If you want to grant a Resource Access Management (RAM) user the permissions to enable and use the log analysis feature of Cloud Firewall, and the permissions to query and analyze logs of Cloud Firewall, you can create a custom policy and attach the policy to the RAM user in the RAM console. This topic describes how to grant a RAM user the permissions to enable the log analysis feature and query and analyze logs.

Background information

The following table describes the operations that are involved and the accounts that are required to perform the operations.
  • Operation: Activate Log Service. You only need to perform this operation once.
    Accounts: Alibaba Cloud accounts.
  • Operation: Authorize Cloud Firewall to write log data to the dedicated Logstore in Log Service in real time. You only need to perform this operation once.
    Accounts: Alibaba Cloud accounts; RAM users that have the AliyunLogFullAccess permission; RAM users that have the required permissions.
  • Operation: Query and analyze logs.
    Accounts: Alibaba Cloud accounts; RAM users that have the AliyunLogFullAccess permission; RAM users that have the required permissions.
You can grant permissions to the RAM user based on your business requirements. The following table describes the permissions.
  • Scenario: Grant the RAM user all operation permissions on Log Service.
    Permission: AliyunLogFullAccess.
    References: RAM user management.
  • Scenario: Grant the RAM user the permissions to view logs after you use your Alibaba Cloud account to enable the log analysis feature and authorize Cloud Firewall to access the required cloud resources.
    Permission: AliyunLogReadOnlyAccess.
    References: RAM user management.
  • Scenario: Grant the RAM user only the permissions to enable and use the log analysis feature. The RAM user is not granted other management permissions on Log Service.
    Permission: Permissions that are defined in a custom policy.
    References: Step 1 and Step 2 in this topic.

Step 1: Create a custom policy

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the JSON tab of the page that appears, enter the following policy content.
    Note Replace ${Project} and ${Logstore} in the following policy content with the names of the Log Service project and Logstore that are dedicated to Cloud Firewall.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "log:GetProject",
          "Resource": "acs:log:*:*:project/${Project}",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateProject",
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:ListLogStores",
          "Resource": "acs:log:*:*:project/${Project}/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateLogStore",
          "Resource": "acs:log:*:*:project/${Project}/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:GetIndex",
          "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateIndex",
          "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
          "Effect": "Allow"
        },
        {
          "Action": "log:UpdateIndex",
          "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateDashboard",
          "Resource": "acs:log:*:*:project/${Project}/dashboard/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:UpdateDashboard",
          "Resource": "acs:log:*:*:project/${Project}/dashboard/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:CreateSavedSearch",
          "Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:UpdateSavedSearch",
          "Resource": "acs:log:*:*:project/${Project}/savedsearch/*",
          "Effect": "Allow"
        }
      ]
    }
  5. Click Next: Edit Basic Information. In the Basic Information section, configure the Name and Note parameters for the policy.
  6. Click OK.
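Before pasting the policy into the console, it is worth checking two things: that both placeholders were actually replaced (a statement whose Resource still contains the literal text ${Project} matches nothing, so the RAM user silently gets no access), and which statements are scoped to the dedicated project versus a wildcard (in the Step 1 policy, log:CreateProject is allowed on project/*, so the user can create any project, not only the Cloud Firewall one). The following script is an added example, not Alibaba Cloud's code or tooling; it rebuilds the Step 1 policy from its eleven Action/Resource pairs, fills in the placeholders, and lints the result. The project and Logstore names are constructed sample values.

```python
import json
import re

# The eleven statements of the Step 1 policy as (Action, Resource) pairs,
# with the ${Project} and ${Logstore} placeholders still unresolved.
STEP1_STATEMENTS = [
    ("log:GetProject", "acs:log:*:*:project/${Project}"),
    ("log:CreateProject", "acs:log:*:*:project/*"),
    ("log:ListLogStores", "acs:log:*:*:project/${Project}/logstore/*"),
    ("log:CreateLogStore", "acs:log:*:*:project/${Project}/logstore/*"),
    ("log:GetIndex", "acs:log:*:*:project/${Project}/logstore/${Logstore}"),
    ("log:CreateIndex", "acs:log:*:*:project/${Project}/logstore/${Logstore}"),
    ("log:UpdateIndex", "acs:log:*:*:project/${Project}/logstore/${Logstore}"),
    ("log:CreateDashboard", "acs:log:*:*:project/${Project}/dashboard/*"),
    ("log:UpdateDashboard", "acs:log:*:*:project/${Project}/dashboard/*"),
    ("log:CreateSavedSearch", "acs:log:*:*:project/${Project}/savedsearch/*"),
    ("log:UpdateSavedSearch", "acs:log:*:*:project/${Project}/savedsearch/*"),
]

PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def render_policy(project: str, logstore: str) -> str:
    """Return the Step 1 policy as JSON text with the placeholders filled in."""
    values = {"Project": project, "Logstore": logstore}
    statements = []
    for action, resource in STEP1_STATEMENTS:
        resource = PLACEHOLDER.sub(lambda m: values[m.group(1)], resource)
        statements.append({"Action": action, "Resource": resource, "Effect": "Allow"})
    return json.dumps({"Version": "1", "Statement": statements}, indent=2)


def unresolved_placeholders(policy_json: str) -> list[str]:
    """Names of ${...} placeholders still present in the policy text.

    A Resource that still reads acs:log:*:*:project/${Project} matches no real
    resource, so the statement grants nothing.
    """
    return sorted(set(PLACEHOLDER.findall(policy_json)))


def statements_outside_project(policy_json: str, project: str) -> list[tuple[str, str]]:
    """(Action, Resource) pairs whose Resource is not pinned to the dedicated project.

    Handles Action/Resource given either as a string or as a list, which RAM
    policies allow, so the check also works on hand-edited variants.
    """
    policy = json.loads(policy_json)
    pinned = f":project/{project}"
    flagged = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for action in actions:
            for resource in resources:
                # Pinned if the ARN ends with the project or descends into it.
                if not (resource.endswith(pinned) or pinned + "/" in resource):
                    flagged.append((action, resource))
    return flagged


if __name__ == "__main__":
    # Constructed sample names; use your dedicated Cloud Firewall project/Logstore.
    policy = render_policy("cfw-project", "cfw-logstore")
    print(policy)
    print("unresolved placeholders:", unresolved_placeholders(policy))
    print("statements not scoped to the project:", statements_outside_project(policy, "cfw-project"))
```

Run it once with your real project and Logstore names; the only statement it reports as not pinned to the dedicated project is log:CreateProject on acs:log:*:*:project/*, which is exactly what the Step 1 policy grants.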

Step 2: Grant permissions to a RAM user

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Grants.
  3. On the Grants page, click Grant Permission.
  4. In the Principal section of the page that appears, select the RAM user to which you want to grant permissions.
  5. In the Select Policy section, click the Custom Policy tab and click the custom policy that you created in Step 1.
    After you grant the permissions to the RAM user, the RAM user can query and analyze logs of Cloud Firewall.
  6. Click OK.