A RAM user can use the log query and analysis function of WAF only after the Alibaba Cloud account grants the required permissions to the RAM user.
Background information
The following table describes the types of operations and accounts that are required
to enable and use the log query and analysis function.
You can grant permissions to RAM users based on your business requirements.
| Operation type | Required account |
|---|---|
| Activate Log Service. You only need to perform this operation once. | Alibaba Cloud accounts |
| Authorize WAF to write log data to the dedicated Logstore in Log Service in real time. You only need to perform this operation once. |
|
| Use the log query and analysis function. |
|
| Scenario | Permission | Procedure |
|---|---|---|
| Grant all operation permissions of Log Service to RAM users. | AliyunLogFullAccess |
For more information about how to grant permissions, see Grant permissions to a RAM user. |
| Grant log viewing permissions to RAM users after you use your Alibaba Cloud account to enable the log query and analysis function of WAF and complete the cloud resource access authorization. | AliyunLogReadOnlyAccess |
For more information about how to grant permissions, see Grant permissions to a RAM user. |
| Grant only the permissions to enable and use the log query and analysis function of WAF to RAM users. The RAM users are not granted other management permissions on Log Service. | Permissions that are defined in a custom permission policy | For more information about how to customize a permission policy, see the following operation procedure. |
Procedure
- Select Script for Configuration Mode and enter the following policy content.Note Replace
${Project}and${Logstore}in the following policy content with the names of the dedicated project and Logstore in Log Service for WAF.{ "Version": "1", "Statement": [ { "Action": "log:GetProject", "Resource": "acs:log:*:*:project/${Project}", "Effect": "Allow" }, { "Action": "log:CreateProject", "Resource": "acs:log:*:*:project/*", "Effect": "Allow" }, { "Action": "log:ListLogStores", "Resource": "acs:log:*:*:project/${Project}/logstore/*", "Effect": "Allow" }, { "Action": "log:CreateLogStore", "Resource": "acs:log:*:*:project/${Project}/logstore/*", "Effect": "Allow" }, { "Action": "log:GetIndex", "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}", "Effect": "Allow" }, { "Action": "log:CreateIndex", "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}", "Effect": "Allow" }, { "Action": "log:UpdateIndex", "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}", "Effect": "Allow" }, { "Action": "log:CreateDashboard", "Resource": "acs:log:*:*:project/${Project}/dashboard/*", "Effect": "Allow" }, { "Action": "log:UpdateDashboard", "Resource": "acs:log:*:*:project/${Project}/dashboard/*", "Effect": "Allow" }, { "Action": "log:CreateSavedSearch", "Resource": "acs:log:*:*:project/${Project}/savedsearch/*", "Effect": "Allow" }, { "Action": "log:UpdateSavedSearch", "Resource": "acs:log:*:*:project/${Project}/savedsearch/*", "Effect": "Allow" } ] }