All Products
Search
Document Center

Security Center:Service-linked roles for Security Center

Last Updated:Dec 13, 2024

In specific scenarios, Security Center must obtain permissions to access the resources of other cloud services before it can implement a feature. To obtain the permissions, Security Center must assume a service-linked role. This topic describes the service-linked roles for Security Center, including the role definitions and scenarios.

A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. To obtain the permissions to access other cloud services or resources, Security Center must assume a service-linked role.

In most cases, the system automatically creates a service-linked role when you perform an operation on Security Center. If the system fails to create a service-linked role or Security Center does not support automatic creation, you must manually create a service-linked role.

RAM provides a system policy for each service-linked role. You cannot modify the policy. To view information about the system policy of a specific service-linked role, you can go to the details page of the service-linked role. For more information, see System Policy Reference.

Scenarios

The following table lists the service-linked roles that are provided for Security Center.

Service-linked role

Service identifier

Scenario

AliyunServiceRoleForSas

sas.aliyuncs.com

  • You can use this role to authorize Security Center to access the resources of cloud services such as Container Registry and ApsaraDB RDS to detect security risks in your container assets.

  • You can use this role to authorize Security Center to access the resources of cloud services such as Virtual Private Cloud (VPC) and Elastic Compute Service (ECS). Then, you can enable the cloud honeypot feature to obtain attack detection and attack source tracing capabilities in and outside the cloud.

  • You can use this role to authorize Security Center to access the resources of cloud services such as ECS. Then, you can enable the feature of defense against brute-force attacks to protect your server passwords from being cracked.

  • You can use this role to authorize Security Center to access the resources of cloud services such as Simple Log Service. Then, you can enable the log analysis feature to obtain log query and analysis capabilities.

  • You can use this role to authorize Security Center to access the resources such as ECS instances and ECS images. Then, you can enable the agentless detection feature to share ECS images with the Security Center service account and perform security scanning on data in the images.

  • You can use this role to authorize Security Center to access the resources of cloud services such as Cloud Backup and ECS. Then, you can enable the anti-ransomware feature to defend against ransomware and back up your data.

  • You can use this role to authorize Security Center to access the resources of cloud services such as Resource Directory by using the management account of a resource directory or a delegated administrator account. Then, you can enable the multi-account management feature to manage the security risks of multiple members in a centralized manner.

  • You can use this role to authorize Security Center to access Object Storage Service (OSS) resources. Then, you can enable the SDK for malicious file detection feature to check OSS objects for viruses.

  • You can use this role to authorize Security Center to access Key Management Service (KMS) resources. Then, you can enable the SDK for malicious file detection feature to decrypt and check Object Storage Service (OSS) objects that are encrypted by using SSE-KMS.

AliyunServiceRoleForSasCloudSiem

cloudsiem.sas.aliyuncs.com

You can use this role to authorize Security Center to access the resources of cloud services such as VPC and Cloud Firewall. Then, you can use the Cloud Threat Detection and Response (CTDR) feature to monitor the logs of cloud services that you add to the feature, deliver logs, and handle security events. The CTDR feature provides centralized alert management and threat source tracing capabilities.

AliyunServiceRoleForSasCspm

cspm.sas.aliyuncs.com

You can use this role to authorize Security Center to access the resources of cloud services such as ActionTrail. Then, you can enable the Cloud Security Posture Management (CSPM) feature to check the configurations of cloud services.

AliyunServiceRoleForSasRd

rd.sas.aliyuncs.com

You can use this role to authorize the delegated administrator accounts of Security Center to log on to the Security Center console as members in the resource directory that is involved when the multi-account management feature is enabled. This way, you can configure security settings for multiple members of an enterprise in a centralized manner, and monitor the security status of the members in real time.

AliyunServiceRoleForSasSecurityLake

security-lake.sas.aliyuncs.com

You can use this role to authorize Security Center to access the resources of OSS and Data Lake Formation (DLF). Then, you can use the cold data storage solution of the CTDR feature to manage log data and perform interactive queries and analysis on the data.

Create a service-linked role

AliyunServiceRoleForSas

The first time you use one of the following features and obtain the required permissions, the AliyunServiceRoleForSas service-linked role is automatically created.

Module

Feature

Risk governance

  • SDK for malicious file detection

  • Log analysis

Container security

  • Container management

  • Container image scan

  • Container signature

  • Threat detection on Kubernetes containers

Host security

  • Cloud honeypot

  • Defense against brute-force attacks

  • Agentless detection

  • Anti-ransomware

  • Virus detection and removal

  • Adaptive threat detection

Others

  • Playbook

  • Multi-account management

AliyunServiceRoleForSasCloudSiem

The first time you use the CTDR feature and obtain the required permissions, the AliyunServiceRoleForSasCloudSiem service-linked role is automatically created. For more information, see Overview.

AliyunServiceRoleForSasCspm

The first time you use the CSPM feature and obtain the required permissions, the AliyunServiceRoleForSasCspm service-linked role is automatically created.

Note

On November 21, 2022 (UTC+8), the policy for the CSPM feature is migrated from the AliyunServiceRoleForSas service-linked role to the AliyunServiceRoleForSasCspm service-linked role. To ensure that the CSPM feature can work as expected, go to the Cloud Security Posture Management page and click OK in the Role Policy Migration Reminder message. Then, click Authorize Now to complete authorization.

AliyunServiceRoleForSasRd

After the management account of your resource directory or a delegated administrator account uses the multi-account management feature to add a member of your resource directory to the list of managed accounts, the AliyunServiceRoleForSasRd service-linked role is automatically created for the member.

AliyunServiceRoleForSasSecurityLake

The first time you use the cold data storage solution of the CTDR feature and obtain the required permissions, the AliyunServiceRoleForSasSecurityLake service-linked role is automatically created.

View the information about a service-linked role

After a service-linked role is created, you can view the information about the service-linked role. To view the information, find the role on the Roles page of the RAM console and click the name of the role. Then, you can view the following information about the role on the details page of the role:

  • Basic information

    In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Policy

    On the Permissions tab, you can click the policy name to view the policy document.

    Note

    You cannot view the policy attached to a service-linked role on the Policies page of the RAM console. You can view the policy only on the role details page.

  • Trust policy

    On the Trust Policy tab, you can view the content of the trust policy that is attached to the role. A trust policy describes the trusted entities of a RAM role. A trusted entity is an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy to obtain the trusted entity.

For more information about how to view a service-linked role, see View the information about a RAM role.

Delete a service-linked role

Important

After a service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.

If you do not use Security Center for a long period of time or want to delete your Alibaba Cloud account, you may need to manually delete service-linked roles in the RAM console. For more information, see Delete a RAM role.

References

For more information about service-linked roles, see Service-linked roles.