By default, a Resource Access Management (RAM) user does not have the permissions to query or analyze logs of Cloud Firewall. If you want to grant a RAM user the permissions to query and analyze logs of Cloud Firewall, but do not want to grant the RAM user other permissions on Simple Log Service, you can create a custom policy in the RAM console and attach the policy to the RAM user. This allows the RAM user to query and analyze logs based on the principle of least privilege.
Prerequisites
The log analysis feature of Cloud Firewall is enabled. For more information, see Overview.
The names of the project and Logstore that are created for logs of Cloud Firewall are obtained.
After you enable the log analysis feature, Cloud Firewall automatically creates a dedicated project and a dedicated Logstore. You can log on to the Simple Log Service console to view the project and Logstore that are dedicated to Cloud Firewall.
A RAM user is created. For more information about how to create a RAM user, see Create a RAM user.
The system policy AliyunYundunCloudFirewallReadOnlyAccess is attached to the RAM user. The policy grants the read-only permissions on Cloud Firewall. For more information, see Grant permissions to a RAM user.
The following section describes how to grant a RAM user the permissions to query and analyze logs of Cloud Firewall. If you want to grant a RAM user full permissions or read-only permissions on Simple Log Service, you can attach the AliyunLogFullAccess or AliyunLogReadOnlyAccess policy to the RAM user.
Procedure
Log on to the RAM console with an Alibaba Cloud account or as a RAM user who has administrative rights.
Create a custom policy on the JSON tab.
In the left-side navigation pane, choose Permissions > Policies. On the Policies page, click Create Policy. Then, click the JSON tab.
Copy and paste the following policy content to the code editor and click OK.
Note: Replace ${Project} and ${Logstore} in the following policy content with the names of the Simple Log Service project and Logstore that are dedicated to Cloud Firewall. Each Resource is scoped to that one project, so the policy grants nothing on other projects.
{
  "Version": "1",
  "Statement": [
    { "Action": "log:GetProject", "Resource": "acs:log:*:*:project/${Project}", "Effect": "Allow" },
    { "Action": "log:ListLogStores", "Resource": "acs:log:*:*:project/${Project}/logstore/*", "Effect": "Allow" },
    { "Action": "log:GetIndex", "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}", "Effect": "Allow" },
    { "Action": "log:ListDashboard", "Resource": "acs:log:*:*:project/${Project}/dashboard/*", "Effect": "Allow" },
    { "Action": "log:UpdateDashboard", "Resource": "acs:log:*:*:project/${Project}/dashboard/*", "Effect": "Allow" },
    { "Action": "log:CreateDashboard", "Resource": "acs:log:*:*:project/${Project}/dashboard/*", "Effect": "Allow" },
    { "Action": "log:CreateSavedSearch", "Resource": "acs:log:*:*:project/${Project}/savedsearch/*", "Effect": "Allow" },
    { "Action": "log:ListSavedSearch", "Resource": "acs:log:*:*:project/${Project}/savedsearch/*", "Effect": "Allow" },
    { "Action": "log:UpdateSavedSearch", "Resource": "acs:log:*:*:project/${Project}/savedsearch/*", "Effect": "Allow" },
    { "Action": "log:GetLogStore", "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}", "Effect": "Allow" },
    { "Action": "log:GetLogStoreLogs", "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}", "Effect": "Allow" }
  ]
}
Specify the Name and Description fields.
Check and optimize the content of the custom policy.
Basic optimization
The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
Deletes unnecessary conditions.
Deletes unnecessary arrays.
(Optional) Advanced optimization
You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
Splits resources or conditions that are incompatible with actions.
Narrows down resources.
Deduplicates or merges policy statements.
Click OK.
Attach the custom policy to the RAM user. For more information, see Grant permissions to a RAM user.
Then, the RAM user can query and analyze logs of Cloud Firewall, but cannot use other features of Simple Log Service.
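A local check of the policy before you attach it, added here as an example and not part of the product documentation: it substitutes the two placeholders, then verifies that every statement allows only the actions the policy above grants, that every Resource names the dedicated project rather than a wildcard, and that no statement is duplicated. The project and Logstore names are constructed placeholders, and statements that share a Resource are merged into one, which grants the same permissions as the original list.

```python
import json

# Constructed sample values for the two placeholders the page tells you to substitute.
PROJECT = "cloudfirewall-project-example"  # hypothetical project name
LOGSTORE = "cloudfirewall-logstore"        # hypothetical Logstore name

# The page's policy with statements that share a resource merged; the grants are the same.
POLICY_TEMPLATE = """{ "Version": "1", "Statement": [
  { "Action": "log:GetProject", "Resource": "acs:log:*:*:project/${Project}", "Effect": "Allow" },
  { "Action": "log:ListLogStores", "Resource": "acs:log:*:*:project/${Project}/logstore/*", "Effect": "Allow" },
  { "Action": ["log:ListDashboard", "log:CreateDashboard", "log:UpdateDashboard"],
    "Resource": "acs:log:*:*:project/${Project}/dashboard/*", "Effect": "Allow" },
  { "Action": ["log:CreateSavedSearch", "log:ListSavedSearch", "log:UpdateSavedSearch"],
    "Resource": "acs:log:*:*:project/${Project}/savedsearch/*", "Effect": "Allow" },
  { "Action": ["log:GetIndex", "log:GetLogStore", "log:GetLogStoreLogs"],
    "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}", "Effect": "Allow" }
] }"""

# Every action the page's policy grants; anything outside this set widens the grant.
ALLOWED_ACTIONS = {
    "log:GetProject", "log:ListLogStores", "log:GetIndex", "log:GetLogStore",
    "log:GetLogStoreLogs", "log:ListDashboard", "log:CreateDashboard", "log:UpdateDashboard",
    "log:CreateSavedSearch", "log:ListSavedSearch", "log:UpdateSavedSearch",
}

def render(template: str, project: str, logstore: str) -> dict:
    """Substitute the placeholders and parse the result, as the console would receive it."""
    return json.loads(template.replace("${Project}", project).replace("${Logstore}", logstore))

def audit(policy: dict, project: str) -> list:
    """Return findings; an empty list means every statement stays within the page's scope."""
    findings, seen = [], set()
    prefix = "acs:log:*:*:project/" + project
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if st.get("Effect") != "Allow":
            findings.append(f"statement {i}: unexpected Effect {st.get('Effect')!r}")
        for a in actions:  # a wildcard such as log:* or any write/delete action lands here
            if a not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {a!r} is outside the query/analyze set")
        for r in resources:  # the project must be named; project/* would cover every project
            if r != prefix and not r.startswith(prefix + "/"):
                findings.append(f"statement {i}: resource {r!r} is not scoped to project {project!r}")
        key = (tuple(sorted(actions)), tuple(sorted(resources)))
        if key in seen:
            findings.append(f"statement {i}: duplicates an earlier statement")
        seen.add(key)
    return findings
```

Run `audit(render(POLICY_TEMPLATE, PROJECT, LOGSTORE), PROJECT)` after substituting your own names; an empty list means the policy is still limited to querying and analyzing the dedicated project, and each finding names the statement that widened it.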
What to do next
You can query and analyze collected logs in real time to monitor traffic exceptions and protect your assets. For more information about how to query logs, see Query and analyze logs.