If this is the first time you enable the Log Service for WAF feature, you must authorize Web Application Firewall (WAF) to access cloud resources. This topic describes how to authorize WAF to access cloud resources.

Prerequisites

  • A WAF instance is purchased. For more information, see Purchase a WAF instance.
  • An Alibaba Cloud account or a Resource Access Management (RAM) user that has permissions to create or delete service-linked roles is used.

Background information

When you use the Log Service for WAF feature, WAF needs to access cloud resources, such as Log Service. In this case, Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. This role allows WAF to access the required cloud resources. You do not need to manually create or modify the service-linked role. For more information, see Service-linked roles.

Procedure

  1. Log on to the Web Application Firewall console.
  2. Authorize WAF to access cloud resources.
    If this is the first time that you enable the Log Service for WAF feature, Alibaba Cloud prompts you to authorize WAF to access other cloud resources. To complete the authorization, perform the following steps:
    1. In the left-side navigation pane, choose Log Management > Log Service.
    2. Click Authorize Now.
  3. In the Tips message, click OK.
    After you click OK, Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role.

    You can view the service-linked role on the RAM Roles page of the RAM console. After Alibaba Cloud creates the service-linked role, your WAF instance can access the associated cloud resources, such as Log Service.

Introduction to the WAF service-linked role

The following list describes the AliyunServiceRoleForWAF service-linked role:

  • Role name: AliyunServiceRoleForWAF
  • Policy name: AliyunServiceRolePolicyForWAF
    Note This is a system policy. You cannot modify the name or content of this policy.
  • Example:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:CreateNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:AttachNetworkInterface",
                    "ecs:DetachNetworkInterface",
                    "ecs:DescribeNetworkInterfacePermissions",
                    "ecs:CreateNetworkInterfacePermission",
                    "ecs:DeleteNetworkInterfacePermission",
                    "ecs:DescribeSecurityGroups",
                    "ecs:DescribeSecurityGroupAttribute",
                    "ecs:CreateSecurityGroup",
                    "ecs:DeleteSecurityGroup",
                    "ecs:AuthorizeSecurityGroup",
                    "ecs:RevokeSecurityGroup",
                    "ecs:DescribeDisks"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "slb:DescribeServerCertificates",
                    "slb:DescribeDomainExtensions",
                    "slb:DescribeLoadBalancers",
                    "slb:DescribeListenerAccessControlAttribute",
                    "slb:DescribeLoadBalancerAttribute",
                    "slb:DescribeLoadBalancerHTTPListenerAttribute",
                    "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                    "slb:DescribeLoadBalancerTCPListenerAttribute",
                    "slb:DescribeLoadBalancerUDPListenerAttribute"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "cdn:DescribeUserDomains",
                    "cdn:DescribeCdnDomainDetail",
                    "cdn:DescribeDomainsBySource",
                    "cdn:DescribeUserVipsByDomain"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "yundun-cert:DescribeUserCertificateList"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:PostLogStoreLogs",
                    "log:GetProject",
                    "log:ListProject",
                    "log:GetLogStore",
                    "log:ListLogStores",
                    "log:CreateLogStore",
                    "log:CreateProject",
                    "log:GetIndex",
                    "log:CreateIndex",
                    "log:UpdateIndex",
                    "log:CreateDashboard",
                    "log:ClearLogStoreStorage",
                    "log:UpdateLogStore",
                    "log:UpdateDashboard",
                    "log:DeleteProject",
                    "log:CreateSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:DeleteLogStore"
                ],
                "Resource": "acs:log:*:*:project/waf*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "waf.aliyuncs.com"
                    }
                }
            }
        ]
    }

    For more information about the policy syntax, see Policy elements.

Delete the service-linked role

If you no longer require WAF, you can delete the AliyunServiceRoleForWAF service-linked role. Before you can delete the service-linked role, you must release your WAF instance. After you release your WAF instance, perform the following steps:

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles.
  3. Search for AliyunServiceRoleForWAF and click Delete in the Actions column.
  4. Click OK.

FAQ

Why is the AliyunServiceRoleForWAF service-linked role not automatically created for my RAM user?

The AliyunServiceRoleForWAF service-linked role is automatically created or deleted only when your RAM user has the required permissions. To obtain the permissions, you must attach the following policy to your RAM user. For more information, see Grant permissions to a RAM role.
{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:AlibabaCloudAccountID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "waf.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
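The two policy documents on this page are worth reading as a least-privilege check: the Log Service statement of AliyunServiceRolePolicyForWAF is scoped to acs:log:*:*:project/waf*, the ram:DeleteServiceLinkedRole statement is conditioned on ram:ServiceName being waf.aliyuncs.com, while the ECS, SLB and CDN statements apply to Resource "*". The script below is an added example written for this page; it is not Alibaba Cloud code and is not part of the documentation. It loads excerpts of the service-linked role policy and of the RAM-user policy from the FAQ (trimmed to a few statements, with the account ID kept as the page's placeholder), lists the write actions granted on Resource "*", reports the resource patterns used for log: actions, and confirms that the ram:*ServiceLinkedRole actions are restricted to waf.aliyuncs.com. The function names and the "Describe/Get/List means read-only" heuristic are my own assumptions, not RAM semantics.

```python
"""Audit helpers for RAM policy documents of the shape shown on this page.

Added example, not Alibaba Cloud's code. The two policies below are excerpts
of AliyunServiceRolePolicyForWAF and of the RAM-user policy from the FAQ,
shortened to a few statements so the script stays small.
"""
import json

# Assumption: these verbs mark read-only actions (ecs:DescribeInstances, log:GetProject ...).
READ_ONLY_VERBS = ("Describe", "Get", "List")

# Excerpt of AliyunServiceRolePolicyForWAF (actions trimmed; see the page for the full policy).
SLR_POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:DescribeInstances", "ecs:CreateSecurityGroup", "ecs:DeleteSecurityGroup"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["slb:DescribeLoadBalancers"], "Resource": "*", "Effect": "Allow"},
    {"Action": ["log:PostLogStoreLogs", "log:CreateProject", "log:DeleteProject"],
     "Resource": "acs:log:*:*:project/waf*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "waf.aliyuncs.com"}}}
  ]
}
"""

# The RAM-user policy from the FAQ; AlibabaCloudAccountID is the page's placeholder, not a real ID.
RAM_USER_POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {"Action": ["ram:CreateServiceLinkedRole"],
     "Resource": "acs:ram:*:AlibabaCloudAccountID:role/*",
     "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": ["waf.aliyuncs.com"]}}}
  ]
}
"""


def _as_list(value):
    """RAM policies allow either a string or a list for Action, Resource and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True when the verb after 'service:' starts with Describe/Get/List."""
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_VERBS)


def service_condition(statement):
    """ram:ServiceName values the statement is conditioned on (empty list if unconditioned)."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    return _as_list(cond.get("ram:ServiceName"))


def unscoped_write_actions(policy):
    """Non-read-only actions allowed on Resource "*" without a ram:ServiceName condition."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        if service_condition(stmt):
            continue  # conditioned grants are checked by grants_slr_action()
        found.extend(a for a in _as_list(stmt.get("Action")) if not is_read_only(a))
    return found


def grants_slr_action(policy, action, service):
    """True if `action` is allowed and conditioned on ram:ServiceName == `service`."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or action not in _as_list(stmt.get("Action")):
            continue
        if service in service_condition(stmt):
            return True
    return False


def resources_for(policy, prefix):
    """Sorted resource patterns of statements that grant any action starting with `prefix`."""
    return sorted({r for stmt in policy["Statement"]
                   for r in _as_list(stmt.get("Resource"))
                   if any(a.startswith(prefix) for a in _as_list(stmt.get("Action")))})


SLR_POLICY = json.loads(SLR_POLICY_JSON)
RAM_USER_POLICY = json.loads(RAM_USER_POLICY_JSON)

if __name__ == "__main__":
    print("write actions on *:", unscoped_write_actions(SLR_POLICY))
    print("log: resources:", resources_for(SLR_POLICY, "log:"))
    print("SLR may delete itself, WAF only:",
          grants_slr_action(SLR_POLICY, "ram:DeleteServiceLinkedRole", "waf.aliyuncs.com"))
    print("RAM user may create the WAF SLR:",
          grants_slr_action(RAM_USER_POLICY, "ram:CreateServiceLinkedRole", "waf.aliyuncs.com"))
```

Run against the full policy from this page instead of the excerpt, the same functions show the point a reviewer cares about: every ecs:, slb:, cdn: and yundun-cert: grant is unscoped, only the log: grant is narrowed to WAF projects, and neither ram:*ServiceLinkedRole grant lets the principal create or delete service-linked roles for any service other than waf.aliyuncs.com.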