If you want to enable the Log Service, asset discovery, and transparent proxy mode features for Web Application Firewall (WAF), you must authorize WAF to access cloud resources when you log on to the WAF console for the first time. This topic describes how to authorize WAF to access cloud resources.

Introduction to service-linked roles

The following section describes the AliyunServiceRoleForWAF service-linked role:

  • Role name: AliyunServiceRoleForWAF
  • Policy name: AliyunServiceRolePolicyForWAF
    Note This is a system policy. You cannot modify the name or content of this policy.
  • Policy:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:CreateNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:AttachNetworkInterface",
                    "ecs:DetachNetworkInterface",
                    "ecs:DescribeNetworkInterfacePermissions",
                    "ecs:CreateNetworkInterfacePermission",
                    "ecs:DeleteNetworkInterfacePermission",
                    "ecs:DescribeSecurityGroups",
                    "ecs:DescribeSecurityGroupAttribute",
                    "ecs:CreateSecurityGroup",
                    "ecs:DeleteSecurityGroup",
                    "ecs:AuthorizeSecurityGroup",
                    "ecs:RevokeSecurityGroup",
                    "ecs:DescribeDisks"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "slb:DescribeServerCertificates",
                    "slb:DescribeDomainExtensions",
                    "slb:DescribeLoadBalancers",
                    "slb:DescribeListenerAccessControlAttribute",
                    "slb:DescribeLoadBalancerAttribute",
                    "slb:DescribeLoadBalancerHTTPListenerAttribute",
                    "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                    "slb:DescribeLoadBalancerTCPListenerAttribute",
                    "slb:DescribeLoadBalancerUDPListenerAttribute",
                    "slb:DescribeTLSCipherPolicies",
                    "slb:ListTLSCipherPolicies",
                    "slb:DescribeLoadBalancers"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "alb:ListLoadBalancers",
                    "alb:GetLoadBalancerAttribute",
                    "alb:ListListeners",
                    "alb:GetListenerAttribute",
                    "alb:ListListenerCertificates",
                    "alb:DescribeRegions",
                    "alb:ListSystemSecurityPolicies",
                    "alb:ListSecurityPolicies"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeEipAddresses"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "cdn:DescribeUserDomains",
                    "cdn:DescribeCdnDomainDetail",
                    "cdn:DescribeDomainsBySource",
                    "cdn:DescribeUserVipsByDomain"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "yundun-cert:DescribeUserCertificateList"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:PostLogStoreLogs",
                    "log:GetProject",
                    "log:ListProject",
                    "log:GetLogStore",
                    "log:ListLogStores",
                    "log:CreateLogStore",
                    "log:CreateProject",
                    "log:GetIndex",
                    "log:CreateIndex",
                    "log:UpdateIndex",
                    "log:CreateDashboard",
                    "log:ClearLogStoreStorage",
                    "log:UpdateLogStore",
                    "log:UpdateDashboard",
                    "log:DeleteProject",
                    "log:CreateSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:DeleteLogStore"
                ],
                "Resource": "acs:log:*:*:project/waf*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "waf.aliyuncs.com"
                    }
                }
            }
        ]
    }

    For more information about the policy syntax, see Policy elements.
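A reviewer who inherits a policy like the one above usually wants to know which statements grant mutating actions on every resource ("*") with no Condition attached, because those are the grants worth tracking rather than the read-only Describe/List/Get calls. The following script is an added example, not Alibaba Cloud code: it runs that check over an abridged, constructed copy of AliyunServiceRolePolicyForWAF (one statement per pattern in the full policy, with the action lists trimmed). The `READ_ONLY_PREFIXES` heuristic, the `Finding` type and the function names are assumptions of this script, not RAM concepts.

```python
"""Audit a RAM policy document for Allow statements that grant mutating
actions on Resource "*" without any Condition narrowing them.

Added example for the service-linked role policy shown above; it is not
Alibaba Cloud code. The READ_ONLY_PREFIXES heuristic and the Finding type
are assumptions of this script.
"""
import json
from dataclasses import dataclass, field

# Verbs that only read state. Anything else (Create, Delete, Attach,
# Authorize, Post, Update, ...) is treated as mutating.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

# Abridged copy of AliyunServiceRolePolicyForWAF: one statement per pattern
# that appears in the full policy (constructed sample, action lists trimmed).
POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteSecurityGroup",
                "ecs:AuthorizeSecurityGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": ["slb:DescribeLoadBalancers", "alb:ListListeners"],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": ["log:PostLogStoreLogs", "log:CreateProject", "log:DeleteProject"],
            "Resource": "acs:log:*:*:project/waf*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "waf.aliyuncs.com"}}
        }
    ]
}
""")


@dataclass
class Finding:
    statement_index: int
    mutating_actions: list = field(default_factory=list)


def _as_list(value):
    # RAM allows Action and Resource to be a single string or a list.
    return [value] if isinstance(value, str) else list(value)


def is_mutating(action):
    """True unless the verb part of "service:Verb" starts with a read-only prefix."""
    _, _, verb = action.partition(":")
    return not verb.startswith(READ_ONLY_PREFIXES)


def audit(policy):
    """Return one Finding per Allow statement that grants mutating actions on
    Resource "*" and carries no Condition."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        mutating = [a for a in _as_list(stmt["Action"]) if is_mutating(a)]
        unscoped = "*" in _as_list(stmt.get("Resource", "*"))
        if mutating and unscoped and "Condition" not in stmt:
            findings.append(Finding(idx, mutating))
    return findings


def services_granted(policy):
    """Set of service prefixes the policy touches, e.g. {"ecs", "log"}."""
    return {a.partition(":")[0] for s in policy["Statement"] for a in _as_list(s["Action"])}


if __name__ == "__main__":
    for f in audit(POLICY):
        print(f"statement {f.statement_index}: unscoped mutating actions {f.mutating_actions}")
    print("services:", sorted(services_granted(POLICY)))
```

Run against the abridged sample, only the ECS statement is reported: the SLB/ALB statement is read-only, the Log Service statement is scoped to `acs:log:*:*:project/waf*`, and the `ram:DeleteServiceLinkedRole` statement is narrowed by its `ram:ServiceName` condition. Pasting the full policy from the page in place of the sample gives the complete picture for a review.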

Prerequisites

  • A WAF instance is purchased.
  • An Alibaba Cloud account or a RAM user that has permissions to create and delete service-linked roles is used.

Create the AliyunServiceRoleForWAF role

By enabling Log Service

You can create the AliyunServiceRoleForWAF role by enabling Log Service only when your website has been added to WAF and Log Service has been enabled for WAF. For more information about how to add a website to WAF, see Add a website to WAF. For more information about how to enable Log Service for WAF, see Get started with the Log Service for WAF feature.

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
  2. In the left-side navigation pane, choose Security Operations > Log Service.
  3. Click Authorize Now. In the Tips message, click OK.

By enabling Asset Discovery

You can create the AliyunServiceRoleForWAF role by enabling the asset discovery feature only when your WAF instance resides in the Chinese mainland. If your WAF instance resides outside the Chinese mainland, you must create the AliyunServiceRoleForWAF role by enabling Log Service or the transparent proxy mode.

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
  2. In the left-side navigation pane, choose Asset Center > Asset Discovery.
  3. Click Authorized activation. In the Tips message, click OK.

By enabling Transparent Proxy Mode

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
  2. In the left-side navigation pane, choose Asset Center > Website Access.
  3. On the Domain Names tab, click Website Access.
  4. Set Access Mode to Transparent Proxy Mode. Then, click Authorized activation. In the Tips message, click OK.

After you complete any of the preceding procedures, Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose Identities > Roles in the left-side navigation pane.

Delete the AliyunServiceRoleForWAF role

If you no longer need to use WAF, you can delete the AliyunServiceRoleForWAF service-linked role. For more information, see Delete a RAM role.
Important You can delete the service-linked role only after the instance expires and is automatically released.
  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. Find the AliyunServiceRoleForWAF service-linked role that you want to delete and click Delete in the Actions column.
  4. In the message that appears, click OK.
    RAM checks whether the service-linked role is assumed by a WAF instance:
    • If the role is not assumed, the WAF service-linked role is deleted.
    • If the role is assumed, the role cannot be deleted. However, you can view the WAF instances that assume the service-linked role. You must release your WAF instance before you can delete the service-linked role.

FAQ

Why is the AliyunServiceRoleForWAF service-linked role not automatically created for my RAM user?

A RAM user must be granted the required permissions before the RAM user can automatically create or delete a service-linked role. To obtain the permissions, you must attach the following policy to your RAM user. For more information, see Grant permissions to a RAM role.
{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "waf.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
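Before attaching the policy above, it helps to confirm what it actually permits: only `ram:CreateServiceLinkedRole`, only for roles in your own account, and only when the service requesting the role is `waf.aliyuncs.com`. The following script is an added example, not Alibaba Cloud code. It implements just the subset of RAM policy evaluation this policy uses (Action and Resource wildcard matching, explicit Deny precedence and the `StringEquals` condition on `ram:ServiceName`) and runs it over the policy from this FAQ with a constructed placeholder account ID substituted for "ID of your Alibaba Cloud account". The function names and the resource string passed to the check are assumptions of this script.

```python
"""Simulate whether a RAM user's policy permits creating the WAF
service-linked role.

Added example, not Alibaba Cloud code. Only the policy features used on
this page are implemented: Action/Resource wildcards, Deny precedence and
the StringEquals condition operator.
"""
import json
from fnmatch import fnmatchcase

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account ID

# Policy from the FAQ, with the account ID placeholder filled in.
USER_POLICY = json.loads("""
{
    "Statement": [
        {
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": "acs:ram:*:%s:role/*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": ["waf.aliyuncs.com"]}}
        }
    ],
    "Version": "1"
}
""" % ACCOUNT_ID)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _condition_holds(condition, context):
    """Evaluate a Condition block against request context keys.

    Only StringEquals is implemented; any other operator is treated as not
    satisfied so the simulation errs on the side of denying."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in clauses.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """True if some Allow statement matches and no matching Deny exists."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*"))):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed


def can_create_waf_slr(policy, account_id=ACCOUNT_ID, service="waf.aliyuncs.com"):
    """Would this policy let the user create AliyunServiceRoleForWAF?

    The resource string is constructed to follow the acs:ram:*:<account>:role/<name>
    shape of the policy's Resource pattern."""
    resource = f"acs:ram::{account_id}:role/AliyunServiceRoleForWAF"
    return is_allowed(policy, "ram:CreateServiceLinkedRole", resource,
                      {"ram:ServiceName": service})


if __name__ == "__main__":
    print("own account, WAF service:", can_create_waf_slr(USER_POLICY))
    print("other service:", can_create_waf_slr(USER_POLICY, service="ecs.aliyuncs.com"))
    print("other account:", can_create_waf_slr(USER_POLICY, account_id="999999999999"))
```

The three checks in the `__main__` block show the boundaries the policy draws: the grant works for a WAF service-linked role in the user's own account and fails for another service or another account, which is why the `ram:ServiceName` condition is worth keeping rather than dropping for convenience.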