All Products
Search
Document Center

Application Real-Time Monitoring Service:Service-linked role for Application Security

最終更新日:Dec 24, 2024

This topic describes the AliyunServiceRoleForARMSSecurity service-linked role and the method to delete the role.

Background information

Application Real-Time Monitoring Service (ARMS) provides the AliyunServiceRoleForARMSSecurity service-linked role to obtain the permissions to access other cloud services. For more information about service-linked roles, see Service-linked roles.

Scenarios

When Application Security needs to access the resources of Web Application Firewall (WAF), you can use the AliyunServiceRoleForARMSSecurity service-linked role to obtain access permissions.

Permissions

The AliyunServiceRoleForARMSSecurity service-linked role grants the following permissions to access WAF:

WAF

{
      "Action": [
        "yundun-waf:ModifyProtectionConfig",
        "yundun-waf:ModifyApplicationsRaspState",
        "yundun-waf:DescribeRiskDependencyStatisticsInfo",
        "yundun-waf:DescribeRiskDependencies",
        "yundun-waf:DescribeRiskCount",
        "yundun-waf:DescribeProtectionStatisticsInfo",
        "yundun-waf:DescribeProtectionConfig",
        "yundun-waf:DescribeMiddlewareInstances",
        "yundun-waf:DescribeDependencyInstances",
        "yundun-waf:DescribeDependencies",
        "yundun-waf:DescribeAttackStatisticsInfo",
        "yundun-waf:DescribeAttacks",
        "yundun-waf:DescribeAttackCount",
        "yundun-waf:DescribeAttackApplicationCount",
        "yundun-waf:DescribeApplications"
        "yundun-waf:GetRaspCommercialStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

Delete AliyunServiceRoleForARMSSecurity

If you want to delete the AliyunServiceRoleForARMSSecurity service-linked role, you must take note of the consequences. After you delete AliyunServiceRoleForARMSSecurity, you cannot view the console pages that are related to Application Security. If you want to use Application Security, you must grant the permissions again.

To delete AliyunServiceRoleForARMSSecurity, perform the following steps:

Note

If an application that belongs to the current account is connected to Application Security, disconnect and restart the application before you delete the role. Otherwise, the deletion fails. For more information about how to disconnect an application, see Connect an application to Application Security.

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, enter AliyunServiceRoleForARMSSecurity in the search box to search for the role.

  4. On the Roles page, find the RAM user that you want to delete and click Delete Role in the Actions column.

  5. In the Delete Role dialog box, enter the name of the RAM role and click Delete Role.

    If a policy is attached to the RAM role, the policy is detached when you delete the RAM role.

    For a RAM role that fails to be deleted, you can click Role Deletion in the upper-right corner of the RAM role list to view the details.

FAQ

Q: Why is the AliyunServiceRoleForARMSSecurity service-linked role not automatically created for my RAM user?

A: The AliyunServiceRoleForARMSSecurity service-linked role can be automatically created or deleted for a RAM user only after you grant the required permissions to the RAM user. If the AliyunServiceRoleForARMSSecurity service-linked role is not automatically created for a RAM user, you must attach a custom policy or the AliyunARMSFullAccess system policy to the RAM user.

A custom policy or the AliyunARMSFullAccess system policy can be used in the following scenarios:

  • A custom policy can be used to grant RAM users only the permissions to use Application Security in read-only mode.

  • The AliyunARMSFullAccess system policy can be used to grant RAM users all the permissions required to manage ARMS, including the permissions to use Application Security.

(Optional) Step 1: Create a custom policy

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

    image

  4. On the Create Policy page, click the JSON tab. Enter the following script in the policy document.

    {
      "Statement": [{
        "Action": [
          "ram:CreateServiceLinkedRole"
        ],
        "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "ram:ServiceName": [
              "security.arms.aliyuncs.com"
            ]
          }
        }
      }, {
        "Action": "arms:CreateSecurityAuth",
        "Effect": "Allow",
        "Resource": "*"
      }],
      "Version": "1"
    }
    Note

    Replace the ID of your Alibaba Cloud account with the actual account ID.

  5. Click Optional advanced optimize in the upper part. In the Optional advanced optimize message, click Perform to optimize the policy.

    The system performs the following operations during the advanced optimization:

    • Split resources or conditions that are incompatible with actions.

    • Narrow down resources.

    • Deduplicate or merge policy statements.

  6. On the Create Policy page, click OK.

  7. In the Create Policy dialog box, configure the Name and Description parameters and click OK.

Step 2: Attach the custom policy to a RAM user

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    image

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

  4. In the Grant Permission panel, grant one or more permissions to the RAM user.

    1. Set Resource Scope.

    2. Set Principal.

      The principal is the RAM user to which you want to grant permissions. The system automatically selects the current RAM user group as the principal.

    3. Set Policy.

      A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

        Note

        The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

    4. Click Grant permissions.

  5. Click Close.