A RAM user can use the log query and analysis function of WAF only after the Alibaba Cloud account grants the required permissions to the RAM user.

Background information

The following table describes the types of operations and accounts that are required to enable and use the log query and analysis function.
Operation type: Activate Log Service. You only need to perform this operation once.
Required account:
  • Alibaba Cloud accounts
Operation type: Authorize WAF to write log data to the dedicated Logstore in Log Service in real time. You only need to perform this operation once.
Required account:
  • Alibaba Cloud accounts
  • RAM users that have the AliyunLogFullAccess permission
  • RAM users that have specific permissions
Operation type: Use the log query and analysis function.
Required account:
  • Alibaba Cloud accounts
  • RAM users that have the AliyunLogFullAccess permission
  • RAM users that have specific permissions
You can grant permissions to RAM users based on your business requirements.
Scenario: Grant all operation permissions of Log Service to RAM users.
Permission: AliyunLogFullAccess
Procedure: For more information about how to grant permissions, see Grant permissions to a RAM user.
Scenario: Grant log viewing permissions to RAM users after you use your Alibaba Cloud account to enable the log query and analysis function of WAF and complete the cloud resource access authorization.
Permission: AliyunLogReadOnlyAccess
Procedure: For more information about how to grant permissions, see Grant permissions to a RAM user.
Scenario: Grant only the permissions to enable and use the log query and analysis function of WAF to RAM users. The RAM users are not granted other management permissions on Log Service.
Permission: Permissions that are defined in a custom permission policy
Procedure: For more information about how to customize a permission policy, see the following operation procedure.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click Policies under Permissions.
  3. On the page that appears, click Create Policy.
  4. On the Create Custom Policy page, specify the Policy Name and Note parameters.
  5. Select Script for Configuration Mode and enter the following policy content.
    Note Replace ${Project} and ${Logstore} in the following policy content with the names of the dedicated project and Logstore in Log Service for WAF.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "log:GetProject",
          "Resource": "acs:log:*:*:project/${Project}",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateProject",
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:ListLogStores",
          "Resource": "acs:log:*:*:project/${Project}/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateLogStore",
          "Resource": "acs:log:*:*:project/${Project}/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:GetIndex",
          "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateIndex",
          "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
          "Effect": "Allow"
        },
        {
          "Action": "log:UpdateIndex",
          "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateDashboard",
          "Resource": "acs:log:*:*:project/${Project}/dashboard/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:UpdateDashboard",
          "Resource": "acs:log:*:*:project/${Project}/dashboard/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateSavedSearch",
          "Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:UpdateSavedSearch",
          "Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
          "Effect": "Allow"
        }
      ]
    }
  6. Click OK.
  7. In the left-side navigation pane, choose Identities > Users. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  8. In the Add Permissions pane that appears, select the custom permission policy that you created, and then click OK.
    The RAM user can enable and use the log query and analysis function of WAF. However, the RAM user cannot use other functions of Log Service.
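As an added example (not Alibaba Cloud's own tooling), the following Python script renders the custom policy from the procedure above with concrete project and Logstore names and lints the result before it is pasted into the console: every statement must be Allow, only the actions the policy above grants may appear, no ${...} placeholder may be left unreplaced, and every resource must be scoped under a Log Service project rather than an account-wide wildcard. The project and Logstore names used are constructed placeholders.

```python
import json
from string import Template

# Policy content copied from the page; ${Project} and ${Logstore} are left as
# template variables (string.Template uses the same ${name} syntax).
POLICY_TEMPLATE = """{
  "Version": "1",
  "Statement": [
    {"Action": "log:GetProject", "Resource": "acs:log:*:*:project/${Project}", "Effect": "Allow"},
    {"Action": "log:CreateProject", "Resource": "acs:log:*:*:project/*", "Effect": "Allow"},
    {"Action": "log:ListLogStores", "Resource": "acs:log:*:*:project/${Project}/logstore/*", "Effect": "Allow"},
    {"Action": "log:CreateLogStore", "Resource": "acs:log:*:*:project/${Project}/logstore/*", "Effect": "Allow"},
    {"Action": "log:GetIndex", "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}", "Effect": "Allow"},
    {"Action": "log:CreateIndex", "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}", "Effect": "Allow"},
    {"Action": "log:UpdateIndex", "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}", "Effect": "Allow"},
    {"Action": "log:CreateDashboard", "Resource": "acs:log:*:*:project/${Project}/dashboard/*", "Effect": "Allow"},
    {"Action": "log:UpdateDashboard", "Resource": "acs:log:*:*:project/${Project}/dashboard/*", "Effect": "Allow"},
    {"Action": "log:CreateSavedSearch", "Resource": "acs:log:*:*:project/${Project}/savedsearch/*", "Effect": "Allow"},
    {"Action": "log:UpdateSavedSearch", "Resource": "acs:log:*:*:project/${Project}/savedsearch/*", "Effect": "Allow"}
  ]
}"""

# The only actions the page's policy grants; anything else is reported as scope creep.
EXPECTED_ACTIONS = {
    "log:GetProject", "log:CreateProject", "log:ListLogStores", "log:CreateLogStore",
    "log:GetIndex", "log:CreateIndex", "log:UpdateIndex", "log:CreateDashboard",
    "log:UpdateDashboard", "log:CreateSavedSearch", "log:UpdateSavedSearch",
}

def render_policy(project, logstore):
    """Fill in the dedicated project and Logstore names and parse the JSON."""
    text = Template(POLICY_TEMPLATE).substitute(Project=project, Logstore=logstore)
    return json.loads(text)

def lint_policy(policy):
    """Return a list of findings; an empty list means the policy stays within the page's scope."""
    findings = []
    for st in policy.get("Statement", []):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if st.get("Effect") != "Allow":
            findings.append(f"unexpected Effect {st.get('Effect')!r}")
        findings += [f"action outside the page's set: {a}" for a in actions if a not in EXPECTED_ACTIONS]
        for r in resources:
            if "${" in r:  # placeholder pasted into the console without being replaced
                findings.append(f"unreplaced placeholder in resource {r}")
            # project/* (as in the page's CreateProject statement) is accepted; "*" or acs:log:*:*:* is not
            if not r.startswith("acs:log:") or r.endswith(":*"):
                findings.append(f"resource not scoped to a Log Service project: {r}")
    return findings
```

Run render_policy with the real dedicated project and Logstore names, then lint_policy on the result; only a policy that returns no findings matches what the procedure above describes.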