
Cloud Firewall: Grant a RAM user the permissions to query and analyze logs of Cloud Firewall

Last Updated: Jan 03, 2025

By default, a Resource Access Management (RAM) user does not have the permissions to query or analyze logs of Cloud Firewall. If you want to grant a RAM user the permissions to query and analyze logs of Cloud Firewall, but do not want to grant the RAM user other permissions on Simple Log Service, you can create a custom policy in the RAM console and attach the policy to the RAM user. This allows the RAM user to query and analyze logs based on the principle of least privilege.

Prerequisites

  • The log analysis feature of Cloud Firewall is enabled. For more information, see Overview.

  • The names of the project and Logstore that are created for logs of Cloud Firewall are obtained.

    After you enable the log analysis feature, Cloud Firewall automatically creates a dedicated project and a dedicated Logstore. You can log on to the Simple Log Service console to view the project and Logstore that are dedicated to Cloud Firewall.

  • A RAM user is created. For more information about how to create a RAM user, see Create a RAM user.

  • The system policy AliyunYundunCloudFirewallReadOnlyAccess is attached to the RAM user. The policy grants the read-only permissions on Cloud Firewall. For more information, see Grant permissions to a RAM user.

Note

The following section describes how to grant a RAM user the permissions to query and analyze logs of Cloud Firewall. If you want to grant a RAM user full permissions or read-only permissions on Simple Log Service, you can attach the AliyunLogFullAccess or AliyunLogReadOnlyAccess policy to the RAM user.

Procedure

  1. Log on to the RAM console with an Alibaba Cloud account or as a RAM user who has administrative rights.

  2. Create a custom policy on the JSON tab.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy. Then, click the JSON tab.

    3. Copy and paste the following policy content to the code editor.

      Note

      Replace ${Project} and ${Logstore} in the following policy content with the names of the Simple Log Service project and Logstore that are dedicated to Cloud Firewall.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": "log:GetProject",
            "Resource": "acs:log:*:*:project/${Project}",
            "Effect": "Allow"
          },
          {
            "Action": "log:ListLogStores",
            "Resource": "acs:log:*:*:project/${Project}/logstore/*",
            "Effect": "Allow"
          },
          {
            "Action": "log:GetIndex",
            "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
            "Effect": "Allow"
          },
          {
            "Action": "log:ListDashboard",
            "Resource": "acs:log:*:*:project/${Project}/dashboard/*",
            "Effect": "Allow"
          },
          {
            "Action": "log:CreateDashboard",
            "Resource": "acs:log:*:*:project/${Project}/dashboard/*",
            "Effect": "Allow"
          },
          {
            "Action": "log:UpdateDashboard",
            "Resource": "acs:log:*:*:project/${Project}/dashboard/*",
            "Effect": "Allow"
          },
          {
            "Action": "log:CreateSavedSearch",
            "Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
            "Effect": "Allow"
          },
          {
            "Action": "log:ListSavedSearch",
            "Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
            "Effect": "Allow"
          },
          {
            "Action": "log:UpdateSavedSearch",
            "Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
            "Effect": "Allow"
          },
          {
            "Action": "log:GetLogStore",
            "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
            "Effect": "Allow"
          },
          {
            "Action": "log:GetLogStoreLogs",
            "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
            "Effect": "Allow"
          }
        ]
      }
    4. Click Optional advanced optimize in the upper part. In the Optional advanced optimize message, click Perform to optimize the policy.

      The system performs the following operations during the advanced optimization:

      • Split resources or conditions that are incompatible with actions.

      • Narrow down resources.

      • Deduplicate or merge policy statements.

    5. On the Create Policy page, click OK.

    6. In the Create Policy dialog box, configure the Name and Description parameters and click OK.

  3. Attach the custom policy to the RAM user. For more information, see Grant permissions to a RAM user.

    Then, the RAM user can query and analyze logs of Cloud Firewall, but cannot use other features of Simple Log Service.
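As an added example (not part of the Alibaba Cloud documentation), the following Python script does two things the procedure above does by hand and one thing it leaves to the reader: it substitutes the ${Project} and ${Logstore} placeholders, drops exact duplicate statements as the advanced optimization would, and then checks that every statement stays inside the dedicated project and names a specific log: action. The policy text is an abbreviated copy of the page's policy, and the project name used in the test is a constructed sample.

```python
import json
from string import Template

# Abbreviated copy of the page's policy template (constructed sample: the real one
# has more statements). The duplicated UpdateDashboard statement is kept on purpose
# so that dedupe_statements() has something to remove.
POLICY_TEMPLATE = """{
  "Version": "1",
  "Statement": [
    {"Action": "log:GetProject", "Resource": "acs:log:*:*:project/${Project}", "Effect": "Allow"},
    {"Action": "log:UpdateDashboard", "Resource": "acs:log:*:*:project/${Project}/dashboard/*", "Effect": "Allow"},
    {"Action": "log:UpdateDashboard", "Resource": "acs:log:*:*:project/${Project}/dashboard/*", "Effect": "Allow"},
    {"Action": "log:GetLogStoreLogs", "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}", "Effect": "Allow"}
  ]
}"""


def render_policy(template: str, project: str, logstore: str) -> dict:
    """Fill in ${Project} and ${Logstore}; string.Template raises KeyError if one is missing."""
    return json.loads(Template(template).substitute(Project=project, Logstore=logstore))


def dedupe_statements(policy: dict) -> dict:
    """Remove statements that are exact duplicates (one step of the console's optimization)."""
    seen, unique = set(), []
    for stmt in policy["Statement"]:
        key = json.dumps(stmt, sort_keys=True)  # canonical form, so key order does not matter
        if key not in seen:
            seen.add(key)
            unique.append(stmt)
    return {**policy, "Statement": unique}


def check_scope(policy: dict, project: str) -> list:
    """Return one finding per statement that leaves the dedicated project, uses a wildcard
    action, or is not an Allow. An empty list means the policy is as narrow as intended."""
    prefix = f"acs:log:*:*:project/{project}"
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: unexpected Effect {stmt.get('Effect')!r}")
        for action in actions:
            if not action.startswith("log:") or "*" in action:
                findings.append(f"statement {i}: action {action!r} is not a specific log: action")
        for resource in resources:
            if resource != prefix and not resource.startswith(prefix + "/"):
                findings.append(f"statement {i}: resource {resource!r} is outside project {project!r}")
    return findings
```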

What to do next

You can query and analyze collected logs in real time to monitor traffic exceptions and protect your assets. For more information about how to query logs, see Query and analyze logs.