AliyunServiceRolePolicyForSasRd is the authorization policy dedicated to a service-linked role. The policy is automatically attached to a service role when the service role is created. Then, the service-linked role is authorized to access other cloud services. This policy is updated by the relevant Alibaba Cloud service. Do not attach this policy to a RAM identity other than a service-linked role.
Policy details
Type: service system policy
Creation time: 11:14:18 on February 22, 2023
Update time: 08:58:10 on May 15, 2025
Current version: v7
Policy content
{
"Version": "1",
"Statement": [
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "rd.sas.aliyuncs.com"
}
}
},
{
"Action": [
"yundun-sas:*",
"yundun-aegis:*",
"sasti:*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"hbr:OpenHbrService",
"hbr:CheckRole",
"hbr:CheckSlrRole",
"hbr:GetSnapshotErrorFileDownloadLink",
"hbr:DeleteSnapshot",
"hbr:DescribeUserBusinessStatus"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:CreateSnapshot",
"ecs:DescribeSnapshots",
"ecs:DescribeDisks",
"ecs:ResetDisk",
"ecs:DescribeInstances",
"ecs:StartInstance",
"ecs:StopInstance",
"ecs:RebootInstance",
"ecs:DescribeSendFileResults",
"ecs:DescribeInvocations",
"ecs:DescribeTags",
"ecs:DescribeRegions",
"ecs:DescribeCommands",
"ecs:DescribeInvocationResults",
"ecs:CreateCommand",
"ecs:RunCommand",
"ecs:InvokeCommand",
"ecs:DeleteCommand",
"ecs:SendFile",
"ecs:InstallCloudAssistant",
"ecs:DescribeCloudAssistantStatus",
"ecs:StopInvocation"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-cloudfirewall:DescribeVulnDefenseStatus",
"yundun-cloudfirewall:DescribeUserBuyVersion"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMonitoringAgentStatuses",
"cms:DescribeMonitoringAgentHosts",
"cms:InstallMonitoringAgent"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"kms:DescribeRegions",
"kms:ListKeys",
"kms:DescribeKey",
"kms:ListKeyVersions",
"kms:ListAliasesByKeyId"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-sddp:DescribeUserStatus"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-ddoscoo:DescribeInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-waf:DescribeInstance",
"yundun-waf:DescribeSasSaleMsg",
"yundun-waf:DescribeSasApplicationsCount",
"yundun-waf:DescribeSasApplications",
"yundun-waf:ModifySasApplicationInfo",
"yundun-waf:DeleteSasApplication",
"yundun-waf:CreateSasApplication",
"yundun-waf:ModifySasProtectionConfig",
"yundun-waf:DescribeSasInstancesCount",
"yundun-waf:AddSasEcsRaspAgent",
"yundun-waf:DescribeAttacks",
"yundun-waf:DescribeProtectionStatisticsInfo",
"yundun-waf:DescribeAttackStatisticsInfo",
"yundun-waf:ModifySasProtectionMode",
"yundun-waf:DescribeSasEcsAccessList",
"yundun-waf:DescribeSasInstances",
"yundun-waf:DescribeAttackCount",
"yundun-waf:DescribeAgentFileInfo",
"yundun-waf:DescribeSasApplicationKey",
"yundun-waf:DescribeSasApplicationById",
"yundun-waf:DescribeRaspWhitelist",
"yundun-waf:AddRaspWhitelist",
"yundun-waf:DeleteRaspWhitelist",
"yundun-waf:ModifyRaspWhitelist",
"yundun-waf:DescribeRaspWhitelistAppRelation",
"yundun-waf:DescribePayInfo",
"yundun-waf:AddAccessWhitelist",
"yundun-waf:AddSasRuleGroup",
"yundun-waf:AddSasWhitelist",
"yundun-waf:CopySasRuleGroup",
"yundun-waf:DeleteAccessWhitelist",
"yundun-waf:DeleteSasEcsAttachRecords",
"yundun-waf:DeleteSasJsRuleByConfig",
"yundun-waf:DeleteSasRuleGroup",
"yundun-waf:DescribeAccessWhitelist",
"yundun-waf:DescribeAgentDownloadUrl",
"yundun-waf:DescribeApplications",
"yundun-waf:DescribeAttackApplicationCount",
"yundun-waf:DescribeAttackProtectionCount",
"yundun-waf:DescribeInstanceCountByProtectionMode",
"yundun-waf:DescribeMemoryDetail",
"yundun-waf:DescribeMemoryDetailInner",
"yundun-waf:DescribeMemoryDetectList",
"yundun-waf:DescribeMemorySeverityTrend",
"yundun-waf:DescribeProtectionConfig",
"yundun-waf:DescribeRaspAttachState",
"yundun-waf:DescribeRaspAttackAnalysis",
"yundun-waf:DescribeRaspUserPermit",
"yundun-waf:DescribeRaspVulDefenseMsg",
"yundun-waf:DescribeSasAllRuleGroup",
"yundun-waf:DescribeSasAllRules",
"yundun-waf:DescribeSasAppCount",
"yundun-waf:DescribeSasAppNameByAttachedEcsId",
"yundun-waf:DescribeSasAttachRecords",
"yundun-waf:DescribeSasAttackProtectionTrend",
"yundun-waf:DescribeSasEcsAttachMsg",
"yundun-waf:DescribeSasMemoryStatistics",
"yundun-waf:DescribeSasRuleGroupDetail",
"yundun-waf:DescribeSasRuleGroupList",
"yundun-waf:DescribeSasSaleInstanceCount",
"yundun-waf:DescribeSasSaleOverLimit",
"yundun-waf:DescribeSasShowMode",
"yundun-waf:DescribeSasTopNAttackIPs",
"yundun-waf:DescribeSasWeakConfirmTrend",
"yundun-waf:DescribeSasWeakGroupList",
"yundun-waf:DescribeSasWeakItemDetail",
"yundun-waf:DescribeSasWeakItemList",
"yundun-waf:DescribeSasWeakItemRecord",
"yundun-waf:DescribeSasWeakOverview",
"yundun-waf:DescribeSasWeakSeverityTrend",
"yundun-waf:DescribeSasWeakStatistics",
"yundun-waf:DescribeSasWhitelistByPage",
"yundun-waf:DownloadRaspAccessZip",
"yundun-waf:DownloadRaspMemoryFile",
"yundun-waf:ModifyAccessWhitelistSwitch",
"yundun-waf:ModifyApplicationsRaspState",
"yundun-waf:ModifyMemoryHandleState",
"yundun-waf:ModifyProtectionConfig",
"yundun-waf:ModifyRaspUserPermit",
"yundun-waf:ModifyRaspWhitelistSwitch",
"yundun-waf:ModifySasApplicationName",
"yundun-waf:ModifySasAttachSwitchClose",
"yundun-waf:ModifySasAttachSwitchOpen",
"yundun-waf:ModifySasJsRuleByConfig",
"yundun-waf:ModifySasRuleGroup",
"yundun-waf:ModifySasShowMode",
"yundun-waf:ModifySasWeakCheckState"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-bastionhost:DescribeOpenService"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-cert:DescribeCertificateList",
"yundun-cert:DescribeOrderList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-sddp:DescribeUserStatus"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"resourcemanager:GetResourceDirectory"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "magpiebridge.hbr.aliyuncs.com"
}
}
}
]
}