RAM authorization - Web Application Firewall - Alibaba Cloud ドキュメントセンター

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.

This topic describes the elements, such as Action, Resource, and Condition, which are defined by WAFV3. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate WAFV3 is yundun-waf. You can grant permissions on WAFV3 at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Effect: specifies the authorization effect. Valid values: Allow, Deny.
Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.

Action

WAFV3 defines the values that you can use in the Action element of a policy statement. The following table describes the values.

Operation: the value that you can use in the Action element to specify the operation on a resource.
API operation: the API operation that you can call to perform the operation.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Actions	API operation	Access level	Resource type	Condition key	Associated operation
yundun-waf:DescribeSlsLogStore	DescribeSlsLogStore	get	All Resources *	None	None
yundun-waf:DescribeFlowTopUrl	DescribeFlowTopUrl	get	All Resources *	None	None
yundun-waf:CreateCloudResource	CreateCloudResource	create	All Resources *	None	None
yundun-waf:DescribeRuleHitsTopTuleType	DescribeRuleHitsTopTuleType	get	All Resources *	None	None
yundun-waf:ModifyApisecLogDelivery	ModifyApisecLogDelivery	update	All Resources *	None	None
yundun-waf:ModifyPauseProtectionStatus	ModifyPauseProtectionStatus	update	All Resources *	None	None
yundun-waf:DescribeDDoSStatus	DescribeDDoSStatus	get	All Resources *	None	None
yundun-waf:DescribeDefenseResourceGroupNames	DescribeDefenseResourceGroupNames	list	All Resources *	None	None
yundun-waf:ModifyDefenseResourceGroup	ModifyDefenseResourceGroup	Write	All Resources *	None	None
yundun-waf:CreateDefenseRule	CreateDefenseRule	create	All Resources *	None	None
yundun-waf:ModifyApisecLogDeliveryStatus	ModifyApisecLogDeliveryStatus	update	All Resources *	None	None
yundun-waf:ListTagValues	ListTagValues	get	All Resources *	None	None
yundun-waf:ModifyCloudResource	ModifyCloudResource	update	All Resources *	None	None
yundun-waf:CreateDefenseResourceGroup	CreateDefenseResourceGroup	Write	All Resources *	None	None
yundun-waf:ModifyHybridCloudSdkPullinStatus	ModifyHybridCloudSdkPullinStatus	update	All Resources *	None	None
yundun-waf:DescribeRuleHitsTopResource	DescribeRuleHitsTopResource	get	All Resources *	None	None
yundun-waf:DescribeCloudResourceAccessedPorts	DescribeCloudResourceAccessedPorts	get	All Resources *	None	None
yundun-waf:DescribeDefenseTemplate	DescribeDefenseTemplate	get	All Resources *	None	None
yundun-waf:DescribeApisecSlsProjects	DescribeApisecSlsProjects	get	All Resources *	None	None
yundun-waf:DescribeCnameCount	DescribeCnameCount	get	All Resources *	None	None
yundun-waf:DescribeApisecLogDeliveries	DescribeApisecLogDeliveries	get	All Resources *	None	None
yundun-waf:CreatePostpaidInstance	CreatePostpaidInstance	Write	All Resources *	None	None
yundun-waf:DescribeCerts	DescribeCerts	get	All Resources *	None	None
yundun-waf:DescribeRuleGroups	DescribeRuleGroups	get	All Resources *	None	None
yundun-waf:DescribeHybridCloudServerRegions	DescribeHybridCloudServerRegions	get	All Resources *	None	None
yundun-waf:CreateDomain	CreateDomain	create	All Resources *	None	None
yundun-waf:DeleteMajorProtectionBlackIp	DeleteMajorProtectionBlackIp	Write	All Resources *	None	None
yundun-waf:DescribeDomainDNSRecord	DescribeDomainDNSRecord	get	All Resources *	None	None
yundun-waf:DescribeHybridCloudClusterRule	DescribeHybridCloudClusterRule	get	All Resources *	None	None
yundun-waf:CreateHybridCloudGroup	CreateHybridCloudGroup	create	All Resources *	None	None
yundun-waf:ModifyMajorProtectionBlackIp	ModifyMajorProtectionBlackIp	Write	All Resources *	None	None
yundun-waf:ListTagKeys	ListTagKeys	list	All Resources *	None	None
yundun-waf:CreateMajorProtectionBlackIp	CreateMajorProtectionBlackIp	Write	All Resources *	None	None
yundun-waf:ModifyDefenseTemplate	ModifyDefenseTemplate	Write	All Resources *	None	None
yundun-waf:ReleaseInstance	ReleaseInstance	delete	All Resources *	None	None
yundun-waf:ModifyHybridCloudClusterRule	ModifyHybridCloudClusterRule	update	All Resources *	None	None
yundun-waf:DescribeSlsLogStoreStatus	DescribeSlsLogStoreStatus	get	All Resources *	None	None
yundun-waf:ListTagResources	ListTagResources	get	All Resources *	None	None
yundun-waf:ModifyDefenseResourceXff	ModifyDefenseResourceXff		All Resources *	None	None
yundun-waf:ModifyDefenseRule	ModifyDefenseRule	Write	All Resources *	None	None
yundun-waf:DeleteDomain	DeleteDomain	delete	All Resources *	None	None
yundun-waf:DescribeTemplateResourceCount	DescribeTemplateResourceCount	list	All Resources *	None	None
yundun-waf:ModifyDomain	ModifyDomain	update	All Resources *	None	None
yundun-waf:DescribeResourcePort	DescribeResourcePort	get	All Resources *	None	None
yundun-waf:DescribeUserSlsLogRegions	DescribeUserSlsLogRegions	get	All Resources *	None	None
yundun-waf:DescribeAccountDelegatedStatus	DescribeAccountDelegatedStatus	get	All Resources *	None	None
yundun-waf:DescribeHybridCloudResources	DescribeHybridCloudResources	get	All Resources *	None	None
yundun-waf:DescribeFlowTopResource	DescribeFlowTopResource	get	All Resources *	None	None
yundun-waf:ModifyDefaultHttps	ModifyDefaultHttps	update	All Resources *	None	None
yundun-waf:DescribeHybridCloudUser	DescribeHybridCloudUser	get	All Resources *	None	None
yundun-waf:DescribeResourceInstanceCerts	DescribeResourceInstanceCerts	get	All Resources *	None	None
yundun-waf:ModifyHybridCloudClusterBypassStatus	ModifyHybridCloudClusterBypassStatus	update	All Resources *	None	None
yundun-waf:TagResources	TagResources	create	All Resources *	None	None
yundun-waf:ModifyMemberAccount	ModifyMemberAccount	update	All Resources *	None	None
yundun-waf:CopyDefenseTemplate	CopyDefenseTemplate	create	All Resources *	None	None
yundun-waf:DescribeDefenseResourceTemplates	DescribeDefenseResourceTemplates	list	All Resources *	None	None
yundun-waf:DescribeApisecSlsLogStores	DescribeApisecSlsLogStores	get	All Resources *	None	None
yundun-waf:DescribeDefenseTemplateValidGroups	DescribeDefenseTemplateValidGroups	list	All Resources *	None	None
yundun-waf:DescribeResourceLogStatus	DescribeResourceLogStatus	get	All Resources *	None	None
yundun-waf:ModifyDomainPunishStatus	ModifyDomainPunishStatus	Write	All Resources *	None	None
yundun-waf:DeleteMemberAccount	DeleteMemberAccount	delete	All Resources *	None	None
yundun-waf:DeleteDefenseResourceGroup	DeleteDefenseResourceGroup	delete	All Resources *	None	None
yundun-waf:SyncProductInstance	SyncProductInstance	Write	All Resources *	None	None
yundun-waf:ModifyDefenseRuleStatus	ModifyDefenseRuleStatus		All Resources *	None	None
yundun-waf:DeleteDefenseTemplate	DeleteDefenseTemplate	Write	All Resources *	None	None
yundun-waf:ModifyTemplateResources	ModifyTemplateResources		All Resources *	None	None
yundun-waf:DescribeMajorProtectionBlackIps	DescribeMajorProtectionBlackIps	get	All Resources *	None	None
yundun-waf:DescribeSlsAuthStatus	DescribeSlsAuthStatus	get	All Resources *	None	None
yundun-waf:DescribeHybridCloudUnassignedMachines	DescribeHybridCloudUnassignedMachines	get	All Resources *	None	None
yundun-waf:DescribeRuleHitsTopClientIp	DescribeRuleHitsTopClientIp	get	All Resources *	None	None
yundun-waf:DescribeDefaultHttps	DescribeDefaultHttps	get	All Resources *	None	None
yundun-waf:DescribeWafSourceIpSegment	DescribeWafSourceIpSegment	get	All Resources *	None	None
yundun-waf:DescribeDefenseResources	DescribeDefenseResources	list	All Resources *	None	None
yundun-waf:DescribePauseProtectionStatus	DescribePauseProtectionStatus	get	All Resources *	None	None
yundun-waf:DescribeCloudResourceAccessPortDetails	DescribeCloudResourceAccessPortDetails	get	All Resources *	None	None
yundun-waf:DescribeDomains	DescribeDomains	get	All Resources *	None	None
yundun-waf:DescribeVisitUas	DescribeVisitUas	get	All Resources *	None	None
yundun-waf:DescribeRuleHitsTopUa	DescribeRuleHitsTopUa	get	All Resources *	None	None
yundun-waf:DescribeVisitTopIp	DescribeVisitTopIp	get	All Resources *	None	None
yundun-waf:ChangeResourceGroup	ChangeResourceGroup	update	All Resources *	None	None
yundun-waf:DescribeHybridCloudClusters	DescribeHybridCloudClusters	get	All Resources *	None	None
yundun-waf:DeleteCloudResource	DeleteCloudResource	delete	All Resources *	None	None
yundun-waf:UntagResources	UntagResources	delete	All Resources *	None	None
yundun-waf:DescribeDefenseResourceGroup	DescribeDefenseResourceGroup	get	All Resources *	None	None
yundun-waf:DescribeFlowChart	DescribeFlowChart	get	All Resources *	None	None
yundun-waf:ModifyHybridCloudGroupExpansionServer	ModifyHybridCloudGroupExpansionServer	update	All Resources *	None	None
yundun-waf:DescribeCloudResources	DescribeCloudResources	list	All Resources *	None	None
yundun-waf:DescribeMemberAccounts	DescribeMemberAccounts	list	All Resources *	None	None
yundun-waf:DescribeDefenseRule	DescribeDefenseRule	get	All Resources *	None	None
yundun-waf:DescribeDefenseTemplates	DescribeDefenseTemplates	list	All Resources *	None	None
yundun-waf:ClearMajorProtectionBlackIp	ClearMajorProtectionBlackIp	delete	All Resources *	None	None
yundun-waf:DescribeHybridCloudGroups	DescribeHybridCloudGroups	list	All Resources *	None	None
yundun-waf:DescribeTemplateResources	DescribeTemplateResources	list	All Resources *	None	None
yundun-waf:ModifyHybridCloudGroupShrinkServer	ModifyHybridCloudGroupShrinkServer	update	All Resources *	None	None
yundun-waf:DescribeDefenseResourceGroups	DescribeDefenseResourceGroups	list	All Resources *	None	None
yundun-waf:CreateDefenseTemplate	CreateDefenseTemplate	Write	All Resources *	None	None
yundun-waf:DescribeDefenseResourceNames	DescribeDefenseResourceNames	list	All Resources *	None	None
yundun-waf:DescribeDefenseRules	DescribeDefenseRules	list	All Resources *	None	None
yundun-waf:DescribePunishedDomains	DescribePunishedDomains	get	All Resources *	None	None
yundun-waf:DeleteDefenseRule	DeleteDefenseRule		All Resources *	None	None
yundun-waf:DescribeResponseCodeTrendGraph	DescribeResponseCodeTrendGraph	get	All Resources *	None	None
yundun-waf:DescribeResourceRegionId	DescribeResourceRegionId	list	All Resources *	None	None
yundun-waf:DescribeDomainDetail	DescribeDomainDetail	get	All Resources *	None	None
yundun-waf:ModifyDefenseTemplateStatus	ModifyDefenseTemplateStatus	Write	All Resources *	None	None
yundun-waf:ModifyHybridCloudServer	ModifyHybridCloudServer	update	All Resources *	None	None
yundun-waf:DescribeRuleHitsTopUrl	DescribeRuleHitsTopUrl	get	All Resources *	None	None
yundun-waf:ModifyResourceLogStatus	ModifyResourceLogStatus	update	All Resources *	None	None
yundun-waf:ModifyDefenseRuleCache	ModifyDefenseRuleCache	update	All Resources *	None	None
yundun-waf:DescribeUserWafLogStatus	DescribeUserWafLogStatus	get	All Resources *	None	None
yundun-waf:CreateSM2Cert	CreateSM2Cert	create	All Resources *	None	None
yundun-waf:DescribeRuleHitsTopRuleId	DescribeRuleHitsTopRuleId	get	All Resources *	None	None
yundun-waf:DescribeResourceSupportRegions	DescribeResourceSupportRegions	get	All Resources *	None	None
yundun-waf:DescribePeakTrend	DescribePeakTrend	get	All Resources *	None	None
yundun-waf:DescribeCertDetail	DescribeCertDetail	get	All Resources *	None	None
yundun-waf:DescribeProductInstances	DescribeProductInstances	get	All Resources *	None	None
yundun-waf:CreateMemberAccounts	CreateMemberAccounts	create	All Resources *	None	None
yundun-waf:DescribeInstance	DescribeInstance	get	All Resources *	None	None
yundun-waf:DescribeDefenseResource	DescribeDefenseResource	get	All Resources *	None	None

Resource

WAFV3 defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

{#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
An asterisk (*) is used as a wildcard. Examples:
- {#resourceType} is set to *, all resources are specified.
- {#regionId} is set to *, all regions are specified.
- {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type	ARN
Instance	acs:yundun-waf:{#regionId}:{#accountId}:Instance/*
HybridCloudGroup	acs:yundun-waf:{#regionId}:{#accountId}:hybridcloudgroup/*
DefenseResource	acs:yundun-waf:{#regionId}:{#accountId}:instance/{InstanceId}/defenseresource/{#Resource}
Instance	acs:yundun-waf::{#accountId}:instance/{#InstanceId}
Instance	acs:yundun-waf:{#regionId}:{#accountId}:instance/{#InstanceId}
HybridCloudCluster	acs:yundun-waf:{#regionId}:{#accountId}:hybridcloudcluster/{#HybridCloudClusterId}
Domain	acs:yundun-waf:{#regionId}:{#accountId}:domain/{#Domain}

Condition

WAFV3 does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Generic Condition Keyword.

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: