A RAM user can query and analyze logs in Web Application Firewall (WAF) only after
it is granted the required permissions by using an Alibaba Cloud account.
Background information
The following table describes the types of operations and the accounts that are required
to perform the operations.
| Operation |
Required account |
| Activate Log Service. You need only to perform this operation once. |
Alibaba Cloud accounts |
| Authorize WAF to write log data to the dedicated Logstore in Log Service in real time.
You need only to perform this operation once.
|
- Alibaba Cloud accounts
- RAM users that have the
AliyunLogFullAccess permission
- RAM users that have specific permissions
|
| Query and analyze logs. |
- Alibaba Cloud accounts
- RAM users that have the
AliyunLogFullAccess permission
- RAM users that have specific permissions
|
You can grant permissions to RAM users based on your business requirements.
| Scenario |
Permission |
Procedure |
| Grant all the operation permissions on Log Service to RAM users. |
AliyunLogFullAccess |
For more information about how to grant permissions, see Grant permissions to a RAM user.
|
| Grant the permissions to view logs to RAM users after you use your Alibaba Cloud account
to enable Log Service for WAF and authorize WAF to access the required cloud resources.
|
AliyunLogReadOnlyAccess |
For more information about how to grant permissions, see Grant permissions to a RAM user.
|
| Grant only the permissions to enable and use Log Service for WAF to RAM users. The
RAM users are not granted other management permissions on Log Service.
|
Permissions that are defined in a custom policy |
For more information about how to create a custom policy, see the following procedure.
|
Procedure
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, click Policies under Permissions.
- On the Policies page, click Create Policy.
- On the page that appears, specify the Policy Name and Note parameters.
- Select Script for Configuration Mode and enter the following policy content.
Notice Replace ${Project} and ${Logstore} in the following policy content with the names of the Log Service project and Logstore
that are dedicated to WAF.
{
"Version": "1",
"Statement": [
{
"Action": "log:GetProject",
"Resource": "acs:log:*:*:project/${Project}",
"Effect": "Allow"
},
{
"Action": "log:CreateProject",
"Resource": "acs:log:*:*:project/*",
"Effect": "Allow"
},
{
"Action": "log:ListLogStores",
"Resource": "acs:log:*:*:project/${Project}/logstore/*",
"Effect": "Allow"
},
{
"Action": "log:CreateLogStore",
"Resource": "acs:log:*:*:project/${Project}/logstore/*",
"Effect": "Allow"
},
{
"Action": "log:GetIndex",
"Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
"Effect": "Allow"
},
{
"Action": "log:CreateIndex",
"Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
"Effect": "Allow"
},
{
"Action": "log:UpdateIndex",
"Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
"Effect": "Allow"
},
{
"Action": "log:CreateDashboard",
"Resource": "acs:log:*:*:project/${Project}/dashboard/*",
"Effect": "Allow"
},
{
"Action": "log:UpdateDashboard",
"Resource": "acs:log:*:*:project/${Project}/dashboard/*",
"Effect": "Allow"
},
{
"Action": "log:CreateSavedSearch",
"Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
"Effect": "Allow"
},
{
"Action": "log:UpdateSavedSearch",
"Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
"Effect": "Allow"
}
]
}
- Click OK.
- In the left-side navigation pane, choose . On the page that appears, find the RAM user that you want to authorize and click
Add Permissions in the Actions column.
- In the Add Permissions panel, select the custom policy that you create, and click
OK.
After the RAM user is authorized, the RAM user can enable and use Log Service for
WAF. However, the RAM user cannot use other features of Log Service.