All Products
Search

This Product

    Elastic Compute Service:RAM authorization

    Document Center

    Elastic Compute Service:RAM authorization

    最終更新日:Aug 28, 2024
    Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.
    This topic describes the elements, such as Action, Resource, and Condition, which are defined by ECS. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate ECS is ecs,vpc. You can grant permissions on ECS at the RESOURCE.

    General structure of a policy

    Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:
    {
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}
    The following list describes the fields in the policy:
    • Effect: specifies the authorization effect. Valid values: Allow, Deny.
    • Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
    • Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
    • Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
      • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
      • Condition_key: specifies the condition keys.
      • Condition_value: specifies the condition values.

    Action

    ECS defines the values that you can use in the Action element of a policy statement. The following table describes the values.
    • Operation: the value that you can use in the Action element to specify the operation on a resource.
    • API operation: the API operation that you can call to perform the operation.
    • Access level: the access level of each operation. The levels are read, write, and list.
    • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
      • The required resource types are displayed in bold characters.
      • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
    • Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
    • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
    ActionsAPI operationAccess levelResource typeCondition keyAssociated operation
    ecs:DescribePrefixListAssociationsDescribePrefixListAssociationsget
    PrefixList
    acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId}
    		NoneNone
    ecs:DescribeAutoProvisioningGroupInstancesDescribeAutoProvisioningGroupInstancesget
    AutoProvisioningGroup
    acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId}
    		NoneNone
    ecs:DescribeAutoProvisioningGroupsDescribeAutoProvisioningGroupsget
    All Resources
    *
    		NoneNone
    ecs:ListPluginStatusListPluginStatusget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#InstanceId}
    		NoneNone
    ecs:DescribeDedicatedHostAutoRenewDescribeDedicatedHostAutoRenewget
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    		NoneNone
    ecs:ModifyCloudAssistantSettingsModifyCloudAssistantSettingsupdate
    ServiceSettings
    acs:ecs:{#regionId}:{#accountId}:servicesettings/{#servicesettingId}
    		NoneNone
    ecs:DeleteAutoProvisioningGroupDeleteAutoProvisioningGroupdelete
    AutoProvisioningGroup
    acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId}
    		NoneNone
    ecs:DescribeCloudAssistantSettingsDescribeCloudAssistantSettingslist
    ServiceSettings
    acs:ecs:{#regionId}:{#accountId}:servicesettings/{#servicesettingId}
    		NoneNone
    ecs:DescribeStorageCapacityUnitsDescribeStorageCapacityUnitsget
    StorageCapacityUnit
    acs:ecs:{#regionId}:{#accountId}:scu/*
    StorageCapacityUnit
    acs:ecs:{#regionId}:{#accountId}:scu/{#scuId}
    		NoneNone
    ecs:RedeployDedicatedHostRedeployDedicatedHostupdate
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    		NoneNone
    ecs:DeleteHpcClusterDeleteHpcClusterdelete
    All Resources
    *
    		NoneNone
    ecs:ModifySnapshotAttributeModifySnapshotAttributeupdate
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    		NoneNone
    ecs:DeleteInstancesDeleteInstancesdelete
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DeleteImageComponentDeleteImageComponentdelete
    ImageComponent
    acs:ecs:{#regionId}:{#accountId}:imagecomponent/{#imagecomponentId}
    		NoneNone
    ecs:DescribeInvocationsDescribeInvocationsget
    All Resources
    *
    		NoneNone
    ecs:ResetDiskResetDiskupdate
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    		NoneNone
    ecs:DescribeAutoSnapshotPolicyEXDescribeAutoSnapshotPolicyExget
    AutoSnapshotPolicy
    acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/*
    AutoSnapshotPolicy
    acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId}
    		NoneNone
    ecs:AllocateDedicatedHostsAllocateDedicatedHostscreate
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/*
    		NoneNone
    ecs:AcceptInquiredSystemEventAcceptInquiredSystemEventupdate
    All Resources
    *
    		NoneNone
    ecs:ModifyHpcClusterAttributeModifyHpcClusterAttributeupdate
    All Resources
    *
    		NoneNone
    ecs:DescribeElasticityAssurancesDescribeElasticityAssurancesget
    ElasticityAssurance
    acs:ecs:{#regionId}:{#accountId}:elasticityassurance/*
    		NoneNone
    ecs:DescribeTerminalSessionsDescribeTerminalSessionslist
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#InstanceId}
    		NoneNone
    ecs:DescribeTaskAttributeDescribeTaskAttributeget
    All Resources
    *
    		NoneNone
    ecs:DescribeImageFromFamilyDescribeImageFromFamilyget
    All Resources
    *
    		NoneNone
    ecs:ModifyInstanceAutoRenewAttributeModifyInstanceAutoRenewAttributeupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:AttachKeyPairAttachKeyPairupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName}
    		NoneNone
    ecs:CreateDiagnosticMetricSetCreateDiagnosticMetricSetcreate
    All Resources
    *
    		NoneNone
    ecs:DescribeClassicLinkInstancesDescribeClassicLinkInstancesget
    All Resources
    *
    		NoneNone
    ecs:ReleaseCapacityReservationReleaseCapacityReservationdelete
    All Resources
    *
    		NoneNone
    ecs:ReplaceSystemDiskReplaceSystemDiskupdate
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeDiskMonitorDataDescribeDiskMonitorDataget
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    		NoneNone
    ecs:DescribePriceDescribePriceget
    All Resources
    *
    		NoneNone
    ecs:CreateNetworkInterfaceCreateNetworkInterfacecreate
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/*
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    VSwitch
    acs:vpc:{#regionId}:{#accountId}:vswitch/{#vswitchId}
    vpc:IsDefaultVSwitch
    vpc:IsDefaultVpc
    vpc:VPC
    vpc:tag
    vpc:tag
    vpc:tag
    		None
    ecs:DescribeInstanceMaintenanceAttributesDescribeInstanceMaintenanceAttributesget
    All Resources
    *
    		NoneNone
    ecs:DescribeDisksDescribeDiskslist
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/*
    		NoneNone
    ecs:DescribeSnapshotMonitorDataDescribeSnapshotMonitorDataget
    All Resources
    *
    		NoneNone
    ecs:DescribeBandwidthLimitationDescribeBandwidthLimitationget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeDeploymentSetsDescribeDeploymentSetsget
    DeploymentSet
    acs:ecs:{#regionId}:{#accountId}:deploymentset/*
    		NoneNone
    ecs:DescribeSnapshotLinksDescribeSnapshotLinksget
    All Resources
    *
    		NoneNone
    ecs:CreateSimulatedSystemEventsCreateSimulatedSystemEventscreate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DetachInstanceRamRoleDetachInstanceRamRoleupdate
    All Resources
    *
    		NoneNone
    ecs:DescribeSnapshotPackageDescribeSnapshotPackageget
    All Resources
    *
    		NoneNone
    ecs:DescribeNetworkInterfacesDescribeNetworkInterfacesget
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    		NoneNone
    ecs:ModifyInstanceDeploymentModifyInstanceDeploymentupdate
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:CreateSnapshotGroupCreateSnapshotGroupcreate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ConvertNatPublicIpToEipConvertNatPublicIpToEipupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:CopySnapshotCopySnapshotcreate
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    		NoneNone
    ecs:DeleteDiskDeleteDiskdelete
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    		NoneNone
    ecs:RunInstancesRunInstancescreate
    All Resources
    *
    vpc:IsDefaultVSwitch
    vpc:IsDefaultVpc
    vpc:VPC
    ecs:IsDiskEncrypted
    ecs:InstanceTypeFamily
    ecs:InstanceType
    ecs:ImageOwnerId
    ecs:ImageSource
    ecs:NotSpecifySecurityGroupId
    		None
    ecs:CreateSnapshotCreateSnapshotcreate
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/*
    		NoneNone
    ecs:DescribeDedicatedHostClustersDescribeDedicatedHostClustersget
    DedicatedHostCluster
    acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}
    DedicatedHostCluster
    acs:ecs:{#regionId}:{#accountId}:ddhcluster/*
    		NoneNone
    ecs:ModifyStorageCapacityUnitAttributeModifyStorageCapacityUnitAttributeupdate
    StorageCapacityUnit
    acs:ecs:{#regionId}:{#accountId}:scu/{#scuId}
    		NoneNone
    ecs:DeleteDeploymentSetDeleteDeploymentSetdelete
    DeploymentSet
    acs:ecs:{#regionid}:{#accountId}:deploymentset/{#deploymentSetId}
    		NoneNone
    ecs:DeleteInstanceDeleteInstancedelete
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:UntagResourcesUntagResourcesdelete
    All Resources
    *
    		NoneNone
    ecs:DeleteSecurityGroupDeleteSecurityGroupdelete
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:ModifyInstanceAutoReleaseTimeModifyInstanceAutoReleaseTimeupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:RebootInstanceRebootInstanceupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeSendFileResultsDescribeSendFileResultsget
    All Resources
    *
    		NoneNone
    ecs:ModifyPrepayInstanceSpecModifyPrepayInstanceSpecupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DeleteNetworkInterfaceDeleteNetworkInterfacedelete
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    		NoneNone
    ecs:ModifyImageSharePermissionModifyImageSharePermissionupdate
    Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:CancelImagePipelineExecutionCancelImagePipelineExecutionupdate
    ImagePipeline
    acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId}
    		NoneNone
    ecs:CopyImageCopyImageupdate
    All Resources
    *
    		NoneNone
    ecs:DeletePrefixListDeletePrefixListdelete
    PrefixList
    acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId}
    		NoneNone
    ecs:ModifyLaunchTemplateDefaultVersionModifyLaunchTemplateDefaultVersionupdate
    All Resources
    *
    		NoneNone
    ecs:DetachClassicLinkVpcDetachClassicLinkVpcupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    VPC
    acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId}
    		NoneNone
    ecs:DescribeSecurityGroupReferencesDescribeSecurityGroupReferencesget
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:DescribeNetworkInterfaceAttributeDescribeNetworkInterfaceAttributeget
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    		NoneNone
    ecs:AssignIpv6AddressesAssignIpv6Addressescreate
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    		NoneNone
    ecs:DescribeSnapshotsDescribeSnapshotsget
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/*
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    		NoneNone
    ecs:ModifyReservedInstancesModifyReservedInstancesupdate
    ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId}
    		NoneNone
    ecs:DetachDiskDetachDiskupdate
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DetachKeyPairDetachKeyPairupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName}
    		NoneNone
    ecs:DeleteLaunchTemplateVersionDeleteLaunchTemplateVersiondelete
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    		NoneNone
    ecs:DeleteDiagnosticMetricSetsDeleteDiagnosticMetricSetsdelete
    All Resources
    *
    		NoneNone
    ecs:ExportImageExportImageupdate
    Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:DescribeInstancesFullStatusDescribeInstancesFullStatusget
    All Resources
    *
    		NoneNone
    ecs:RenewReservedInstancesRenewReservedInstancescreate
    ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#ReservedInstanceId}
    		NoneNone
    ecs:ModifySecurityGroupEgressRuleModifySecurityGroupEgressRuleupdate
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    ecs:tag
    ecs:tag
    ecs:SecurityGroupIpProtocols
    ecs:SecurityGroupSourceCidrIps
    		None
    ecs:PurchaseReservedInstancesOfferingPurchaseReservedInstancesOfferingcreate
    ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/*
    		NoneNone
    ecs:ImportKeyPairImportKeyPaircreate
    All Resources
    *
    		NoneNone
    ecs:CreateInstanceCreateInstancecreate
    All Resources
    *
    vpc:VPC
    vpc:IsDefaultVSwitch
    vpc:IsDefaultVpc
    ecs:IsDiskEncrypted
    ecs:InstanceType
    ecs:InstanceTypeFamily
    ecs:ImageOwnerId
    ecs:ImageSource
    ecs:NotSpecifySecurityGroupId
    		None
    ecs:DeleteImageDeleteImagedelete
    Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:DescribeCapacityReservationInstancesDescribeCapacityReservationInstancesget
    All Resources
    *
    		NoneNone
    ecs:DescribeEniMonitorDataDescribeEniMonitorDataget
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeImagesDescribeImagesget
    Image
    acs:ecs:{#regionId}:{#accountId}:image/*
    Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:CancelTaskCancelTaskupdate
    All Resources
    *
    		NoneNone
    ecs:DeleteDiagnosticReportsDeleteDiagnosticReportsdelete
    All Resources
    *
    		NoneNone
    ecs:CreateDedicatedHostClusterCreateDedicatedHostClustercreate
    All Resources
    *
    		NoneNone
    ecs:DescribeInstanceMonitorDataDescribeInstanceMonitorDataget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:CreateAutoSnapshotPolicyCreateAutoSnapshotPolicycreate
    AutoSnapshotPolicy
    acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/*
    		NoneNone
    ecs:DescribeLaunchTemplatesDescribeLaunchTemplatesget
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/*
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    		NoneNone
    ecs:ModifyAutoProvisioningGroupModifyAutoProvisioningGroupupdate
    autoprovisioninggroup
    acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId}
    		NoneNone
    ecs:CreateElasticityAssuranceCreateElasticityAssurancecreate
    ElasticityAssurance
    acs:ecs:{#regionId}:{#accountId}:elasticityassurance/*
    		NoneNone
    ecs:DescribeActivationsDescribeActivationsget
    Activation
    acs:ecs:{#regionId}:{#accountId}:activation/*
    Activation
    acs:ecs:{#regionId}:{#accountId}:activation/{#activationId}
    		NoneNone
    ecs:DeleteLaunchTemplateDeleteLaunchTemplatedelete
    All Resources
    *
    		NoneNone
    ecs:DescribeRenewalPriceDescribeRenewalPriceget
    All Resources
    *
    		NoneNone
    ecs:GetInstanceConsoleOutputGetInstanceConsoleOutputget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:StopInvocationStopInvocationupdate
    All Resources
    *
    		NoneNone
    ecs:RevokeSecurityGroupRevokeSecurityGroupdelete
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    ecs:tag
    ecs:tag
    ecs:tag
    		None
    ecs:AttachInstanceRamRoleAttachInstanceRamRoleupdate
    All Resources
    *
    		NoneNone
    ecs:StartTerminalSessionStartTerminalSessionupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:StartImagePipelineExecutionStartImagePipelineExecutionupdate
    ImagePipeline
    acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId}
    		NoneNone
    ecs:DeleteKeyPairsDeleteKeyPairsdelete
    KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName}
    		NoneNone
    ecs:UnassignPrivateIpAddressesUnassignPrivateIpAddressesdelete
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    		NoneNone
    ecs:CancelAutoSnapshotPolicyCancelAutoSnapshotPolicyupdate
    All Resources
    *
    		NoneNone
    ecs:ModifyDiskAttributeModifyDiskAttributeupdate
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    		NoneNone
    ecs:ModifyImageAttributeModifyImageAttributeupdate
    Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:DescribeUserDataDescribeUserDataget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:StartInstancesStartInstancesupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyInstanceMaintenanceAttributesModifyInstanceMaintenanceAttributesupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeDiagnosticMetricsDescribeDiagnosticMetricsget
    All Resources
    *
    		NoneNone
    ecs:RenewInstanceRenewInstanceupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyInstanceNetworkSpecModifyInstanceNetworkSpecupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyAutoSnapshotPolicyExModifyAutoSnapshotPolicyExupdate
    All Resources
    *
    		NoneNone
    ecs:ModifyReservedInstanceAttributeModifyReservedInstanceAttributeupdate
    ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId}
    		NoneNone
