This topic describes the details of the AliyunServiceRoleForConfigRemediation service-linked role that is used for automatic remediation and the scenarios in which the role can be applied. This topic also describes how to create and delete the service-linked role.

Scenarios

Before you use the automatic remediation feature of Cloud Config to remediate non-compliant resources, you must grant Cloud Config the permissions to access non-compliant resources. Cloud Config can assume the AliyunServiceRoleForConfigRemediation service-linked role to access the non-compliant resources of other Alibaba Cloud services.
Note: For more information about service-linked roles, see Service-linked roles.

Role description

The following list describes the details of the AliyunServiceRoleForConfigRemediation service-linked role:
  • Role name: AliyunServiceRoleForConfigRemediation.
  • Policy attached to the role: AliyunServiceRolePolicyForConfigRemediation.
  • Policy description: This policy grants Cloud Config the permissions to access the non-compliant resources of other Alibaba Cloud services.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "actiontrail:CreateTrail",
                    "actiontrail:StartLogging",
                    "cbn:TagResources",
                    "cdn:SetDomainServerCertificate",
                    "cdn:TagResources",
                    "cen:TagResources",
                    "composer:CreateFlow",
                    "composer:GroupInvokeFlow",
                    "composer:InvokeFlow",
                    "cs:GetClusterInfo",
                    "cs:ListClusters",
                    "cs:TagResources",
                    "cs:UpdateClusterTags",
                    "dcdn:TagResources",
                    "dcdn:ListTagResources",
                    "dcdn:TagDcdnResources",
                    "dcdn:DescribeDcdnTagResources",
                    "ddoscoo:CreateTagResources",
                    "ddoscoo:TagResources",
                    "dds:TagResources",
                    "ecs:DescribeInstances",
                    "ecs:ModifyInstanceAttribute",
                    "ecs:ModifyInstanceNetworkSpec",
                    "ecs:TagResources",
                    "ecs:DescribeSecurityGroupAttribute",
                    "ecs:RevokeSecurityGroup",
                    "ecs:StopInstance",
                    "gpdb:TagResources",
                    "gpdb:UntagResources",
                    "gpdb:ListTagResources",
                    "hbase:TagResources",
                    "kms:TagResource",
                    "kms:UpdateRotationPolicy",
                    "kms:DescribeKey",
                    "kms:SetDeletionProtection",
                    "kvstore:ModifyAuditLogConfig",
                    "kvstore:TagResources",
                    "kvstore:ReleaseInstancePublicConnection",
                    "kvstore:DescribeSecurityIps",
                    "kvstore:ModifySecurityIps",
                    "kvstore:ModifyInstanceConfig",
                    "kvstore:DescribeDBInstanceNetInfo",
                    "nas:AddTags",
                    "nas:TagResources",
                    "oos:StartExecution",
                    "oos:TagResources",
                    "oss:GetBucketTagging",
                    "oss:PutBucketTagging",
                    "oss:PutBucketACL",
                    "oss:PutBucketEncryption",
                    "oss:PutBucketLogging",
                    "oss:PutBucketReferer",
                    "oss:PutBucketVersioning",
                    "polardb:TagResources",
                    "ram:SetPasswordPolicy",
                    "ram:UpdateLoginProfile",
                    "rds:MigrateSecurityIPMode",
                    "rds:ModifyActionEventPolicy",
                    "rds:ModifySQLCollectorPolicy",
                    "rds:ModifySQLCollectorRetention",
                    "rds:TagResources",
                    "rds:ModifySecurityIps",
                    "rds:DescribeDBInstanceIPArrayList",
                    "rds:DescribeDBInstanceNetInfo",
                    "rds:ReleaseInstancePublicConnection",
                    "sas:DescribeCloudCenterInstances",
                    "sas:OperateAgentClientInstall",
                    "sas:DescribeAgentInstallStatus",
                    "slb:DescribeLoadBalancerAttribute",
                    "slb:SetLoadBalancerDeleteProtection",
                    "slb:SetLoadBalancerModificationProtection",
                    "slb:TagResources",
                    "tag:ListTagResources",
                    "tag:TagResources",
                    "tag:UntagResources",
                    "vpc:TagResources",
                    "vpc:DescribeNatGateways",
                    "vpc:DescribeForwardTableEntries",
                    "vpc:DeleteForwardEntry",
                    "yundun-sas:DescribeCloudCenterInstances",
                    "yundun-sas:OperateAgentClientInstall",
                    "yundun-sas:DescribeAgentInstallStatus",
                    "yundun-waf:ModifyLogServiceStatus",
                    "yundun-waf:ModifyProtectionModuleStatus",
                    "apigateway:DescribeApi",
                    "apigateway:AbolishApi",
                    "apigateway:DescribeApiGroups",
                    "apigateway:ModifyApiGroupNetworkPolicy",
                    "apigateway:ModifyInstanceAttribute",
                    "apigateway:ModifyApi",
                    "apigateway:TagResources"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:PassRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "acs:Service": [
                            "composer.aliyuncs.com",
                            "oos.aliyuncs.com"
                        ]
                    }
                }
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "remediation.config.aliyuncs.com"
                    }
                }
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "r-kvstore.aliyuncs.com"
                    }
                }
            }
        ]
    }
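A policy with this many actions on `"Resource": "*"` is easier to review with a short script than by reading the list. The following Python example is added here and is not Alibaba Cloud's own code: it embeds a shortened excerpt of the policy document above (constructed for the example; the full document is the one shown on this page), groups the allowed actions by service, lists the state-changing actions that carry no Condition, and reports which services the `ram:PassRole` statement is scoped to by its `acs:Service` condition. The `READ_ONLY_PREFIXES` heuristic (Describe/Get/List) is an assumption of this example, not a RAM convention.

```python
"""Audit a RAM policy document attached to a service-linked role.

Added example, not Alibaba Cloud's code. POLICY_EXCERPT is a shortened copy
of the AliyunServiceRolePolicyForConfigRemediation document shown on this
page; the audit functions accept any RAM policy JSON.
"""
import json
from collections import defaultdict

# Heuristic for "cannot change state"; an assumption of this example.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

# Constructed excerpt of the policy on this page.
POLICY_EXCERPT = """
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:StopInstance",
                "ecs:RevokeSecurityGroup",
                "oss:GetBucketTagging",
                "oss:PutBucketACL",
                "ram:SetPasswordPolicy",
                "ram:UpdateLoginProfile",
                "kms:DescribeKey",
                "kms:SetDeletionProtection"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:PassRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:Service": ["composer.aliyuncs.com", "oos.aliyuncs.com"]
                }
            }
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {"ram:ServiceName": "r-kvstore.aliyuncs.com"}
            }
        }
    ]
}
"""


def _as_list(value):
    # RAM allows "Action"/"Resource" to be a single string or a list.
    return value if isinstance(value, list) else [value]


def load_policy(text):
    """Parse and minimally validate a RAM policy document."""
    policy = json.loads(text)
    if policy.get("Version") != "1" or not isinstance(policy.get("Statement"), list):
        raise ValueError("not a RAM policy document")
    return policy


def actions_by_service(policy):
    """Map each service prefix (e.g. 'oss') to its sorted allowed action names."""
    grouped = defaultdict(set)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            service, _, name = action.partition(":")
            grouped[service].add(name)
    return {svc: sorted(names) for svc, names in grouped.items()}


def unconditioned_write_actions(policy):
    """Allow actions on Resource '*' with no Condition that can change state."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt["Action"]):
            name = action.split(":", 1)[-1]
            if not name.startswith(READ_ONLY_PREFIXES):
                found.append(action)
    return sorted(found)


def conditioned_actions(policy):
    """Return {action: Condition} for every Allow statement that carries a Condition."""
    out = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and stmt.get("Condition"):
            for action in _as_list(stmt["Action"]):
                out[action] = stmt["Condition"]
    return out


def passrole_scope(policy):
    """Services ram:PassRole may target: [] if not granted, None if unrestricted."""
    scope = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "ram:PassRole" not in _as_list(stmt["Action"]):
            continue
        services = stmt.get("Condition", {}).get("StringEquals", {}).get("acs:Service")
        if services is None:
            return None  # PassRole to any service: flag this in review
        scope.extend(_as_list(services))
    return sorted(set(scope))


if __name__ == "__main__":
    pol = load_policy(POLICY_EXCERPT)
    print("services:", sorted(actions_by_service(pol)))
    print("unconditioned write actions:", unconditioned_write_actions(pol))
    print("PassRole scope:", passrole_scope(pol))
```

Run it against the full policy on this page by replacing `POLICY_EXCERPT` with the complete document; the `passrole_scope` result is the check worth keeping in a periodic review, since an unconditioned `ram:PassRole` would let the role hand any RAM role to any service.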

Create the AliyunServiceRoleForConfigRemediation service-linked role

You can configure a remediation template for a rule in the Cloud Config console. If Cloud Config detects non-compliant resources based on the rule, Cloud Config automatically creates the AliyunServiceRoleForConfigRemediation service-linked role for automatic remediation in the Resource Access Management (RAM) console.

Delete the AliyunServiceRoleForConfigRemediation service-linked role

  1. Delete remediation settings.
    • Delete the remediation settings of a rule. For more information, see Delete remediation settings.
    • Delete all rules for which remediation settings are configured. For more information, see Delete a rule.
  2. Delete the AliyunServiceRoleForConfigRemediation service-linked role.

    The AliyunServiceRoleForConfigRemediation service-linked role cannot be automatically deleted. You must log on to the RAM console and manually delete the role. For more information, see Delete a RAM role.

What to do next