A RAM user can query and analyze logs in Web Application Firewall (WAF) only after it is granted the required permissions by using an Alibaba Cloud account.

Background information

The following table describes the types of operations and the accounts that are required to perform the operations.

Operation: Activate Log Service. You need to perform this operation only once.
Required account: Alibaba Cloud accounts

Operation: Authorize WAF to write log data to the dedicated Logstore in Log Service in real time. You need to perform this operation only once.
Required account:
  • Alibaba Cloud accounts
  • RAM users that have the AliyunLogFullAccess permission
  • RAM users that have specific permissions

Operation: Query and analyze logs.
Required account:
  • Alibaba Cloud accounts
  • RAM users that have the AliyunLogFullAccess permission
  • RAM users that have specific permissions
You can grant permissions to RAM users based on your business requirements.
Scenario: Grant all the operation permissions on Log Service to RAM users.
Permission: AliyunLogFullAccess
Procedure: For more information about how to grant permissions, see Grant permissions to a RAM user.

Scenario: Grant the permissions to view logs to RAM users after you use your Alibaba Cloud account to enable Log Service for WAF and authorize WAF to access the required cloud resources.
Permission: AliyunLogReadOnlyAccess
Procedure: For more information about how to grant permissions, see Grant permissions to a RAM user.

Scenario: Grant only the permissions to enable and use Log Service for WAF to RAM users. The RAM users are not granted other management permissions on Log Service.
Permission: Permissions that are defined in a custom policy
Procedure: For more information about how to create a custom policy, see the following procedure.

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click Policies under Permissions.
  3. On the Policies page, click Create Policy.
  4. On the page that appears, specify the Policy Name and Note parameters.
  5. Select Script for Configuration Mode and enter the following policy content.
    Notice: Replace ${Project} and ${Logstore} in the following policy content with the names of the Log Service project and Logstore that are dedicated to WAF.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "log:GetProject",
          "Resource": "acs:log:*:*:project/${Project}",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateProject",
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:ListLogStores",
          "Resource": "acs:log:*:*:project/${Project}/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateLogStore",
          "Resource": "acs:log:*:*:project/${Project}/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:GetIndex",
          "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateIndex",
          "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
          "Effect": "Allow"
        },
        {
          "Action": "log:UpdateIndex",
          "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateDashboard",
          "Resource": "acs:log:*:*:project/${Project}/dashboard/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:UpdateDashboard",
          "Resource": "acs:log:*:*:project/${Project}/dashboard/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateSavedSearch",
          "Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:UpdateSavedSearch",
          "Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
          "Effect": "Allow"
        }
      ]
    }
  6. Click OK.
  7. In the left-side navigation pane, choose Identities > Users. On the page that appears, find the RAM user that you want to authorize and click Add Permissions in the Actions column.
  8. In the Add Permissions panel, select the custom policy that you created, and click OK.
    After the RAM user is authorized, the RAM user can enable and use Log Service for WAF. However, the RAM user cannot use other features of Log Service.
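The following Python script is an added example, not code from Alibaba Cloud or from this page. It renders the custom policy above with the real project and Logstore names (the step the Notice asks for), then answers the least-privilege question the last sentence raises: which Log Service calls the authorized RAM user can and cannot make. The evaluator is a deliberate simplification (assumed: Allow statements only, `*` as the only wildcard, no Condition elements, no Deny), so it is a pre-flight review aid rather than a reimplementation of RAM's authorization engine. The project and Logstore names, region and account ID are constructed sample values.

```python
import fnmatch
import json
from string import Template

# (Action, Resource) pairs copied from the custom policy in the procedure above.
# ${Project} and ${Logstore} are the placeholders the Notice tells you to replace.
POLICY_RULES = [
    ("log:GetProject",        "acs:log:*:*:project/${Project}"),
    ("log:CreateProject",     "acs:log:*:*:project/*"),
    ("log:ListLogStores",     "acs:log:*:*:project/${Project}/logstore/*"),
    ("log:CreateLogStore",    "acs:log:*:*:project/${Project}/logstore/*"),
    ("log:GetIndex",          "acs:log:*:*:project/${Project}/logstore/${Logstore}"),
    ("log:CreateIndex",       "acs:log:*:*:project/${Project}/logstore/${Logstore}"),
    ("log:UpdateIndex",       "acs:log:*:*:project/${Project}/logstore/${Logstore}"),
    ("log:CreateDashboard",   "acs:log:*:*:project/${Project}/dashboard/*"),
    ("log:UpdateDashboard",   "acs:log:*:*:project/${Project}/dashboard/*"),
    ("log:CreateSavedSearch", "acs:log:*:*:project/${Project}/savedsearch/*"),
    ("log:UpdateSavedSearch", "acs:log:*:*:project/${Project}/savedsearch/*"),
]


def render_policy(project: str, logstore: str) -> dict:
    """Fill in ${Project}/${Logstore} and return the policy document as a dict.
    json.dumps(render_policy(...), indent=2) gives the text to paste into the console."""
    statements = [
        {
            "Action": action,
            "Resource": Template(resource).substitute(Project=project, Logstore=logstore),
            "Effect": "Allow",
        }
        for action, resource in POLICY_RULES
    ]
    return {"Version": "1", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluator (assumption: Allow-only policy, '*' is the only wildcard,
    no Condition elements). Answers "could this RAM user perform action X on resource Y?"."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def unscoped_actions(policy: dict) -> list:
    """Actions whose Resource is not pinned to a specific project (contains 'project/*').
    A review flag only: the page's policy grants log:CreateProject on project/* by design,
    so the reviewer sees that grant explicitly instead of discovering it later."""
    flagged = []
    for stmt in policy["Statement"]:
        if any("project/*" in r for r in _as_list(stmt["Resource"])):
            flagged.extend(_as_list(stmt["Action"]))
    return flagged


if __name__ == "__main__":
    # Constructed sample names; substitute the WAF-dedicated project and Logstore.
    policy = render_policy("waf-project", "waf-logstore")
    print(json.dumps(policy, indent=2))
    # Constructed ARN: region and account ID are placeholders.
    waf_logstore = "acs:log:cn-hangzhou:1234567890:project/waf-project/logstore/waf-logstore"
    print("GetIndex on the WAF Logstore:", is_allowed(policy, "log:GetIndex", waf_logstore))
    print("DeleteLogStore on the WAF Logstore:", is_allowed(policy, "log:DeleteLogStore", waf_logstore))
    print("Actions not pinned to a project:", unscoped_actions(policy))
```

Run it once with your real names to produce the JSON for step 5, and keep the `is_allowed` checks as a regression test when the policy is edited later: any action outside the eleven listed (for example a delete call) should stay denied, and any resource in another project should stay denied even for a listed action.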