In specific scenarios, Security Center must obtain permissions to access the resources of other cloud services before it can implement a feature. To obtain the permissions, Security Center must assume a service-linked role. This topic describes the service-linked roles for Security Center, including the role definitions and scenarios.
A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. To obtain the permissions to access other cloud services or resources, Security Center must assume a service-linked role.
In most cases, the system automatically creates a service-linked role when you perform an operation on Security Center. If the system fails to create a service-linked role or Security Center does not support automatic creation, you must manually create a service-linked role.
RAM provides a system policy for each service-linked role. You cannot modify the policy. To view information about the system policy of a specific service-linked role, you can go to the details page of the service-linked role. For more information, see System Policy Reference.
Scenarios
The following table lists the service-linked roles that are provided for Security Center.
| Service-linked role | Service identifier | Scenario |
| --- | --- | --- |
| AliyunServiceRoleForSas | sas.aliyuncs.com | |
| AliyunServiceRoleForSasCloudSiem | cloudsiem.sas.aliyuncs.com | You can use this role to authorize Security Center to access the resources of cloud services such as VPC and Cloud Firewall. Then, you can use the Cloud Threat Detection and Response (CTDR) feature to monitor the logs of the cloud services that you add to the feature, deliver logs, and handle security events. The CTDR feature provides centralized alert management and threat source tracing capabilities. |
| AliyunServiceRoleForSasCspm | cspm.sas.aliyuncs.com | You can use this role to authorize Security Center to access the resources of cloud services such as ActionTrail. Then, you can enable the Cloud Security Posture Management (CSPM) feature to check the configurations of cloud services. |
| AliyunServiceRoleForSasRd | rd.sas.aliyuncs.com | You can use this role to authorize the delegated administrator accounts of Security Center to log on to the Security Center console on behalf of members of the resource directory when the multi-account management feature is enabled. This way, you can configure security settings for multiple members of an enterprise in a centralized manner and monitor the security status of the members in real time. |
| AliyunServiceRoleForSasSecurityLake | security-lake.sas.aliyuncs.com | You can use this role to authorize Security Center to access the resources of OSS and Data Lake Formation (DLF). Then, you can use the cold data storage solution of the CTDR feature to manage log data and perform interactive queries and analysis on the data. |
Create a service-linked role
AliyunServiceRoleForSas
The first time you use one of the following features and obtain the required permissions, the AliyunServiceRoleForSas service-linked role is automatically created.
| Module | Feature |
| --- | --- |
| Risk governance | |
| Container security | |
| Host security | |
| Others | |
AliyunServiceRoleForSasCloudSiem
The first time you use the CTDR feature and obtain the required permissions, the AliyunServiceRoleForSasCloudSiem service-linked role is automatically created. For more information, see Overview.
AliyunServiceRoleForSasCspm
The first time you use the CSPM feature and obtain the required permissions, the AliyunServiceRoleForSasCspm service-linked role is automatically created.
On November 21, 2022 (UTC+8), the policy for the CSPM feature was migrated from the AliyunServiceRoleForSas service-linked role to the AliyunServiceRoleForSasCspm service-linked role. To ensure that the CSPM feature can continue to work as expected, go to the Cloud Security Posture Management page and click OK in the Role Policy Migration Reminder message. Then, click Authorize Now to complete the authorization.
AliyunServiceRoleForSasRd
After the management account of your resource directory or a delegated administrator account uses the multi-account management feature to add a member of your resource directory to the list of managed accounts, the AliyunServiceRoleForSasRd service-linked role is automatically created for the member.
AliyunServiceRoleForSasSecurityLake
The first time you use the cold data storage solution of the CTDR feature and obtain the required permissions, the AliyunServiceRoleForSasSecurityLake service-linked role is automatically created.
View the information about a service-linked role
After a service-linked role is created, you can view the information about the service-linked role. To view the information, find the role on the Roles page of the RAM console and click the name of the role. Then, you can view the following information about the role on the details page of the role:
Basic information
In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Policy
On the Permissions tab, you can click the policy name to view the policy document.
Note: You cannot view the policy attached to a service-linked role on the Policies page of the RAM console. You can view the policy only on the details page of the role.
Trust policy
On the Trust Policy tab, you can view the content of the trust policy that is attached to the role. A trust policy describes the trusted entities of a RAM role. A trusted entity is an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the `Service` field in the trust policy to obtain the trusted entity.
For more information about how to view a service-linked role, see View the information about a RAM role.
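The following script is an added example and is not part of this documentation or of Security Center itself. It checks the trust policy of each Security Center service-linked role against the service identifiers listed in the scenario table above: the `Service` field of every `sts:AssumeRole` statement must name exactly the documented identifier, and no `RAM` or `Federated` principal may be present. The input shape follows the `Role.AssumeRolePolicyDocument` field returned by the RAM `GetRole` API (for example, `aliyun ram GetRole --RoleName AliyunServiceRoleForSasCspm`); the sample responses, account ID and ARNs in the block are constructed placeholders.

```python
"""Audit the trust policies of Security Center service-linked roles.

Added example, not part of the Alibaba Cloud documentation. It parses the
JSON returned by the RAM GetRole API (Role.AssumeRolePolicyDocument) and
checks that each role trusts exactly the service identifier listed in the
scenario table and nothing else.
"""
import json

# Role name -> trusted service identifier, taken from the scenario table.
EXPECTED_TRUSTED_SERVICE = {
    "AliyunServiceRoleForSas": "sas.aliyuncs.com",
    "AliyunServiceRoleForSasCloudSiem": "cloudsiem.sas.aliyuncs.com",
    "AliyunServiceRoleForSasCspm": "cspm.sas.aliyuncs.com",
    "AliyunServiceRoleForSasRd": "rd.sas.aliyuncs.com",
    "AliyunServiceRoleForSasSecurityLake": "security-lake.sas.aliyuncs.com",
}


def trusted_principals(trust_policy: dict) -> dict:
    """Collect the principals trusted by Allow statements for sts:AssumeRole.

    Returns {"Service": set, "RAM": set, "Federated": set}. A single string
    in Action or in a Principal field is normalized to a one-element list.
    """
    found = {"Service": set(), "RAM": set(), "Federated": set()}
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        for kind in found:
            values = principal.get(kind, [])
            if isinstance(values, str):
                values = [values]
            found[kind].update(values)
    return found


def audit_role(get_role_response: dict) -> list:
    """Return a list of findings; an empty list means the role is as documented.

    get_role_response is the parsed JSON of `aliyun ram GetRole --RoleName X`.
    """
    role = get_role_response["Role"]
    name = role["RoleName"]
    expected = EXPECTED_TRUSTED_SERVICE.get(name)
    if expected is None:
        return [f"{name}: not a Security Center service-linked role"]
    # AssumeRolePolicyDocument is a JSON document embedded as a string.
    policy = json.loads(role["AssumeRolePolicyDocument"])
    principals = trusted_principals(policy)
    findings = []
    if principals["Service"] != {expected}:
        findings.append(
            f"{name}: trusted Service is {sorted(principals['Service'])}, "
            f"expected ['{expected}']"
        )
    for kind in ("RAM", "Federated"):
        if principals[kind]:
            findings.append(
                f"{name}: unexpected {kind} principal(s) {sorted(principals[kind])}"
            )
    return findings


def _sample(name: str, principal: dict) -> dict:
    """Build a constructed GetRole-like response; the account ID is a placeholder."""
    policy = {
        "Statement": [
            {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": principal}
        ],
        "Version": "1",
    }
    return {
        "Role": {
            "RoleName": name,
            "Arn": f"acs:ram::123456789012345678:role/{name.lower()}",
            "AssumeRolePolicyDocument": json.dumps(policy),
        }
    }


# Constructed samples: one as documented, one trusting the wrong service,
# one that additionally trusts a RAM account (which a service-linked role never does).
SAMPLE_OK = _sample("AliyunServiceRoleForSasCspm", {"Service": ["cspm.sas.aliyuncs.com"]})
SAMPLE_WRONG_SERVICE = _sample("AliyunServiceRoleForSasCspm", {"Service": ["sas.aliyuncs.com"]})
SAMPLE_EXTRA_RAM = _sample(
    "AliyunServiceRoleForSasCspm",
    {"Service": ["cspm.sas.aliyuncs.com"], "RAM": ["acs:ram::123456789012345678:root"]},
)

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_WRONG_SERVICE, SAMPLE_EXTRA_RAM):
        print(audit_role(sample) or [f"{sample['Role']['RoleName']}: OK"])
```

In practice you would feed the script the output of `aliyun ram GetRole` for each of the five role names; a non-empty finding list means the role you are looking at does not match what the table says Security Center trusts and deserves a closer look before the dependent feature is relied on.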
Delete a service-linked role
After a service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.
If you do not use Security Center for a long period of time or want to delete your Alibaba Cloud account, you may need to manually delete service-linked roles in the RAM console. For more information, see Delete a RAM role.
References
For more information about service-linked roles, see Service-linked roles.