This topic provides an overview of Resource Access Management (RAM).

RAM allows you to manage user identities and control access to resources. You can create RAM users for employees, systems, and applications and grant them access to resources of your Alibaba Cloud account. If multiple users in your enterprise need to access the same resources, you can use RAM to grant each user only the minimum permissions required. In this way, you do not need to share the AccessKey pair of your Alibaba Cloud account with these users, which reduces the security risks to your enterprise data.

To implement fine-grained access control on Log Service resources, you can create RAM users and RAM roles, and grant permissions on Log Service resources to the users and roles.

Identity management

You can use RAM to manage identities. For example, you can create RAM users and user groups under your Alibaba Cloud account. You can also create a RAM role for Log Service. In addition, you can create RAM roles for trusted accounts and grant them access to resources of your Alibaba Cloud account.

Log Service allows you to collect logs from cloud services such as API Gateway and Server Load Balancer (SLB). You can create a role for Log Service and authorize the role to access the services on the Cloud Resource Access Authorization page.

| Role | Default permission | Description |
| --- | --- | --- |
| AliyunLogArchiveRole | AliyunLogArchiveRolePolicy | By default, Log Service assumes this role to access SLB logs. The default permission policy attached to the role is used to export SLB logs. To authorize the role, visit the Cloud Resource Access Authorization page. |
| AliyunLogDefaultRole | AliyunLogRolePolicy | The default role assumed by Log Service. The default permission policy attached to the role allows Log Service to write data to OSS. To authorize the role, visit the Cloud Resource Access Authorization page. |
| AliyunLogETLRole | AliyunLogETLRolePolicy | By default, Log Service assumes this role to extract, transform, and load data of your other Alibaba Cloud services. To authorize the role, visit the Cloud Resource Access Authorization page. |
| AliyunMNSLoggingRole | AliyunMNSLoggingRolePolicy | By default, Log Service assumes this role to access Message Service (MNS) logs. The default permission policy attached to the role is used to export MNS logs. To authorize the role, visit the Cloud Resource Access Authorization page. |

Resource access control

You can grant permissions to RAM users, user groups, and roles of your Alibaba Cloud account.

You can use system policies or customize finer-grained permission policies. For more information, see Overview.

Log Service provides the following system permission policies.

| Policy | Type | Description |
| --- | --- | --- |
| AliyunLogFullAccess | System policy | Grants full access to Log Service resources. |
| AliyunLogReadOnlyAccess | System policy | Grants read-only access to Log Service resources. |

Authorize a RAM user to access Log Service

You can allow RAM users under your Alibaba Cloud account to access and manage Log Service. To do so, you must grant the relevant permissions to the RAM users. To ensure data security, we recommend that you grant only the minimum permissions that the RAM users require.
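The following added example (not part of this documentation) illustrates the difference between the broad read-only system policy described above and a custom, finer-grained policy scoped to a single Logstore, using a simplified model of RAM policy evaluation. The `log:` action names and the `acs:log` resource format follow RAM policy syntax; the project name `example-project`, the Logstore name `app-logs`, and the evaluation function itself are constructed for illustration and are not Alibaba Cloud's evaluator.

```python
import fnmatch

# Broad read-only policy, modelled on what a system read-only policy grants:
# every Get*/List* action on every Log Service resource.
BROAD_READ_ONLY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow",
                   "Action": ["log:Get*", "log:List*"],
                   "Resource": "*"}],
}

# Custom least-privilege policy: query logs in one Logstore only.
# Project and Logstore names are constructed placeholders.
SCOPED_READ_ONLY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow",
                   "Action": ["log:GetLogStoreLogs", "log:GetLogStore", "log:GetIndex"],
                   "Resource": "acs:log:*:*:project/example-project/logstore/app-logs"}],
}


def is_allowed(policy, action, resource):
    """Simplified evaluation (constructed for this example): an explicit Deny wins,
    any matching Allow grants, and the default is deny. Wildcards in actions and
    resources are matched with shell-style globbing. Real RAM evaluation also
    considers conditions and the union of all policies attached to the identity."""
    decision = False
    for statement in policy["Statement"]:
        actions = statement["Action"]
        resources = statement["Resource"]
        actions = actions if isinstance(actions, list) else [actions]
        resources = resources if isinstance(resources, list) else [resources]
        action_match = any(fnmatch.fnmatchcase(action, a) for a in actions)
        resource_match = any(fnmatch.fnmatchcase(resource, r) for r in resources)
        if action_match and resource_match:
            if statement["Effect"] == "Deny":
                return False
            decision = True
    return decision


if __name__ == "__main__":
    own = "acs:log:cn-hangzhou:123456789012:project/example-project/logstore/app-logs"
    other = "acs:log:cn-hangzhou:123456789012:project/other-project/logstore/audit"
    for name, policy in (("broad", BROAD_READ_ONLY), ("scoped", SCOPED_READ_ONLY)):
        print(name, "read own:", is_allowed(policy, "log:GetLogStoreLogs", own),
              "read other:", is_allowed(policy, "log:GetLogStoreLogs", other),
              "write own:", is_allowed(policy, "log:PostLogStoreLogs", own))
```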

For more information, see Authorize a RAM user to connect to Log Service.

Authorize a role assumed by Log Service to read logs

Log Service allows you to configure alerts for log data. To read log data, you must grant the relevant permissions to Log Service.

For more information, see Authorize a RAM role to read logs.

Authorize a role assumed by a trusted entity to manage Log Service

A RAM role is a virtual identity that has no long-term credentials of its own, such as a password or an AccessKey pair. You can assign RAM roles to trusted entities, such as an Alibaba Cloud account, a RAM user, or an Alibaba Cloud service. After the trusted entity obtains an STS token for the RAM role, it can use the token to access the resources that the RAM role is authorized to use.