
Web Application Firewall: RAM authorization

Last Updated: Nov 15, 2024
Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.
This topic describes the elements, such as Action, Resource, and Condition, that WAFV3 defines. You can use these elements to create policies in RAM. The code (RamCode) that identifies WAFV3 in RAM is [{"popCode":"waf-openapi","ramCodes":["yundun-waf"]}]. You can grant permissions on WAFV3 at the RESOURCE level.

General structure of a policy

Policies can be stored as JSON files. The following code shows the general structure of a policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}
The following list describes the fields in the policy:
  • Effect: specifies the authorization effect. Valid values: Allow, Deny.
  • Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
  • Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
  • Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
    • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
    • Condition_key: specifies the condition keys.
    • Condition_value: specifies the condition values.

Action

WAFV3 defines the values that you can use in the Action element of a policy statement. The following table describes the values.
  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • API operation: the API operation that you can call to perform the operation.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
| Actions | API operation | Access level | Resource type | Condition key | Associated operation |
|---|---|---|---|---|---|
| yundun-waf:ModifyDefenseTemplate | ModifyDefenseTemplate | Write | All Resources (*) | None | None |
| yundun-waf:ModifyMajorProtectionBlackIp | ModifyMajorProtectionBlackIp | Write | All Resources (*) | None | None |
| yundun-waf:DescribeResponseCodeTrendGraph | DescribeResponseCodeTrendGraph | get | All Resources (*) | None | None |
| yundun-waf:DescribeUserEventType | DescribeUserEventType | get | All Resources (*) | None | None |
| yundun-waf:DescribeVisitTopIp | DescribeVisitTopIp | get | All Resources (*) | None | None |
| yundun-waf:ModifyDomainPunishStatus | ModifyDomainPunishStatus | Write | All Resources (*) | None | None |
| yundun-waf:DescribeDDoSStatus | DescribeDDoSStatus | get | All Resources (*) | None | None |
| yundun-waf:CreateMemberAccounts | CreateMemberAccounts | create | All Resources (*) | None | None |
| yundun-waf:ModifyDefenseResourceGroup | ModifyDefenseResourceGroup | Write | All Resources (*) | None | None |
| yundun-waf:DeleteApisecAbnormals | DeleteApisecAbnormals | delete | All Resources (*) | None | None |
| yundun-waf:DescribeApisecStatistics | DescribeApisecStatistics | get | All Resources (*) | None | None |
| yundun-waf:DescribeCertDetail | DescribeCertDetail | get | All Resources (*) | None | None |
| yundun-waf:DescribeApisecEventDomainStatistic | DescribeApisecEventDomainStatistic | get | All Resources (*) | None | None |
| yundun-waf:DescribeRuleHitsTopTuleType | DescribeRuleHitsTopTuleType | get | All Resources (*) | None | None |
| yundun-waf:DescribeFreeUserAssetCount | DescribeFreeUserAssetCount | get | All Resources (*) | None | None |
| yundun-waf:DescribeApisecAbnormals | DescribeApisecAbnormals | get | All Resources (*) | None | None |
| yundun-waf:CopyDefenseTemplate | CopyDefenseTemplate | create | All Resources (*) | None | None |
| yundun-waf:ModifyResourceLogStatus | ModifyResourceLogStatus | update | All Resources (*) | None | None |
| yundun-waf:DescribeCloudResources | DescribeCloudResources | list | All Resources (*) | None | None |
| yundun-waf:DescribeFreeUserEvents | DescribeFreeUserEvents | get | All Resources (*) | None | None |
| yundun-waf:DeleteDefenseResourceGroup | DeleteDefenseResourceGroup | delete | All Resources (*) | None | None |
| yundun-waf:ModifyDefenseRuleCache | ModifyDefenseRuleCache | update | All Resources (*) | None | None |
| yundun-waf:DescribeApisecAssetTrend | DescribeApisecAssetTrend | get | All Resources (*) | None | None |
| yundun-waf:DescribeRuleHitsTopRuleId | DescribeRuleHitsTopRuleId | get | All Resources (*) | None | None |
| yundun-waf:CreateDomain | CreateDomain | create | All Resources (*) | None | None |
| yundun-waf:DescribeDomainDNSRecord | DescribeDomainDNSRecord | get | All Resources (*) | None | None |
| yundun-waf:DescribeApisecRules | DescribeApisecRules | get | All Resources (*) | None | None |
| yundun-waf:DescribeApisecApiResources | DescribeApisecApiResources | get | All Resources (*) | None | None |
| yundun-waf:DescribeInstance | DescribeInstance | get | All Resources (*) | None | None |
| yundun-waf:DescribeCloudResourceAccessPortDetails | DescribeCloudResourceAccessPortDetails | get | All Resources (*) | None | None |
| yundun-waf:DescribeApisecProtectionResources | DescribeApisecProtectionResources | list | All Resources (*) | None | None |
| yundun-waf:CreateCloudResource | CreateCloudResource | create | All Resources (*) | None | None |
| yundun-waf:CreateDefenseResourceGroup | CreateDefenseResourceGroup | Write | All Resources (*) | None | None |
| yundun-waf:ModifyMemberAccount | ModifyMemberAccount | update | All Resources (*) | None | None |
| yundun-waf:ModifyTemplateResources | ModifyTemplateResources | | All Resources (*) | None | None |
| yundun-waf:DescribeResourceInstanceCerts | DescribeResourceInstanceCerts | get | All Resources (*) | None | None |
| yundun-waf:DescribeFreeUserEventTypes | DescribeFreeUserEventTypes | get | All Resources (*) | None | None |
| yundun-waf:DescribeSensitiveOutboundDistribution | DescribeSensitiveOutboundDistribution | get | All Resources (*) | None | None |
| yundun-waf:DescribeFreeUserEventCount | DescribeFreeUserEventCount | get | All Resources (*) | None | None |
| yundun-waf:DescribeFlowChart | DescribeFlowChart | get | All Resources (*) | None | None |
| yundun-waf:DescribePauseProtectionStatus | DescribePauseProtectionStatus | get | All Resources (*) | None | None |
| yundun-waf:DescribeTemplateResourceCount | DescribeTemplateResourceCount | list | All Resources (*) | None | None |
| yundun-waf:ModifyDefenseTemplateStatus | ModifyDefenseTemplateStatus | Write | All Resources (*) | None | None |
| yundun-waf:DescribeDefenseRule | DescribeDefenseRule | get | All Resources (*) | None | None |
| yundun-waf:DescribeUserApiRequest | DescribeUserApiRequest | get | All Resources (*) | None | None |
| yundun-waf:DescribeDefenseResources | DescribeDefenseResources | list | All Resources (*) | None | None |
| yundun-waf:DescribeDefenseTemplate | DescribeDefenseTemplate | get | All Resources (*) | None | None |
| yundun-waf:ModifyHybridCloudGroupShrinkServer | ModifyHybridCloudGroupShrinkServer | update | All Resources (*) | None | None |
| yundun-waf:DescribeMajorProtectionBlackIps | DescribeMajorProtectionBlackIps | get | All Resources (*) | None | None |
| yundun-waf:DescribeApisecSensitiveDomainStatistic | DescribeApisecSensitiveDomainStatistic | get | All Resources (*) | None | None |
| yundun-waf:ListTagResources | ListTagResources | get | All Resources (*) | None | None |
| yundun-waf:DescribeResourceSupportRegions | DescribeResourceSupportRegions | get | All Resources (*) | None | None |
| yundun-waf:DescribeUserWafLogStatus | DescribeUserWafLogStatus | get | All Resources (*) | None | None |
| yundun-waf:DescribeUserEventTrend | DescribeUserEventTrend | get | All Resources (*) | None | None |
| yundun-waf:DescribeMemberAccounts | DescribeMemberAccounts | list | All Resources (*) | None | None |
| yundun-waf:DescribeRuleHitsTopResource | DescribeRuleHitsTopResource | get | All Resources (*) | None | None |
| yundun-waf:ModifyDefenseRule | ModifyDefenseRule | update | All Resources (*) | None | None |
| yundun-waf:DescribeHybridCloudResources | DescribeHybridCloudResources | get | All Resources (*) | None | None |
| yundun-waf:ModifyDomain | ModifyDomain | update | All Resources (*) | None | None |
| yundun-waf:ModifyHybridCloudSdkPullinStatus | ModifyHybridCloudSdkPullinStatus | update | All Resources (*) | None | None |
| yundun-waf:DescribeHybridCloudServerRegions | DescribeHybridCloudServerRegions | get | All Resources (*) | None | None |
| yundun-waf:DescribeRuleHitsTopClientIp | DescribeRuleHitsTopClientIp | get | All Resources (*) | None | None |
| yundun-waf:ModifyApisecApiResource | ModifyApisecApiResource | update | All Resources (*) | None | None |
| yundun-waf:ListTagValues | ListTagValues | get | All Resources (*) | None | None |
| yundun-waf:DescribeSlsLogStoreStatus | DescribeSlsLogStoreStatus | get | All Resources (*) | None | None |
| yundun-waf:DescribeApisecLogDeliveries | DescribeApisecLogDeliveries | get | All Resources (*) | None | None |
| yundun-waf:DeleteApisecEvents | DeleteApisecEvents | delete | All Resources (*) | None | None |
| yundun-waf:DescribeDomains | DescribeDomains | get | All Resources (*) | None | None |
| yundun-waf:ClearMajorProtectionBlackIp | ClearMajorProtectionBlackIp | delete | All Resources (*) | None | None |
| yundun-waf:DescribeSensitiveRequestLog | DescribeSensitiveRequestLog | get | All Resources (*) | None | None |
| yundun-waf:ModifyHybridCloudClusterRule | ModifyHybridCloudClusterRule | update | All Resources (*) | None | None |
| yundun-waf:CreateMajorProtectionBlackIp | CreateMajorProtectionBlackIp | Write | All Resources (*) | None | None |
| yundun-waf:DescribeSlsLogStore | DescribeSlsLogStore | get | All Resources (*) | None | None |
| yundun-waf:DescribeSensitiveRequests | DescribeSensitiveRequests | list | All Resources (*) | None | None |
| yundun-waf:SyncProductInstance | SyncProductInstance | Write | All Resources (*) | None | None |
| yundun-waf:DescribeApisecProtectionGroups | DescribeApisecProtectionGroups | list | All Resources (*) | None | None |
| yundun-waf:UntagResources | UntagResources | delete | All Resources (*) | None | None |
| yundun-waf:DescribeDefenseResourceGroup | DescribeDefenseResourceGroup | get | All Resources (*) | None | None |
| yundun-waf:ModifyApisecModuleStatus | ModifyApisecModuleStatus | update | All Resources (*) | None | None |
| yundun-waf:DescribeApisecAbnormalDomainStatistic | DescribeApisecAbnormalDomainStatistic | get | All Resources (*) | None | None |
| yundun-waf:CreateSM2Cert | CreateSM2Cert | create | All Resources (*) | None | None |
| yundun-waf:DescribeCnameCount | DescribeCnameCount | get | All Resources (*) | None | None |
| yundun-waf:DescribeSensitiveOutboundTrend | DescribeSensitiveOutboundTrend | get | All Resources (*) | None | None |
| yundun-waf:DescribeUserAbnormalType | DescribeUserAbnormalType | get | All Resources (*) | None | None |
| yundun-waf:CreateDefenseTemplate | CreateDefenseTemplate | Write | All Resources (*) | None | None |
| yundun-waf:DescribeResourceLogStatus | DescribeResourceLogStatus | get | All Resources (*) | None | None |
| yundun-waf:DescribeSensitiveDetectionResult | DescribeSensitiveDetectionResult | get | All Resources (*) | None | None |
| yundun-waf:DescribeDefaultHttps | DescribeDefaultHttps | get | All Resources (*) | None | None |
| yundun-waf:DescribeWafSourceIpSegment | DescribeWafSourceIpSegment | get | All Resources (*) | None | None |
| yundun-waf:CreateHybridCloudGroup | CreateHybridCloudGroup | create | All Resources (*) | None | None |
| yundun-waf:ModifyHybridCloudGroupExpansionServer | ModifyHybridCloudGroupExpansionServer | update | All Resources (*) | None | None |
| yundun-waf:DescribeRuleGroups | DescribeRuleGroups | get | All Resources (*) | None | None |
| yundun-waf:TagResources | TagResources | create | All Resources (*) | None | None |
| yundun-waf:DescribeApisecSlsLogStores | DescribeApisecSlsLogStores | get | All Resources (*) | None | None |
| yundun-waf:DescribeProductInstances | DescribeProductInstances | get | All Resources (*) | None | None |
| yundun-waf:DescribeHybridCloudGroups | DescribeHybridCloudGroups | list | All Resources (*) | None | None |
| yundun-waf:DescribeFlowTopResource | DescribeFlowTopResource | get | All Resources (*) | None | None |
| yundun-waf:DescribeDefenseResourceGroups | DescribeDefenseResourceGroups | list | All Resources (*) | None | None |
| yundun-waf:DeleteMemberAccount | DeleteMemberAccount | delete | All Resources (*) | None | None |
| yundun-waf:CreatePostpaidInstance | CreatePostpaidInstance | Write | All Resources (*) | None | None |
| yundun-waf:DescribeTemplateResources | DescribeTemplateResources | list | All Resources (*) | None | None |
| yundun-waf:DeleteDefenseRule | DeleteDefenseRule | | All Resources (*) | None | None |
| yundun-waf:DescribeCerts | DescribeCerts | get | All Resources (*) | None | None |
| yundun-waf:DescribeApisecMatchedHosts | DescribeApisecMatchedHosts | get | All Resources (*) | None | None |
| yundun-waf:ModifyPauseProtectionStatus | ModifyPauseProtectionStatus | update | All Resources (*) | None | None |
| yundun-waf:ModifyHybridCloudClusterBypassStatus | ModifyHybridCloudClusterBypassStatus | update | All Resources (*) | None | None |
| yundun-waf:CreateApiExport | CreateApiExport | create | All Resources (*) | None | None |
| yundun-waf:DescribeHybridCloudClusters | DescribeHybridCloudClusters | get | All Resources (*) | None | None |
| yundun-waf:ModifyCloudResource | ModifyCloudResource | update | All Resources (*) | None | None |
| yundun-waf:ModifyApisecEvents | ModifyApisecEvents | update | All Resources (*) | None | None |
| yundun-waf:DescribeUserAsset | DescribeUserAsset | get | All Resources (*) | None | None |
| yundun-waf:DescribeApisecSlsProjects | DescribeApisecSlsProjects | get | All Resources (*) | None | None |
| yundun-waf:DescribeUserSlsLogRegions | DescribeUserSlsLogRegions | get | All Resources (*) | None | None |
| yundun-waf:DescribeDefenseResourceNames | DescribeDefenseResourceNames | list | All Resources (*) | None | None |
| yundun-waf:DescribeSensitiveOutboundStatistic | DescribeSensitiveOutboundStatistic | get | All Resources (*) | None | None |
| yundun-waf:DescribeVisitUas | DescribeVisitUas | get | All Resources (*) | None | None |
| yundun-waf:ModifyDefenseResourceXff | ModifyDefenseResourceXff | | All Resources (*) | None | None |
| yundun-waf:DescribeUserAbnormalTrend | DescribeUserAbnormalTrend | get | All Resources (*) | None | None |
| yundun-waf:ChangeResourceGroup | ChangeResourceGroup | update | All Resources (*) | None | None |
| yundun-waf:DeleteMajorProtectionBlackIp | DeleteMajorProtectionBlackIp | Write | All Resources (*) | None | None |
| yundun-waf:DescribeDefenseResource | DescribeDefenseResource | get | All Resources (*) | None | None |
| yundun-waf:CreateDefenseRule | CreateDefenseRule | create | All Resources (*) | None | None |
| yundun-waf:ModifyApisecLogDelivery | ModifyApisecLogDelivery | update | All Resources (*) | None | None |
| yundun-waf:DescribePeakTrend | DescribePeakTrend | get | All Resources (*) | None | None |
| yundun-waf:DeleteDomain | DeleteDomain | delete | All Resources (*) | None | None |
| yundun-waf:DescribeRuleHitsTopUrl | DescribeRuleHitsTopUrl | get | All Resources (*) | None | None |
| yundun-waf:ModifyHybridCloudServer | ModifyHybridCloudServer | update | All Resources (*) | None | None |
| yundun-waf:DescribeApiExports | DescribeApiExports | get | All Resources (*) | None | None |
| yundun-waf:DescribeHybridCloudUnassignedMachines | DescribeHybridCloudUnassignedMachines | get | All Resources (*) | None | None |
| yundun-waf:ModifyDefenseRuleStatus | ModifyDefenseRuleStatus | | All Resources (*) | None | None |
| yundun-waf:ReleaseInstance | ReleaseInstance | delete | All Resources (*) | None | None |
| yundun-waf:DescribeSlsAuthStatus | DescribeSlsAuthStatus | get | All Resources (*) | None | None |
| yundun-waf:DeleteDefenseTemplate | DeleteDefenseTemplate | Write | All Resources (*) | None | None |
| yundun-waf:DescribeDefenseResourceTemplates | DescribeDefenseResourceTemplates | list | All Resources (*) | None | None |
| yundun-waf:DescribeDefenseRules | DescribeDefenseRules | list | All Resources (*) | None | None |
| yundun-waf:DescribeDefenseTemplates | DescribeDefenseTemplates | list | All Resources (*) | None | None |
| yundun-waf:DescribePunishedDomains | DescribePunishedDomains | get | All Resources (*) | None | None |
| yundun-waf:DescribeDefenseTemplateValidGroups | DescribeDefenseTemplateValidGroups | list | All Resources (*) | None | None |
| yundun-waf:DescribeApisecEvents | DescribeApisecEvents | get | All Resources (*) | None | None |
| yundun-waf:ModifyDefaultHttps | ModifyDefaultHttps | update | All Resources (*) | None | None |
| yundun-waf:DescribeResourceRegionId | DescribeResourceRegionId | list | All Resources (*) | None | None |
| yundun-waf:DescribeDefenseResourceGroupNames | DescribeDefenseResourceGroupNames | list | All Resources (*) | None | None |
| yundun-waf:DescribeRuleHitsTopUa | DescribeRuleHitsTopUa | get | All Resources (*) | None | None |
| yundun-waf:DescribeSensitiveApiStatistic | DescribeSensitiveApiStatistic | get | All Resources (*) | None | None |
| yundun-waf:ModifyApisecStatus | ModifyApisecStatus | update | All Resources (*) | None | None |
| yundun-waf:DescribeResourcePort | DescribeResourcePort | get | All Resources (*) | None | None |
| yundun-waf:ModifyApisecAbnormals | ModifyApisecAbnormals | update | All Resources (*) | None | None |
| yundun-waf:DescribeFlowTopUrl | DescribeFlowTopUrl | get | All Resources (*) | None | None |
| yundun-waf:DescribeHybridCloudUser | DescribeHybridCloudUser | get | All Resources (*) | None | None |
| yundun-waf:DescribeHybridCloudClusterRule | DescribeHybridCloudClusterRule | get | All Resources (*) | None | None |
| yundun-waf:DescribeCloudResourceAccessedPorts | DescribeCloudResourceAccessedPorts | get | All Resources (*) | None | None |
| yundun-waf:DescribeDomainDetail | DescribeDomainDetail | get | All Resources (*) | None | None |
| yundun-waf:DescribeApisecUserOperations | DescribeApisecUserOperations | get | All Resources (*) | None | None |
| yundun-waf:DescribeApisecSuggestions | DescribeApisecSuggestions | get | All Resources (*) | None | None |
| yundun-waf:DescribeAccountDelegatedStatus | DescribeAccountDelegatedStatus | get | All Resources (*) | None | None |
| yundun-waf:DeleteCloudResource | DeleteCloudResource | delete | All Resources (*) | None | None |
| yundun-waf:DescribeSensitiveStatistic | DescribeSensitiveStatistic | get | All Resources (*) | None | None |
| yundun-waf:ModifyApisecLogDeliveryStatus | ModifyApisecLogDeliveryStatus | update | All Resources (*) | None | None |
| yundun-waf:ListTagKeys | ListTagKeys | list | All Resources (*) | None | None |
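
One way to check a custom policy against the access levels in the Action table before attaching it (an added example, not Alibaba Cloud code): the script lists every operation a policy can grant whose level is not read-only. The action subset, the three sample policies, and the simplified wildcard and Deny handling are assumptions made for the illustration.

```python
from fnmatch import fnmatchcase

# Constructed subset of the Action table above: operation -> access level as
# printed there ("" where the page leaves the level blank).
WAF_ACTIONS = {
    "yundun-waf:DescribeDomains": "get",
    "yundun-waf:DescribeDefenseRules": "list",
    "yundun-waf:DescribePauseProtectionStatus": "get",
    "yundun-waf:ModifyPauseProtectionStatus": "update",
    "yundun-waf:ModifyDefenseRuleStatus": "",
    "yundun-waf:CreateDefenseRule": "create",
    "yundun-waf:DeleteDefenseRule": "",
    "yundun-waf:DeleteDomain": "delete",
    "yundun-waf:ReleaseInstance": "delete",
}
READ_LEVELS = {"get", "list", "read"}

def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def _matches(stmt, action):
    # Assumption: "*" wildcards in Action are modelled as case-sensitive globs.
    return any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action")))

def effective_actions(policy):
    """Table actions matched by an Allow and not blocked by a certain Deny."""
    stmts = policy.get("Statement", [])
    allowed = {a for a in WAF_ACTIONS
               if any(s.get("Effect") == "Allow" and _matches(s, a) for s in stmts)}
    # Count a Deny only when it is unconditional and covers all resources;
    # anything narrower might not apply to a given request.
    denied = {a for a in WAF_ACTIONS
              if any(s.get("Effect") == "Deny" and _matches(s, a)
                     and not s.get("Condition")
                     and "*" in _as_list(s.get("Resource")) for s in stmts)}
    return allowed - denied

def audit(policy):
    """Granted actions whose level is not read-only (blank counts as not read-only)."""
    return sorted(a for a in effective_actions(policy)
                  if WAF_ACTIONS[a].lower() not in READ_LEVELS)

# Constructed sample policies in the page's general structure.
BROAD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "yundun-waf:*", "Resource": "*"}]}
READ_ONLY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["yundun-waf:Describe*", "yundun-waf:List*"],
     "Resource": "*"}]}
OPERATOR = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "yundun-waf:*", "Resource": "*"},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["yundun-waf:Delete*", "yundun-waf:ReleaseInstance",
                "yundun-waf:ModifyPauseProtectionStatus"]}]}

if __name__ == "__main__":
    for name, pol in (("BROAD", BROAD), ("READ_ONLY", READ_ONLY), ("OPERATOR", OPERATOR)):
        print(name, audit(pol))
```

An empty result means the policy grants only get and list operations from the subset; any other output is the list of state-changing operations to justify or remove before the policy is attached.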

Resource

WAFV3 defines the values that you can use in the Resource element. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:
  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
  • An asterisk (*) is used as a wildcard. Examples:
    • If {#resourceType} is set to *, all resources are specified.
    • If {#regionId} is set to *, all regions are specified.
    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.
| Resource type | ARN |
|---|---|
| Domain | acs:yundun-waf:{#regionId}:{#accountId}:domain/{#Domain} |
| Instance | acs:yundun-waf::{#accountId}:instance/{#InstanceId} |
| DefenseResource | acs:yundun-waf:{#regionId}:{#accountId}:instance/{InstanceId}/defenseresource/{#Resource} |
| Instance | acs:yundun-waf:{#regionId}:{#accountId}:instance/{#InstanceId} |
| HybridCloudGroup | acs:yundun-waf:{#regionId}:{#accountId}:hybridcloudgroup/* |
| Instance | acs:yundun-waf:{#regionId}:{#accountId}:Instance/* |
| HybridCloudCluster | acs:yundun-waf:{#regionId}:{#accountId}:hybridcloudcluster/{#HybridCloudClusterId} |

Condition

WAFV3 does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Generic Condition Keyword.

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: