Before you use the RDS Audit Center application or the Log Audit Service application to obtain the resources of other cloud services, you must grant the required permissions to the related application by using the AliyunServiceRoleForSLSAudit service-linked role. This topic describes the scenarios and policy of the AliyunServiceRoleForSLSAudit service-linked role.

Scenarios

The AliyunServiceRoleForSLSAudit service-linked role allows the RDS Audit Center application and the Log Audit Service application to collect logs from cloud services.

For example, when you collect the logs from specific cloud services in the RDS Audit Center application or the Log Audit Service application, Log Service calls the API operations of the cloud services to obtain the information of the cloud services. To collect the required information, Log Service must assume the AliyunServiceRoleForSLSAudit service-linked role to obtain the required permissions to read and modify the resources of the cloud services. For more information, see Service-linked roles.

Description

  • Role name: AliyunServiceRoleForSLSAudit.
  • Policy attached to the role: AliyunServiceRolePolicyForSLSAudit.
  • Policy document:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "resourcemanager:ListAccounts",
                    "resourcemanager:GetAccount",
                    "resourcemanager:GetResourceDirectory",
                    "resourcemanager:GetFolder",
                    "resourcemanager:ListFoldersForParent",
                    "resourcemanager:ListAccountsForParent",
                    "rds:DescribeRegions",
                    "rds:DescribeSqlLogInstances",
                    "rds:DescribeDBInstanceAttribute",
                    "rds:ListTagResources",
                    "rds:DisableSqlLogDistribution",
                    "rds:EnableSqlLogDistribution",
                    "rds:ModifySQLCollectorPolicy",
                    "polardb:DescribeSqlLogClusters",
                    "polardb:ModifyDBClusterAuditLogCollector",
                    "polardb:DescribeDBClusterAttribute",
                    "kvstore:DescribeRegions",
                    "kvstore:DescribeInstances",
                    "kvstore:DescribeRedisLogConfig",
                    "kvstore:ModifyAuditLogConfig",
                    "kvstore:DescribeInstanceAttribute",
                    "drds:DescribeDrdsInstances",
                    "drds:DescribeDrdsDBs",
                    "drds:EnableSqlAuditExtraWrite",
                    "drds:DisableSqlAuditExtraWrite",
                    "drds:DescribeDrdsRegions",
                    "drds:DescribeDrdsSqlAuditStatus",
                    "slb:DescribeRegions",
                    "slb:DescribeLoadBalancers",
                    "slb:DescribeLoadBalancerAttribute",
                    "cs:GetClustersByUid",
                    "cs:GetClusters",
                    "kms:DescribeKeyStores",
                    "oss:GetBucketInfo",
                    "oss:ListBuckets",
                    "oss:GetBucketTagging",
                    "oss:GetBucketWorm",
                    "ecs:DescribeDisks",
                    "ecs:DescribeSnapshots",
                    "ecs:DescribeRegions"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:CreateProject",
                    "log:GetProject",
                    "log:ListProject",
                    "log:ListLogStores",
                    "log:GetLogStore",
                    "log:GetLogStoreLogs",
                    "log:PostLogStoreLogs",
                    "log:CreateIndex",
                    "log:UpdateIndex",
                    "log:CreateDashboard",
                    "log:UpdateDashboard",
                    "log:CreateLogStore",
                    "log:CreateSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:CreateJob",
                    "log:UpdateJob"
                ],
                "Resource": [
                    "acs:log:*:*:project/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:GetApp",
                    "log:UpdateApp"
                ],
                "Resource": [
                    "acs:log:*:*:app/audit"
                ],
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "audit.log.aliyuncs.com"
                    }
                }
            }
        ]
    }