This topic describes the AliyunServiceRoleForARMSSecurity service-linked role and the method to delete the role.
Background information
Application Real-Time Monitoring Service (ARMS) provides the AliyunServiceRoleForARMSSecurity service-linked role to obtain the permissions to access other cloud services. For more information about service-linked roles, see Service-linked roles.
Scenarios
When Application Security needs to access the resources of Web Application Firewall (WAF), you can use the AliyunServiceRoleForARMSSecurity service-linked role to obtain access permissions.
Permissions
The AliyunServiceRoleForARMSSecurity service-linked role grants the following permissions to access WAF:
Delete AliyunServiceRoleForARMSSecurity
If you want to delete the AliyunServiceRoleForARMSSecurity service-linked role, you must take note of the consequences. After you delete AliyunServiceRoleForARMSSecurity, you cannot view the console pages that are related to Application Security. If you want to use Application Security, you must grant the permissions again.
To delete AliyunServiceRoleForARMSSecurity, perform the following steps:
If an application that belongs to the current account is connected to Application Security, disconnect and restart the application before you delete the role. Otherwise, the deletion fails. For more information about how to disconnect an application, see Connect an application to Application Security.
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Roles page, enter AliyunServiceRoleForARMSSecurity in the search box to search for the role.
On the Roles page, find the RAM user that you want to delete and click Delete Role in the Actions column.
In the Delete Role dialog box, enter the name of the RAM role and click Delete Role.
If a policy is attached to the RAM role, the policy is detached when you delete the RAM role.
For a RAM role that fails to be deleted, you can click Role Deletion in the upper-right corner of the RAM role list to view the details.
FAQ
Q: Why is the AliyunServiceRoleForARMSSecurity service-linked role not automatically created for my RAM user?
A: The AliyunServiceRoleForARMSSecurity service-linked role can be automatically created or deleted for a RAM user only after you grant the required permissions to the RAM user. If the AliyunServiceRoleForARMSSecurity service-linked role is not automatically created for a RAM user, you must attach a custom policy or the AliyunARMSFullAccess system policy to the RAM user.
A custom policy or the AliyunARMSFullAccess system policy can be used in the following scenarios:
A custom policy can be used to grant RAM users only the permissions to use Application Security in read-only mode.
The AliyunARMSFullAccess system policy can be used to grant RAM users all the permissions required to manage ARMS, including the permissions to use Application Security.
(Optional) Step 1: Create a custom policy
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab. Enter the following script in the policy document.
{ "Statement": [{ "Action": [ "ram:CreateServiceLinkedRole" ], "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": [ "security.arms.aliyuncs.com" ] } } }, { "Action": "arms:CreateSecurityAuth", "Effect": "Allow", "Resource": "*" }], "Version": "1" }
NoteReplace the ID of your Alibaba Cloud account with the actual account ID.
Click Optional advanced optimize in the upper part. In the Optional advanced optimize message, click Perform to optimize the policy.
The system performs the following operations during the advanced optimization:
Split resources or conditions that are incompatible with actions.
Narrow down resources.
Deduplicate or merge policy statements.
On the Create Policy page, click OK.
In the Create Policy dialog box, configure the Name and Description parameters and click OK.
Step 2: Attach the custom policy to a RAM user
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Grant Permission panel, grant one or more permissions to the RAM user.
Set Resource Scope.
Account: The permission takes effect on the current Alibaba account.
ResourceGroup: The permission takes effect in a specific resource group. For information about how to grant permissions to a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
ImportantBefore setting Resource Scope to ResourceGroup, ensure that the involved cloud services and resources support resource groups. For more information, see Services that work with Resource Group.
Set Principal.
The principal is the RAM user to which you want to grant permissions. The system automatically selects the current RAM user group as the principal.
Set Policy.
A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
NoteThe system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
Click Grant permissions.
Click Close.