This topic describes the scenarios and details of the AliyunServiceRoleForConfigRemediation service-linked role that is used for automatic remediation. This topic also describes how to create and delete the service-linked role.

Scenarios

Before you use the automatic remediation feature of Cloud Config to remediate non-compliant resources, you must grant the permissions to access non-compliant resources to Cloud Config. Cloud Config can assume the AliyunServiceRoleForConfigRemediation service-linked role to access the non-compliant resources of other Alibaba Cloud services.
Note: For more information about service-linked roles, see Service-linked roles.

Role description

The following list describes the details of the AliyunServiceRoleForConfigRemediation service-linked role:
  • Role name: AliyunServiceRoleForConfigRemediation.
  • Policy attached to the role: AliyunServiceRolePolicyForConfigRemediation.
  • Policy description: This policy grants Cloud Config the permissions to access the resources of other Alibaba Cloud services.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "actiontrail:CreateTrail",
            "actiontrail:StartLogging",
            "cbn:TagResources",
            "cdn:SetDomainServerCertificate",
            "cdn:TagResources",
            "cen:TagResources",
            "composer:CreateFlow",
            "composer:GroupInvokeFlow",
            "composer:InvokeFlow",
            "cs:GetClusterInfo",
            "cs:ListClusters",
            "cs:TagResources",
            "cs:UpdateClusterTags",
            "ddoscoo:CreateTagResources",
            "ddoscoo:TagResources",
            "dds:TagResources",
            "ecs:DescribeInstances",
            "ecs:ModifyInstanceAttribute",
            "ecs:ModifyInstanceNetworkSpec",
            "ecs:TagResources",
            "hbase:TagResources",
            "kms:TagResource",
            "kms:UpdateRotationPolicy",
            "kms:DescribeKey",
            "kms:SetDeletionProtection",
            "kvstore:ModifyAuditLogConfig",
            "kvstore:TagResources",
            "kvstore:ReleaseInstancePublicConnection",
            "kvstore:DescribeSecurityIps",
            "kvstore:ModifySecurityIps",
            "kvstore:ModifyInstanceConfig",
            "kvstore:DescribeDBInstanceNetInfo",
            "nas:AddTags",
            "nas:TagResources",
            "oos:StartExecution",
            "oos:TagResources",
            "oss:GetBucketTagging",
            "oss:PutBucketTagging",
            "oss:PutBucketACL",
            "oss:PutBucketEncryption",
            "oss:PutBucketLogging",
            "oss:PutBucketReferer",
            "oss:PutBucketVersioning",
            "polardb:TagResources",
            "ram:SetPasswordPolicy",
            "ram:UpdateLoginProfile",
            "rds:MigrateSecurityIPMode",
            "rds:ModifyActionEventPolicy",
            "rds:ModifySQLCollectorPolicy",
            "rds:ModifySQLCollectorRetention",
            "rds:TagResources",
            "rds:ModifySecurityIps",
            "rds:DescribeDBInstanceIPArrayList",
            "rds:DescribeDBInstanceNetInfo",
            "rds:ReleaseInstancePublicConnection",
            "slb:DescribeLoadBalancerAttribute",
            "slb:SetLoadBalancerDeleteProtection",
            "slb:SetLoadBalancerModificationProtection",
            "slb:TagResources",
            "tag:ListTagResources",
            "tag:TagResources",
            "tag:UntagResources",
            "vpc:TagResources",
            "vpc:DescribeNatGateways",
            "vpc:DescribeForwardTableEntries",
            "vpc:DeleteForwardEntry",
            "yundun-ddoscoo:TagResources",
            "yundun-ddoscoo:CreateTagResources",
            "yundun-high:TagResources",
            "yundun-high:CreateTagResources",
            "yundun-waf:ModifyLogServiceStatus",
            "yundun-waf:ModifyProtectionModuleStatus",
            "apigateway:DescribeApi",
            "apigateway:AbolishApi",
            "apigateway:DescribeApiGroups",
            "apigateway:ModifyApiGroupNetworkPolicy",
            "apigateway:ModifyInstanceAttribute",
            "apigateway:ModifyApi",
            "apigateway:TagResources"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:PassRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": [
                "composer.aliyuncs.com",
                "oos.aliyuncs.com"
              ]
            }
          }
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "remediation.config.aliyuncs.com"
            }
          }
        }
      ]
    }
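The policy above grants a long list of actions on Resource "*" without a Condition, while the ram:PassRole and ram:DeleteServiceLinkedRole grants are condition-scoped. When reviewing a service-linked role like this one, it helps to separate the read-only grants from the ones that change resource state and to confirm that PassRole is restricted to named services. The following Python script is an added example, not part of this page or of Cloud Config: it loads an abridged copy of the policy shown above (only a subset of the Action list is reproduced; the statement structure is unchanged) and reports the unconditioned wildcard write actions grouped by service, plus whether every ram:PassRole grant carries an acs:Service condition. The Describe*/Get*/List* read-only heuristic is an assumption of the example.

```python
"""Least-privilege review of a RAM policy document (added example).

Loads an abridged copy of the AliyunServiceRolePolicyForConfigRemediation policy
and reports: write actions granted on Resource "*" with no Condition, grouped by
service, and whether ram:PassRole is scoped to named services.
"""
import json
from collections import defaultdict

# Abridged copy of the policy on this page: a subset of the first statement's
# Action list, with the other two statements reproduced as written.
POLICY_JSON = r'''
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:ModifyInstanceAttribute",
        "kms:DescribeKey",
        "kms:UpdateRotationPolicy",
        "oss:PutBucketACL",
        "oss:GetBucketTagging",
        "rds:ModifySecurityIps",
        "tag:ListTagResources",
        "vpc:DeleteForwardEntry"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": ["composer.aliyuncs.com", "oos.aliyuncs.com"]
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {"ram:ServiceName": "remediation.config.aliyuncs.com"}
      }
    }
  ]
}
'''

# Assumption of this example: actions with these verb prefixes do not change state.
READ_ONLY_VERBS = ("Describe", "Get", "List")


def _as_list(value):
    """RAM allows Action/Resource/condition values as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    """Heuristic: treat <service>:Describe*/Get*/List* actions as read-only."""
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_ONLY_VERBS)


def unconditioned_wildcard_writes(policy: dict) -> list:
    """Write actions allowed on Resource "*" in statements that carry no Condition."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        found.extend(a for a in _as_list(stmt["Action"]) if not is_read_only(a))
    return sorted(found)


def writes_by_service(policy: dict) -> dict:
    """Group the unconditioned wildcard write actions by their service prefix."""
    grouped = defaultdict(list)
    for action in unconditioned_wildcard_writes(policy):
        grouped[action.split(":", 1)[0]].append(action)
    return dict(grouped)


def pass_role_is_scoped(policy: dict) -> bool:
    """True when every ram:PassRole grant is restricted by an acs:Service condition."""
    for stmt in policy["Statement"]:
        if "ram:PassRole" in _as_list(stmt.get("Action", [])):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if "acs:Service" not in cond:
                return False
    return True


def passable_services(policy: dict) -> list:
    """Services the role is allowed to pass a RAM role to, taken from acs:Service conditions."""
    services = set()
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        services.update(_as_list(cond.get("acs:Service", [])))
    return sorted(services)


def audit(policy_text: str = POLICY_JSON) -> dict:
    """Run all checks over a policy document and return the findings as a dict."""
    policy = json.loads(policy_text)
    return {
        "unconditioned_wildcard_writes": unconditioned_wildcard_writes(policy),
        "writes_by_service": writes_by_service(policy),
        "pass_role_is_scoped": pass_role_is_scoped(policy),
        "passable_services": passable_services(policy),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

Run with the full policy text from this page in place of the abridged copy to get the complete per-service list of state-changing grants; the PassRole check is the one to watch, since an unscoped PassRole would let the remediation role hand any RAM role to any service.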

Create the AliyunServiceRoleForConfigRemediation service-linked role

You can configure a remediation template for a rule in the Cloud Config console. If Cloud Config detects non-compliant resources based on the rule, Cloud Config automatically creates the AliyunServiceRoleForConfigRemediation service-linked role for automatic remediation in the Resource Access Management (RAM) console.

Delete the AliyunServiceRoleForConfigRemediation service-linked role

  1. Delete remediation settings.
    • Delete the remediation settings of a rule. For more information, see Delete remediation settings.
    • Delete all rules for which remediation settings are configured. For more information, see Delete a rule.
  2. Delete the AliyunServiceRoleForConfigRemediation service-linked role.

    The AliyunServiceRoleForConfigRemediation service-linked role cannot be automatically deleted. You must log on to the RAM console and manually delete it. For more information, see Delete a RAM role.

References