This topic describes the details of the AliyunServiceRoleForConfigRemediation service-linked role that is used for automatic remediation and the scenarios in which the role can be applied. This topic also describes how to create and delete the service-linked role.

Scenarios

Before you use the automatic remediation feature of Cloud Config to remediate non-compliant resources, you must grant Cloud Config the permissions to access non-compliant resources. Cloud Config can assume the AliyunServiceRoleForConfigRemediation service-linked role to access the non-compliant resources of other Alibaba Cloud services.
Note: For more information about service-linked roles, see Service-linked roles.

Role description

The following list describes the details of the AliyunServiceRoleForConfigRemediation service-linked role:
  • Role name: AliyunServiceRoleForConfigRemediation.
  • Policy attached to the role: AliyunServiceRolePolicyForConfigRemediation.
  • Policy description: This policy grants Cloud Config the permissions to access the non-compliant resources of other Alibaba Cloud services.
    Note: For more information about the policy, see AliyunServiceRolePolicyForConfigRemediation.

Create the AliyunServiceRoleForConfigRemediation service-linked role

You can configure a remediation template for a rule in the Cloud Config console. If Cloud Config detects non-compliant resources based on the rule, Cloud Config automatically creates the AliyunServiceRoleForConfigRemediation service-linked role for automatic remediation in the Resource Access Management (RAM) console.

Delete the AliyunServiceRoleForConfigRemediation service-linked role

  1. Delete remediation settings.
    • Delete the remediation settings of a rule. For more information, see Delete remediation settings.
    • Delete all rules for which remediation settings are configured. For more information, see Delete a rule.
  2. Delete the AliyunServiceRoleForConfigRemediation service-linked role.

    The AliyunServiceRoleForConfigRemediation service-linked role cannot be automatically deleted. You must log on to the RAM console and manually delete the role. For more information, see Delete a RAM role.
