
Cloud Firewall:Grant a RAM user log analysis permissions

Last Updated:Apr 08, 2026

By default, RAM users do not have permissions to query and analyze Cloud Firewall logs. To grant a RAM user access to this feature without providing broader administrative permissions for Simple Log Service (SLS), you can create a custom policy in the RAM console and attach it to the user. This approach allows the user to analyze logs while adhering to the principle of least privilege.

Prerequisites

  • The log analysis feature for Cloud Firewall is enabled. For more information, see Log analysis overview.

  • You have the names of the project and logstore for your Cloud Firewall logs.

    After you enable the log analysis feature, Cloud Firewall automatically creates a dedicated project and logstore. You can log on to the Simple Log Service (SLS) console to view their names.

  • You have created a RAM user. For more information, see Create a RAM user.

  • You have attached the AliyunYundunCloudFirewallReadOnlyAccess system policy to the RAM user. This policy grants read-only permissions for Cloud Firewall. For more information, see Grant permissions to a RAM user.

Note

This topic describes how to grant permissions to a RAM user to query and analyze Cloud Firewall logs. If you need to grant full management or read-only permissions for Simple Log Service (SLS), you can attach the AliyunLogFullAccess or AliyunLogReadOnlyAccess system policy directly to the RAM user.

Procedure

  1. Log on to the RAM console using your Alibaba Cloud account or as a RAM administrator.

  2. Create a custom policy on the JSON tab.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy. Then, click the JSON tab.

    3. Enter the following policy content.

      Note

      In the policy, replace ${Project} with the name of the project dedicated to Cloud Firewall, and ${Logstore} with the name of the dedicated logstore. Copy both names from the Simple Log Service (SLS) console rather than guessing them: every Resource in the policy is scoped to that one project, so a wrong name silently yields a policy that grants nothing.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": "log:GetProject",
            "Resource": "acs:log:*:*:project/${Project}",
            "Effect": "Allow"
          },
          {
            "Action": "log:ListLogStores",
            "Resource": "acs:log:*:*:project/${Project}/logstore/*",
            "Effect": "Allow"
          },
          {
            "Action": "log:GetIndex",
            "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
            "Effect": "Allow"
          },
          {
            "Action": "log:ListDashboard",
            "Resource": "acs:log:*:*:project/${Project}/dashboard/*",
            "Effect": "Allow"
          },
          {
            "Action": "log:UpdateDashboard",
            "Resource": "acs:log:*:*:project/${Project}/dashboard/*",
            "Effect": "Allow"
          },
          {
            "Action": "log:CreateDashboard",
            "Resource": "acs:log:*:*:project/${Project}/dashboard/*",
            "Effect": "Allow"
          },
          {
            "Action": "log:CreateSavedSearch",
            "Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
            "Effect": "Allow"
          },
          {
            "Action": "log:ListSavedSearch",
            "Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
            "Effect": "Allow"
          },
          {
            "Action": "log:UpdateSavedSearch",
            "Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
            "Effect": "Allow"
          },
          {
            "Action": "log:GetLogStore",
            "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
            "Effect": "Allow"
          },
          {
            "Action": "log:GetLogStoreLogs",
            "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
            "Effect": "Allow"
          }
        ]
      }
    4. At the top of the page, click Optimize, and then click Perform to optimize the policy.

      The advanced optimization feature performs the following tasks:

      • Splits resources or conditions that are incompatible with actions.

      • Narrows the scope of resources.

      • Removes duplicate statements or merges statements.

    5. Click OK.

    6. In the Create Policy dialog box, enter a Policy Name and Description, and then click OK.

  3. Attach the custom policy to the RAM user. For more information, see Grant permissions to a RAM user.

    After you attach the policy, the RAM user can query and analyze Cloud Firewall logs and create or update dashboards and saved searches in the dedicated project. The user has no permissions on other SLS projects and cannot modify, delete, or write to the logstore itself, because the policy grants only read and query actions on it.
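    The whole procedure, as an added example that is not part of this page or of the Cloud Firewall product code: the script below renders the policy from this topic for a given project and logstore, merges its statements the way the console's Optimize step does (one duplicate statement is deliberately included to show that), checks that the result is still confined to the dedicated project with no delete or logstore-write actions, and emits the equivalent Alibaba Cloud CLI calls. The project name, logstore name, policy name and user name are constructed placeholders; the CLI lines assume a configured aliyun CLI using RAM-administrator credentials and are not executed.

```python
"""Render, optimize and sanity-check the Cloud Firewall log-analysis policy."""
import json
import shlex
from string import Template

# (action, resource) pairs of the policy in this topic, with its placeholders.
# The second UpdateDashboard entry is a deliberate duplicate so that optimize()
# has something to remove, like the console's Optimize step.
PAGE_STATEMENTS = [
    ("log:GetProject",        "acs:log:*:*:project/${Project}"),
    ("log:ListLogStores",     "acs:log:*:*:project/${Project}/logstore/*"),
    ("log:GetIndex",          "acs:log:*:*:project/${Project}/logstore/${Logstore}"),
    ("log:ListDashboard",     "acs:log:*:*:project/${Project}/dashboard/*"),
    ("log:UpdateDashboard",   "acs:log:*:*:project/${Project}/dashboard/*"),
    ("log:CreateDashboard",   "acs:log:*:*:project/${Project}/dashboard/*"),
    ("log:UpdateDashboard",   "acs:log:*:*:project/${Project}/dashboard/*"),  # duplicate
    ("log:CreateSavedSearch", "acs:log:*:*:project/${Project}/savedsearch/*"),
    ("log:ListSavedSearch",   "acs:log:*:*:project/${Project}/savedsearch/*"),
    ("log:UpdateSavedSearch", "acs:log:*:*:project/${Project}/savedsearch/*"),
    ("log:GetLogStore",       "acs:log:*:*:project/${Project}/logstore/${Logstore}"),
    ("log:GetLogStoreLogs",   "acs:log:*:*:project/${Project}/logstore/${Logstore}"),
]

# The only resource types this grant is allowed to write to.
WRITE_OK_SUFFIXES = ("dashboard/", "savedsearch/")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def render_policy(project, logstore):
    """Substitute the placeholders; one statement per action, as in the topic."""
    statements = [
        {"Action": action,
         "Resource": Template(resource).substitute(Project=project, Logstore=logstore),
         "Effect": "Allow"}
        for action, resource in PAGE_STATEMENTS
    ]
    return {"Version": "1", "Statement": statements}


def optimize(policy):
    """Merge statements that share Resource and Effect and drop repeated actions."""
    merged = {}
    for st in policy["Statement"]:
        key = (tuple(sorted(_as_list(st["Resource"]))), st["Effect"])
        bucket = merged.setdefault(key, [])
        for action in _as_list(st["Action"]):
            if action not in bucket:
                bucket.append(action)
    return {"Version": policy["Version"], "Statement": [
        {"Action": actions, "Resource": list(resources), "Effect": effect}
        for (resources, effect), actions in merged.items()]}


def scope_findings(policy, project):
    """Report anything wider than the intended grant: non-SLS or wildcard actions,
    resources outside the dedicated project, delete actions, and Create/Update
    actions on anything other than dashboards and saved searches."""
    prefix = f"acs:log:*:*:project/{project}"
    findings = []
    for st in policy["Statement"]:
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        if st["Effect"] != "Allow":
            findings.append(f"unexpected Effect {st['Effect']}")
        for action in actions:
            service, _, op = action.partition(":")
            if service != "log" or "*" in op:
                findings.append(f"overly broad action {action}")
            elif op.startswith("Delete"):
                findings.append(f"delete action {action}")
            elif op.startswith(("Create", "Update")) and not all(
                    any(r.startswith(prefix + "/" + s) for s in WRITE_OK_SUFFIXES)
                    for r in resources):
                findings.append(f"write action {action} outside dashboards/saved searches")
        for r in resources:
            if r != prefix and not r.startswith(prefix + "/"):
                findings.append(f"resource outside dedicated project: {r}")
    return findings


def cli_commands(policy_name, user_name, policy):
    """CLI equivalent of the console steps (assumes a configured aliyun CLI)."""
    document = json.dumps(policy, separators=(",", ":"))
    return [
        f"aliyun ram CreatePolicy --PolicyName {policy_name} --PolicyDocument {shlex.quote(document)}",
        f"aliyun ram AttachPolicyToUser --PolicyType Custom --PolicyName {policy_name} --UserName {user_name}",
    ]


if __name__ == "__main__":
    # Constructed names; take the real ones from the SLS console.
    project, logstore = "cloudfirewall-project-example", "cloudfirewall-logstore"
    policy = optimize(render_policy(project, logstore))
    print(json.dumps(policy, indent=2))
    print("findings:", scope_findings(policy, project) or "none")
    for cmd in cli_commands("CloudFirewallLogAnalysis", "fw-analyst", policy):
        print(cmd)
```

    Run scope_findings() again on any policy you edit later: the usual way this grant quietly widens is a Resource changed to acs:log:*:*:project/* or an Action changed to log:*, both of which the check flags.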

Related documentation

You can query and analyze the collected logs in real time to identify traffic anomalies and protect your assets. For more information about how to query logs, see Query and analyze logs.