AliyunServiceRolePolicyForSasCloudSiem 是专用于服务关联角色的授权策略，会在创建服务关联角色 AliyunServiceRoleForSasCloudSiem 时自动授权，以允许服务关联角色代您访问其他云服务。本策略由对应的阿里云服务按需更新，请勿将本策略授权给服务关联角色之外的 RAM 身份使用。
策略详情
类型：系统策略
创建时间：2022-06-20 06:34:43
更新时间：2024-10-31 09:02:24
当前版本：v41
策略内容
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"resourcemanager:RegisterDelegatedAdministrator"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"log:OpenSlsService",
"log:GetSlsService",
"log:CreateProject",
"log:GetProject",
"log:ListProject",
"log:ListLogStores",
"log:GetLogStore",
"log:DeleteLogStore",
"log:GetLogStoreLogs",
"log:PostLogStoreLogs",
"log:BatchPostLogStoreLogs",
"log:CreateIndex",
"log:UpdateIndex",
"log:CreateDashboard",
"log:UpdateDashboard",
"log:CreateLogStore",
"log:CreateSavedSearch",
"log:UpdateSavedSearch",
"log:DeleteSavedSearch",
"log:PutLogs",
"log:CreateJob",
"log:UpdateJob",
"log:ListShards",
"log:GetCursorOrData",
"log:GetConsumerGroupCheckPoint",
"log:UpdateConsumerGroup",
"log:ConsumerGroupHeartBeat",
"log:ConsumerGroupUpdateCheckPoint",
"log:ListConsumerGroup",
"log:CreateConsumerGroup",
"log:GetLogging",
"log:CreateLogging",
"log:UpdateLogging",
"log:DeleteLogging",
"log:PostProjectQuery",
"log:GetProjectQuery",
"log:PutProjectQuery",
"log:DeleteProjectQuery",
"log:GetMachineGroup",
"log:ListMachineGroup",
"log:UpdateLogStore",
"log:GetIndex",
"log:GetIndex",
"log:ListSavedSearch",
"log:GetLogStoreHistogram",
"log:GetSavedSearch",
"log:GetDashboard",
"log:ListDashboard",
"log:UpdateLogStoreMeteringMode",
"log:GetLogStoreMeteringMode"
],
"Resource": "acs:log:*:*:project/*"
},
{
"Effect": "Allow",
"Action": "log:CreateTicket",
"Resource": "acs:log:*:*:ticket/*"
},
{
"Effect": "Allow",
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"cloudsiem.sas.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"yundun-sas:DescribeLogShipperStatus",
"yundun-sas:DescribeSuspEvents",
"yundun-sas:DescribeAlarmEventDetail",
"yundun-sas:DescribeSophonCommands",
"yundun-sas:TriggerSophonPlaybook",
"yundun-sas:DescribeExecutePlaybooks",
"yundun-sas:ListDatasetMasterKeyData",
"yundun-sas:DescribeAssetDetailByUuid",
"yundun-sas:SoarCallback",
"yundun-sas:PostDisposeStrategyFromSoar",
"yundun-sas:PostDatasetReference",
"yundun-sas:DeleteDatasetReference",
"yundun-sas:GetDataCheckResult",
"yundun-sas:GetSecurityLakeInstance",
"yundun-sas:ListSecurityLakeDatabases",
"yundun-sas:ListSecurityLakeTableFields",
"yundun-sas:CreateSecurityLakeRole",
"yundun-sas:GetSecurityLakeQueryResult",
"yundun-sas:DeleteSecurityLakeQuery",
"yundun-sas:CreateSecurityLakeQuery",
"yundun-sas:GetSecurityLakeInstance",
"yundun-sas:CreateSecurityLakeInstance",
"yundun-sas:GetDlfStatus",
"yundun-sas:ListSecurityLakeInstances",
"yundun-sas:ModifySecurityLakeInstanceLifecycle",
"yundun-sas:DeleteSecurityLakeInstance",
"yundun-sas:ModifySecurityLakeInstanceCapacity",
"yundun-sas:DeleteSecurityLakeDataIngest",
"yundun-sas:GetSecurityLakeDataIngest",
"yundun-sas:CreateSecurityLakeDataIngest",
"yundun-sas:ListSecurityLakeDataIngest",
"yundun-sas:DescribeAlertsWithEvent",
"yundun-sas:DescribeVersionConfig",
"yundun-sas:DescribeSuspiciousOverallConfig",
"yundun-sas:ListClientUserDefineRules",
"yundun-sas:AddClientUserDefineRule",
"yundun-sas:OperateCommonTargetConfig",
"yundun-sas:OperateCommonOverallConfig",
"yundun-sas:ModifyClientUserDefineRule",
"yundun-sas:UpdateCommonSwitchConfig",
"yundun-sas:DeleteClientUserDefineRule",
"yundun-sas:Get*",
"yundun-sas:Describe*",
"yundun-sas:Query*",
"yundun-sas:List*",
"yundun-sas:DescribeAlerts"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"log:GetProductDataCollection",
"log:OpenProductDataCollection",
"log:CloseProductDataCollection"
],
"Resource": [
"acs:log:*:*:project/*/logstore/*",
"acs:alb:*:*:loadbalancer/*",
"acs:slb:*:*:loadbalancer/*"
]
},
{
"Effect": "Allow",
"Action": "log:UpsertCollectionPolicy",
"Resource": [
"acs:log:*:*:resource/*/record",
"acs:log:*:*:project/*/logstore/*"
]
},
{
"Effect": "Allow",
"Action": [
"log:DescribeCollectionPolicy",
"log:DeleteCollectionPolicy",
"log:ListCollectionPolicies"
],
"Resource": "acs:log:*:*:resource/*/record"
},
{
"Effect": "Allow",
"Action": [
"yundun-waf:DescribeInstanceInfo",
"yundun-waf:DescribeDomainList",
"yundun-waf:DescribeRegions",
"yundun-waf:DescribePayInfo",
"yundun-waf:DescribeWafSourceIpSegment",
"yundun-waf:DescribeDomainNames",
"yundun-waf:DescribeDomainConfig",
"yundun-waf:DescribeWebAttackLogs",
"yundun-waf:DescribeDomainList",
"yundun-waf:DescribeDomain",
"yundun-waf:DescribeProtectionModuleRules",
"yundun-waf:CreateProtectionModuleRule",
