This topic describes how to grant the operation permissions on RDS Audit Center to a RAM user.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

You can grant the operation permissions to a RAM user in one of the following modes:
  • Simple mode: Attach system policies that grant the RAM user all permissions on Log Service. No parameters need to be configured, but the grant is far broader than RDS Audit Center requires.
  • Custom mode: Create custom policies and attach them to the RAM user. This mode requires more configuration but provides fine-grained access control, so the RAM user receives only the permissions it needs.

Simple mode

Log on to the RAM console by using your Alibaba Cloud account. Then, attach the AliyunLogFullAccess and AliyunRAMFullAccess policies to the RAM user. This way, the RAM user has all permissions on Log Service. For more information, see Grant permissions to a RAM user.

Custom mode

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. Create a policy.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Custom Policy page, configure the parameters and click OK. The following table describes the parameters.
      Parameter            Description
      Policy Name          Enter a name for the policy.
      Configuration Mode   Select Script.
      Policy Document      Replace the content in the editor with one of the following scripts.

      You can grant the read-only permissions or read and write permissions on RDS Audit Center to the RAM user.

      • Read-only permissions: Use the following script to authorize the RAM user only to view the pages of RDS Audit Center.
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "rds:DescribeSqlLogInstances",
                        "rds:DisableSqlLogDistribution"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "log:CreateLogStore",
                        "log:CreateIndex",
                        "log:UpdateIndex",
                        "log:ListLogStores",
                        "log:GetLogStore",
                        "log:GetLogStoreLogs",
                        "log:CreateDashboard",
                        "log:CreateChart",
                        "log:UpdateDashboard"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/sls-alert-*/logstore/*",
                        "acs:log:*:*:project/sls-alert-*/dashboard/*"
                    ]
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "log:CreateProject"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/sls-alert-*"
                    ]
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "log:GetLogStore",
                        "log:ListLogStores",
                        "log:GetIndex",
                        "log:GetLogStoreHistogram",
                        "log:GetLogStoreLogs",
                        "log:GetDashboard",
                        "log:ListDashboard",
                        "log:ListSavedSearch",
                        "log:GetProjectLogs"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/*/logstore/*",
                        "acs:log:*:*:project/*/dashboard/*",
                        "acs:log:*:*:project/*/savedsearch/*"
                    ]
                },
                {
                    "Action": [
                        "ram:GetRole"
                    ],
                    "Resource": "acs:ram:*:*:role/aliyunlogarchiverole",
                    "Effect": "Allow"
                }
            ]
        }
      • Read and write permissions: Use the following script to authorize the RAM user to perform all operations supported by RDS Audit Center.
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "rds:DescribeSqlLogInstances",
                        "rds:DisableSqlLogDistribution",
                        "rds:EnableSqlLogDistribution",
                        "rds:ModifySQLCollectorPolicy"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "log:CreateLogStore",
                        "log:CreateIndex",
                        "log:UpdateIndex",
                        "log:ListLogStores",
                        "log:GetLogStore",
                        "log:GetLogStoreLogs",
                        "log:CreateDashboard",
                        "log:CreateChart",
                        "log:UpdateDashboard"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/sls-alert-*/logstore/*",
                        "acs:log:*:*:project/sls-alert-*/dashboard/*"
                    ]
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "log:CreateProject"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/sls-alert-*"
                    ]
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "log:GetLogStore",
                        "log:ListLogStores",
                        "log:GetIndex",
                        "log:GetLogStoreHistogram",
                        "log:GetLogStoreLogs",
                        "log:GetDashboard",
                        "log:ListDashboard",
                        "log:ListSavedSearch",
                        "log:CreateLogStore",
                        "log:CreateIndex",
                        "log:UpdateIndex",
                        "log:CreateDashboard",
                        "log:CreateChart",
                        "log:UpdateDashboard",
                        "log:UpdateLogStore",
                        "log:GetProjectLogs"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/*/logstore/*",
                        "acs:log:*:*:project/*/dashboard/*",
                        "acs:log:*:*:project/*/savedsearch/*"
                    ]
                },
                {
                    "Action": [
                        "log:SetGeneralDataAccessConfig"
                    ],
                    "Resource": [
                        "acs:log:*:*:resource/sls.general_data_access.rds.global_conf.single_account_channel/record"
                    ],
                    "Effect": "Allow"
                },
                {
                    "Action": "ram:CreateServiceLinkedRole",
                    "Resource": "*",
                    "Effect": "Allow",
                    "Condition": {
                        "StringEquals": {
                            "ram:ServiceName": "audit.log.aliyuncs.com"
                        }
                    }
                },
                {
                    "Action": [
                        "ram:*"
                    ],
                    "Resource": [
                        "acs:ram:*:*:role/aliyunlogarchiverole",
                        "acs:ram:*:*:policy/AliyunLogArchiveRolePolicy"
                    ],
                    "Effect": "Allow"
                }
            ]
        }
  3. Attach the policy to the RAM user.
    1. In the left-side navigation pane, choose Identities > Users.
    2. On the Users page, find the RAM user and click Add Permissions in the Actions column.
    3. In the Select Policy section of the Add Permissions panel, click Custom Policy and click the policy created in Step 2.
    4. Click OK.