NoneNone
cms:DeleteHostAvailabilityDeleteHostAvailabilitydelete
HostAvailability
acs:cms::{#accountId}:group/{#groupId}
NoneNone
cms:EnableHostAvailabilityEnableHostAvailabilityupdate
All Resources
*
NoneNone
cms:DescribeHostAvailabilityListDescribeHostAvailabilityListget
All Resources
*
NoneNone
cms:DeleteMonitorGroupDynamicRuleDeleteMonitorGroupDynamicRuledelete
All Resources
*
NoneNone
cms:DescribeAlertLogHistogramDescribeAlertLogHistogramget
All Resources
*
NoneNone
cms:DeleteContactGroupDeleteContactGroupdelete
All Resources
*
NoneNone
cms:DescribeCustomEventHistogramDescribeCustomEventHistogramget
All Resources
*
NoneNone
cms:DeleteMetricRuleTemplateDeleteMetricRuleTemplatedelete
All Resources
*
NoneNone
cms:DescribeEventRuleListDescribeEventRuleListget
All Resources
*
NoneNone
cms:ModifySiteMonitorModifySiteMonitorupdate
All Resources
*
NoneNone
cms:QueryMetricListDescribeMetricListget
All Resources
*
NoneNone
cms:QueryMetricTopDescribeMetricTopget
All Resources
*
NoneNone
cms:DescribeMonitoringAgentAccessKeyDescribeMonitoringAgentAccessKeyget
All Resources
*
NoneNone
cms:AddTagsAddTagscreate
All Resources
*
NoneNone
cms:DeleteEventRuleTargetsDeleteEventRuleTargetsdelete
All Resources
*
NoneNone
cms:DeleteMetricRuleTargetsDeleteMetricRuleTargetsdelete
All Resources
*
NoneNone
cms:DescribeContactListByContactGroupDescribeContactListByContactGroupget
All Resources
*
NoneNone
cms:ApplyMetricRuleTemplateApplyMetricRuleTemplatecreate
MetricRuleTemplate
acs:cms::{#accountId}:group/{#groupId}
NoneNone
cms:DeleteGroupMonitoringAgentProcessDeleteGroupMonitoringAgentProcessdelete
All Resources
*
NoneNone
cms:DeleteMonitoringAgentProcessDeleteMonitoringAgentProcessdelete
All Resources
*
NoneNone
cms:PutGroupMetricRulePutGroupMetricRulecreate
GroupMetricRule
acs:cms::{#accountId}:group/{#groupId}
NoneNone
cms:CreateMonitorGroupInstancesCreateMonitorGroupInstancescreate
All Resources
*
NoneNone
cms:DescribeHybridMonitorSLSGroupDescribeHybridMonitorSLSGroupcreate
All Resources
*
NoneNone
cms:DescribeMetricRuleBlackListDescribeMetricRuleBlackListlist
All Resources
*
NoneNone
cms:DescribeMonitoringAgentStatusesDescribeMonitoringAgentStatusesget
All Resources
*
NoneNone
cms:EnableMetricRuleBlackListEnableMetricRuleBlackListupdate
All Resources
*
NoneNone
cms:CreateHybridMonitorSLSGroupCreateHybridMonitorSLSGroupcreate
All Resources
*
NoneNone
cms:ModifyMonitorGroupModifyMonitorGroupupdate
MonitorGroup
acs:cms::{#accountId}:group/{#groupId}
NoneNone
cms:DeleteMetricRuleBlackListDeleteMetricRuleBlackListdelete
All Resources
*
NoneNone
cms:DeleteHybridMonitorSLSGroupDeleteHybridMonitorSLSGroupcreate
All Resources
*
NoneNone
cms:DescribeUnhealthyHostAvailabilityDescribeUnhealthyHostAvailabilityget
All Resources
*
NoneNone
cms:DescribeSiteMonitorLogDescribeSiteMonitorLoglist
All Resources
*
NoneNone
cms:EnableSiteMonitorsEnableSiteMonitorsupdate
All Resources
*
NoneNone
cms:DeleteSiteMonitorsDeleteSiteMonitorsdelete
All Resources
*
NoneNone
cms:DeleteDynamicTagGroupDeleteDynamicTagGroupdelete
All Resources
*
NoneNone
cms:ModifyMonitorGroupInstancesModifyMonitorGroupInstancesupdate
All Resources
*
NoneNone
cms:DescribeMonitorGroupInstanceAttributeDescribeMonitorGroupInstanceAttributeget
MonitorGroupInstances
acs:cms::{#accountId}:group/{#groupId}
NoneNone
cms:SendDryRunSystemEventSendDryRunSystemEventnone
All Resources
*
NoneNone
cms:DescribeMonitoringAgentHostsDescribeMonitoringAgentHostsget
All Resources
*
NoneNone
cms:PutCustomMetricPutCustomMetriccreate
All Resources
*
NoneNone
cms:DescribeMetricRuleTemplateAttributeDescribeMetricRuleTemplateAttributeget
All Resources
*
NoneNone
cms:DescribeSiteMonitorQuotaDescribeSiteMonitorQuotaget
All Resources
*
NoneNone
cms:ModifyMetricRuleTemplateModifyMetricRuleTemplateupdate
All Resources
*
NoneNone
cms:DescribeGroupMonitoringAgentProcessDescribeGroupMonitoringAgentProcessget
All Resources
*
NoneNone
cms:RemoveTagsRemoveTagsdelete
All Resources
*
NoneNone
cms:PutContactPutContactcreate
All Resources
*
NoneNone
cms:DeleteEventRulesDeleteEventRulesdelete
All Resources
*
NoneNone
cms:PutCustomEventRulePutCustomEventRulecreate
All Resources
*
NoneNone
cms:DescribeSiteMonitorListDescribeSiteMonitorListget
All Resources
*
NoneNone
cms:DeleteHybridMonitorTaskDeleteHybridMonitorTaskdelete
All Resources
*
NoneNone
cms:ModifyGroupMonitoringAgentProcessModifyGroupMonitoringAgentProcessupdate
MonitoringAgentProcess
acs:cms::{#accountId}:group/{#groupId}
NoneNone
cms:BatchCreateInstantSiteMonitorBatchCreateInstantSiteMonitorcreate
All Resources
*
NoneNone
cms:CreateInstantSiteMonitorCreateInstantSiteMonitorcreate
All Resources
*
NoneNone
cms:InstallMonitoringAgentInstallMonitoringAgentcreate
All Resources
*
NoneNone
cms:DescribeMetricRuleTargetsDescribeMetricRuleTargetslist
All Resources
*
NoneNone
cms:PutMonitoringConfigPutMonitoringConfigcreate
All Resources
*
NoneNone
cms:DescribeMetricRuleTemplateListDescribeMetricRuleTemplateListget
All Resources
*
NoneNone
cms:DescribeSiteMonitorAttributeDescribeSiteMonitorAttributeget
All Resources
*
NoneNone
cms:DisableMetricRulesDisableMetricRulesupdate
All Resources
*
NoneNone
cms:PutMonitorGroupDynamicRulePutMonitorGroupDynamicRulecreate
MonitorGroup
acs:cms::{#accountId}:group/{#groupId}
NoneNone
cms:DisableSiteMonitorsDisableSiteMonitorsupdate
All Resources
*
NoneNone
cms:DescribeAlertingMetricRuleResourcesDescribeAlertingMetricRuleResourcesget
All Resources
*
NoneNone
cms:DescribeDynamicTagRuleListDescribeDynamicTagRuleListget
All Resources
*
NoneNone
cms:DeleteMonitorGroupInstancesDeleteMonitorGroupInstancesdelete
MonitorGroupInstances
acs:cms::{#accountId}:group/{#groupId}
NoneNone
cms:DescribeContactListDescribeContactListget
All Resources
*
NoneNone
cms:DeleteLogMonitorDeleteLogMonitordelete
All Resources
*
NoneNone
cms:PutMetricRuleTargetsPutMetricRuleTargetscreate
All Resources
*
NoneNone
cms:DescribeAlertLogCountDescribeAlertLogCountget
All Resources
*
NoneNone
cms:DescribeLogMonitorAttributeDescribeLogMonitorAttributeget
All Resources
*
NoneNone
cms:CreateMonitorGroupNotifyPolicyCreateMonitorGroupNotifyPolicycreate
All Resources
*
NoneNone
cms:DeleteMetricRuleResourcesDeleteMetricRuleResourcesdelete
All Resources
*
NoneNone
cms:DescribeMonitoringAgentConfigDescribeMonitoringAgentConfigget
All Resources
*
NoneNone
cms:PutEventRuleTargetsPutEventRuleTargetscreate
All Resources
*
NoneNone
cms:CreateGroupMetricRulesCreateGroupMetricRulescreate
GroupMetricRule
acs:cms::{#accountId}:group/{#groupId}
NoneNone
cms:CreateMonitoringAgentProcessCreateMonitoringAgentProcesscreate
All Resources
*
NoneNone
cms:DescribeActiveMetricRuleListDescribeActiveMetricRuleListget
All Resources
*
NoneNone
cms:DeleteMonitorGroupDeleteMonitorGroupdelete
All Resources
*
NoneNone
cms:DescribeTagValueListDescribeTagValueListget
All Resources
*
NoneNone
cms:DescribeSiteMonitorISPCityListDescribeSiteMonitorISPCityListget
All Resources
*
NoneNone
cms:CreateHostAvailabilityCreateHostAvailabilitycreate
HostAvailability
acs:cms::{#accountId}:group/{#groupId}
NoneNone
cms:DescribeMonitorGroupsDescribeMonitorGroupsget
All Resources
*
NoneNone
cms:DescribeSystemEventCountDescribeSystemEventCountget
All Resources
*
NoneNone
cms:PutHybridMonitorMetricDataPutHybridMonitorMetricDatacreate
All Resources
*
NoneNone
cms:DisableActiveMetricRuleDisableActiveMetricRuleupdate
All Resources
*
NoneNone
cms:CreateMonitorAgentProcessCreateMonitorAgentProcesscreate
All Resources
*
NoneNone
cms:DescribeMonitorGroupCategoriesDescribeMonitorGroupCategoriesget
MonitorGroup
acs:cms::{#accountId}:group/{#groupId}
NoneNone
cms:DescribeTagKeyListDescribeTagKeyListget
All Resources
*
NoneNone
cms:QueryMetricLastDescribeMetricLastget
All Resources
*
NoneNone
cms:PutEventRulePutEventRulecreate
All Resources
*
NoneNone
cms:CreateMonitorGroupCreateMonitorGroupcreate
All Resources
*
NoneNone
cms:UninstallMonitoringAgentUninstallMonitoringAgentdelete
All Resources
*
NoneNone
cms:EnableActiveMetricRuleEnableActiveMetricRuleupdate
All Resources
*
NoneNone
cms:DescribeMonitoringAgentProcessesDescribeMonitoringAgentProcessesget
All Resources
*
NoneNone
cms:EnableMetricRulesEnableMetricRulesupdate
All Resources
*
NoneNone
cms:ModifyHostAvailabilityModifyHostAvailabilityupdate
All Resources
*
NoneNone
cms:QueryMetricDataDescribeMetricDataget
All Resources
*
NoneNone
cms:CreateCustomNamespaceCreateHybridMonitorNamespacecreate
All Resources
*
NoneNone
cms:CreateSiteMonitorCreateSiteMonitorcreate
All Resources
*
NoneNone
cms:DescribeMonitoringConfigDescribeMonitoringConfigget
All Resources
*
NoneNone
cms:CreateMetricRuleResourcesCreateMetricRuleResourcescreate
All Resources
*
NoneNone
cms:ModifyMetricRuleBlackListModifyMetricRuleBlackListupdate
All Resources
*
NoneNone
cms:DescribeAlertLogListDescribeAlertLogListget
All Resources
*
NoneNone
cms:DescribeProductResourceTagKeyListDescribeProductResourceTagKeyListget
All Resources
*
NoneNone
cms:PutLogMonitorPutLogMonitorcreate
All Resources
*
NoneNone
cms:PutResourceMetricRulePutResourceMetricRulecreate
All Resources
*
NoneNone
cms:DescribeCustomEventCountDescribeCustomEventCountget
All Resources
*
NoneNone
cms:DescribeProductsOfActiveMetricRuleDescribeProductsOfActiveMetricRuleget
All Resources
*
NoneNone
cms:ModifyHostInfoModifyHostInfoupdate
All Resources
*
NoneNone
cms:DeleteMonitorGroupNotifyPolicyDeleteMonitorGroupNotifyPolicydelete
All Resources
*
NoneNone
cms:DescribeSiteMonitorDataDescribeSiteMonitorDataget
All Resources
*
NoneNone
cms:DescribeEventRuleTargetListDescribeEventRuleTargetListget
All Resources
*
NoneNone
cms:DescribeCustomMetricListDescribeCustomMetricListget
All Resources
*
NoneNone
cms:DescribeEventRuleAttributeDescribeEventRuleAttributeget
All Resources
*
NoneNone
cms:DeleteCustomMetricDeleteCustomMetricdelete
All Resources
*
NoneNone
cms:DescribeMonitorResourceQuotaAttributeDescribeMonitorResourceQuotaAttributeget
All Resources
*
NoneNone
cms:DescribeSystemEventHistogramDescribeSystemEventHistogramget
All Resources
*
NoneNone
cms:DeleteContactDeleteContactdelete
All Resources
*
NoneNone
cms:ModifyHybridMonitorSLSGroupModifyHybridMonitorSLSGroupcreate
All Resources
*
NoneNone

Resource

CloudMonitorService defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:
  • {#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
  • An asterisk (*) is used as a wildcard. Examples:
    • {#resourceType} is set to *, all resources are specified.
    • {#regionId} is set to *, all regions are specified.
    • {#accountId} is set to *, all Alibaba Cloud accounts are specified.
Resource typeARN
LogMonitoracs:cms::{#accountId}:group/{#groupId}
GroupMonitoringAgentProcessacs:cms::{#accountId}:group/{#groupId}
HostAvailabilityacs:cms::{#accountId}:group/{#groupId}
HybridMonitorNamespaceacs:cms::{#accountId}:
MetricRuleTemplateacs:cms::{#accountId}:group/{#groupId}
GroupMetricRuleacs:cms::{#accountId}:group/{#groupId}
SlsGroupacs:cms:{#regionId}:{#accountId}:SlsGroup/*
MonitorGroupacs:cms::{#accountId}:group/{#groupId}
SlsGroupacs:cms:{#regionId}:{#accountId}:SlsGroup/SlsGroupId
SiteMonitoracs:cloudmonitorservice:{#regionId}:{#accountId}:sitemonitor/{#TaskId}
HostAvailabilityacs:cms:{#regionId}:{#accountId}:HostAvailability/*
MonitorGroupInstancesacs:cms::{#accountId}:group/{#groupId}
SystemEventacs:cms::{#accountId}:group/{#groupId}
AlarmContactacs:cms:{#regionId}:{#accountId}:AlarmContact/*
MonitoringAgentProcessacs:cms::{#accountId}:group/{#groupId}
MetricRuleTargetsacs:cms::{#accountId}:*

Condition

CloudMonitorService does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Generic Condition Keyword.

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: