The first time you log on to the Network Detection and Response (NDR) console, you must grant NDR access to your cloud resources before the service can start monitoring traffic. NDR uses the AliyunServiceRoleForCloudFW service-linked role, which Cloud Firewall creates automatically on your behalf.
Prerequisites
Before you begin, make sure you have:
An Alibaba Cloud account, or a Resource Access Management (RAM) user with the ram:CreateServiceLinkedRole permission scoped to cloudfw.aliyuncs.com
A RAM user granted FullAccess permissions for NDR already has permission to create the service-linked role. No additional configuration is needed.
If your RAM user cannot create the role automatically, see Why can't a RAM user create the service-linked role?
How it works
NDR needs access to several Alibaba Cloud services to collect traffic data, detect threats, and store results. Rather than requiring you to configure these permissions manually, Cloud Firewall creates the AliyunServiceRoleForCloudFW service-linked role automatically when you complete the authorization step.
The role is attached to the AliyunServiceRolePolicyForCloudFW policy. The following table summarizes the services covered and the purpose of each permission group:
| Service | Purpose |
|---|---|
| Elastic Compute Service (ECS) | Query instances, manage security groups, and manage network interfaces |
| Virtual Private Cloud (VPC) | Read topology and manage VPCs, vSwitches, route tables and route entries, NAT gateways and SNAT entries, router interfaces and virtual border routers, VPN connections, and EIP associations |
| Server Load Balancer (SLB) | Read load balancer configurations and listener attributes |
| Application Load Balancer (ALB) | Read load balancer configurations, listeners, and access control lists |
| Network Load Balancer (NLB) | Read load balancer configurations and listener attributes |
| Simple Log Service (SLS) | Create, read, update, and delete projects, Logstores, indexes, dashboards, and saved searches; write log data |
| Bastion Host | Query instance configurations |
| Cloud Enterprise Network (CEN) | Read and manage CEN instances, transit routers, and route tables |
| Network Analysis (netana) | Query and request network quotas |
| Security Center | Query vulnerability data |
| ApsaraDB RDS | Query database instances |
| RAM | Create a service-linked role for CEN; delete the service-linked role for Cloud Firewall |
| Resource Manager | List accounts |
For the full policy definition, see Permissions of the AliyunServiceRoleForCloudFW service-linked role.
For background on service-linked roles, see Service-linked roles.
Grant NDR access to cloud resources
Log on to the NDR console.
Click Authorize Now.
Cloud Firewall automatically creates the AliyunServiceRoleForCloudFW service-linked role. To verify, go to the Roles page in the RAM console and confirm the role appears.
Permissions of the AliyunServiceRoleForCloudFW service-linked role
The AliyunServiceRolePolicyForCloudFW policy attached to AliyunServiceRoleForCloudFW grants the following permissions:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeTags",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:DescribeRegions",
        "ecs:DescribeVpcs",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:DeleteSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DescribePrefixLists",
        "ecs:ListTagResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeNatGateways",
        "vpc:DescribeSnatTableEntries",
        "vpc:DescribeForwardTableEntries",
        "vpc:DescribeBandwidthPackages",
        "vpc:GetNatGatewayAttribute",
        "vpc:ModifyNatGatewayAttribute",
        "vpc:DescribeEipAddresses",
        "vpc:DescribeRouterInterfaces",
        "vpc:DescribeRouteTableList",
        "vpc:DescribeRouteTables",
        "vpc:DescribeVSwitches",
        "vpc:CreateRouteEntry",
        "vpc:DeleteRouteEntry",
        "vpc:CreateVpc",
        "vpc:DeleteVpc",
        "vpc:CreateVSwitch",
        "vpc:DeleteVSwitch",
        "vpc:DescribeZones",
        "vpc:CreateVirtualBorderRouter",
        "vpc:ConnectRouterInterface",
        "vpc:ModifyRouterInterfaceAttribute",
        "vpc:DeleteRouterInterface",
        "vpc:CreateRouterInterface",
        "vpc:DeleteVirtualBorderRouter",
        "vpc:DeactivateRouterInterface",
        "vpc:DescribeVirtualBorderRouters",
        "vpc:DescribePhysicalConnections",
        "vpc:ModifyVirtualBorderRouterAttribute",
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeHaVips",
        "vpc:DescribeVpnConnections",
        "vpc:DescribeVpnRouteEntries",
        "vpc:DescribeVpnPbrRouteEntries",
        "vpc:DescribeVpnGateways",
        "vpc:DescribeSslVpnServers",
        "vpc:AssociateEipAddress",
        "vpc:UnassociateEipAddress",
        "vpc:CreateRouteTable",
        "vpc:DeleteRouteTable",
        "vpc:AssociateRouteTable",
        "vpc:UnassociateRouteTable",
        "vpc:CreateSnatEntry",
        "vpc:DeleteSnatEntry",
        "vpc:DescribeSnatTableEntries",
        "vpc:DescribeRouteEntryList",
        "vpc:DescribeIpv6Addresses",
        "vpc:ListVpcPeerConnections",
        "vpc:CreateRouteEntries",
        "vpc:DeleteRouteEntries"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:DescribeRegions",
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:DescribeLoadBalancerUDPListenerAttribute",
        "slb:DescribeLoadBalancerTCPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPSListenerAttribute",
        "slb:DescribeHealthStatus",
        "slb:DescribeAccessControlListAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "alb:DescribeRegions",
        "alb:ListLoadBalancers",
        "alb:GetLoadBalancerAttribute",
        "alb:ListListeners",
        "alb:GetListenerAttribute",
        "alb:GetListenerHealthStatus",
        "alb:ListAcls",
        "alb:ListAclEntries"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "nlb:DescribeRegions",
        "nlb:ListLoadBalancers",
        "nlb:GetLoadBalancerAttribute",
        "nlb:ListListeners",
        "nlb:GetListenerAttribute",
        "nlb:GetListenerHealthStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs",
        "log:GetProject",
        "log:ListProject",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:CreateLogStore",
        "log:CreateProject",
        "log:GetIndex",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:CreateDashboard",
        "log:ClearLogStoreStorage",
        "log:UpdateLogStore",
        "log:UpdateDashboard",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:DeleteLogStore",
        "log:DeleteSavedSearch",
        "log:GetSavedSearch",
        "log:ListSavedSearch",
        "log:DeleteDashboard",
        "log:GetDashboard",
        "log:ListDashboard"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-bastionhost:DescribeInstance",
        "yundun-bastionhost:DescribeRegions",
        "yundun-bastionhost:DescribeInstances",
        "yundun-bastionhost:DescribeInstanceBastionhost",
        "yundun-bastionhost:DescribeInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cen:DescribeCens",
        "cen:DescribeCenAttachedChildInstances",
        "cen:DescribeCenAttachedChildInstanceAttribute",
        "cen:AttachCenChildInstance",
        "cen:DetachCenChildInstance",
        "cen:PublishRouteEntries",
        "cen:WithdrawPublishedRouteEntries",
        "cen:DescribePublishedRouteEntries",
        "cen:DescribeCenRegionDomainRouteEntries",
        "cen:ModifyCenAttribute",
        "cen:CreateCenRouteMap",
        "cen:DeleteCenRouteMap",
        "cen:ModifyCenRouteMap",
        "cen:DescribeCenRouteMaps",
        "cen:DescribeCenChildInstanceRouteEntries",
        "cen:CreateCenChildInstanceRouteEntryToCen",
        "cen:DeleteCenChildInstanceRouteEntryToCen",
        "cen:ListTransitRouters",
        "cen:CreateTransitRouter",
        "cen:DeleteTransitRouter",
        "cen:ListTransitRouterAttachments",
        "cen:CreateTransitRouterVpcAttachment",
        "cen:DeleteTransitRouterVpcAttachment",
        "cen:UpdateTransitRouterVpcAttachmentAttribute",
        "cen:UpdateTransitRouterPeerAttachmentAttribute",
        "cen:CreateTransitRouterVbrAttachment",
        "cen:DeleteTransitRouterVbrAttachment",
        "cen:ListTransitRouterPeerAttachments",
        "cen:ListTransitRouterVpcAttachments",
        "cen:ListTransitRouterVbrAttachments",
        "cen:ListTransitRouterAvailableResource",
        "cen:CreateTransitRouterRouteTable",
        "cen:UpdateTransitRouterRouteTable",
        "cen:DeleteTransitRouterRouteTable",
        "cen:ListTransitRouterRouteTables",
        "cen:CreateTransitRouterRouteEntry",
        "cen:DeleteTransitRouterRouteEntry",
        "cen:ListTransitRouterRouteEntries",
        "cen:ListTransitRouterRouteTableAssociations",
        "cen:AssociateTransitRouterAttachmentWithRouteTable",
        "cen:DissociateTransitRouterAttachmentFromRouteTable",
        "cen:ListTransitRouterRouteTablePropagations",
        "cen:EnableTransitRouterRouteTablePropagation",
        "cen:DisableTransitRouterRouteTablePropagation",
        "cen:ModifyCenUserQuota",
        "cen:ReplaceTransitRouterRouteTableAssociation",
        "cen:CheckTransitRouterService",
        "cen:