If you want to enable the Log Service, asset discovery, and transparent proxy mode features for Web Application Firewall (WAF), you must authorize WAF to access cloud resources when you log on to the WAF console for the first time. This topic describes how to authorize WAF to access cloud resources.
Introduction to service-linked roles
The following section describes the AliyunServiceRoleForWAF service-linked role:
- Role name: AliyunServiceRoleForWAF
- Policy name: AliyunServiceRolePolicyForWAF
  Note: This is a system policy. You cannot modify the name or content of this policy.
- Policy:
  {
    "Version": "1",
    "Statement": [
      {
        "Action": [
          "ecs:DescribeInstances",
          "ecs:DescribeNetworkInterfaces",
          "ecs:CreateNetworkInterface",
          "ecs:DeleteNetworkInterface",
          "ecs:AttachNetworkInterface",
          "ecs:DetachNetworkInterface",
          "ecs:DescribeNetworkInterfacePermissions",
          "ecs:CreateNetworkInterfacePermission",
          "ecs:DeleteNetworkInterfacePermission",
          "ecs:DescribeSecurityGroups",
          "ecs:DescribeSecurityGroupAttribute",
          "ecs:CreateSecurityGroup",
          "ecs:DeleteSecurityGroup",
          "ecs:AuthorizeSecurityGroup",
          "ecs:RevokeSecurityGroup",
          "ecs:DescribeDisks"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": [
          "slb:DescribeServerCertificates",
          "slb:DescribeDomainExtensions",
          "slb:DescribeLoadBalancers",
          "slb:DescribeListenerAccessControlAttribute",
          "slb:DescribeLoadBalancerAttribute",
          "slb:DescribeLoadBalancerHTTPListenerAttribute",
          "slb:DescribeLoadBalancerHTTPSListenerAttribute",
          "slb:DescribeLoadBalancerTCPListenerAttribute",
          "slb:DescribeLoadBalancerUDPListenerAttribute",
          "slb:DescribeTLSCipherPolicies",
          "slb:ListTLSCipherPolicies",
          "slb:DescribeLoadBalancers"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": [
          "alb:ListLoadBalancers",
          "alb:GetLoadBalancerAttribute",
          "alb:ListListeners",
          "alb:GetListenerAttribute",
          "alb:ListListenerCertificates",
          "alb:DescribeRegions",
          "alb:ListSystemSecurityPolicies",
          "alb:ListSecurityPolicies"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": [
          "vpc:DescribeEipAddresses"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": [
          "cdn:DescribeUserDomains",
          "cdn:DescribeCdnDomainDetail",
          "cdn:DescribeDomainsBySource",
          "cdn:DescribeUserVipsByDomain"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": [
          "yundun-cert:DescribeUserCertificateList"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": [
          "log:PostLogStoreLogs",
          "log:GetProject",
          "log:ListProject",
          "log:GetLogStore",
          "log:ListLogStores",
          "log:CreateLogStore",
          "log:CreateProject",
          "log:GetIndex",
          "log:CreateIndex",
          "log:UpdateIndex",
          "log:CreateDashboard",
          "log:ClearLogStoreStorage",
          "log:UpdateLogStore",
          "log:UpdateDashboard",
          "log:DeleteProject",
          "log:CreateSavedSearch",
          "log:UpdateSavedSearch",
          "log:DeleteLogStore"
        ],
        "Resource": "acs:log:*:*:project/waf*",
        "Effect": "Allow"
      },
      {
        "Action": "ram:DeleteServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "ram:ServiceName": "waf.aliyuncs.com"
          }
        }
      }
    ]
  }
For more information about the policy syntax, see Policy elements.
Prerequisites
- A WAF instance is purchased.
- An Alibaba Cloud account or a RAM user that has permissions to create and delete service-linked roles is used.
Create the AliyunServiceRoleForWAF role
By enabling Log Service
You can create the AliyunServiceRoleForWAF role by enabling Log Service only when your website has been added to WAF and Log Service has been enabled for WAF. For more information about how to add a website to WAF, see Add a website to WAF. For more information about how to enable Log Service for WAF, see Get started with the Log Service for WAF feature.
- Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
- In the left-side navigation pane, choose .
- Click Authorize Now. In the Tips message, click OK.
By enabling Asset Discovery
You can create the AliyunServiceRoleForWAF role by enabling the asset discovery feature only when your WAF instance resides in the Chinese mainland. If your WAF instance resides outside the Chinese mainland, you must create the AliyunServiceRoleForWAF role by enabling Log Service or the transparent proxy mode.
- Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
- In the left-side navigation pane, choose .
- Click Authorized activation. In the Tips message, click OK.
By enabling Transparent Proxy Mode
- Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
- In the left-side navigation pane, choose .
- On the Domain Names tab, click Website Access.
- Set Access Mode to Transparent Proxy Mode. Then, click Authorized activation. In the Tips message, click OK.
Then, Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose in the left-side navigation pane.
Delete the AliyunServiceRoleForWAF role
- Log on to the RAM console.
- In the left-side navigation pane, choose .
- Find the AliyunServiceRoleForWAF service-linked role that you want to delete and click Delete in the Actions column.
- In the message that appears, click OK. RAM checks whether the service-linked role is assumed by a WAF instance:
- If the role is not assumed, the WAF service-linked role is deleted.
- If the role is assumed, the role cannot be deleted. However, you can view the WAF instances that assume the service-linked role. You must release your WAF instance before you can delete the service-linked role.
FAQ
Why is the AliyunServiceRoleForWAF service-linked role not automatically created for my RAM user?
  {
    "Statement": [
      {
        "Action": [
          "ram:CreateServiceLinkedRole"
        ],
        "Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "ram:ServiceName": [
              "waf.aliyuncs.com"
            ]
          }
        }
      }
    ],
    "Version": "1"
  }
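The two policy documents on this page (the system policy attached to AliyunServiceRoleForWAF, and the policy a RAM user needs in order to create that role) both rely on the same three controls: wildcard Action and Resource matching, a StringEquals condition on ram:ServiceName, and the rule that an explicit Deny overrides any Allow. The following script is an added example, not Alibaba Cloud's code or any official RAM tooling; it is a deliberately simplified offline evaluator that lets you check, before touching the console, whether a given policy actually grants a given request. It assumes a placeholder account ID, assumes the role being created is evaluated as the resource acs:ram:*:<account>:role/AliyunServiceRoleForWAF, models only the StringEquals condition operator, and embeds just two statements of AliyunServiceRolePolicyForWAF as an excerpt.

```python
"""Simplified offline evaluator for Alibaba Cloud RAM policy documents.

Added example, not part of Alibaba Cloud's documentation or tooling.
"""
import fnmatch

# Placeholder account ID, not a real one.
ACCOUNT_ID = "123456789012345678"

# Copy of the FAQ policy above, with the placeholder account ID filled in.
CREATE_SLR_POLICY = {
    "Statement": [
        {
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{ACCOUNT_ID}:role/*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": ["waf.aliyuncs.com"]}},
        }
    ],
    "Version": "1",
}

# Excerpt (two statements only) of AliyunServiceRolePolicyForWAF from above,
# chosen because they carry a resource scope and a condition respectively.
WAF_SLR_POLICY_EXCERPT = {
    "Version": "1",
    "Statement": [
        {
            "Action": ["log:GetProject", "log:DeleteProject", "log:DeleteLogStore"],
            "Resource": "acs:log:*:*:project/waf*",
            "Effect": "Allow",
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "waf.aliyuncs.com"}},
        },
    ],
}


def _as_list(value):
    # Action, Resource and condition values may be a string or a list.
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # '*' in a policy string is a wildcard; fnmatchcase keeps case as given.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals is modelled. Any other operator makes the statement
    # not apply, the conservative choice for an offline checker.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, allowed in pairs.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request.

    An explicit Deny beats any Allow; a request that no statement matches
    is implicitly denied, which is how a missing permission shows up.
    """
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are compared case-insensitively (assumption of this model).
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches_any(actions, action.lower()):
            continue
        if not _matches_any(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def can_create_waf_slr(policy, account_id):
    """Would this policy let a RAM user create AliyunServiceRoleForWAF?

    Assumes the request is evaluated against the resource
    acs:ram:*:<account>:role/AliyunServiceRoleForWAF (an assumption here).
    """
    request_resource = f"acs:ram:*:{account_id}:role/AliyunServiceRoleForWAF"
    return evaluate(policy, "ram:CreateServiceLinkedRole", request_resource,
                    {"ram:ServiceName": "waf.aliyuncs.com"}) == "Allow"


if __name__ == "__main__":
    print("RAM user may create the WAF role:", can_create_waf_slr(CREATE_SLR_POLICY, ACCOUNT_ID))
    print("WAF may delete project waf-logs:",
          evaluate(WAF_SLR_POLICY_EXCERPT, "log:DeleteProject", "acs:log:cn-hangzhou:1:project/waf-logs"))
    print("WAF may delete project app-logs:",
          evaluate(WAF_SLR_POLICY_EXCERPT, "log:DeleteProject", "acs:log:cn-hangzhou:1:project/app-logs"))
```

Two points the checker makes visible: the FAQ policy stops working as soon as the account ID in its Resource differs from the account the role is created in, and the Log Service statement of the system policy only reaches projects whose names start with waf, so the role cannot touch a project such as app-logs even though it holds log:DeleteProject.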