
Resource Access Management:AliyunServiceRolePolicyForResourceGroup

Last Updated:Nov 06, 2024

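AliyunServiceRolePolicyForResourceGroup is the authorization policy dedicated to a service-linked role. The policy is automatically attached to the service-linked role when the role is created, which authorizes the role to access other cloud services. This policy is updated by the relevant Alibaba Cloud service. Do not attach this policy to a RAM identity other than a service-linked role: several of its statements apply to all resources ("Resource": "*") and include write actions such as actiontrail:DeleteServiceTrail, and because the policy is maintained by the service, the permissions it grants can change without any action on your part.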

Policy details

  • Type: service system policy

  • Creation time: 02:38:37 on January 10, 2023

  • Update time: 02:38:37 on January 10, 2023

  • Current version: v1

Policy content

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:JoinResourceGroup",
                "vpc:MoveResourceGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "actiontrail:CreateServiceTrail",
                "actiontrail:DeleteServiceTrail",
                "actiontrail:GetServiceTrail",
                "actiontrail:GetServiceTrailDeliveryStatus",
                "oos:ListExecutions",
                "vpc:DescribeEipAddresses",
                "ecs:DescribeSnapshots",
                "ecs:DescribeNetworkInterfaces",
                "ecs:DescribeDisks"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "config:StartConfigurationRecorder",
                "config:GetConfigurationRecorder",
                "config:CreateConfigRule",
                "config:ActiveConfigRules",
                "config:GetConfigRule",
                "config:ListConfigRules",
                "config:UpdateConfigRule",
                "config:DryRunConfigRule",
                "config:CreateRemediation",
                "config:ListRemediations",
                "config:GetRemediationTemplate",
                "config:StartConfigRuleEvaluation",
                "config:DeactiveConfigRules",
                "config:DeleteConfigRules",
                "config:GetResourceComplianceByConfigRule"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "config:ServiceChannel": "ResourceGroup"
                }
            }
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "acs:ram:*:*:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "rmc.resourcemanager.aliyuncs.com",
                        "config.aliyuncs.com",
                        "remediation.config.aliyuncs.com"
                    ]
                }
            }
        },
        {
            "Action": "resourcecenter:EnableResourceCenter",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "resourcegroup.resourcemanager.aliyuncs.com"
                }
            }
        }
    ]
}

References