Simple Log Service allows you to use the policies of Resource Access Management (RAM) to perform RAM user authorization, RAM role authorization, tag-based authentication, and cross-service access authorization. This topic describes the policy elements that are defined by Simple Log Service, such as Action and Resource. You can configure policies to perform fine-grained access control.
Policy
A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information about the policy elements, structure, and syntax, see Policy elements and Policy structure and syntax.
RAM supports the following two types of policies:
System policy: System policies are created and upgraded by Alibaba Cloud. You can use system policies but cannot modify them.
Custom policy: You can create, modify, delete, and upgrade custom policies to meet your business requirements.
You can attach one or more policies to RAM identities. For more information, see Grant permissions to a RAM user, Grant permissions to a RAM user group, and Grant permissions to a RAM role.
Policy elements
For more information about the concepts and syntax of policies, see Policy elements.
| Element | Description |
| --- | --- |
| Effect | Specifies whether a statement result is an explicit allow or an explicit deny. Valid values: Allow and Deny. |
| Action | Describes one or more API operations that are allowed or denied. |
| Resource | Specifies one or more objects that the statement covers. |
| Condition | Specifies the conditions that are required for a policy to take effect. |
| Principal | Specifies the principal that is allowed or denied access to a resource. This element is available only for resource-based policies, such as a trust policy that specifies a trusted entity to assume a RAM role. |
Procedure
Create an account administrator.
An Alibaba Cloud account has full management permissions on the resources within the account. You cannot impose limits such as limits on source IP addresses and time periods of access by using an Alibaba Cloud account. If an Alibaba Cloud account is shared by multiple users, you cannot identify a specific user in audit logs. If an Alibaba Cloud account is disclosed, security risks may arise. We recommend that you do not use an Alibaba Cloud account to perform daily O&M operations.
You can use an Alibaba Cloud account to create a RAM user in RAM and attach the AdministratorAccess policy to the RAM user. Then, you can use the RAM user as an account administrator to manage all cloud resources that belong to the Alibaba Cloud account. You can use the account administrator to create multiple RAM users for access control.
RAM provides two types of policies: system policies and custom policies. System policies are created and updated by Alibaba Cloud. You can use system policies, but you cannot modify them. If system policies cannot meet your requirements, you can create a custom policy to perform fine-grained access control.
Create a RAM user or RAM role and grant the required permissions.
Create a RAM user and grant permissions to the user.
You can create RAM users and grant the RAM users the permissions to access different resources.
If multiple users in your enterprise need to access resources, you can use RAM to assign permissions to the users by following the principle of least privilege. This prevents the users from sharing the username and password or AccessKey pair of an Alibaba Cloud account and reduces security risks.
Create a RAM user group and grant permissions to the group.
RAM user groups are physical identities. You can create RAM user groups to classify RAM users and grant permissions to the RAM users that have the same responsibilities. This simplifies the management of RAM users and their permissions.
Create a RAM role and attach the required policies to the role.
A RAM role is a virtual identity to which policies can be attached. A RAM role does not have permanent identity credentials, such as a logon password or an AccessKey pair. A RAM role can be used only after the role is assumed by a trusted entity. After a RAM role is assumed by a trusted entity, the trusted entity can obtain a Security Token Service (STS) token. Then, the trusted entity can use the STS token to access Alibaba Cloud resources as the RAM role. For more information about how to use a RAM role, see Assume a RAM role.
Action
The Action element is in the `log:${API name}` format. `${API name}` specifies the name of a Simple Log Service API operation. For more information about the API operations provided by Simple Log Service, see List of operations by function.
When you create a policy, separate multiple actions with commas (,). You can use asterisks (*) as wildcard characters. Example: `log:Create*`. `Create*` specifies an API operation name that starts with `Create`, such as `CreateProduct`, `CreateThingModel`, and `CreateProductTopic`.
If you want to grant permissions on the GetCursor or GetCursorTime operation, you must specify `log:GetCursorOrData` for the Action element when you create a policy.
Resource
Resources in Simple Log Service are organized into a hierarchy. Projects are root resources. Logstores, Logtail configurations, and machine groups are parallel sub-resources of projects. Log shipping jobs and consumer groups are sub-resources of Logstores.
| Resource type | ARN |
| --- | --- |
| Project | |
| Project:Logstore | |
| Project:Logstore:Shipper | |
| Project:Config | |
| Project:MachineGroup | |
| Project:ConsumerGroup | |
| Project:SavedSearch | |
| Project:Dashboard | |
| Project:Alarm | |
| All types of resources | |
Parameters
| Parameter | Description |
| --- | --- |
| | The name of a region. |
| | The ID of an Alibaba Cloud account. |
| | The name of a project. |
| | The name of a Logstore. |
| | The name of a Logtail configuration. |
| | The name of a machine group. |
| | The name of a log shipping job. |
| | The name of a consumer group. |
| | The name of a saved search. |
| | The name of a dashboard. |
| | The name of an alert rule. |
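The following Python script is an added example, not code from this documentation or from Alibaba Cloud, that shows how the Effect, Action, Resource, and Condition elements described above combine when a request is evaluated: an `Action` pattern such as `log:Create*` is matched with `*` as a wildcard, `GetCursor` and `GetCursorTime` are authorized through `log:GetCursorOrData`, a `Resource` pattern that ends in `/*` covers the sub-resources beneath a project, and an explicit Deny overrides any Allow. The policy document, the ARN layout used in it, the `acs:SourceIp` condition key, the account ID, and the operation names in the demo requests other than `log:Create*`, `log:GetCursor`, `log:GetCursorTime`, and `log:GetCursorOrData` are constructed for this example and are not taken from the page; the evaluator is a teaching model of the rules stated here, not the RAM engine.

```python
"""Toy evaluator for RAM-style policy documents (illustrative model, not Alibaba Cloud's engine)."""
import ipaddress
import re

# Constructed example ARNs. The ARN layout is an assumption made for this example.
ACCOUNT = "123456789012"
PROJECT = f"acs:log:cn-hangzhou:{ACCOUNT}:project/example-project"

# Constructed example policy in the Effect/Action/Resource/Condition shape the page describes.
POLICY = {
    "Version": "1",
    "Statement": [
        {
            # Allow every Create* operation, plus cursor reads, on one project and
            # everything beneath it, but only from the 10.0.0.0/8 network.
            "Effect": "Allow",
            "Action": ["log:Create*", "log:GetCursorOrData"],
            "Resource": [PROJECT, PROJECT + "/*"],
            "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}},
        },
        {
            # An explicit Deny always wins, so nothing may be created under the
            # "audit" Logstore even though the Allow statement above also matches.
            "Effect": "Deny",
            "Action": "log:Create*",
            "Resource": PROJECT + "/logstore/audit/*",
        },
    ],
}

# Rule stated on the page: GetCursor and GetCursorTime are granted via log:GetCursorOrData.
_ACTION_ALIASES = {
    "log:GetCursor": "log:GetCursorOrData",
    "log:GetCursorTime": "log:GetCursorOrData",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def normalize_action(action):
    """Return the Action value a policy must contain for the requested API operation."""
    return _ACTION_ALIASES.get(action, action)


def _wildcard_match(pattern, value):
    """Match with '*' as the only wildcard; it spans any characters, '/' included."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _condition_holds(condition, context):
    """Evaluate the IpAddress operator against the request context; no Condition means it holds."""
    for operator, keys in (condition or {}).items():
        if operator != "IpAddress":
            raise ValueError(f"unsupported condition operator in this toy model: {operator}")
        for key, networks in keys.items():
            source = context.get(key)
            if source is None:
                return False  # condition key absent from the request: the statement does not apply
            ip = ipaddress.ip_address(source)
            if not any(ip in ipaddress.ip_network(n, strict=False) for n in _as_list(networks)):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one request."""
    action = normalize_action(action)
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny short-circuits every matching Allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    # Operation names below (other than GetCursor) are constructed for the demo.
    inside, outside = {"acs:SourceIp": "10.1.2.3"}, {"acs:SourceIp": "203.0.113.5"}
    print(evaluate(POLICY, "log:CreateConfig", PROJECT + "/config/app", inside))
    print(evaluate(POLICY, "log:GetCursor", PROJECT + "/logstore/web", inside))
    print(evaluate(POLICY, "log:GetCursor", PROJECT + "/logstore/web", outside))
    print(evaluate(POLICY, "log:CreateShipper", PROJECT + "/logstore/audit/shipper/oss", inside))
```

Running the script prints Allow, Allow, ImplicitDeny, and Deny in that order: the first two requests match the Allow statement (the second only because `log:GetCursor` is normalized to `log:GetCursorOrData`), the third fails the source-IP condition and falls through to the implicit deny, and the fourth is explicitly denied despite also matching the Allow. The same evaluator makes it easy to see why a policy that lists only the project ARN, without the `/*` pattern, would not cover Logstores, configurations, or machine groups beneath it.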