"yundun-waf:ModifyProtectionModuleMode",
"yundun-waf:ModifyProtectionModuleRule",
"yundun-waf:DescribeDomainBasicConfigs",
"yundun-waf:DescribeDomains",
"yundun-waf:DescribeInstance"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "yundun-waf:DescribeWafSourceIpv6Segment",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"yundun-waf:DescribeDefenseRule",
"yundun-waf:DescribeDefenseRules",
"yundun-waf:DescribeTemplateResources",
"yundun-waf:ModifyTemplateResources",
"yundun-waf:CreateDefenseRule",
"yundun-waf:ModifyDefenseRule",
"yundun-waf:CreateDefenseTemplate",
"yundun-waf:DescribeInstance",
"yundun-waf:DescribeDefenseResources",
"yundun-waf:DeleteProtectionModuleRule",
"yundun-waf:DeleteDefenseTemplate",
"yundun-waf:Describe*",
"yundun-waf:DeleteDefenseRule"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"yundun-cloudfirewall:DescribeRiskEventGroup",
"yundun-cloudfirewall:DescribeRiskEventPayload",
"yundun-cloudfirewall:DescribeControlPolicy",
"yundun-cloudfirewall:ModifyControlPolicy",
"yundun-cloudfirewall:AddAddressBook",
"yundun-cloudfirewall:AddControlPolicy",
"yundun-cloudfirewall:DescribeAddressBook",
"yundun-cloudfirewall:ModifyAddressBook",
"yundun-cloudfirewall:DeleteControlPolicy",
"yundun-cloudfirewall:DeleteAddressBook",
"yundun-cloudfirewall:ModifyControlPolicyPosition"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"audit.log.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"yundun-ddoscoo:DescribeDDosAllEventList",
"yundun-ddoscoo:DescribeDDosEventSrcIp",
"yundun-ddoscoo:DescribeDDosEventAttackType"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"log:DescribeService",
"log:EnableService"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"dcdn:DescribeDcdnWafRules",
"dcdn:ModifyDcdnWafRule",
"dcdn:BatchCreateDcdnWafRules",
"dcdn:CreateDcdnWafPolicy",
"dcdn:BatchCreateDcdnWafRules",
"dcdn:ModifyDcdnWafPolicyDomains",
"dcdn:DescribeDcdnWafDomains",
"dcdn:ModifyDcdnWafPolicyDomains",
"dcdn:BatchDeleteDcdnWafRules",
"dcdn:DescribeDcdnWafPolicy",
"dcdn:DeleteDcdnWafPolicy",
"dcdn:DescribeDcdnWafRule"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"alb:ListAcls",
"alb:CreateAcl",
"alb:AddEntriesToAcl",
"alb:ListListeners",
"alb:Listaclentries",
"alb:Associateaclswithlistener",
"alb:Describeregions",
"alb:Removeentriesfromacl"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"slb:Describeaccesscontrollists",
"slb:Createaccesscontrollist",
"slb:Addaccesscontrollistentry",
"slb:Describeloadbalancers",
"slb:Describeloadbalancerattribute",
"slb:Describeaccesscontrollistattribute",
"slb:Describeloadbalancertcplistenerattribute",
"slb:Describeloadbalancerudplistenerattribute",
"slb:Describeloadbalancerhttplistenerattribute",
"slb:Describeloadbalancerhttpslistenerattribute",
"slb:Setloadbalancertcplistenerattribute",
"slb:Setloadbalancerudplistenerattribute",
"slb:Setloadbalancerhttplistenerattribute",
"slb:Setloadbalancerhttpslistenerattribute",
"slb:Describeregions",
"slb:Removeaccesscontrollistentry"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cdn:Describeuserdomains",
"cdn:DescribeCdnDomainConfigs",
"cdn:BatchSetCdnDomainConfig"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cdn:DescribeCdnWafDomain",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "mscsub:ListEncryptWebhooks",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecs:AuthorizeSecurityGroupEgress",
"ecs:CreateCommand",
"ecs:CreateSecurityGroup",
"ecs:CreateSnapshot",
"ecs:DescribeCommands",
"ecs:DescribeDisks",
"ecs:DescribeInstances",
"ecs:DescribeInstanceStatus",
"ecs:DescribeInvocationResults",
"ecs:DescribeRegions",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroupReferences",
"ecs:DescribeSecurityGroups",
"ecs:InstallCloudAssistant",
"ecs:InvokeCommand",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"middlewarelens.log.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"alb:ListLoadBalancers",
"alb:GetListenerAttribute"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"vpc:DescribeVpcAttribute",
"vpc:DescribeVpcs",
"vpc:DescribeFlowLogs"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "yundun-antiddosbag:DescribeInstanceList",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "yundun-ddoscoo:DescribeInstanceIds",
"Resource": "*"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "cloudsiem.sas.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"securitylens.log.aliyuncs.com",
"ai-lens.log.aliyuncs.com"
]
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "storagelens.log.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "security-lake.sas.aliyuncs.com"
}
}
}
]
}