A RAM user can query and analyze logs in Web Application Firewall (WAF) only after it is granted the required permissions by using an Alibaba Cloud account.

Background information

The following table describes the types of operations and the accounts that are required to perform each operation.

Operation: Activate Log Service. You need only to perform this operation once.
  Required account: Alibaba Cloud accounts

Operation: Authorize WAF to write log data to the dedicated Logstore in Log Service in real time. You need only to perform this operation once.
  Required account:
  • Alibaba Cloud accounts
  • RAM users that have the AliyunLogFullAccess permission
  • RAM users that have specific permissions

Operation: Query and analyze logs.
  Required account:
  • Alibaba Cloud accounts
  • RAM users that have the AliyunLogFullAccess permission
  • RAM users that have specific permissions
You can grant permissions to RAM users based on your business requirements. The following table describes the scenarios, the permissions, and the procedures.

Scenario: Grant all the operation permissions on Log Service to RAM users.
  Permission: AliyunLogFullAccess
  Procedure: For more information, see Grant permissions to the RAM user.

Scenario: Grant the permissions to view logs to RAM users after you use your Alibaba Cloud account to enable Log Service for WAF and authorize WAF to access the required cloud resources.
  Permission: AliyunLogReadOnlyAccess
  Procedure: For more information, see Grant permissions to the RAM user.

Scenario: Grant only the permissions to enable and use Log Service for WAF to RAM users. The RAM users are not granted other management permissions on Log Service.
  Permission: Permissions that are defined in a custom policy
  Procedure: For more information about how to create a custom policy, see the following procedure.

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. Enter the following policy content and click Next: Edit Basic Information.
    Important: Replace ${Project} and ${Logstore} in the following policy content with the names of the Log Service project and Logstore that are dedicated to WAF.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "log:GetProject",
          "Resource": "acs:log:*:*:project/${Project}",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateProject",
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:ListLogStores",
          "Resource": "acs:log:*:*:project/${Project}/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateLogStore",
          "Resource": "acs:log:*:*:project/${Project}/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:GetIndex",
          "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateIndex",
          "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
          "Effect": "Allow"
        },
        {
          "Action": "log:UpdateIndex",
          "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateDashboard",
          "Resource": "acs:log:*:*:project/${Project}/dashboard/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:UpdateDashboard",
          "Resource": "acs:log:*:*:project/${Project}/dashboard/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateSavedSearch",
          "Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:UpdateSavedSearch",
          "Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
          "Effect": "Allow"
        }
      ]
    }
  6. Specify the Name and Description fields.
  7. Click OK.
  8. In the left-side navigation pane, choose Identities > Users. On the page that appears, find the RAM user that you want to authorize and click Add Permissions in the Actions column.
  9. In the Add Permissions panel, select the custom policy that you created, and click OK.
    After the RAM user is authorized, the RAM user can enable and use Log Service for WAF. However, the RAM user cannot use other features of Log Service.
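As an added example that is not part of this page or of Alibaba Cloud's own tooling, the following Python script renders the custom policy from step 5 for a given dedicated project and Logstore, rejects an unedited `${Project}` or `${Logstore}` placeholder (the Important note in step 5), and lists which statements still carry a wildcard resource so a reviewer can see how far beyond the single WAF Logstore the grant reaches. The name pattern is an assumption for illustration, not a documented Log Service naming rule.

```python
import json
import re
from string import Template

# The page's custom policy as (action, resource) pairs; ${Project} and ${Logstore} are the placeholders to replace.
STATEMENTS = [
    ("log:GetProject",        "acs:log:*:*:project/${Project}"),
    ("log:CreateProject",     "acs:log:*:*:project/*"),
    ("log:ListLogStores",     "acs:log:*:*:project/${Project}/logstore/*"),
    ("log:CreateLogStore",    "acs:log:*:*:project/${Project}/logstore/*"),
    ("log:GetIndex",          "acs:log:*:*:project/${Project}/logstore/${Logstore}"),
    ("log:CreateIndex",       "acs:log:*:*:project/${Project}/logstore/${Logstore}"),
    ("log:UpdateIndex",       "acs:log:*:*:project/${Project}/logstore/${Logstore}"),
    ("log:CreateDashboard",   "acs:log:*:*:project/${Project}/dashboard/*"),
    ("log:UpdateDashboard",   "acs:log:*:*:project/${Project}/dashboard/*"),
    ("log:CreateSavedSearch", "acs:log:*:*:project/${Project}/savedsearch/*"),
    ("log:UpdateSavedSearch", "acs:log:*:*:project/${Project}/savedsearch/*"),
]
# Conservative name check (an assumption, not a documented Log Service rule): lowercase
# letters, digits and hyphens only, so an unedited "${Project}" is rejected outright.
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,62}$")
PLACEHOLDER_RE = re.compile(r"\$\{[A-Za-z_]+\}")


def template_policy() -> dict:
    """The policy exactly as printed on the page, placeholders still unreplaced."""
    return {"Version": "1", "Statement": [
        {"Action": a, "Resource": r, "Effect": "Allow"} for a, r in STATEMENTS]}


def render_policy(project: str, logstore: str) -> dict:
    """Fill in the dedicated WAF project and Logstore names and return the policy."""
    for label, value in (("project", project), ("logstore", logstore)):
        if not NAME_RE.match(value):
            raise ValueError(f"invalid {label} name: {value!r}")
    policy = template_policy()
    for stmt in policy["Statement"]:
        stmt["Resource"] = Template(stmt["Resource"]).substitute(
            Project=project, Logstore=logstore)
    return policy


def unresolved_placeholders(policy: dict) -> list:
    """List any ${...} left in the policy, e.g. when the JSON was pasted unedited."""
    return sorted(set(PLACEHOLDER_RE.findall(json.dumps(policy))))


def broad_resources(policy: dict) -> list:
    """(action, resource) pairs whose path ends in a wildcard; region/account '*' are ignored."""
    return [(s["Action"], s["Resource"]) for s in policy["Statement"]
            if s["Resource"].split(":", 4)[-1].endswith("/*")]  # drop "acs:log:<region>:<account>:"
```

Running `broad_resources` on the rendered policy shows that `log:CreateProject` on `project/*` and the Logstore, dashboard and saved-search creation grants are the statements not confined to the dedicated Logstore.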