All Products
Search
Document Center

Simple Log Service:Use custom policies to grant permissions to a RAM user

Last Updated:Mar 11, 2024

This topic describes how to use custom policies to grant permissions to a RAM user.

Important
  • Logstores that are specified in a policy include Logstores and Metricstores. If you want to manage Metricstores, the following policies also apply.

  • To ensure data security, we recommend that you follow the principle of least privilege (PoLP) when you grant permissions to a RAM user. In most cases, you must grant a RAM user the read-only permissions on the project list before the RAM user can view the projects in the project list. For more information, see Attach system policies to a RAM user and Create custom policies.

Grant permissions to a RAM user in the RAM console

  • The permissions to view projects

    For example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:

    • The permissions to view the project list of the Alibaba Cloud account

    Use the following policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject"
          ],
          "Resource": [
            "acs:log:*:*:project/*"
          ],
          "Effect": "Allow"
        }
      ]
    }

  • The read-only permissions on projects

    For example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:

    • The permissions to view the project list of the Alibaba Cloud account

    • The read-only permissions on the projects that are specified by the Alibaba Cloud account

    Note

    If you grant a RAM user the read-only permissions on a project, the RAM user cannot view the logs in the project. You must also grant the read-only permissions on specific Logstores in the project.

    Use the following policy:

    {
       "Version": "1",
       "Statement": [
         {
           "Action": ["log:ListProject"],
           "Resource": ["acs:log:*:*:project/*"],
           "Effect": "Allow"
          },
         {
           "Action": [
             "log:Get*",
             "log:List*"
           ],
           "Resource": "acs:log:*:*:project/<Project name>/*",
           "Effect": "Allow"
         }
       ]
     }
  • The read-only permissions on a specified Logstore and the permissions to create and manage saved searches

    For example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:

    • The permissions to view the project list of the Alibaba Cloud account

    • The read-only permissions on a specified Logstore and the permissions to create and manage saved searches

    Use the following policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject"
          ],
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/dashboard",
            "acs:log:*:*:project/<Project name>/dashboard/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*",
            "log:Create*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/savedsearch",
            "acs:log:*:*:project/<Project name>/savedsearch/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
  • The read-only permissions on a specified Logstore and the permissions to view all saved searches and dashboards in a project

    For example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:

    • The permissions to view the project list of the Alibaba Cloud account

    • The read-only permissions on a specified Logstore and the permissions to view all saved searches and dashboards in the project to which the Logstore belongs

    Use the following policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject"
          ],
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/dashboard",
            "acs:log:*:*:project/<Project name>/dashboard/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/savedsearch",
            "acs:log:*:*:project/<Project name>/savedsearch/*"
          ],
          "Effect": "Allow"
        }
      ]
    }

Use API operations to grant permissions to a RAM user

  • The permissions to write data to a specified project

    To grant a RAM user only the permissions to write data to a specified project, use the following policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:Post*"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/*",
          "Effect": "Allow"
        }
      ]
    }
  • The permissions to write data to a specified Logstore

    To grant a RAM user only the permissions to write data to a specified Logstore, use the following policy.

    Logstores that are specified in a policy can also be Metricstores. If you want to manage Metricstores, the following policy also applies:

    {
      "Version":"1",
      "Statement":[
        {
          "Effect":"Allow",
          "Action":[
            "log:PostLogStoreLogs"
          ],
          "Resource":[
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
          ]
        }
      ]
    }
  • The permissions to consume data from a specified project

    To grant a RAM user only the permissions to consume data from a specified project, use the following policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListShards",
            "log:GetCursorOrData",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup",
            "log:ConsumerGroupHeartBeat",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ListConsumerGroup",
            "log:CreateConsumerGroup"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/*",
          "Effect": "Allow"
        }
      ]
    }
  • The permissions to consume data from a specified Logstore

    To grant a RAM user only the permissions to consume data from a specified Logstore, use the following policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListShards",
            "log:GetCursorOrData",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup",
            "log:ConsumerGroupHeartBeat",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ListConsumerGroup",
            "log:CreateConsumerGroup"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>",
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
  • The permissions to forcefully enable encryption configuration for a specified Logstore

    After you grant the permissions to a RAM user, the RAM user must enable encryption configuration when the RAM user creates or modifies a Logstore. RAM users who are not granted the permissions do not need to enable encryption configuration when the RAM users creates or modifies a Logstore.

    Note

    You can specify the exact project name and Logstore name. You can also use an asterisk (*) to perform fuzzy match.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "log:CreateLogStore",
            "log:UpdateLogStore"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>",
            "acs:log:*:*:project/<Project name>/logstore/*"
          ],
          "Condition": {
            "Bool": {
              "log:Encrypted": "true"
            }
          }
        }
      ]
    }

Use log applications

  • The permissions to use specific log applications

    To use the following log applications with a RAM user, you must grant the RAM user the required permissions.

    • Common Database Audit

    • Mobile O&M Monitoring

    • Flow Log Center

    • Log Analysis for AWS CloudTrail

    • SREWorks

    • General Host Audit

    • Intelligent Anomaly Analysis

    Use one of the following policies based on your business requirements:

    • Read-only permissions

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "log:GetResource",
                      "log:ListResources",
                      "log:GetResourceRecord",
                      "log:ListResourceRecords"
                  ],
                  "Resource": [
                      "acs:log:*:*:resource/*"
                  ]
              }
          ]
      }
    • Management permissions

      {
          "Statement": [
                {
            "Effect": "Allow",
            "Action": [
              "log:*"
            ],
            "Resource": [
              "acs:log:*:*:resource/*"
            ]
          }
          ]
      }

References

For more information, see the following topics: