RAM authorization - ENS - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.

This topic describes the elements, such as Action, Resource, and Condition, which are defined by ENS. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate ENS is ens. You can grant permissions on ENS at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Effect: specifies the authorization effect. Valid values: Allow, Deny.
Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.

Action

ENS defines the values that you can use in the Action element of a policy statement. The following table describes the values.

Operation: the value that you can use in the Action element to specify the operation on a resource.
API operation: the API operation that you can call to perform the operation.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Actions	API operation	Access level	Resource type	Condition key	Associated operation
ens:CreateLoadBalancerTCPListener	CreateLoadBalancerTCPListener	create	All Resources *	None	None
ens:DescribeDataDistResult	DescribeDataDistResult	get	All Resources *	None	None
ens:DescribePrePaidInstanceStock	DescribePrePaidInstanceStock	get	All Resources *	None	None
ens:CreateClassicNetwork	CreateClassicNetwork		All Resources *	None	None
ens:DescribeDataDownloadURL	DescribeDataDownloadURL	get	All Resources *	None	None
ens:DeleteStorageVolume	DeleteStorageVolume	delete	All Resources *	None	None
ens:DeployInstanceSDG	DeployInstanceSDG	none	All Resources *	None	None
ens:RenewInstance	RenewInstance	none	All Resources *	None	None
ens:DescribeStorageVolume	DescribeStorageVolume	list	All Resources *	None	None
ens:DescribeAvailableResource	DescribeAvailableResource		All Resources *	None	None
ens:CreateApplication	CreateApplication	create	All Resources *	None	None
ens:ReinitInstance	ReinitInstance	update	All Resources *	None	None
ens:CreateInstance	CreateInstance	create	Instance acs:ens::{#accountId}:instance/	None	None
ens:CreateNetworkAcl	CreateNetworkAcl		All Resources *	None	None
ens:AddSnatIpForSnatEntry	AddSnatIpForSnatEntry		All Resources *	None	None
ens:CopySnapshot	CopySnapshot	create	All Resources *	None	None
ens:DescribeRegionIsps	DescribeRegionIsps		All Resources *	None	None
ens:AuthorizeSecurityGroupEgress	AuthorizeSecurityGroupEgress	update	All Resources *	None	None
ens:CreateForwardEntry	CreateForwardEntry	create	All Resources *	None	None
ens:DescribeSnapshots	DescribeSnapshots		All Resources *	None	None
ens:AssignPrivateIpAddresses	AssignPrivateIpAddresses	create	All Resources *	None	None
ens:DescribeLoadBalancerSpec	DescribeLoadBalancerSpec	get	All Resources *	None	None
ens:CreateStorageVolume	CreateStorageVolume	create	All Resources *	None	None
ens:CopySDG	CopySDG	none	All Resources *	None	None
ens:DeleteSnapshot	DeleteSnapshot	delete	All Resources *	None	None
ens:DescribeLoadBalancerUDPListenerAttribute	DescribeLoadBalancerUDPListenerAttribute	get	All Resources *	None	None
ens:DescribeStorageGateway	DescribeStorageGateway	list	All Resources *	None	None
ens:DetachNetworkInterface	DetachNetworkInterface	update	All Resources *	None	None
ens:DescribeInstanceMonitorData	DescribeInstanceMonitorData	get	All Resources *	None	None
ens:ExportBillDetailData	ExportBillDetailData	get	All Resources *	None	None
ens:DeleteNetworkAclEntry	DeleteNetworkAclEntry		All Resources *	None	None
ens:StopLoadBalancerListener	StopLoadBalancerListener	update	All Resources *	None	None
ens:AddBackendServers	AddBackendServers	create	All Resources *	None	None
ens:CreateStorageGateway	CreateStorageGateway	create	All Resources *	None	None
ens:ModifyImageSharePermission	ModifyImageSharePermission	update	Image acs:ens::{#accountId}:image/{#ImageId}	None	None
ens:ModifyFileSystem	ModifyFileSystem		All Resources *	None	None
ens:DescribeDataPushResult	DescribeDataPushResult	get	All Resources *	None	None
ens:DeleteKeyPairs	DeleteKeyPairs	delete	All Resources *	None	None
ens:CreateLoadBalancerHTTPSListener	CreateLoadBalancerHTTPSListener	create	All Resources *	None	None
ens:CreateEipInstance	CreateEipInstance	create	All Resources *	None	None
ens:CreateMountTarget	CreateMountTarget		All Resources *	None	None
ens:ResizeDisk	ResizeDisk	update	All Resources *	None	None
ens:DescribeAICImages	DescribeAICImages		All Resources *	None	None
ens:RescaleDeviceService	RescaleDeviceService		All Resources *	None	None
ens:DescribeExportImageInfo	DescribeExportImageInfo	get	All Resources *	None	None
ens:DeleteSecurityGroup	DeleteSecurityGroup	delete	All Resources *	None	None
ens:ModifyEnsEipAddressAttribute	ModifyEnsEipAddressAttribute	update	All Resources *	None	None
ens:CreateEnsRouteEntry	CreateEnsRouteEntry		All Resources *	None	None
ens:DeleteForwardEntry	DeleteForwardEntry	delete	All Resources *	None	None
ens:UnassignPrivateIpAddresses	UnassignPrivateIpAddresses	update	All Resources *	None	None
ens:ReleaseARMServerInstance	ReleaseARMServerInstance	delete	All Resources *	None	None
ens:RevokeSecurityGroupEgress	RevokeSecurityGroupEgress	update	All Resources *	None	None
ens:DescribeCloudDiskTypes	DescribeCloudDiskTypes	get	All Resources *	None	None
ens:ReInitDisk	ReInitDisk	create	All Resources *	None	None
ens:CreateFileSystem	CreateFileSystem		All Resources *	None	None
ens:DescribeEpnInstances	DescribeEpnInstances	get	All Resources *	None	None
ens:DistApplicationData	DistApplicationData		All Resources *	None	None
ens:DescribeFileSystems	DescribeFileSystems	list	All Resources *	None	None
ens:DeleteEnsRouteEntry	DeleteEnsRouteEntry		All Resources *	None	None
ens:GetBucketInfo	GetBucketInfo	get	All Resources *	None	None
ens:DescribeEnsNetSaleDistrict	DescribeEnsNetSaleDistrict		All Resources *	None	None
ens:DescribeSecurityGroupAttribute	DescribeSecurityGroupAttribute	get	All Resources *	None	None
ens:SetLoadBalancerUDPListenerAttribute	SetLoadBalancerUDPListenerAttribute	update	All Resources *	None	None
ens:ModifyNetworkInterfaceAttribute	ModifyNetworkInterfaceAttribute	update	All Resources *	None	None
ens:CreateLoadBalancer	CreateLoadBalancer	create	All Resources *	None	None
ens:RescaleApplication	RescaleApplication		All Resources *	None	None
ens:AddDeviceInternetPort	AddDeviceInternetPort	create	All Resources *	None	None
ens:GetOssStorageAndAccByBuckets	GetOssStorageAndAccByBuckets		All Resources *	None	None
ens:PutBucketLifecycle	PutBucketLifecycle	none	All Resources *	None	None
ens:DeleteSnatEntry	DeleteSnatEntry	delete	All Resources *	None	None
ens:PutBucket	PutBucket	create	All Resources *	None	None
ens:ModifyHaVipAttribute	ModifyHaVipAttribute	update	All Resources *	None	None
ens:DescribeInstanceTypes	DescribeInstanceTypes	get	All Resources *	None	None
ens:JoinVSwitchesToEpnInstance	JoinVSwitchesToEpnInstance	update	All Resources *	None	None
ens:ModifyVSwitchAttribute	ModifyVSwitchAttribute	update	All Resources *	None	None
ens:PushApplicationData	PushApplicationData		All Resources *	None	None
ens:DescribeDiskIopsList	DescribeDiskIopsList	none	All Resources *	None	None
ens:DescribeMountTargets	DescribeMountTargets		All Resources *	None	None
ens:DescribeKeyPairs	DescribeKeyPairs	get	All Resources *	None	None
ens:GetDeviceInternetPort	GetDeviceInternetPort	get	All Resources *	None	None
ens:DescribeUserBandWidthData	DescribeUserBandWidthData	get	All Resources *	None	None
ens:DescribeImageSharePermission	DescribeImageSharePermission	get	All Resources *	None	None
ens:ImportKeyPair	ImportKeyPair	create	All Resources *	None	None
ens:DescribeNetworkInterfaces	DescribeNetworkInterfaces	list	All Resources *	None	None
ens:AttachNetworkInterface	AttachNetworkInterface	update	All Resources *	None	None
ens:RollbackApplication	RollbackApplication		All Resources *	None	None
ens:UnloadRegionSDG	UnloadRegionSDG	none	All Resources *	None	None
ens:RevokeSecurityGroup	RevokeSecurityGroup	update	All Resources *	None	None
ens:DeleteLoadBalancerListener	DeleteLoadBalancerListener	delete	All Resources *	None	None
ens:DeleteImage	DeleteImage		All Resources *	None	None
ens:PrepareUpload	PrepareUpload	none	All Resources *	None	None
ens:StartSnatIpForSnatEntry	StartSnatIpForSnatEntry		All Resources *	None	None
ens:JoinPublicIpsToEpnInstance	JoinPublicIpsToEpnInstance	update	All Resources *	None	None
ens:RemoveInstanceSDG	RemoveInstanceSDG	update	All Resources *	None	None
ens:RemoveBackendServers	RemoveBackendServers	update	All Resources *	None	None
ens:ReleasePostPaidInstance	ReleasePostPaidInstance	update	Instance acs:ens:*:{#accountId}:instance/{#InstanceId}	None	None
ens:ModifySecurityGroupAttribute	ModifySecurityGroupAttribute	update	All Resources *	None	None
ens:DescribeNetworkAttribute	DescribeNetworkAttribute	get	All Resources *	None	None
ens:DescribeInstanceVncUrl	DescribeInstanceVncUrl	get	All Resources *	None	None
ens:DescribeNatGateways	DescribeNatGateways		All Resources *	None	None
ens:DescribeInstanceSpec	DescribeInstanceSpec	get	All Resources *	None	None
ens:DescribeEnsResourceUsage	DescribeEnsResourceUsage	get	All Resources *	None	None
ens:UpgradeApplication	UpgradeApplication	update	All Resources *	None	None
ens:DescribeLoadBalancerHTTPSListenerAttribute	DescribeLoadBalancerHTTPSListenerAttribute	get	All Resources *	None	None
ens:SetLoadBalancerHTTPListenerAttribute	SetLoadBalancerHTTPListenerAttribute	update	All Resources *	None	None
ens:DescribeEpnBandWidthData	DescribeEpnBandWidthData	get	All Resources *	None	None
ens:DescribeEnsRegionIdResource	DescribeEnsRegionIdResource	get	All Resources *	None	None
ens:DescribeDisks	DescribeDisks	get	All Resources *	None	None
ens:CreateLoadBalancerUDPListener	CreateLoadBalancerUDPListener	create	All Resources *	None	None
ens:CreateKeyPair	CreateKeyPair	create	All Resources *	None	None
ens:StartEpnInstance	StartEpnInstance	update	All Resources *	None	None
ens:ReleaseInstance	ReleaseInstance	delete	All Resources *	None	None
ens:AssociateEnsEipAddress	AssociateEnsEipAddress	update	All Resources *	None	None
ens:UnAssociateEnsEipAddress	UnAssociateEnsEipAddress	update	All Resources *	None	None
ens:DeleteVSwitch	DeleteVSwitch	delete	All Resources *	None	None
ens:DescribeEpnBandwitdhByInternetChargeType	DescribeEpnBandwitdhByInternetChargeType	get	All Resources *	None	None
ens:RunInstances	RunInstances	create	Instance acs:ens::{#accountId}:instance/	None	None
ens:DescribeNetworks	DescribeNetworks	get	All Resources *	None	None
ens:RemoveVSwitchesFromEpnInstance	RemoveVSwitchesFromEpnInstance	update	All Resources *	None	None
ens:DescribePrice	DescribePrice	get	All Resources *	None	None
ens:DescribeLoadBalancerTCPListenerAttribute	DescribeLoadBalancerTCPListenerAttribute	get	All Resources *	None	None
ens:ModifyInstanceAutoRenewAttribute	ModifyInstanceAutoRenewAttribute	update	All Resources *	None	None
ens:StartLoadBalancerListener	StartLoadBalancerListener	update	All Resources *	None	None
ens:ModifyInstanceAttribute	ModifyInstanceAttribute	update	Instance acs:ens:*:{#accountId}:instance/{#InstanceId}	None	None
ens:AttachEnsInstances	AttachEnsInstances	update	All Resources *	None	None
ens:DescribeApplication	DescribeApplication	get	All Resources *	None	None
ens:DeleteDeviceInternetPort	DeleteDeviceInternetPort	delete	All Resources *	None	None
ens:ListTagResources	ListTagResources	list	All Resources *	None	None
ens:GetOssUsageData	GetOssUsageData		All Resources *	None	None
ens:ExportImage	ExportImage	get	All Resources *	None	None
ens:SetLoadBalancerHTTPSListenerAttribute	SetLoadBalancerHTTPSListenerAttribute	update	All Resources *	None	None
ens:DescribeMeasurementData	DescribeMeasurementData	get	All Resources *	None	None
ens:AttachDisk	AttachDisk	update	All Resources *	None	None
ens:DeleteNatGateway	DeleteNatGateway		All Resources *	None	None
ens:ModifyEpnInstance	ModifyEpnInstance	update	All Resources *	None	None
ens:DescribeLoadBalancerAttribute	DescribeLoadBalancerAttribute	get	All Resources *	None	None
ens:ModifyLoadBalancerAttribute	ModifyLoadBalancerAttribute	update	All Resources *	None	None
ens:DeleteNetwork	DeleteNetwork	delete	All Resources *	None	None
ens:DescribeBandwitdhByInternetChargeType	DescribeBandwitdhByInternetChargeType	get	All Resources *	None	None
ens:UpgradeAICInstanceImage	UpgradeAICInstanceImage		All Resources *	None	None
ens:StartInstance	StartInstance	update	Instance acs:ens:*:{#accountId}:instance/{#InstanceId}	None	None
ens:DescribeEpnInstanceAttribute	DescribeEpnInstanceAttribute	get	All Resources *	None	None
ens:CreateSnapshot	CreateSnapshot	create	All Resources *	None	None
ens:RunServiceSchedule	RunServiceSchedule		All Resources *	None	None
ens:DeleteFileSystem	DeleteFileSystem		All Resources *	None	None
ens:SetLoadBalancerTCPListenerAttribute	SetLoadBalancerTCPListenerAttribute	update	All Resources *	None	None
ens:DescribeEnsRegions	DescribeEnsRegions	list	All Resources *	None	None
ens:CreateNatGateway	CreateNatGateway	create	All Resources *	None	None
ens:DescribeSDGDeploymentStatus	DescribeSDGDeploymentStatus	none	All Resources *	None	None
ens:DeleteSnatIpForSnatEntry	DeleteSnatIpForSnatEntry	delete	All Resources *	None	None
ens:ListApplications	ListApplications	get	All Resources *	None	None
ens:ModifyNetworkAttribute	ModifyNetworkAttribute	update	All Resources *	None	None
ens:ListBuckets	ListBuckets	list	All Resources *	None	None
ens:TagResources	TagResources	create	All Resources *	None	None
ens:DescribeEnsEipAddresses	DescribeEnsEipAddresses	list	All Resources *	None	None
ens:DescribeSelfImages	DescribeSelfImages	get	All Resources *	None	None
ens:DescribeEnsRegionIdIpv6Info	DescribeEnsRegionIdIpv6Info		All Resources *	None	None
ens:DescribeCreatePrePaidInstanceResult	DescribeCreatePrePaidInstanceResult	get	All Resources *	None	None
ens:SetLoadBalancerStatus	SetLoadBalancerStatus	update	All Resources *	None	None
ens:UnassociateHaVip	UnassociateHaVip	update	All Resources *	None	None
ens:ListObjects	ListObjects	list	All Resources *	None	None
ens:DescribeDeviceService	DescribeDeviceService	get	All Resources *	None	None
ens:DescribeAvailableResourceInfo	DescribeAvailableResourceInfo		All Resources *	None	None
ens:ModifyInstanceChargeType	ModifyInstanceChargeType	update	Instance acs:ens:*:{#accountId}:instance/{#InstanceId}	None	None
ens:DeleteObject	DeleteObject	delete	All Resources *	None	None
ens:DescribeImageInfos	DescribeImageInfos	get	All Resources *	None	None
ens:DescribeSnatTableEntries	DescribeSnatTableEntries	list	All Resources *	None	None
ens:CreateLoadBalancerHTTPListener	CreateLoadBalancerHTTPListener	create	All Resources *	None	None
ens:PutBucketAcl	PutBucketAcl	none	All Resources *	None	None
ens:DescribeLoadBalancerHTTPListenerAttribute	DescribeLoadBalancerHTTPListenerAttribute	get	All Resources *	None	None
ens:DescribeSecurityGroups	DescribeSecurityGroups	get	All Resources *	None	None
ens:RestartDeviceInstance	RestartDeviceInstance		All Resources *	None	None
ens:GetBucketLifecycle	GetBucketLifecycle	get	All Resources *	None	None
ens:RenewARMServerInstance	RenewARMServerInstance	update	All Resources *	None	None
ens:DescribeSDG	DescribeSDG	none	All Resources *	None	None
ens:DeploySDG	DeploySDG		All Resources *	None	None
ens:SetBackendServers	SetBackendServers	update	All Resources *	None	None
ens:DescribeEnsNetLevel	DescribeEnsNetLevel		All Resources *	None	None
ens:CreateDisk	CreateDisk	create	All Resources *	None	None
ens:JoinSecurityGroup	JoinSecurityGroup	update	All Resources *	None	None
ens:DeleteMountTarget	DeleteMountTarget		All Resources *	None	None
ens:DescribeImages	DescribeImages	get	All Resources *	None	None
ens:AddNetworkInterfaceToInstance	AddNetworkInterfaceToInstance	create	All Resources *	None	None
ens:DescribeExportImageStatus	DescribeExportImageStatus	get	All Resources *	None	None
ens:DetachDisk	DetachDisk	update	All Resources *	None	None
ens:CreateNetworkAclEntry	CreateNetworkAclEntry		All Resources *	None	None
ens:DeleteNetworkAcl	DeleteNetworkAcl		All Resources *	None	None
ens:CreateNetwork	CreateNetwork	create	All Resources *	None	None
ens:CreateSDG	CreateSDG	none	All Resources *	None	None
ens:DescribeInstances	DescribeInstances	list	Instance acs:ens:*:{#accountId}:instance/{#InstanceId}	None	None
ens:DeleteBucket	DeleteBucket	delete	All Resources *	None	None
ens:DescribeServcieSchedule	DescribeServcieSchedule		All Resources *	None	None
ens:StopInstance	StopInstance	update	Instance acs:ens:*:{#accountId}:instance/{#InstanceId}	None	None
ens:DescribeEnsNetDistrict	DescribeEnsNetDistrict	get	All Resources *	None	None
ens:ModifyImageAttribute	ModifyImageAttribute	update	All Resources *	None	None
ens:CreateEnsService	CreateEnsService	create	All Resources *	None	None
ens:ResetAICInstance	ResetAICInstance		All Resources *	None	None
ens:AccosicateNetworkAcl	AccosicateNetworkAcl	update	All Resources *	None	None
ens:CreateSnatEntry	CreateSnatEntry	create	All Resources *	None	None
ens:UnassociateNetworkAcl	UnassociateNetworkAcl	update	All Resources *	None	None
ens:DescribeReservedResource	DescribeReservedResource	get	All Resources *	None	None
ens:DescribeVSwitches	DescribeVSwitches	get	All Resources *	None	None
ens:DeleteDisk	DeleteDisk		All Resources *	None	None
ens:RebootInstance	RebootInstance	update	Instance acs:ens:*:{#accountId}:instance/{#InstanceId}	None	None
ens:DescribeEpnMeasurementData	DescribeEpnMeasurementData	get	All Resources *	None	None
ens:DescribeNetworkAcls	DescribeNetworkAcls		All Resources *	None	None
ens:DescribeLoadBalancers	DescribeLoadBalancers	get	All Resources *	None	None
ens:DescribeCloudDiskAvailableResourceInfo	DescribeCloudDiskAvailableResourceInfo	get	All Resources *	None	None
ens:DeleteBucketLifecycle	DeleteBucketLifecycle	delete	All Resources *	None	None
ens:StopEpnInstance	StopEpnInstance	update	All Resources *	None	None
ens:CreateVSwitch	CreateVSwitch	create	All Resources *	None	None
ens:CreateEpnInstance	CreateEpnInstance	create	All Resources *	None	None
ens:DescribeInstanceAutoRenewAttribute	DescribeInstanceAutoRenewAttribute	get	All Resources *	None	None
ens:LeaveSecurityGroup	LeaveSecurityGroup	update	All Resources *	None	None
ens:CreateARMServerInstances	CreateARMServerInstances	create	All Resources *	None	None
ens:RemoveSDG	RemoveSDG		All Resources *	None	None
ens:UntagResources	UntagResources	update	All Resources *	None	None
ens:ReleaseAICInstance	ReleaseAICInstance		All Resources *	None	None
ens:DeleteApplication	DeleteApplication	delete	All Resources *	None	None
ens:DescribeARMServerInstances	DescribeARMServerInstances	get	All Resources *	None	None
ens:PreloadRegionSDG	PreloadRegionSDG	none	All Resources *	None	None
ens:GetBucketAcl	GetBucketAcl	get	All Resources *	None	None
ens:DescribeSecondaryPublicIpAddresses	DescribeSecondaryPublicIpAddresses	list	All Resources *	None	None
ens:CreateImage	CreateImage	create	All Resources *	None	None
ens:DescribeSDGs	DescribeSDGs	none	All Resources *	None	None
ens:SaveSDG	SaveSDG	none	All Resources *	None	None
ens:DescribeBandWithdChargeType	DescribeBandWithdChargeType	get	All Resources *	None	None
ens:ModifySnapshotAttribute	ModifySnapshotAttribute		All Resources *	None	None
ens:RecoverAICInstance	RecoverAICInstance		All Resources *	None	None
ens:ExportMeasurementData	ExportMeasurementData	get	All Resources *	None	None
ens:DeleteEpnInstance	DeleteEpnInstance	delete	All Resources *	None	None
ens:DeleteSDG	DeleteSDG	none	All Resources *	None	None
ens:DescribeSnatAttribute	DescribeSnatAttribute	get	All Resources *	None	None
ens:ResetDeviceInstance	ResetDeviceInstance		All Resources *	None	None
ens:AuthorizeSecurityGroup	AuthorizeSecurityGroup	update	All Resources *	None	None
ens:CreateSecurityGroup	CreateSecurityGroup		All Resources *	None	None
ens:ModifyPrepayInstanceSpec	ModifyPrepayInstanceSpec	update	All Resources *	None	None
ens:DeleteStorageGateway	DeleteStorageGateway	delete	All Resources *	None	None
ens:RemovePublicIpsFromEpnInstance	RemovePublicIpsFromEpnInstance	update	All Resources *	None	None
ens:DescribeForwardTableEntries	DescribeForwardTableEntries	list	All Resources *	None	None
ens:StopSnatIpForSnatEntry	StopSnatIpForSnatEntry		All Resources *	None	None
ens:RebootAICInstance	RebootAICInstance		All Resources *	None	None
ens:ModifyForwardEntry	ModifyForwardEntry		All Resources *	None	None
ens:ResetDisk	ResetDisk	update	All Resources *	None	None
ens:ReleasePrePaidInstance	ReleasePrePaidInstance	delete	Instance acs:ens:*:{#accountId}:instance/{#InstanceId}	None	None
ens:DescribeEnsRouteEntryList	DescribeEnsRouteEntryList		All Resources *	None	None
ens:RebootARMServerInstance	RebootARMServerInstance		All Resources *	None	None

Resource

ENS defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

{#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
An asterisk (*) is used as a wildcard. Examples:
- {#resourceType} is set to *, all resources are specified.
- {#regionId} is set to *, all regions are specified.
- {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type	ARN
HaVip	acs:ens::{#accountId}:havip/{#HaVipId}
KeyPair	acs:ens::{#accountId}:keyPair/{#KeyPairId}
Instance	acs:ens::{#accountId}:instance/{#InstanceIds}
KeyPair	acs:ens::{#accountId}:keyPair/{#KeyPairName}
Instance	acs:ens:*:{#accountId}:instance/{#InstanceId}
HaVip	acs:ens::{#accountId}:havip/{#HaVipIds}
Instance	acs:ens::{#accountId}:instance/
cluster	acs:ens::{#accountId}:cluster/{#ClusterId}
SecurityGroup	acs:ens::{#accountId}:securitygroup/{#SecurityGroupId}
NatGatewayForwardEntry	acs:ens::{#accountId}:natgatewayforwardentry/{#ForwardEntryId}
Image	acs:ens::{#accountId}:image/{#ImageId}
Instance	acs:ens::{#accountId}:instance/{#InstanceId}
Disk	acs:ens::{#accountId}:disk/{#DiskId}
disk	acs:ens::{#accountId}:disk/{#DiskId}
NatGatewaySnatEntry	acs:ens::{#accountId}:natgatewaysnatentry/{#SnatEntryId}
havip	acs:ens::{#accountId}:havip/*
Disk	acs:ens::{#accountId}:disk/*
Instance	acs:ens::{#AccountId}:instance/{#InstanceId}

Condition

ENS does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Generic Condition Keyword.

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: