
Simple Log Service:Authorization rules

Last Updated:Mar 01, 2024

Simple Log Service allows you to use authorization rules to perform RAM user authorization, RAM role authorization, tag-based authorization, and cross-service access authorization. This topic describes the policy elements that are defined by Simple Log Service, such as Action and Resource. You can configure policies to perform fine-grained access control.

Policy

A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information about the policy elements, structure, and syntax, see Policy elements and Policy structure and syntax.

RAM supports the following two types of policies:

  • System policy: System policies are created and upgraded by Alibaba Cloud. You can use system policies but cannot modify them.

  • Custom policy: You can create, modify, delete, and upgrade custom policies to meet your business requirements.

You can attach one or more policies to RAM users, RAM user groups, and RAM roles. For more information, see Grant permissions to a RAM user, Grant permissions to a RAM user group, and Grant permissions to a RAM role.

Policy elements

For information about the concepts and syntax of policies, see Policy elements.

| Element | Description |
| --- | --- |
| Effect | Specifies whether a statement result is an explicit allow or an explicit deny. Valid values: Allow and Deny. |
| Action | Describes one or more API operations that are allowed or denied. |
| Resource | Specifies one or more objects that the statement covers. |
| Condition | Specifies the conditions that are required for a policy to take effect. |
| Principal | Specifies the principal that is allowed or denied access to a resource. This element is available only for resource-based policies, such as a trust policy that specifies a trusted entity to assume a RAM role. |

Procedure

  1. Create an account administrator.

    An Alibaba Cloud account has full management permissions on the resources within the account. You cannot impose limits such as limits on source IP addresses and time periods of access by using an Alibaba Cloud account. If an Alibaba Cloud account is shared by multiple users, you cannot identify a specific user in audit logs. If an Alibaba Cloud account is disclosed, security risks may arise. We recommend that you do not use an Alibaba Cloud account to perform daily O&M operations.

    You can create a Resource Access Management (RAM) user in RAM and attach the AdministratorAccess policy to the RAM user. Then, you can use the RAM user as an account administrator to manage all cloud resources that belong to the Alibaba Cloud account. You can use the account administrator to create multiple RAM users for access control.

  2. Create a custom policy.

    RAM provides system policies and custom policies. System policies are created and updated by Alibaba Cloud. You can use system policies, but you cannot modify them. If system policies cannot meet your requirements, you can configure a custom policy to perform fine-grained access control.

  3. Create a RAM user, RAM user group, or RAM role and grant permissions to it:

    • Create a RAM user.

      You can create RAM users and grant permissions to the RAM users to access different resources.

      If multiple users in your enterprise need to simultaneously access resources, you can use RAM to assign the least permissions to the users. This prevents the users from sharing the username and password or AccessKey pair of an Alibaba Cloud account and reduces security risks.

    • Create a RAM user group and grant permissions to the group.

      RAM user groups are physical identities. You can create RAM user groups to classify RAM users and grant permissions to the RAM users that have the same responsibilities. This simplifies the management of RAM users and their permissions.

    • Create a RAM role and attach the required policies to the role.

      A RAM role is a virtual identity to which policies can be attached. A RAM role does not have permanent identity credentials, such as a logon password or an AccessKey pair. A RAM role can be used only after the role is assumed by a trusted entity. After a RAM role is assumed by a trusted entity, the trusted entity can obtain a Security Token Service (STS) token. Then, the trusted entity can use the STS token to access Alibaba Cloud resources as the RAM role. For information about how to use a RAM role, see Assume a RAM role.

Action

The Action element is in the log:${API name} format. ${API name} specifies the name of a Simple Log Service API operation. For information about the API operations provided by Simple Log Service, see API overview.

When you create a policy, separate multiple action names with commas (,). You can use asterisks (*) as wildcards. For example, log:Create* matches every API operation whose name starts with Create, such as CreateProduct, CreateThingModel, and CreateProductTopic.

Important

The GetCursor, PullData, and GetCursorTime operations share the same action: log:GetCursorOrData.

Resource

The resources in Simple Log Service are organized into a hierarchy. Projects are root resources. Logstores, Logtail configurations, and machine groups are parallel sub-resources of projects. Log shipping jobs and consumer groups are sub-resources of Logstores.

| Resource type | ARN |
| --- | --- |
| Project | acs:log:${regionName}:${uid}:project/${projectName} |
| | acs:log:${regionName}:${uid}:project/* |
| Project:Logstore | acs:log:${regionName}:${uid}:project/${projectName}/logstore/${logstoreName} |
| | acs:log:${regionName}:${uid}:project/${projectName}/logstore/* |
| Project:Logstore:Shipper | acs:log:${regionName}:${uid}:project/${projectName}/logstore/${logstoreName}/shipper/${shipperName} |
| | acs:log:${regionName}:${uid}:project/${projectName}/logstore/${logstoreName}/shipper/* |
| Project:Config | acs:log:${regionName}:${uid}:project/${projectName}/logtailconfig/${logtailConfigName} |
| | acs:log:${regionName}:${uid}:project/${projectName}/logtailconfig/* |
| Project:MachineGroup | acs:log:${regionName}:${uid}:project/${projectName}/machinegroup/${machineGroupName} |
| | acs:log:${regionName}:${uid}:project/${projectName}/machinegroup/* |
| Project:ConsumerGroup | acs:log:${regionName}:${uid}:project/${projectName}/logstore/${logstoreName}/consumergroup/${consumerGroupName} |
| | acs:log:${regionName}:${uid}:project/${projectName}/logstore/${logstoreName}/consumergroup/* |
| Project:SavedSearch | acs:log:${regionName}:${uid}:project/${projectName}/savedsearch/${savedSearchName} |
| | acs:log:${regionName}:${uid}:project/${projectName}/savedsearch/* |
| Project:Dashboard | acs:log:${regionName}:${uid}:project/${projectName}/dashboard/${dashboardName} |
| | acs:log:${regionName}:${uid}:project/${projectName}/dashboard/* |
| Project:Alarm | acs:log:${regionName}:${uid}:project/${projectName}/alert/${alarmName} |
| | acs:log:${regionName}:${uid}:project/${projectName}/alert/* |
| All types of resources | acs:log:${regionName}:${uid}:* |
| | acs:log:*:${uid}:* |

Parameters

| Parameter | Description |
| --- | --- |
| ${regionName} | The name of a region. |
| ${uid} | The ID of an Alibaba Cloud account. |
| ${projectName} | The name of a project. |
| ${logstoreName} | The name of a Logstore. |
| ${logtailConfigName} | The name of a Logtail configuration. |
| ${machineGroupName} | The name of a machine group. |
| ${shipperName} | The name of a log shipping job. |
| ${consumerGroupName} | The name of a consumer group. |
| ${savedSearchName} | The name of a saved search. |
| ${dashboardName} | The name of a dashboard. |
| ${alarmName} | The name of an alert rule. |
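The following added example, which is not part of the original topic or of the RAM service, walks through how the Action and Resource rules above combine: it builds Logstore ARNs from the parameters in the table, maps GetCursor, PullData, and GetCursorTime to the shared log:GetCursorOrData action, and evaluates a constructed least-privilege policy in the simplified order explicit Deny, then explicit Allow, otherwise deny. The region, account ID, project, and Logstore names are constructed placeholders, and the evaluator ignores Condition and every other rule of the real RAM engine.

```python
import fnmatch

# Constructed sample values (not from the page).
REGION, UID, PROJECT = "cn-hangzhou", "123456789012", "demo-project"

# GetCursor, PullData and GetCursorTime are authorized under one action name.
ACTION_ALIASES = {"GetCursor": "GetCursorOrData",
                  "PullData": "GetCursorOrData",
                  "GetCursorTime": "GetCursorOrData"}


def logstore_arn(region, uid, project, logstore="*"):
    """Build a Project:Logstore ARN in the format documented above."""
    return f"acs:log:{region}:{uid}:project/{project}/logstore/{logstore}"


def action_name(api):
    """Translate an API operation name into its log:${API name} action."""
    return "log:" + ACTION_ALIASES.get(api, api)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, api, resource_arn):
    """Simplified evaluation: a matching Deny wins, then a matching Allow, else deny.
    Only Action and Resource wildcards are honoured; Condition is not evaluated."""
    action = action_name(api)
    allowed = False
    for stmt in policy["Statement"]:
        act_ok = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed policy: read-only access to one Logstore, plus an explicit Deny
# on every Delete* operation anywhere in the project.
EXAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["log:Get*", "log:List*"],
         "Resource": logstore_arn(REGION, UID, PROJECT, "app-log")},
        {"Effect": "Deny", "Action": "log:Delete*",
         "Resource": f"acs:log:{REGION}:{UID}:project/{PROJECT}/*"},
    ],
}
```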