    ecs:AuthorizeSecurityGroupEgressAuthorizeSecurityGroupEgresscreate
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    ecs:SecurityGroupIpProtocols
    ecs:SecurityGroupSourceCidrIps
    		None
    ecs:ModifySnapshotGroupModifySnapshotGroupupdate
    SnapshotGroup
    acs:ecs:{#regionId}:{#accountId}:snapshotgroup/{#SnapshotGroupId}
    		NoneNone
    ecs:DescribeInstanceHistoryEventsDescribeInstanceHistoryEventsget
    All Resources
    *
    		NoneNone
    ecs:ModifyDiskChargeTypeModifyDiskChargeTypeupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyPrefixListModifyPrefixListupdate
    PrefixList
    acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId}
    		NoneNone
    ecs:CreateLaunchTemplateVersionCreateLaunchTemplateVersioncreate
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    		NoneNone
    ecs:DescribeResourcesModificationDescribeResourcesModificationget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeHpcClustersDescribeHpcClustersget
    HpcCluster
    acs:ecs:{#regionId}:{#accountId}:hpc/*
    		NoneNone
    ecs:DescribeSecurityGroupsDescribeSecurityGroupsget
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/*
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:DescribeTasksDescribeTasksget
    All Resources
    *
    		NoneNone
    ecs:ModifyDedicatedHostAttributeModifyDedicatedHostAttributeupdate
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    DedicatedHostCluster
    acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}
    		NoneNone
    ecs:DescribeDiagnosticReportsDescribeDiagnosticReportsget
    All Resources
    *
    		NoneNone
    ecs:ModifyDiskSpecModifyDiskSpecupdate
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    		NoneNone
    ecs:AttachClassicLinkVpcAttachClassicLinkVpcupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    VPC
    acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId}
    vpc:tag
    		None
    ecs:DeleteAutoSnapshotPolicyDeleteAutoSnapshotPolicydelete
    AutoSnapshotPolicy
    acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#SnapshotPolicyId}
    		NoneNone
    ecs:DetachNetworkInterfaceDetachNetworkInterfaceupdate
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyCapacityReservationModifyCapacityReservationupdate
    All Resources
    *
    		NoneNone
    ecs:ModifyDedicatedHostAutoReleaseTimeModifyDedicatedHostAutoReleaseTimeupdate
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    		NoneNone
    ecs:DescribeDiagnosticReportAttributesDescribeDiagnosticReportAttributesget
    All Resources
    *
    		NoneNone
    ecs:ModifySecurityGroupAttributeModifySecurityGroupAttributeupdate
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:TagResourcesTagResourcescreate
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairId}
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId}
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    AutoSnapshotPolicy
    acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#SnapshotPolicyId}
    		NoneNone
    ecs:ReActivateInstancesReActivateInstancesupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:CreateImagePipelineCreateImagePipelinecreate
    ImagePipeline
    acs:ecs:{#regionId}:{#accountId}:imagepipeline/*
    		NoneNone
    ecs:UnassignIpv6AddressesUnassignIpv6Addressesdelete
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    		NoneNone
    ecs:CreateLaunchTemplateCreateLaunchTemplatecreate
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/*
    		NoneNone
    ecs:CreateActivationCreateActivationcreate
    Activation
    acs:ecs:{#regionId}:{#accountId}:activation/*
    		NoneNone
    ecs:DescribeReservedInstanceAutoRenewAttributeDescribeReservedInstanceAutoRenewAttributeget
    ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#ReservedInstanceId}
    		NoneNone
    ecs:JoinSecurityGroupJoinSecurityGroupupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:CreatePrefixListCreatePrefixListcreate
    All Resources
    *
    		NoneNone
    ecs:AuthorizeSecurityGroupAuthorizeSecurityGroupcreate
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    ecs:SecurityGroupIpProtocols
    ecs:SecurityGroupSourceCidrIps
    		None
    ecs:CreateCommandCreateCommandcreate
    Command
    acs:ecs:{#regionId}:{#accountId}:command/*
    		NoneNone
    ecs:DescribeSnapshotsUsageDescribeSnapshotsUsageget
    All Resources
    *
    		NoneNone
    ecs:DescribeDedicatedHostsDescribeDedicatedHostsget
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/*
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    		NoneNone
    ecs:CancelSimulatedSystemEventsCancelSimulatedSystemEventsupdate
    All Resources
    *
    		NoneNone
    ecs:DescribeLaunchTemplateVersionsDescribeLaunchTemplateVersionsget
    All Resources
    *
    		NoneNone
    ecs:RedeployInstanceRedeployInstanceupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DeleteImagePipelineDeleteImagePipelinedelete
    ImagePipeline
    acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId}
    		NoneNone
    ecs:DescribeInstanceAttributeDescribeInstanceAttributeget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribePrefixListAttributesDescribePrefixListAttributesget
    PrefixList
    acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId}
    		NoneNone
    ecs:CreateHpcClusterCreateHpcClustercreate
    HpcCluster
    acs:ecs:{#regionId}:{#accountId}:hpc/*
    		NoneNone
    ecs:ReInitDiskReInitDiskupdate
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    		NoneNone
    ecs:DescribePrefixListsDescribePrefixListsget
    PrefixList
    acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId}
