If this is the first time you enable the Log Service for WAF or asset discovery feature, you must authorize Web Application Firewall (WAF) to access cloud resources. This topic describes how to perform the authorization.

Prerequisites

  • A WAF instance is purchased. For more information, see Purchase a WAF instance.
  • You use an Alibaba Cloud account or a Resource Access Management (RAM) user that has permissions to create and delete service-linked roles.

Background information

When you use the Log Service for WAF and asset discovery features, WAF needs to access cloud resources, such as ECS instances, ALB and CLB instances of SLB, Alibaba Cloud DNS, Alibaba Cloud CDN, SSL Certificates Service, and Log Service. In this case, Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. You do not need to manually create or modify the service-linked role. For more information, see Service-linked roles.

For more information about WAF features, see Asset discovery and Log Service for WAF.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. Authorize WAF to access cloud resources.
    If this is the first time you enable or use the Log Service for WAF or asset discovery feature, Alibaba Cloud prompts you to authorize WAF to access other cloud resources.

    You can use one of the following methods to perform the authorization. You need to perform the authorization only once.

    • Method 1: Perform the authorization on the Log Service page

      Limits: You can use this method only after you add your website to WAF and enable Log Service for WAF. For more information about how to add a website to WAF, see Add a website. For more information about how to enable Log Service for WAF, see Enable Log Service for WAF.

      Perform the following steps:
      1. In the left-side navigation pane, choose Log Management > Log Service.
      2. Click Authorize Now.
    • Method 2: Perform the authorization on the Asset Discovery page

      Limits: You can use the asset discovery feature only if your WAF instance is deployed in mainland China. If your WAF instance is deployed outside mainland China, you must perform the authorization on the Log Service page.

      Perform the following steps:
      1. In the left-side navigation pane, choose Asset Center > Asset Discovery.
      2. Click Authorized activation.
  4. In the Tips message, click OK.
    After you click OK, Alibaba Cloud creates the AliyunServiceRoleForWAF service-linked role.
    To view the service-linked role, log on to the RAM console and choose Identities > Roles in the left-side navigation pane. After Alibaba Cloud creates the AliyunServiceRoleForWAF service-linked role, your WAF instance can access the associated cloud resources, such as ECS instances, ALB and CLB instances of SLB, Alibaba Cloud DNS, Alibaba Cloud CDN, SSL Certificates Service, and Log Service.

Introduction to the WAF service-linked role

The following list describes the AliyunServiceRoleForWAF service-linked role:

  • Role name: AliyunServiceRoleForWAF
  • Policy name: AliyunServiceRolePolicyForWAF
    Note This is a system policy. You cannot modify the name or content of this policy.
  • Example:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:CreateNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:AttachNetworkInterface",
                    "ecs:DetachNetworkInterface",
                    "ecs:DescribeNetworkInterfacePermissions",
                    "ecs:CreateNetworkInterfacePermission",
                    "ecs:DeleteNetworkInterfacePermission",
                    "ecs:DescribeSecurityGroups",
                    "ecs:DescribeSecurityGroupAttribute",
                    "ecs:CreateSecurityGroup",
                    "ecs:DeleteSecurityGroup",
                    "ecs:AuthorizeSecurityGroup",
                    "ecs:RevokeSecurityGroup",
                    "ecs:DescribeDisks"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "slb:DescribeServerCertificates",
                    "slb:DescribeDomainExtensions",
                    "slb:DescribeLoadBalancers",
                    "slb:DescribeListenerAccessControlAttribute",
                    "slb:DescribeLoadBalancerAttribute",
                    "slb:DescribeLoadBalancerHTTPListenerAttribute",
                    "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                    "slb:DescribeLoadBalancerTCPListenerAttribute",
                    "slb:DescribeLoadBalancerUDPListenerAttribute"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "cdn:DescribeUserDomains",
                    "cdn:DescribeCdnDomainDetail",
                    "cdn:DescribeDomainsBySource",
                    "cdn:DescribeUserVipsByDomain"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "yundun-cert:DescribeUserCertificateList"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:PostLogStoreLogs",
                    "log:GetProject",
                    "log:ListProject",
                    "log:GetLogStore",
                    "log:ListLogStores",
                    "log:CreateLogStore",
                    "log:CreateProject",
                    "log:GetIndex",
                    "log:CreateIndex",
                    "log:UpdateIndex",
                    "log:CreateDashboard",
                    "log:ClearLogStoreStorage",
                    "log:UpdateLogStore",
                    "log:UpdateDashboard",
                    "log:DeleteProject",
                    "log:CreateSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:DeleteLogStore"
                ],
                "Resource": "acs:log:*:*:project/waf*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "waf.aliyuncs.com"
                    }
                }
            }
        ]
    }

    For more information about the policy syntax, see Policy elements.
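Two details of the policy above are worth verifying rather than reading past: the log:* actions are scoped to Log Service projects whose names start with waf, and ram:DeleteServiceLinkedRole is allowed only when the ram:ServiceName condition key equals waf.aliyuncs.com, so the role cannot delete service-linked roles of other services. The following Python evaluator is an added example, not code from the Alibaba Cloud documentation or SDK; it embeds a constructed excerpt of the policy above and of the RAM user policy from the FAQ (with a placeholder account ID), and its wildcard and StringEquals handling is a simplification of how RAM itself evaluates policies.

```python
import fnmatch
import json
# Constructed excerpt of the AliyunServiceRolePolicyForWAF document shown above:
# one statement per resource scope, enough to exercise each matching rule.
WAF_SLR_POLICY = json.loads("""{
  "Version": "1", "Statement": [
    {"Action": ["ecs:DescribeInstances", "ecs:DescribeSecurityGroups"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["log:CreateProject", "log:DeleteProject", "log:DeleteLogStore"],
     "Resource": "acs:log:*:*:project/waf*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "waf.aliyuncs.com"}}}
  ]}""")

# Constructed: the RAM user policy from the FAQ, with placeholder account ID 123456789012.
USER_POLICY = json.loads("""{
  "Version": "1", "Statement": [
    {"Action": ["ram:CreateServiceLinkedRole"],
     "Resource": "acs:ram:*:123456789012:role/*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": ["waf.aliyuncs.com"]}}}
  ]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    # StringEquals is the only operator these policies use; every key must match.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True

def is_allowed(policy, action, resource, context=None):
    """True if an Allow statement matches and no Deny statement does.
    Action/Resource wildcards use fnmatch, a simplification of RAM's own matching."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running the evaluator against the full policy document (loaded from the RAM console export) shows the same pattern: broad read access to ECS, SLB, CDN and certificates, write access confined to waf* Log Service projects, and role deletion confined to the WAF service.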

Delete the service-linked role

If you no longer need to use WAF, you can delete the AliyunServiceRoleForWAF service-linked role. Before you delete the service-linked role, you must release your WAF instance. After you release your WAF instance, perform the following steps:

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. Find the AliyunServiceRoleForWAF service-linked role that you want to delete and click Delete in the Actions column.
  4. Click OK.
    RAM checks whether the WAF service-linked role is assumed by a WAF instance:
    • If the role is not assumed, the WAF service-linked role is deleted.
    • If the role is assumed, the role cannot be deleted. However, you can view the WAF instances that assume the service-linked role. You must release your WAF instance before you can delete the service-linked role.

FAQ

Why is the AliyunServiceRoleForWAF service-linked role not automatically created for my RAM user?

The AliyunServiceRoleForWAF service-linked role can be automatically created or deleted only if your RAM user has the required permissions. To obtain the permissions, you must attach the following policy to your RAM user. For more information, see Grant permissions to a RAM role.
{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "waf.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}