全部产品
Search
文档中心

云防火墙:授权云防火墙访问云资源

更新时间:Sep 06, 2023

首次登录云防火墙(Cloud Firewall)控制台时,您必须完成允许云防火墙访问相关云资源的授权,才能正常使用云防火墙提供的服务。本文介绍了通过云防火墙服务关联角色AliyunServiceRoleForCloudFW,进行云资源访问授权的相关内容,以及如何删除AliyunServiceRoleForCloudFW

前提条件

您使用的是阿里云账号或拥有创建和删除服务关联角色权限的RAM用户账号。如何为RAM用户授予操作服务关联角色的权限,请参见相关问题

背景信息

为了向您提供对云上网络流量的访问控制、监控分析等功能,云防火墙需要访问您的云服务器 ECS专有网络 VPC负载均衡日志服务运维安全中心(堡垒机)云企业网云安全中心云数据库 RDS等云服务资源,您可通过系统自动创建的云防火墙服务关联角色AliyunServiceRoleForCloudFW进行访问授权。服务关联角色无需您手动创建或做任何修改。相关内容,请参见服务关联角色

操作步骤

  1. 登录云防火墙控制台

  2. 云防火墙服务关联角色对话框,单击确定

    说明

    如果您已经创建过AliyunServiceRoleForCloudFW,则不会出现该对话框,您可以直接在控制台使用云防火墙

    云防火墙服务关联角色

    完成后,阿里云将自动为您创建云防火墙服务关联角色AliyunServiceRoleForCloudFW

    您可以在RAM控制台角色页面,查看阿里云为云防火墙自动创建的服务关联角色。只有创建服务关联角色AliyunServiceRoleForCloudFW后,您的云防火墙实例才能访问云服务器 ECS专有网络 VPC负载均衡日志服务运维安全中心(堡垒机)云企业网云安全中心云数据库 RDS等关联云服务的资源。

AliyunServiceRoleForCloudFW权限说明

AliyunServiceRoleForCloudFW默认拥有AliyunServiceRolePolicyForCloudFW系统权限策略的授权。AliyunServiceRolePolicyForCloudFW中定义的权限如下所示。

