Alibaba Cloud provides Resource Access Management (RAM), which offers fine-grained access control. It is suitable for enterprise scenarios in which multiple departments or roles require access to Elastic Compute Service (ECS) resources. By assigning access permissions based on departmental or role-specific duties, you can protect sensitive information and key business processes. Separating duties in this way not only improves management efficiency but also mitigates the risk of data breaches. This topic describes how to manage RAM user permissions to control access to ECS resources.
Scenarios
Assume that your company uses ECS for hosting applications and services. Managers oversee IT architecture planning, with full control over ECS resources, including resource creation, resource allocation adjustments, and security policy configurations. Developers focus on continuous project iteration and feature development, deploying projects to ECS. Operators ensure system stability by creating snapshots, generating images, and executing maintenance scripts.
For these roles, we recommend the following permission schemes:
Managers are granted full ECS operational permissions, such as instance creation, instance release, and security group rule modifications.
Developers can view all ECS instance details but cannot change the settings. They are authorized to log on to instances to perform operational tasks.
Operators are permitted to create certain resources but cannot delete them. These permissions include generating snapshots and images, and executing scripts.
Procedure
1. Create RAM users
Log on to the RAM console with your Alibaba Cloud account and create three RAM users: manager, developer, and operator. Assign them appropriate permissions. Ensure console logon is enabled for these users. For more information, see Create a RAM user.
2. Create custom policies
Create three custom policies for fine-grained access control and management. For more information, see Create custom policies.
Manager_Policy
This policy is defined for managers, with full ECS operational permissions granted.
{
    "Version": "1",
    "Statement": [
        {
            "Action": "ecs:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:CheckCanAllocateVpcPrivateIpAddress",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "bss:ModifyAgreementRecord"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
Developer_Policy
This policy grants developers view-only permissions on the listed resources and allows remote logon to ECS instances by using Workbench. Developers have no permission to create or modify resources.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:List*",
                "ecs:Describe*",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "ecs-workbench:LoginInstance"
            ],
            "Resource": "*"
        }
    ]
}
Operator_Policy
This policy grants operators permission to view resources, create images and snapshots, and execute commands.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:Describe*",
                "ecs:AttachDisk",
                "ecs:CreateSnapshot",
                "ecs:CreateImage",
                "ecs:RunCommand",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
3. Grant permissions to RAM users
Attach the custom policies to the RAM users to manage their access to specific resources. If a RAM user performs unauthorized actions, you can revoke the authorization or narrow the scope of the user's permissions to mitigate risk. For more information, see Grant permissions to a RAM user.
RAM user | Policy to grant
Manager | Manager_Policy
Developer | Developer_Policy
Operator | Operator_Policy
4. Verify the access control
Go to the RAM user logon page and sign in with the created RAM users.
Log on to the ECS console and perform operations such as viewing ECS instances, creating instances, and generating images to check whether the access control takes effect.
As a manager
You can view the ECS instance list.
You can create ECS instances.
You can release ECS instances.
You can create images.
As a developer
You can view the ECS instance list.
You cannot create ECS instances.
You cannot create images.
You can log on to an ECS instance by using Workbench and deploy projects with commands on the instance.
As an operator
You can view the ECS instance list.
You cannot create ECS instances.
You can create images.
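The checks above can also be run offline against the policy documents themselves before anyone logs on. The following is an added example, not code from the Alibaba Cloud documentation or from the RAM service: it embeds the three custom policies from step 2 and evaluates action names against them with a simplified model of RAM policy evaluation (an explicit Deny wins, otherwise any matching Allow grants, otherwise the action is denied). The action names used as inputs (ecs:CreateInstance, ecs:DeleteInstance, ecs:DeleteImage) are real ECS API actions chosen for the checks; the evaluator itself is an assumption and does not reproduce every rule of the RAM engine.

```python
import fnmatch

# The three custom policies from step 2, as Python dicts (statements only).
# Note that every statement uses "Resource": "*", so each grant applies to
# all ECS resources in the account.
POLICIES = {
    "Manager_Policy": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "vpc:CheckCanAllocateVpcPrivateIpAddress", "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches", "bss:ModifyAgreementRecord"]},
    ],
    "Developer_Policy": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ecs:List*", "ecs:Describe*", "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches", "ecs-workbench:LoginInstance"]},
    ],
    "Operator_Policy": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ecs:Describe*", "ecs:AttachDisk", "ecs:CreateSnapshot",
            "ecs:CreateImage", "ecs:RunCommand", "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"]},
    ],
}


def _as_list(value):
    # "Action" and "Resource" may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # '*' in a policy element is a wildcard, as in "ecs:Describe*".
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(statements, action, resource="*"):
    """Simplified evaluation (assumed model): Deny overrides Allow,
    and an action with no matching Allow statement is denied."""
    allowed = False
    for stmt in statements:
        if not _matches(_as_list(stmt["Action"]), action):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_role(policy_name, actions):
    """Return {action: allowed?} for one policy, mirroring the step 4 checks."""
    return {a: is_allowed(POLICIES[policy_name], a) for a in actions}
```

Running check_role("Operator_Policy", ["ecs:DescribeInstances", "ecs:CreateImage", "ecs:DeleteImage"]) shows that the operator can view and create but not delete, matching the separation of duties described in the Scenarios section.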
References
RAM is a service provided by Alibaba Cloud that allows you to manage user identities and resource access permissions. For more information, see What is RAM?
You can check usage notes and limits of multi-factor authentication (MFA) in RAM. For more information, see What is multi-factor authentication?
ECS offers various custom policies. For more information, see Custom policies for ECS.
For information about how to connect to an ECS instance by using Workbench, see Connect to an instance by using Workbench.