
Simple Log Service:Overview

Last Updated:Oct 26, 2023

This topic introduces the basic concepts and operations of Resource Access Management (RAM). You can use these operations to manage user identities, control resource access, authorize RAM users to access Log Service, authorize Log Service to read logs, and authorize a RAM role to manage Log Service resources.

Basic concepts

RAM allows you to manage user identities and control resource access. You can create RAM users for employees, systems, and applications and authorize the RAM users to access resources of your Alibaba Cloud account. If multiple users in your enterprise need to access the same resources, you can use RAM to grant the minimum permissions to these users. This eliminates the need to share the AccessKey pair of your Alibaba Cloud account with these users and reduces security risks.

RAM allows you to implement fine-grained access control on Log Service resources. You can achieve this by creating RAM users and RAM roles and granting permissions on Log Service resources to the users and roles.

Operations

  • Manage user identities

    You can use RAM to manage the user identities under your Alibaba Cloud account, such as RAM users, RAM roles, and user groups. You can also authorize these RAM users, RAM roles, and user groups to access and manage Log Service resources of your Alibaba Cloud account.

    Log Service allows you to collect logs from cloud services such as API Gateway and Server Load Balancer (SLB). You can create a RAM role and authorize the role to access the services on the Cloud Resource Access Authorization page.

    Role | Default permission | Description
    AliyunLogArchiveRole | AliyunLogArchiveRolePolicy | Log Service can assume this role to access SLB logs. The default policy is used to export SLB logs. To authorize Log Service to assume this role, click Cloud Resource Access Authorization.
    AliyunLogDefaultRole | AliyunLogRolePolicy | Log Service can assume this role to access your resources of other Alibaba Cloud services. To authorize Log Service to assume this role, click Cloud Resource Access Authorization.
    AliyunLogETLRole | AliyunLogETLRolePolicy | Log Service can assume this role to extract, transform, and load data of other Alibaba Cloud services. To authorize Log Service to assume this role, click Cloud Resource Access Authorization.
    AliyunMNSLoggingRole | AliyunMNSLoggingRolePolicy | Log Service can assume this role to access Message Service (MNS) logs. The default policy is used to export MNS logs and write logs to OSS. To authorize Log Service to assume this role, click Cloud Resource Access Authorization.
  • Control resource access

    You can grant permissions to RAM users, RAM roles, and user groups that belong to your Alibaba Cloud account.

    You can use system policies or customize finer-grained policies. For more information, see Overview.

    The following table describes the system policies that are supported by Log Service.
    Policy | Type | Description
    AliyunLogFullAccess | System policy | The policy grants full access to Log Service resources.
    AliyunLogReadOnlyAccess | System policy | The policy grants read-only access to Log Service resources.
  • Authorize a RAM user to access Log Service

    Your business may require you to grant O&M personnel management permissions on Log Service resources, or other personnel may require access permissions on Log Service resources. In this case, you need to grant the required permissions to the personnel, who can then access Log Service resources as RAM users. For data security reasons, we recommend that you follow the principle of least privilege (PoLP) when you grant permissions to RAM users.

    For more information, see Create a RAM user and authorize the RAM user to access Simple Log Service.

  • Authorize Log Service to read logs

    Log Service can read log data and generate alerts based on the data. To allow Log Service to read log data, you must grant the required permissions to Log Service.

    For more information, see Assign a RAM role to an Alibaba Cloud service.

  • Authorize a RAM role to manage Log Service resources

    A RAM role is a virtual identity that does not have any credentials, such as a password or an AccessKey pair. You can assign a RAM role to a trusted entity, such as an Alibaba Cloud account, RAM user, or Alibaba Cloud service. After the trusted entity receives an STS token for the RAM role, the trusted entity can use the STS token to access the resources that the RAM role is authorized to use.
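The following is an added illustration, not Alibaba Cloud's own code or documentation, of the difference between a broad system policy and a custom least-privilege policy as discussed above. It contrasts a full-access policy shape with a custom policy scoped to read-only actions on one project and logstore, and checks both with a deliberately simplified model of RAM policy evaluation (default deny, explicit Deny wins, wildcard matching on Action and Resource); the project and logstore names are placeholders.

```python
"""Least-privilege RAM policy for Log Service with a simplified evaluator.

Added illustration, not Alibaba Cloud code. `is_allowed` is a simplified
model of RAM policy matching (default deny, explicit Deny overrides Allow,
'*' wildcards in Action and Resource); it is NOT the real RAM engine.
The project and logstore names are placeholders.
"""
from fnmatch import fnmatchcase

# Broad policy shape, comparable to AliyunLogFullAccess: every action on every resource.
FULL_ACCESS = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "log:*", "Resource": "*"}],
}

# Custom policy scoped to read-only actions on a single project and logstore.
# Resources use the Log Service form acs:log:<region>:<account>:project/<name>[/logstore/<name>].
SCOPED_READ_ONLY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["log:Get*", "log:List*"],
            "Resource": [
                "acs:log:*:*:project/example-project",
                "acs:log:*:*:project/example-project/logstore/app-logstore",
            ],
        },
        # An explicit Deny stays in force even if a broader Allow is attached later.
        {"Effect": "Deny", "Action": "log:Delete*", "Resource": "*"},
    ],
}


def _as_list(value):
    """RAM allows Action/Resource to be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Return True if `policy` permits `action` on `resource` under the simplified model."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny overrides any matching Allow
        allowed = True
    return allowed
```

Running `is_allowed` with the scoped policy shows that a read action on another project, or a write action on the permitted logstore, is refused, while the full-access shape permits everything including deletes.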