# ecs-security

# ECS Security Console Guide

## Operations Overview

| Operation | Console Entry Path | Prerequisites | Description |
|----------|-------------------|---------------|-------------|
| Create RAM Role for ECS | Console > RAM > Roles > Manage Roles | User must have RAM administrator privileges; a target ECS instance or service to assign the role to | Creates a new RAM role that can be assumed by ECS to access other Alibaba Cloud services securely |

## Operation Steps

### Create RAM Role for ECS

**Navigation**: Console > RAM > Roles > Manage Roles

**Prerequisites**:
- User must have RAM administrator privileges
- A target ECS instance or service to assign the role to

1. Navigate to the RAM console  
   - Element: **RAM** (link) — left navigation panel  
   - Notes: Ensure you are logged into the Alibaba Cloud console with sufficient permissions.

2. Click on **Roles** in the left navigation panel  
   - Element: **Roles** (link) — left navigation panel  
   - Notes: This opens the Roles management page.

3. Click the **Create Role** button  
   - Element: **Create Role** (button) — top-right corner  
   - Notes: A new role creation wizard appears.

4. Select the trusted entity type as **Aliyun Service** and choose the service that will assume the role  
   - Element: **Trusted Entity Type** (dropdown) — main content area  
   - Notes: For ECS instances, select "Aliyun Service". Common services include ECS, Function Compute, and OSS.

5. Assign permissions policies to the role  
   - Element: **Add Permissions** (button) — main content area  
   - Notes: Policies can be managed via the policy library or custom JSON. After adding policies, review and confirm the role configuration before finalizing creation.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Role Name | text_input | Yes | — | Name for the RAM role. Must be unique within the account. |
| Description | text_input | No | — | Optional description to help identify the purpose of the role. |
| Trusted Entity Type | dropdown | Yes | Aliyun Service, User, Federated User | Specifies who can assume this role. For ECS, select 'Aliyun Service'. |
| Service | dropdown | Yes | ECS, Function Compute, OSS, RDS | The service that will assume this role. Must match the trusted entity selected above. |
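
An added example (not part of the original guide and not Alibaba Cloud code): a Python check for the two JSON documents behind steps 4 and 5, the role's trust policy and a custom permission policy. The sample documents and the account ID are constructed, and the checks assume the usual RAM policy layout with a dictionary-valued `Principal`.

```python
ECS_PRINCIPAL = "ecs.aliyuncs.com"  # service principal RAM uses for ECS

def _as_list(value):
    """Policy fields may hold a single item or a list of items."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_trust_policy(doc):
    """Findings for a trust policy that should let only ECS assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for kind, values in (stmt.get("Principal") or {}).items():
            for p in _as_list(values):
                if (kind, p) != ("Service", ECS_PRINCIPAL):
                    findings.append(f"statement {i}: unexpected principal {kind}={p}")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: Action is not exactly sts:AssumeRole")
    return findings

def audit_permission_policy(doc):
    """Findings for over-broad Allow statements in a custom permission policy."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' allows every API")
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: service-wide wildcard on all resources")
    return findings

# Constructed sample documents (not taken from a real account).
TRUST_ECS_ONLY = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": "sts:AssumeRole", "Principal": {"Service": ["ecs.aliyuncs.com"]}}]}
TRUST_TOO_WIDE = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": "sts:AssumeRole", "Principal": {
        "Service": ["ecs.aliyuncs.com"], "RAM": ["acs:ram::1234567890123456:root"]}}]}
PERM_SCOPED = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["oss:GetObject"], "Resource": ["acs:oss:*:*:example-bucket/*"]}]}
PERM_ADMIN = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_trust_policy(TRUST_TOO_WIDE), audit_permission_policy(PERM_ADMIN))
```

An empty findings list means the trust policy names only the ECS service and the permission policy has no account-wide wildcard; it does not judge whether the granted actions are the minimum the workload needs.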

## FAQ

Q: Where do I find the RAM console in the Alibaba Cloud dashboard?  
A: In the Alibaba Cloud console, look for **RAM** in the left navigation panel under the "Security" or "Identities" section. You can also go directly to https://ram.console.aliyun.com.

Q: Can I modify the trusted entity of a RAM role after it's created?  
A: No. The trusted entity (e.g., "Aliyun Service") and associated service (e.g., "ECS") cannot be changed after role creation. You must create a new role if these need to be updated.

Q: What permissions does a user need to manage RAM roles?  
A: The user must have RAM administrator privileges, typically granted via the `AdministratorAccess` policy or a custom policy that includes `ram:CreateRole`, `ram:AttachPolicyToRole`, and related actions.

Q: Is there a limit to how many RAM roles I can create?  
A: Yes. Each Alibaba Cloud account can create up to 1000 RAM roles.

Q: Do I need to restart my ECS instance after assigning a RAM role?  
A: No. Once a RAM role is attached to an ECS instance (via instance metadata configuration), applications running on the instance can immediately retrieve temporary credentials without restarting.

## Pricing & Billing

### Billing Model  
All RAM role management operations are free of charge.

### Free Tier  
All RAM role management operations are free of charge.

### Billing Notes  
No additional charges apply for creating, modifying, or deleting RAM roles.