Application Real-Time Monitoring Service:Service-linked role for Application Security

Last Updated: Jul 10, 2023

This topic describes the AliyunServiceRoleForARMSSecurity service-linked role and the method to delete the role.

Background information

Application Real-Time Monitoring Service (ARMS) provides the AliyunServiceRoleForARMSSecurity service-linked role to obtain the permissions to access other cloud services. For more information about service-linked roles, see Service-linked roles.

Scenarios

When Application Security needs to access the resources of Web Application Firewall (WAF), you can use the AliyunServiceRoleForARMSSecurity service-linked role to obtain access permissions.

Permissions

The AliyunServiceRoleForARMSSecurity service-linked role grants the following permissions to access WAF:

Permissions to access WAF

    {
      "Action": [
        "yundun-waf:ModifyProtectionConfig",
        "yundun-waf:ModifyApplicationsRaspState",
        "yundun-waf:DescribeRiskDependencyStatisticsInfo",
        "yundun-waf:DescribeRiskDependencies",
        "yundun-waf:DescribeRiskCount",
        "yundun-waf:DescribeProtectionStatisticsInfo",
        "yundun-waf:DescribeProtectionConfig",
        "yundun-waf:DescribeMiddlewareInstances",
        "yundun-waf:DescribeDependencyInstances",
        "yundun-waf:DescribeDependencies",
        "yundun-waf:DescribeAttackStatisticsInfo",
        "yundun-waf:DescribeAttacks",
        "yundun-waf:DescribeAttackCount",
        "yundun-waf:DescribeAttackApplicationCount",
        "yundun-waf:DescribeApplications",
        "yundun-waf:GetRaspCommercialStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

Delete AliyunServiceRoleForARMSSecurity

If you want to delete the AliyunServiceRoleForARMSSecurity service-linked role, you must take note of the consequences. After you delete AliyunServiceRoleForARMSSecurity, you cannot view the console pages that are related to Application Security. If you want to use Application Security, you must grant the permissions again.

To delete AliyunServiceRoleForARMSSecurity, perform the following steps:

Note

If an application that belongs to the current account is connected to Application Security, disconnect and restart the application before you delete the role. Otherwise, the delete operation fails. For more information about how to disconnect an application, see Connect an application to Application Security.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the Roles page, enter AliyunServiceRoleForARMSSecurity in the search box to search for the role.
  4. In the Actions column of the AliyunServiceRoleForARMSSecurity role, click Delete.
  5. In the message that appears, click OK.

FAQ

Q: Why is the AliyunServiceRoleForARMSSecurity service-linked role not automatically created for my RAM user?

A: The AliyunServiceRoleForARMSSecurity service-linked role can be automatically created or deleted for a RAM user only after you grant the required permissions to the RAM user. If the AliyunServiceRoleForARMSSecurity service-linked role is not automatically created for a RAM user, you must attach a custom policy or the AliyunARMSFullAccess system policy to the RAM user.

A custom policy or the AliyunARMSFullAccess system policy can be used in the following scenarios:

  • A custom policy can be used to grant RAM users only the permissions to use Application Security in read-only mode.

  • The AliyunARMSFullAccess system policy can be used to grant RAM users all the permissions required to manage ARMS, including the permissions to use Application Security.

(Optional) Step 1: Create a custom policy

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab. Enter the following script in the policy document.

    {
      "Statement": [{
        "Action": [
          "ram:CreateServiceLinkedRole"
        ],
        "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "ram:ServiceName": [
              "security.arms.aliyuncs.com"
            ]
          }
        }
      }, {
        "Action": "arms:CreateSecurityAuth",
        "Effect": "Allow",
        "Resource": "*"
      }],
      "Version": "1"
    }

    Note

    Replace Alibaba Cloud account ID in the Resource element with the ID of your Alibaba Cloud account. The ram:ServiceName condition limits the RAM user to creating the service-linked role for Application Security only, so keep it in place.

  5. Click Next to edit policy information.
  6. Specify the Name and Description fields.
  7. Click OK.
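As an added example (not part of the Alibaba Cloud documentation), the following Python lints a policy of the shape shown in Step 1 before it is created: it confirms that the ram:CreateServiceLinkedRole grant still carries the ram:ServiceName condition and an account-scoped Resource, and it catches the account-ID placeholder being left unreplaced. The service allowlist and the 16-digit account-ID check are assumptions made for this example.

```python
import json
import re

# Copy of the Step 1 policy above, with its account-ID placeholder still unreplaced (constructed input).
CUSTOM_POLICY_TEMPLATE = """{
  "Statement": [{
    "Action": ["ram:CreateServiceLinkedRole"],
    "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": ["security.arms.aliyuncs.com"]}}
  }, {
    "Action": "arms:CreateSecurityAuth",
    "Effect": "Allow",
    "Resource": "*"
  }],
  "Version": "1"
}"""

# Assumed allowlist of SLR service principals; Resource must carry a 16-digit account ID, not a wildcard.
ALLOWED_SLR_SERVICES = {"security.arms.aliyuncs.com"}
ACCOUNT_SCOPED_ROLE_RE = re.compile(r"^acs:ram:\*:\d{16}:role/")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_slr_policy(policy_json, allowed_services=ALLOWED_SLR_SERVICES):
    """Return findings for every Allow statement broader than the page's template; [] means it is as tight."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a in ("*", "ram:*") for a in actions):
            findings.append(f"statement {idx}: wildcard action {actions} covers all of RAM")
        if "ram:CreateServiceLinkedRole" not in actions:
            continue  # only the SLR-creation grant needs the resource and condition checks below
        for res in _as_list(stmt.get("Resource", [])):
            if not ACCOUNT_SCOPED_ROLE_RE.match(res):
                findings.append(f"statement {idx}: Resource {res!r} is not scoped to a 16-digit account ID")
        names = set(_as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName", [])))
        if not names:
            findings.append(f"statement {idx}: CreateServiceLinkedRole lacks a ram:ServiceName condition")
        elif not names <= set(allowed_services):
            findings.append(f"statement {idx}: unexpected service names {sorted(names - set(allowed_services))}")
    return findings


def with_account_id(policy_json, account_id):
    """Fill in the placeholder that the Note above tells you to replace before creating the policy."""
    return policy_json.replace("Alibaba Cloud account ID", account_id)
```

Running lint_slr_policy on the unedited template reports the unreplaced placeholder; after with_account_id substitutes a real account ID the policy passes with no findings.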

Step 2: Attach the custom policy to a RAM user

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.
      • Specific Resource Group: The permissions take effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, you must make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
  5. Click OK.
  6. Click Complete.