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTags",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:DescribeRegions",
                "ecs:DescribeVpcs",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:DeleteSecurityGroup",
                "ecs:RevokeSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:CreateSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeSecurityGroupReferences",
                "ecs:ModifySecurityGroupPolicy",
                "ecs:ModifySecurityGroupRule",
                "ecs:ModifySecurityGroupEgressRule",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribePrefixLists",
                "ecs:ListTagResources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeNatGateways",
                "vpc:DescribeSnatTableEntries",
                "vpc:DescribeForwardTableEntries",
                "vpc:DescribeBandwidthPackages",
                "vpc:GetNatGatewayAttribute",
                "vpc:ModifyNatGatewayAttribute",
                "vpc:DescribeEipAddresses",
                "vpc:DescribeRouterInterfaces",
                "vpc:DescribeRouteTableList",
                "vpc:DescribeRouteTables",
                "vpc:DescribeVSwitches",
                "vpc:CreateRouteEntry",
                "vpc:DeleteRouteEntry",
                "vpc:CreateVpc",
                "vpc:DeleteVpc",
                "vpc:CreateVSwitch",
                "vpc:DeleteVSwitch",
                "vpc:DescribeZones",
                "vpc:CreateVirtualBorderRouter",
                "vpc:ConnectRouterInterface",
                "vpc:ModifyRouterInterfaceAttribute",
                "vpc:DeleteRouterInterface",
                "vpc:CreateRouterInterface",
                "vpc:DeleteVirtualBorderRouter",
                "vpc:DeactivateRouterInterface",
                "vpc:DescribeVirtualBorderRouters",
                "vpc:DescribePhysicalConnections",
                "vpc:ModifyVirtualBorderRouterAttribute",
                "vpc:DescribeVpcAttribute",
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeHaVips",
                "vpc:DescribeVpnConnections",
                "vpc:DescribeVpnRouteEntries",
                "vpc:DescribeVpnPbrRouteEntries",
                "vpc:DescribeVpnGateways",
                "vpc:DescribeSslVpnServers",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:CreateRouteTable",
                "vpc:DeleteRouteTable",
                "vpc:AssociateRouteTable",
                "vpc:UnassociateRouteTable",
                "vpc:CreateSnatEntry",
                "vpc:DeleteSnatEntry",
                "vpc:DescribeSnatTableEntries",
                "vpc:DescribeRouteEntryList",
                "vpc:DescribeIpv6Addresses",
                "vpc:ListVpcPeerConnections",
                "vpc:CreateRouteEntries",
                "vpc:DeleteRouteEntries"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "slb:DescribeRegions",
                "slb:DescribeLoadBalancers",
                "slb:DescribeLoadBalancerAttribute",
                "slb:DescribeLoadBalancerUDPListenerAttribute",
                "slb:DescribeLoadBalancerTCPListenerAttribute",
                "slb:DescribeLoadBalancerHTTPListenerAttribute",
                "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                "slb:DescribeHealthStatus",
                "slb:DescribeAccessControlListAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "alb:DescribeRegions",
                "alb:ListLoadBalancers",
                "alb:GetLoadBalancerAttribute",
                "alb:ListListeners",
                "alb:GetListenerAttribute",
                "alb:GetListenerHealthStatus",
                "alb:ListAcls",
                "alb:ListAclEntries"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "nlb:DescribeRegions",
                "nlb:ListLoadBalancers",
                "nlb:GetLoadBalancerAttribute",
                "nlb:ListListeners",
                "nlb:GetListenerAttribute",
                "nlb:GetListenerHealthStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:PostLogStoreLogs",
                "log:GetProject",
                "log:ListProject",
                "log:GetLogStore",
                "log:ListLogStores",
                "log:CreateLogStore",
                "log:CreateProject",
                "log:GetIndex",
                "log:CreateIndex",
                "log:UpdateIndex",
                "log:CreateDashboard",
                "log:ClearLogStoreStorage",
                "log:UpdateLogStore",
                "log:UpdateDashboard",
                "log:CreateSavedSearch",
                "log:UpdateSavedSearch",
                "log:DeleteLogStore",
                "log:DeleteSavedSearch",
                "log:GetSavedSearch",
                "log:ListSavedSearch",
                "log:DeleteDashboard",
                "log:GetDashboard",
                "log:ListDashboard"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "yundun-bastionhost:DescribeInstance",
                "yundun-bastionhost:DescribeRegions",
                "yundun-bastionhost:DescribeInstances",
                "yundun-bastionhost:DescribeInstanceBastionhost",
                "yundun-bastionhost:DescribeInstanceAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cen:DescribeCens",
                "cen:DescribeCenAttachedChildInstances",
                "cen:DescribeCenAttachedChildInstanceAttribute",
                "cen:AttachCenChildInstance",
                "cen:DetachCenChildInstance",
                "cen:PublishRouteEntries",
                "cen:WithdrawPublishedRouteEntries",
                "cen:DescribePublishedRouteEntries",
                "cen:DescribeCenRegionDomainRouteEntries",
                "cen:ModifyCenAttribute",
                "cen:CreateCenRouteMap",
                "cen:DeleteCenRouteMap",
                "cen:ModifyCenRouteMap",
                "cen:DescribeCenRouteMaps",
                "cen:DescribeCenChildInstanceRouteEntries",
                "cen:CreateCenChildInstanceRouteEntryToCen",
                "cen:DeleteCenChildInstanceRouteEntryToCen",
                "cen:ListTransitRouters",
                "cen:CreateTransitRouter",
                "cen:DeleteTransitRouter",
                "cen:ListTransitRouterAttachments",
                "cen:CreateTransitRouterVpcAttachment",
                "cen:DeleteTransitRouterVpcAttachment",
                "cen:UpdateTransitRouterVpcAttachmentAttribute",
                "cen:UpdateTransitRouterPeerAttachmentAttribute",
                "cen:CreateTransitRouterVbrAttachment",
                "cen:DeleteTransitRouterVbrAttachment",
                "cen:ListTransitRouterPeerAttachments",
                "cen:ListTransitRouterVpcAttachments",
                "cen:ListTransitRouterVbrAttachments",
                "cen:ListTransitRouterAvailableResource",
                "cen:CreateTransitRouterRouteTable",
                "cen:UpdateTransitRouterRouteTable",
                "cen:DeleteTransitRouterRouteTable",
                "cen:ListTransitRouterRouteTables",
                "cen:CreateTransitRouterRouteEntry",
                "cen:DeleteTransitRouterRouteEntry",
                "cen:ListTransitRouterRouteEntries",
                "cen:ListTransitRouterRouteTableAssociations",
                "cen:AssociateTransitRouterAttachmentWithRouteTable",
                "cen:DissociateTransitRouterAttachmentFromRouteTable",
                "cen:ListTransitRouterRouteTablePropagations",
                "cen:EnableTransitRouterRouteTablePropagation",
                "cen:DisableTransitRouterRouteTablePropagation",
                "cen:ModifyCenUserQuota",
                "cen:ReplaceTransitRouterRouteTableAssociation",
                "cen:CheckTransitRouterService",
                "cen:ListTransitRouterPrefixListAssociation"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "netana:DescribeNetworkQuotas",
                "netana:DescribeNetworkQuotaRequestResult",
                "netana:CreateNetworkQuotaRequest"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "yundun-sas:DescribeVulList",
                "yundun-sas:DescribeVulDetails"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "cen.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "resourcemanager:ListAccounts"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "cloudfw.aliyuncs.com"
                }
            }
        }
    ]
}

关于权限策略语法的详细说明,请参见权限策略基本元素

删除服务关联角色

如果不再需要使用云防火墙,您可以删除云防火墙服务关联角色AliyunServiceRoleForCloudFW。只有当云防火墙实例已经过期并自动释放后,您才可以删除服务关联角色。具体操作,请参见删除RAM角色

相关问题

为什么我的RAM用户无法自动创建云防火墙服务关联角色AliyunServiceRoleForCloudFW

您需要拥有指定的权限,才能自动创建或删除AliyunServiceRoleForCloudFW。因此,在RAM用户无法自动创建AliyunServiceRoleForCloudFW时,您需为RAM用户添加以下权限策略。详细操作步骤指导,请参见为RAM用户授权

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:主账号ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "cloudfw.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}