
Cloud Firewall:Authorize Cloud Firewall to access cloud resources

Last Updated: Dec 04, 2025

When you log on to the Cloud Firewall console for the first time, you must authorize Cloud Firewall to access the required cloud resources to use the services provided by Cloud Firewall. This topic describes how to authorize cloud resource access using the Cloud Firewall service-linked role AliyunServiceRoleForCloudFW, and how to delete AliyunServiceRoleForCloudFW.

Prerequisites

You have an Alibaba Cloud account or a Resource Access Management (RAM) user that has the permissions to create and delete service-linked roles. For more information about how to grant a RAM user the required permissions, see FAQ.

Background information

Cloud Firewall provides features such as access control, traffic monitoring, and traffic analysis. To use these features, Cloud Firewall must access your resources in other Alibaba Cloud services. These services include Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Server Load Balancer, Simple Log Service, Bastionhost, Cloud Enterprise Network (CEN), Security Center, and ApsaraDB RDS. You can grant the required permissions using the AliyunServiceRoleForCloudFW service-linked role, which is automatically created for Cloud Firewall. You do not need to manually create or modify the service-linked role. For more information, see Service-linked roles.

Procedure

Subscription

  1. Log on to the Cloud Firewall console.

  2. In the Service-Linked Role For Cloud Firewall dialog box, click OK.

    Note

    If you have already created the AliyunServiceRoleForCloudFW role, this dialog box does not appear. You can use Cloud Firewall in the console.

    Figure: Cloud Firewall service-linked role dialog box

Pay-as-you-go

  1. Go to the Cloud Firewall purchase page, and set Product Type to Pay-as-you-go 2.0.

  2. In the Service-linked Role section, click Create Service-Linked Role.

After you complete the authorization, Alibaba Cloud automatically creates the AliyunServiceRoleForCloudFW service-linked role for Cloud Firewall.

You can view the service-linked role that is automatically created for Cloud Firewall on the Roles page of the RAM console. After the AliyunServiceRoleForCloudFW service-linked role is created, your Cloud Firewall instance can access the resources of associated Alibaba Cloud services, such as Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Server Load Balancer (SLB), Simple Log Service (SLS), Bastionhost, Cloud Enterprise Network (CEN), Security Center, and ApsaraDB RDS.

Permissions of AliyunServiceRoleForCloudFW

By default, the AliyunServiceRoleForCloudFW service-linked role is granted the permissions of the AliyunServiceRolePolicyForCloudFW system policy. The following code shows the permissions that are defined in the AliyunServiceRolePolicyForCloudFW policy.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeTags",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:DescribeRegions",
        "ecs:DescribeVpcs",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:DeleteSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:DescribePrefixLists",
        "ecs:ListTagResources",
        "ecs:ImportImage",
        "ecs:ModifyInstanceSpec",
        "ecs:CreateImage"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeNatGateways",
        "vpc:DescribeSnatTableEntries",
        "vpc:DescribeForwardTableEntries",
        "vpc:DescribeBandwidthPackages",
        "vpc:GetNatGatewayAttribute",
        "vpc:ModifyNatGatewayAttribute",
        "vpc:DescribeEipAddresses",
        "vpc:DescribeRouterInterfaces",
        "vpc:DescribeRouteTableList",
        "vpc:DescribeRouteTables",
        "vpc:DescribeVSwitches",
        "vpc:CreateRouteEntry",
        "vpc:DeleteRouteEntry",
        "vpc:CreateVpc",
        "vpc:DeleteVpc",
        "vpc:CreateVSwitch",
        "vpc:DeleteVSwitch",
        "vpc:DescribeZones",
        "vpc:CreateVirtualBorderRouter",
        "vpc:ConnectRouterInterface",
        "vpc:ModifyRouterInterfaceAttribute",
        "vpc:DeleteRouterInterface",
        "vpc:CreateRouterInterface",
        "vpc:DeleteVirtualBorderRouter",
        "vpc:DeactivateRouterInterface",
        "vpc:DescribeVirtualBorderRouters",
        "vpc:DescribePhysicalConnections",
        "vpc:ModifyVirtualBorderRouterAttribute",
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeHaVips",
        "vpc:DescribeVpnConnections",
        "vpc:DescribeVpnRouteEntries",
        "vpc:DescribeVpnPbrRouteEntries",
        "vpc:DescribeVpnGateways",
        "vpc:DescribeSslVpnServers",
        "vpc:AssociateEipAddress",
        "vpc:UnassociateEipAddress",
        "vpc:CreateRouteTable",
        "vpc:DeleteRouteTable",
        "vpc:AssociateRouteTable",
        "vpc:UnassociateRouteTable",
        "vpc:CreateSnatEntry",
        "vpc:DeleteSnatEntry",
        "vpc:DescribeSnatTableEntries",
        "vpc:DescribeRouteEntryList",
        "vpc:DescribeIpv6Addresses",
        "vpc:ListVpcPeerConnections",
        "vpc:CreateRouteEntries",
        "vpc:DeleteRouteEntries",
        "vpc:ModifyRouteEntry",
        "vpc:DescribeRegions",
        "vpc:CheckCanAllocateVpcPrivateIpAddress",
        "vpc:CreateTrafficMirrorFilterRules",
        "vpc:UpdateTrafficMirrorFilterAttribute",
        "vpc:AddSourcesToTrafficMirrorSession",
        "vpc:GetTrafficMirrorServiceStatus",
        "vpc:ListTrafficMirrorFilters",
        "vpc:CreateTrafficMirrorFilter",
        "vpc:DeleteTrafficMirrorFilter",
        "vpc:UpdateTrafficMirrorSessionAttribute",
        "vpc:DeleteTrafficMirrorFilterRules",
        "vpc:ListTrafficMirrorSessions",
        "vpc:CreateTrafficMirrorSession",
        "vpc:RemoveSourcesFromTrafficMirrorSession",
        "vpc:DeleteTrafficMirrorSession",
        "vpc:OpenTrafficMirrorService",
        "vpc:UpdateTrafficMirrorFilterRuleAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:DescribeRegions",
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:DescribeLoadBalancerUDPListenerAttribute",
        "slb:DescribeLoadBalancerTCPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPSListenerAttribute",
        "slb:DescribeHealthStatus",
        "slb:DescribeAccessControlListAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "alb:DescribeRegions",
        "alb:ListLoadBalancers",
        "alb:GetLoadBalancerAttribute",
        "alb:ListListeners",
        "alb:GetListenerAttribute",
        "alb:GetListenerHealthStatus",
        "alb:ListAcls",
        "alb:ListAclEntries"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "nlb:DescribeRegions",
        "nlb:ListLoadBalancers",
        "nlb:GetLoadBalancerAttribute",
        "nlb:ListListeners",
        "nlb:GetListenerAttribute",
        "nlb:GetListenerHealthStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs",
        "log:GetProject",
        "log:ListProject",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:CreateLogStore",
        "log:CreateProject",
        "log:DeleteProject",
        "log:GetLogStoreLogs",
        "log:GetIndex",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:CreateDashboard",
        "log:ClearLogStoreStorage",
        "log:UpdateLogStore",
        "log:UpdateDashboard",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:DeleteLogStore",
        "log:DeleteSavedSearch",
        "log:GetSavedSearch",
        "log:ListSavedSearch",
        "log:DeleteDashboard",
        "log:GetDashboard",
        "log:ListDashboard",
        "log:GetLogStoreHistogram"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-bastionhost:DescribeInstance",
        "yundun-bastionhost:DescribeRegions",
        "yundun-bastionhost:DescribeInstances",
        "yundun-bastionhost:DescribeInstanceBastionhost",
        "yundun-bastionhost:DescribeInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cen:DescribeCens",
        "cen:DescribeCenAttachedChildInstances",
        "cen:DescribeCenAttachedChildInstanceAttribute",
        "cen:AttachCenChildInstance",
        "cen:DetachCenChildInstance",
        "cen:PublishRouteEntries",
        "cen:WithdrawPublishedRouteEntries",
        "cen:DescribePublishedRouteEntries",
        "cen:DescribeCenRegionDomainRouteEntries",
        "cen:ModifyCenAttribute",
        "cen:CreateCenRouteMap",
        "cen:DeleteCenRouteMap",
        "cen:ModifyCenRouteMap",
        "cen:DescribeCenRouteMaps",
        "cen:DescribeCenChildInstanceRouteEntries",
        "cen:CreateCenChildInstanceRouteEntryToCen",
        "cen:DeleteCenChildInstanceRouteEntryToCen",
        "cen:ListTransitRouters",
        "cen:CreateTransitRouter",
        "cen:DeleteTransitRouter",
        "cen:ListTransitRouterAttachments",
        "cen:CreateTransitRouterVpcAttachment",
        "cen:DeleteTransitRouterVpcAttachment",
        "cen:UpdateTransitRouterVpcAttachmentAttribute",
        "cen:UpdateTransitRouterPeerAttachmentAttribute",
        "cen:CreateTransitRouterVbrAttachment",
        "cen:DeleteTransitRouterVbrAttachment",
        "cen:ListTransitRouterPeerAttachments",
        "cen:ListTransitRouterVpcAttachments",
        "cen:ListTransitRouterVbrAttachments",
        "cen:ListTransitRouterAvailableResource",
        "cen:CreateTransitRouterRouteTable",
        "cen:UpdateTransitRouterRouteTable",
        "cen:DeleteTransitRouterRouteTable",
        "cen:ListTransitRouterRouteTables",
        "cen:CreateTransitRouterRouteEntry",
        "cen:DeleteTransitRouterRouteEntry",
        "cen:ListTransitRouterRouteEntries",
        "cen:ListTransitRouterRouteTableAssociations",
        "cen:AssociateTransitRouterAttachmentWithRouteTable",
        "cen:DissociateTransitRouterAttachmentFromRouteTable",
        "cen:ListTransitRouterRouteTablePropagations",
        "cen:EnableTransitRouterRouteTablePropagation",
        "cen:DisableTransitRouterRouteTablePropagation",
        "cen:ModifyCenUserQuota",
        "cen:ReplaceTransitRouterRouteTableAssociation",
        "cen:CheckTransitRouterService",
        "cen:ListTransitRouterPrefixListAssociation"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "netana:DescribeNetworkQuotas",
        "netana:DescribeNetworkQuotaRequestResult",
        "netana:CreateNetworkQuotaRequest"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CheckProductOpen",
        "privatelink:OpenPrivateLinkService",
        "privatelink:CreateVpcEndpoint",
        "privatelink:DeleteVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:ListVpcEndpointZones",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointServicesByEndUser"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-sas:DescribeVulList",
        "yundun-sas:DescribeVulDetails",
        "yundun-sas:DescribeCloudCenterInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-cert:DescribeCACertificateList",
        "yundun-cert:GetUserStatus",
        "yundun-cert:CreateTestOrder",
        "yundun-cert:CreateRootCACertificate",
        "yundun-cert:CreateSubCACertificate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cs:DescribeUserQuota",
        "cs:DescribeClusterNodes",
        "cs:DescribeClusterNodePools",
        "cs:DescribeClusterNodePoolDetail",
        "cs:DescribeUserClusterNamespaces",
        "cs:DescribeClustersV1",
        "cs:DescribeClusterUserKubeconfig",
        "cs:DescribeClusterResources",
        "cs:DescribeClusterDetail",
        "cs:GetClusters",
        "cs:DescribeUserPermission",
        "cs:UpdateUserPermissions",
        "cs:GrantPermissions",
        "cs:CleanClusterUserPermissions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:DescribeDBInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cen.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "resourcemanager:ListAccounts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:QueryMetricList",
        "cms:QueryMetricData",
        "cms:QueryMetricLast"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "yundun-aegis:DescribeAccesskeyLeakList",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cloudfw.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    }
  ]
}

For more information about access policy syntax, see Policy elements.

Delete a service-linked role

If you no longer need Cloud Firewall, you can delete the Cloud Firewall service-linked role AliyunServiceRoleForCloudFW. This role can be deleted only after your Cloud Firewall instance expires and is automatically released. For more information, see Delete a RAM role.

FAQ

Why can't my RAM user automatically create the Cloud Firewall service-linked role AliyunServiceRoleForCloudFW?

A RAM user requires specific permissions to automatically create or delete AliyunServiceRoleForCloudFW. If a RAM user cannot automatically create AliyunServiceRoleForCloudFW, you can attach the following access policy to the RAM user. For more information, see Grant permissions to a RAM user.

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "cloudfw.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
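The two policies on this page (the AliyunServiceRolePolicyForCloudFW system policy above and the RAM user policy in this FAQ) can be reviewed with the same small audit. This is an added example, not Alibaba Cloud's code: it parses a constructed excerpt of the system policy, lists the actions granted on Resource "*" that change state rather than only read it, and reports which ram:ServiceName values each ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole grant is limited to; the read-only prefix list is an assumption derived from the action names shown above.

```python
import json
from collections import defaultdict

# Constructed excerpt of the AliyunServiceRolePolicyForCloudFW policy shown on this page;
# only a few actions per service are kept so the sample stays short.
SLR_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:DescribeInstances", "ecs:CreateSecurityGroup", "ecs:DeleteSecurityGroup"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["log:GetProject", "log:CreateProject", "log:DeleteProject"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "cen.aliyuncs.com"}}},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "cloudfw.aliyuncs.com"}}}
  ]
}
""")

# Assumption: actions whose name starts with one of these prefixes only read state.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Query", "Check")

def actions_of(stmt):
    """Normalise the Action element, which RAM accepts as a string or a list."""
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)

def mutating_actions_by_service(policy):
    """Map service prefix -> sorted actions that can change state and are allowed on '*'."""
    out = defaultdict(list)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Resource") != "*":
            continue
        for action in actions_of(stmt):
            service, _, name = action.partition(":")
            if not name.startswith(READ_ONLY_PREFIXES):
                out[service].append(action)
    return {service: sorted(acts) for service, acts in out.items()}

def service_linked_role_scopes(policy):
    """For each ram:*ServiceLinkedRole grant, return the ram:ServiceName values it is limited to.
    An empty list means the grant carries no such condition and is worth reviewing."""
    scopes = {}
    for stmt in policy["Statement"]:
        for action in actions_of(stmt):
            if action in ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"):
                names = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName", [])
                names = [names] if isinstance(names, str) else list(names)
                scopes.setdefault(action, []).extend(names)
    return scopes
```

Running service_linked_role_scopes over the FAQ policy confirms the RAM user is only allowed to create service-linked roles for cloudfw.aliyuncs.com.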