This topic describes the AliyunServiceRoleForARMSSecurity service-linked role and how to delete the role.

Background information

ARMS provides the AliyunServiceRoleForARMSSecurity service-linked role to obtain access permissions on other cloud services. For more information, see Service-linked roles.

AliyunServiceRoleForARMSSecurity scenarios

When the application security feature needs to access the resources of Alibaba Cloud Security, you can use the AliyunServiceRoleForARMSSecurity service-linked role to obtain the access permissions.

AliyunServiceRoleForARMSSecurity permissions

AliyunServiceRoleForARMSSecurity has permissions to access the following cloud services:

    {
      "Action": [
        "yundun-waf:ModifyProtectionConfig",
        "yundun-waf:ModifyApplicationsRaspState",
        "yundun-waf:DescribeRiskDependencyStatisticsInfo",
        "yundun-waf:DescribeRiskDependencies",
        "yundun-waf:DescribeRiskCount",
        "yundun-waf:DescribeProtectionStatisticsInfo",
        "yundun-waf:DescribeProtectionConfig",
        "yundun-waf:DescribeMiddlewareInstances",
        "yundun-waf:DescribeDependencyInstances",
        "yundun-waf:DescribeDependencies",
        "yundun-waf:DescribeAttackStatisticsInfo",
        "yundun-waf:DescribeAttacks",
        "yundun-waf:DescribeAttackCount",
        "yundun-waf:DescribeAttackApplicationCount",
        "yundun-waf:DescribeApplications"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

Delete AliyunServiceRoleForARMSSecurity

If you want to delete the AliyunServiceRoleForARMSSecurity service-linked role, for example for security reasons, be aware of the consequence: after you delete AliyunServiceRoleForARMSSecurity, you can no longer view the pages related to application security. If you want to use the application security feature again, you must grant the permissions again.

To delete AliyunServiceRoleForARMSSecurity, perform the following steps:

Note If an application that belongs to the current account is connected to the application security feature, disconnect and restart the application before you delete the role. Otherwise, the delete operation fails. For more information about how to disconnect an application, see Cancel access to the target application.
  1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.
  2. In the search bar of the Roles page, enter AliyunServiceRoleForARMSSecurity to search for the role.
  3. In the Actions column of the AliyunServiceRoleForARMSSecurity role, click Delete.
  4. In the message that appears, click OK.

FAQ

Why is the AliyunServiceRoleForARMSSecurity service-linked role not automatically created for RAM users?

The AliyunServiceRoleForARMSSecurity service-linked role can be automatically created or deleted only after you grant RAM users the required permissions. If you want the AliyunServiceRoleForARMSSecurity service-linked role to be automatically created for RAM users, you must attach a custom policy or the AliyunARMSFullAccess system policy to the RAM users.

A custom policy or the AliyunARMSFullAccess system policy can be used in the following scenarios:

  • A custom policy grants RAM users only the permissions required to use the application security feature in read-only mode.
  • The AliyunARMSFullAccess system policy grants RAM users all permissions to manage ARMS, including the permission to use the application security feature.

(Optional) Step 1: Create a custom policy

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Custom Policy page, set the Policy Name and Note parameters.
  5. Set the Configuration Mode parameter to Script.
  6. Enter the following script in the Policy Document section and then click OK.
    {
      "Statement": [{
        "Action": [
          "ram:CreateServiceLinkedRole"
        ],
        "Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "ram:ServiceName": [
              "security.arms.aliyuncs.com"
            ]
          }
        }
      }, {
        "Action": "arms:CreateSecurityAuth",
        "Effect": "Allow",
        "Resource": "*"
      }],
      "Version": "1"
    }
    Note Replace ID of your Alibaba Cloud account in the policy statement with the ID of your Alibaba Cloud account.
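As an added example that is not part of the original page, the following Python renders the custom policy above with a real account ID substituted for the placeholder, and checks a policy document the way a reviewer would before attaching it: the placeholder must be gone, and the ram:CreateServiceLinkedRole grant must stay conditioned on ram:ServiceName so that the RAM user can create only this service-linked role and not arbitrary ones. The 16-digit account ID format is an assumption of this example, not something the page states.

```python
import re

# Values copied from the page's policy document.
ARMS_SECURITY_SERVICE = "security.arms.aliyuncs.com"
PLACEHOLDER = "ID of your Alibaba Cloud account"


def build_slr_policy(account_id: str) -> dict:
    """Render the page's custom policy with the account ID filled in.
    Assumption (not on the page): account IDs are 16-digit numbers."""
    if not re.fullmatch(r"\d{16}", account_id):
        raise ValueError("account_id must be a 16-digit Alibaba Cloud account ID")
    return {
        "Statement": [
            {
                "Action": ["ram:CreateServiceLinkedRole"],
                "Resource": f"acs:ram:*:{account_id}:role/*",
                "Effect": "Allow",
                "Condition": {"StringEquals": {"ram:ServiceName": [ARMS_SECURITY_SERVICE]}},
            },
            {"Action": "arms:CreateSecurityAuth", "Effect": "Allow", "Resource": "*"},
        ],
        "Version": "1",
    }


def check_slr_policy(policy: dict) -> list:
    """Review a policy before attaching it; return a list of findings.

    A leftover placeholder in Resource, or an Allow for ram:CreateServiceLinkedRole
    whose ram:ServiceName condition is not pinned to the ARMS security service
    (which would let the user create any service-linked role), is a finding."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(PLACEHOLDER in r for r in resources):
            findings.append(f"statement {i}: placeholder still present in Resource")
        if stmt.get("Effect") == "Allow" and "ram:CreateServiceLinkedRole" in actions:
            names = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName", [])
            names = [names] if isinstance(names, str) else names
            if names != [ARMS_SECURITY_SERVICE]:
                findings.append(f"statement {i}: ram:ServiceName not limited to {ARMS_SECURITY_SERVICE}")
    return findings
```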

Step 2: Attach the custom policy to a RAM user

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Set Authorized Scope to Alibaba Cloud Account.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.
    3. In the Select Policy section, click System Policy, enter the AliyunARMSFullAccess system policy in the field, and then click the policy.
  5. Click OK.
  6. Click Complete.