    		NoneNone
    ecs:DescribeInvocationResultsDescribeInvocationResultsget
    All Resources
    *
    		NoneNone
    ecs:DescribeReservedInstancesDescribeReservedInstancesget
    ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/*
    ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId}
    		NoneNone
    ecs:DeleteActivationDeleteActivationdelete
    activation
    acs:ecs:{#regionId}:{#accountId}:activation/{#activationId}
    		NoneNone
    ecs:RenewDedicatedHostsRenewDedicatedHostsupdate
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    		NoneNone
    ecs:ModifyCommandModifyCommandupdate
    Command
    acs:ecs:{#regionId}:{#accountId}:command/{#commandId}
    		NoneNone
    ecs:ModifyDeploymentSetAttributeModifyDeploymentSetAttributeupdate
    DeploymentSet
    acs:ecs:{#regionId}:{#accountId}:deploymentset/{#DeploymentSetId}
    		NoneNone
    ecs:DescribeInstanceVncUrlDescribeInstanceVncUrlget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyNetworkInterfaceAttributeModifyNetworkInterfaceAttributeupdate
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:DescribeSnapshotGroupsDescribeSnapshotGroupsget
    SnapshotGroup
    acs:ecs:{#regionId}:{#accountId}:snapshotgroup/*
    SnapshotGroup
    acs:ecs:{#regionId}:{#accountId}:snapshotgroup/{#snapshotgroupId}
    		NoneNone
    ecs:ModifyInstanceAttachmentAttributesModifyInstanceAttachmentAttributesupdate
    All Resources
    *
    		NoneNone
    ecs:StartInstanceStartInstanceupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:RunCommandRunCommandupdate
    All Resources
    *
    ecs:CommandRunAs
    		None
    ecs:DeleteDedicatedHostClusterDeleteDedicatedHostClusterdelete
    DedicatedHostCluster
    acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}
    		NoneNone
    ecs:DescribeSecurityGroupAttributeDescribeSecurityGroupAttributeget
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    ecs:tag
    		None
    ecs:CreateImageCreateImagecreate
    Image
    acs:ecs:{#regionId}:{#accountId}:image/*
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    		NoneNone
    ecs:GetInstanceScreenshotGetInstanceScreenshotget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeCapacityReservationsDescribeCapacityReservationsget
    CapacityReservation
    acs:ecs:{#regionId}:{#accountId}:capacityreservation/*
    		NoneNone
    ecs:DeleteCommandDeleteCommanddelete
    Command
    acs:ecs:{#regionId}:{#accountId}:command/{#commandId}
    		NoneNone
    ecs:StopInstancesStopInstancesupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:LeaveSecurityGroupLeaveSecurityGroupupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:RebootInstancesRebootInstancesupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeInstanceRamRoleDescribeInstanceRamRoleget
    All Resources
    *
    		NoneNone
    ecs:ModifyDedicatedHostClusterAttributeModifyDedicatedHostClusterAttributeupdate
    ddhcluster
    acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}
    		NoneNone
    ecs:ModifyInstanceVpcAttributeModifyInstanceVpcAttributeupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    VSwitch
    acs:vpc:{#regionId}:{#accountId}:vswitch/{#vswitchId}
    vpc:tag
    vpc:VPC
    		None
    ecs:DescribeInstanceStatusDescribeInstanceStatusget
    All Resources
    *
    		NoneNone
    ecs:ModifyManagedInstanceModifyManagedInstanceupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ImportImageImportImageupdate
    All Resources
    *
    		NoneNone
    ecs:ModifySecurityGroupRuleModifySecurityGroupRuleupdate
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    ecs:SecurityGroupIpProtocols
    ecs:SecurityGroupSourceCidrIps
    		None
    ecs:ModifyInstanceChargeTypeModifyInstanceChargeTypeupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ReportInstancesStatusReportInstancesStatusget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyInstanceAttributeModifyInstanceAttributeupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#SecurityGroupId}
    ecs:tag
    ecs:tag
    ecs:tag
    ecs:tag
    		None
    ecs:PurchaseStorageCapacityUnitPurchaseStorageCapacityUnitcreate
    StorageCapacityUnit
    acs:ecs:{#regionId}:{#accountId}:scu/*
    		NoneNone
    ecs:DescribeManagedInstancesDescribeManagedInstancesget
    All Resources
    *
    		NoneNone
    ecs:ModifyInstanceMetadataOptionsModifyInstanceMetadataOptionsupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:CreateDiskCreateDiskcreate
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/*
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    ecs:IsDiskEncrypted
    		None
    ecs:ReleaseDedicatedHostReleaseDedicatedHostdelete
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    		NoneNone
    ecs:DescribeInstanceAutoRenewAttributeDescribeInstanceAutoRenewAttributeget
    All Resources
    *
    		NoneNone
    ecs:InstallCloudAssistantInstallCloudAssistantupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeAccountAttributesDescribeAccountAttributesget
    All Resources
    *
    		NoneNone
    ecs:AssignPrivateIpAddressesAssignPrivateIpAddressescreate
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    		NoneNone
    ecs:DescribeInstanceModificationPriceDescribeInstanceModificationPriceget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#InstanceId}
    		NoneNone
    ecs:DescribeKeyPairsDescribeKeyPairsget
    KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName}
    KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/*
    		NoneNone
    ecs:ModifyDedicatedHostAutoRenewAttributeModifyDedicatedHostAutoRenewAttributeupdate
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    		NoneNone
    ecs:AttachNetworkInterfaceAttachNetworkInterfaceupdate
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyElasticityAssuranceModifyElasticityAssuranceupdate
    All Resources
    *
    		NoneNone
    ecs:DescribeElasticityAssuranceInstancesDescribeElasticityAssuranceInstancesget
    All Resources
    *
    		NoneNone
    ecs:ModifyDedicatedHostsChargeTypeModifyDedicatedHostsChargeTypeupdate
    All Resources
    *
    		NoneNone
    ecs:ModifyInstanceSpecModifyInstanceSpecupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyInstanceVncPasswdModifyInstanceVncPasswdupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:AttachDiskAttachDiskupdate
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeImageSupportInstanceTypesDescribeImageSupportInstanceTypesget
    Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:ResizeDiskResizeDiskupdate
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    		NoneNone
    ecs:CreateAutoProvisioningGroupCreateAutoProvisioningGroupcreate
    All Resources
    *
    		NoneNone
    ecs:StopInstanceStopInstanceupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:CreateKeyPairCreateKeyPaircreate
    KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/*
    		NoneNone
    ecs:DescribeInstancesDescribeInstancesget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/*
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    ResourceOwner
    		None
    ecs:DeregisterManagedInstanceDeregisterManagedInstanceupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:AllocatePublicIpAddressAllocatePublicIpAddresscreate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeCloudAssistantStatusDescribeCloudAssistantStatusget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DeleteSnapshotDeleteSnapshotdelete
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    		NoneNone
    ecs:CreateImageComponentCreateImageComponentcreate
    ImageComponent
    acs:ecs:{#regionId}:{#accountId}:imagecomponent/*
    		NoneNone
    ecs:CreateCapacityReservationCreateCapacityReservationcreate
    CapacityReservation
    acs:ecs:{#regionId}:{#accountId}:capacityreservation/*
    		NoneNone
    ecs:DescribeInstanceAttachmentAttributesDescribeInstanceAttachmentAttributesget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:JoinResourceGroupJoinResourceGroupupdate
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairId}
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#SnapshotId}
    		NoneNone
    ecs:RevokeSecurityGroupEgressRevokeSecurityGroupEgressdelete
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    ecs:tag
    ecs:tag
    ecs:tag
    		None
    ecs:DeleteSnapshotGroupDeleteSnapshotGroupdelete
    SnapshotGroup
    acs:ecs:{#regionId}:{#accountId}:snapshotgroup/{#snapshotgroupId}
    		NoneNone
    ecs:SendFileSendFileupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeImagePipelineExecutionsDescribeImagePipelineExecutionsget
    All Resources
    *
    		NoneNone
    ecs:DescribeImageComponentsDescribeImageComponentsget
    ImageComponent
    acs:ecs:{#regionId}:{#accountId}:imagecomponent/*
    ImageComponent
    acs:ecs:{#regionId}:{#accountId}:imagecomponent/{#imagecomponentId}
    		NoneNone
    ecs:InvokeCommandInvokeCommandupdate
    Command
    acs:ecs:{#regionId}:{#accountId}:command/{#commandId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    ecs:CommandRunAs
    		None
    ecs:CancelCopyImageCancelCopyImageupdate
    Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:DescribeAutoProvisioningGroupHistoryDescribeAutoProvisioningGroupHistoryget
    All Resources
    *
    		NoneNone
    ecs:ListTagResourcesListTagResourcesget
    All Resources
    *
    		NoneNone
    ecs:CreateDeploymentSetCreateDeploymentSetcreate
    All Resources
    *
    		NoneNone
    ecs:ApplyAutoSnapshotPolicyApplyAutoSnapshotPolicyupdate
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    AutoSnapshotPolicy
    acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId}
    		NoneNone
    ecs:CreateSecurityGroupCreateSecurityGroupcreate
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/*
    VPC
    acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId}
    		NoneNone
    ecs:DescribeImagePipelinesDescribeImagePipelinesget
    ImagePipeline
    acs:ecs:{#regionId}:{#accountId}:imagepipeline/*
    ImagePipeline
    acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId}
    		NoneNone
    ecs:DisableActivationDisableActivationupdate
    Activation
    acs:ecs:{#regionId}:{#accountId}:activation/{#ActivationId}
    		NoneNone
    ecs:ModifyReservedInstanceAutoRenewAttributeModifyReservedInstanceAutoRenewAttributeupdate
    ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#ReservedInstanceId}
    		NoneNone
    ecs:ModifyInvocationAttributeModifyInvocationAttributeupdate
    All Resources
    *
    		NoneNone
    ecs:CreateDiagnosticReportCreateDiagnosticReportcreate
    All Resources
    *
    		NoneNone
    ecs:ModifyDiagnosticMetricSetModifyDiagnosticMetricSetupdate
    All Resources
    *
    		NoneNone
    ecs:DescribeCommandsDescribeCommandsget
    Command
    acs:ecs:{#regionId}:{#accountId}:command/*
    Command
    acs:ecs:{#regionId}:{#accountId}:command/{#commandId}
    		NoneNone
    ecs:DescribeDisksFullStatusDescribeDisksFullStatusget
    All Resources
    *
    		NoneNone
    ecs:ModifySecurityGroupPolicyModifySecurityGroupPolicyupdate
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:DescribeDiagnosticMetricSetsDescribeDiagnosticMetricSetsget
    All Resources
    *
    		NoneNone

    Resource

    ECS defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:
    • {#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
    • An asterisk (*) is used as a wildcard. Examples:
      • {#resourceType} is set to *, all resources are specified.
      • {#regionId} is set to *, all regions are specified.
      • {#accountId} is set to *, all Alibaba Cloud accounts are specified.
    Resource typeARN
    PrefixListacs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId}
    AutoProvisioningGroupacs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId}
    AutoProvisioningGroupacs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/*
    Instanceacs:ecs:{#regionId}:{#accountId}:instance/{#InstanceId}
    DedicatedHostacs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    ServiceSettingsacs:ecs:{#regionId}:{#accountId}:servicesettings/{#servicesettingId}
    DedicatedHostacs:ecs:{#regionId}:{#accountId}:ddh/*
    DedicatedHostClusteracs:ecs:{#regionId}:{#accountId}:ddhcluster/*
    Diskacs:ecs:{#regionId}:{#accountId}:disk/*
    NetworkInterfaceacs:ecs:{#regionId}:{#accountId}:eni/*
    Imageacs:ecs:{#regionId}:{#accountId}:image/*
    Instanceacs:ecs:{#regionId}:{#accountId}:instance/*
    KeyPairacs:ecs:{#regionId}:{#accountId}:keypair/*
    SecurityGroupacs:ecs:{#regionId}:{#accountId}:securitygroup/*
    Snapshotacs:ecs:{#regionId}:{#accountId}:snapshot/*
    AutoSnapshotPolicyacs:ecs:{#regionId}:{#accountId}:snapshotpolicy/*
    StorageCapacityUnitacs:ecs:{#regionId}:{#accountId}:scu/*
    StorageCapacityUnitacs:ecs:{#regionId}:{#accountId}:scu/{#scuId}
    Diskacs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    NetworkInterfaceacs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    Imageacs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    Instanceacs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    SecurityGroupacs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    Snapshotacs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    HpcClusteracs:ecs:{#regionId}:{#accountId}:hpc/*
    ImageComponentacs:ecs:{#regionId}:{#accountId}:imagecomponent/{#imagecomponentId}
    Commandacs:ecs:{#regionId}:{#accountId}:command/*
    Commandacs:ecs:{#regionId}:{#accountId}:command/{#CommandId}
    AutoSnapshotPolicyacs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId}
    ElasticityAssuranceacs:ecs:{#regionId}:{#accountId}:elasticityassurance/*
    KeyPairacs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName}
    CapacityReservationacs:ecs:{#regionId}:{#accountId}:capacityreservation/*
    VSwitchacs:vpc:{#regionId}:{#accountId}:vswitch/{#vswitchId}
    Volumeacs:ecs:{#regionId}:{#accountId}:volume/{#volumeId}
    DeploymentSetacs:ecs:{#regionId}:{#accountId}:deploymentset/*
    Volumeacs:ecs:{#regionId}:{#accountId}:volume/*
    Roleacs:ram:*:{#accountId}:role/{#roleName}
    KeyPairacs:ecs:{#regionId}:{#accountId}:keypair/{#keypairId}
    VSwitchacs:vpc:{#regionId}:{#accountId}:vswitch/*
    DedicatedHostClusteracs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}
    DeploymentSetacs:ecs:{#regionid}:{#accountId}:deploymentset/{#deploymentSetId}
    ReservedInstanceacs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId}
    LaunchTemplateacs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    AutoSnapshotPolicyacs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#SnapshotPolicyId}
    snapshotpolicyacs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId}
    ImagePipelineacs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId}
    LaunchTemplateacs:ecs:{#regionId}:{#accountId}:launchtemplate/*
    VPCacs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId}
    ReservedInstanceacs:ecs:{#regionId}:{#accountId}:reservedinstance/{#ReservedInstanceId}
    ReservedInstanceacs:ecs:{#regionId}:{#accountId}:reservedinstance/*
    ElasticityAssuranceacs:ecs:{#regionId}:{#accountId}:elasticityassurance/{#ElasticityAssuranceId}
    ddhclusteracs:ecs:{#regionId}:{#accountId}:ddhcluster/*
    DeploymentSetacs:ecs:{#regionId}:{#accountId}:deploymentset/{#DeploymentSetId}
    autoprovisioninggroupacs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId}
    Activationacs:ecs:{#regionId}:{#accountId}:activation/*
    Activationacs:ecs:{#regionId}:{#accountId}:activation/{#activationId}
    SnapshotGroupacs:ecs:{#regionId}:{#accountId}:snapshotgroup/{#SnapshotGroupId}
    ImagePipelineacs:ecs:{#regionId}:{#accountId}:imagepipeline/*
    activationacs:ecs:{#regionId}:{#accountId}:activation/{#activationId}
    Commandacs:ecs:{#regionId}:{#accountId}:command/{#commandId}
    SnapshotGroupacs:ecs:{#regionId}:{#accountId}:snapshotgroup/*
    SnapshotGroupacs:ecs:{#regionId}:{#accountId}:snapshotgroup/{#snapshotgroupId}
    ddhclusteracs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}
    Demandacs:ecs:*:{#accountId}:*
    SecurityGroupacs:ecs:{#regionId}:{#accountId}:securitygroup/{#SecurityGroupId}
    AutoSnapshotPolicyacs:ecs:{#regionId}:{#accountId}:autosnapshotpolicy/*
    Fleetacs:ecs:{#regionId}:{#accountId}:fleet/*
    ImageComponentacs:ecs:{#regionId}:{#accountId}:imagecomponent/*
    Snapshotacs:ecs:{#regionId}:{#accountId}:snapshot/{#SnapshotId}
    Demandacs:ecs:{#regionId}:{#accountId}:ecsdemand/*
    Activationacs:ecs:{#regionId}:{#accountId}:activation/{#ActivationId}
    Invocationacs:ecs:{#regionId}:{#accountId}:invocation/{#InvocationId}
    Addressacs:vpc:{#regionId}:{#accountId}:eip/*
    HaVipacs:vpc:{#regionId}:{#accountId}:havip/*
    VSwitchacs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId}
    VPCacs:vpc:{#regionId}:{#accountId}:vpc/*
    ForwardTableacs:vpc:{#regionId}:{#accountId}:forwardtable/{#ForwardTableId}
    HaVipacs:vpc:{#regionId}:{#accountId}:havip/{#HaVipId}
    Addressacs:vpc:{#regionId}:{#accountId}:eip/{#AllocationId}
    NatGatewayacs:vpc:{#regionId}:{#accountId}:natgateway/{#natgatewayid}
    PhysicalConnectionacs:vpc:{#regionId}:{#accountId}:physicalconnection/{#PhysicalConnectionId}
    PhysicalConnectionacs:vpc:{#regionId}:{#accountId}:physicalconnection/*
    NatGatewayacs:vpc:{#regionId}:{#accountId}:natgateway/{#NatGatewayId}
    Instanceacs:vpc:{#regionId}:{#accountId}:instance/{#InstanceId}
    Associationacs:vpc:{#regionId}:{#accountId}:havip/{#HaVipId}
    RouterInterfaceacs:vpc:{#regionId}:{#accountId}:routerinterface/{#RouterInterfaceId}
    VPCacs:vpc:{#regionId}:{#accountId}:vpc/{#VPCId}
    BandwidthPackageacs:vpc:{#regionId}:{#accountId}:bandwidthpackage/{#BandwidthPackageId}
    RouteTableacs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId}
    VirtualBorderRouteracs:vpc:{#regionId}:{#accountId}:virtualborderrouter/{#VirtualBorderRouterId}
    VRouteracs:vpc:{#regionId}:{#accountId}:vrouter/*
    VirtualBorderRouteracs:vpc:{#regionId}:{#accountId}:virtualborderrouter/{#VbrId}
    RouterInterfaceacs:vpc:{#regionId}:{#accountId}:routerinterface/*
    VPCacs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId}
    NatGatewayacs:vpc:{#regionId}:{#accountId}:natgateway/*
    VirtualBorderRouteracs:vpc:{#regionId}:{#AccountId}:virtualborderrouter/{#VbrId}
    VRouteracs:vpc:{#regionId}:{#accountId}:vrouter/{#VRouterId}
    VirtualBorderRouteracs:vpc:{#regionId}:{#AccountId}:virtualborderrouter/*
    BandwidthPackageacs:vpc:{#regionId}:{#accountId}:bandwidthpackage/*

    Condition

    ECS defines the values that you can use in the Condition element of a policy statement. The following table describes the values. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to ECS. For more information about the common condition keys, see Generic Condition Keyword.
    The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.
    Condition keyDescriptionData type
    vpc:VPCVPC InformationString
    vpc:IsDefaultVSwitchWhether it is the default VSwitch and whether the default VSwitch can be usedBoolean
    vpc:IsDefaultVpcWhether it is the default VPCBoolean
    ecs:IsDiskEncryptedWhether it is an encrypted data diskString
    ecs:InstanceTypeInstance specificationsString
    ecs:InstanceTypeFamilyinstance specification familyString
    ecs:ImagePlatformOperating system type of the imageString
    ecs:ImageSourceImage SourceString
    ecs:CommandRunAsUser in the operating system that executes cloud assistant commandsString
    ecs:IsSystemDiskEncryptedWhether it is an encryption system diskString
    ecs:ImageOwnerIdOwner UID of the image.String
    ecs:AssociatePublicIpAddressWhether to support the allocation of public network IP in the process of resource creation and change, that is, whether to allow the operation of resources to make the public network bandwidth greater than 0.Boolean
    ecs:PasswordCustomizedWhether a custom password is usedBoolean
    ecs:PasswordInheritWhether the instance inherits the image password.Boolean
    ecs:SecurityEnhancementStrategyWhether to open security reinforcement.String
    ecs:SecurityHardeningModeWhether to enforce hardened mode (IMDSv2) when accessing instance metadataBoolean
    vpc:CreateDefaultVpcWhether a default VPC can be createdBoolean
    ecs:SecurityGroupIpProtocolsTransport layer protocol with security group openString
    ecs:SecurityGroupSourceCidrIpsThe source IPv4 CIDR segment of the security group that sets access permissionsString
    ecs:NotSpecifySecurityGroupIdWhether the security group ID is not specifiedBoolean

    What to do next

    You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: