Before a Resource Access Management (RAM) user calls the CloudMonitor API, the Alibaba Cloud account to which the RAM user belongs must attach policies to the RAM user.
Resources
In CloudMonitor, you can grant permissions only on specific actions, not on specific resources. Resources can be described only by the wildcard character (*), which indicates all resources.
Actions
The actions on CloudMonitor are divided into two types: the actions on monitoring data and the actions on the instances of the Alibaba Cloud services monitored by CloudMonitor. The RAM user must have the permissions to perform both types of actions because the monitoring data in CloudMonitor is collected from the monitored instances of the Alibaba Cloud services. If the RAM user does not have the permissions to perform the actions on the monitored instances, the RAM user cannot query the monitored instances, query the monitoring data collected from the instances, or configure alerts based on the monitoring data.
If you have no special requirements, we recommend that you use the default system policies provided by RAM: AliyunCloudMonitorFullAccess and AliyunCloudMonitorReadOnlyAccess. These two system policies contain the permissions to read and manage CloudMonitor data and the permissions to read the data of the monitored instances.
If the system policies cannot meet your requirements, you can configure a custom policy. In a custom policy, set Resource to the wildcard character (*); the wildcard character can also be used in action names, for example cms:Describe*.
To grant the permissions to manage CloudMonitor, set the action to cms:*. The following actions can be used to grant the read-only permissions on CloudMonitor:
cms:Get*
cms:List*
cms:Query*
cms:BatchQuery*
cms:Describe*
cms:Cursor
cms:BatchGet
cms:BatchExport
The following list gives the actions for querying the instances of the Alibaba Cloud services monitored by CloudMonitor (Alibaba Cloud service: actions).
Note: The Alibaba Cloud services that can be monitored by CloudMonitor are continually updated. The list covers only the actions for querying the instances of the main Alibaba Cloud services.
Elastic Compute Service (ECS): ecs:DescribeInstances
ApsaraDB RDS: rds:DescribeDBInstances, rds:DescribeReplicas
Server Load Balancer (SLB): DescribeLoadBalancer*
Virtual Private Cloud (VPC): vpc:DescribeEipAddresses, vpc:DescribeRouterInterfaces, vpc:DescribeGlobalAccelerationInstances, vpc:DescribeVpnGateways, vpc:DescribeNatGateways, vpc:DescribeBandwidthPackages, vpc:DescribeCommonBandwidthPackages
Object Storage Service (OSS): oss:ListBuckets
Simple Log Service: log:ListProject
Alibaba Cloud CDN: cdn:DescribeUserDomains
Simple Message Queue (formerly MNS): mns:ListQueue, mns:ListTopic
Auto Scaling (ESS): ess:DescribeScalingGroups
ApsaraDB for Memcache: ocs:DescribeInstances
ApsaraDB for Redis: kvstore:DescribeInstances, kvstore:DescribeLogicInstanceTopology
ApsaraDB for HBase: hbase:DescribeClusterList
Time Series Database (TSDB): hitsdb:DescribeHiTSDBInstanceList
HybridDB for MySQL: petadata:DescribeInstances, petadata:DescribeDatabases
AnalyticDB for PostgreSQL: gpdb:DescribeDBInstances
E-MapReduce: emr:ListClusters
OpenSearch: opensearch:ListApps
Elasticsearch: elasticsearch:ListInstance
ApsaraDB for MongoDB: mongodb:DescribeDBInstances
NAT Gateway: netgateway:DescribeNatGateways
Anti-DDoS Proxy: ddos:DescribeInstancePage
Cloud Enterprise Network (CEN): cen:DescribeCens, cen:DescribeCenAttachedChildInstances
ApsaraMQ for Kafka: kafka:GetKafkaInstanceList
SCDN: scdn:DescribeScdnUserDomains
Dynamic Content Delivery Network (DCDN): dcdn:DescribeDcdnUserDomains
PolarDB: polardb:DescribeDBInstances
In most cases, you can specify the action in the cms:{Operation name} format to grant the permissions on a specific API operation. For example, to grant only the permissions on CreateMonitorGroupNotifyPolicy, set the action to cms:CreateMonitorGroupNotifyPolicy. The actions for a few API operations do not follow this format. The following list gives the actions for these API operations (API operation: action).
CreateHybridMonitorNamespace: cms:CreateCustomNamespace
DeleteHybridMonitorNamespace: cms:DeleteCustomNamespace
PutCustomEvent: cms:PutEvent
DescribeMetricTop: cms:QueryMetricTop
DescribeMetricList: cms:QueryMetricList
DescribeMetricLast: cms:QueryMetricLast
DescribeMetricData: cms:QueryMetricData
DescribeMetricEventList: cms:QueryEvent
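The following Python script is an added example and is not part of the CloudMonitor documentation or of any Alibaba Cloud SDK. It puts the three pieces of this page together: it builds a custom read-only policy from the cms:Get*/cms:List*/... actions plus a subset of the instance-query actions, maps an API operation name to the RAM action it needs (applying the exception list above, so DescribeMetricList resolves to cms:QueryMetricList rather than cms:DescribeMetricList), and evaluates whether a policy authorizes that action. The policy document shape (Version "1", Statement with Effect, Action and Resource "*") is the standard RAM format; the helper functions, the assumption that "*" in an action matches any run of characters and that an explicit Deny overrides Allow, and the sample operations are assumptions of this example, not something the page states.

```python
import fnmatch
import json

# Read-only CloudMonitor actions as listed on the page.
CMS_READ_ONLY_ACTIONS = [
    "cms:Get*", "cms:List*", "cms:Query*", "cms:BatchQuery*",
    "cms:Describe*", "cms:Cursor", "cms:BatchGet", "cms:BatchExport",
]

# Actions for querying monitored instances (a subset of the page's list).
INSTANCE_QUERY_ACTIONS = [
    "ecs:DescribeInstances",
    "rds:DescribeDBInstances", "rds:DescribeReplicas",
    "vpc:DescribeEipAddresses", "vpc:DescribeNatGateways",
    "oss:ListBuckets",
    "kvstore:DescribeInstances",
    "polardb:DescribeDBInstances",
]

# API operations whose action name does not follow cms:{Operation name}.
ACTION_EXCEPTIONS = {
    "CreateHybridMonitorNamespace": "cms:CreateCustomNamespace",
    "DeleteHybridMonitorNamespace": "cms:DeleteCustomNamespace",
    "PutCustomEvent": "cms:PutEvent",
    "DescribeMetricTop": "cms:QueryMetricTop",
    "DescribeMetricList": "cms:QueryMetricList",
    "DescribeMetricLast": "cms:QueryMetricLast",
    "DescribeMetricData": "cms:QueryMetricData",
    "DescribeMetricEventList": "cms:QueryEvent",
}


def required_action(operation):
    """Map a CloudMonitor API operation name to the RAM action it requires."""
    return ACTION_EXCEPTIONS.get(operation, "cms:" + operation)


def build_policy(allow_actions, deny_actions=()):
    """Build a RAM policy document. Resource is always "*" because
    CloudMonitor does not support resource-level authorization."""
    statements = [{"Effect": "Allow", "Action": list(allow_actions), "Resource": "*"}]
    if deny_actions:
        statements.append({"Effect": "Deny", "Action": list(deny_actions), "Resource": "*"})
    return {"Version": "1", "Statement": statements}


def _matches(patterns, action):
    # Assumption: "*" in an action pattern matches any run of characters.
    # fnmatchcase keeps the comparison case-sensitive and locale-independent.
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def is_allowed(policy, action):
    """Evaluate one action against a policy document.
    Assumption: an explicit Deny wins over Allow; no match means deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if _matches(actions, action):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def check_operations(policy, operations, instance_actions=()):
    """Return {name: allowed} for CloudMonitor API operations and, optionally,
    for the instance-query actions the page says must be granted alongside them."""
    result = {op: is_allowed(policy, required_action(op)) for op in operations}
    for act in instance_actions:
        result[act] = is_allowed(policy, act)
    return result


if __name__ == "__main__":
    read_only = build_policy(CMS_READ_ONLY_ACTIONS + INSTANCE_QUERY_ACTIONS)
    print(json.dumps(read_only, indent=2))
    # Sample operations (constructed for this example): a read call that goes
    # through the exception list, a write call, and one instance-query action.
    print(check_operations(read_only,
                           ["DescribeMetricList", "PutCustomEvent"],
                           ["ecs:DescribeInstances"]))
```

Running the script prints the policy document you would paste into the RAM console, then a result dictionary in which DescribeMetricList is allowed (cms:QueryMetricList matches cms:Query*), PutCustomEvent is denied (cms:PutEvent matches no read-only pattern), and ecs:DescribeInstances is allowed. Build the same policy from CMS_READ_ONLY_ACTIONS alone and the instance-query check fails, which is exactly the situation the Actions section warns about: the RAM user can call the cms API but cannot list the monitored instances.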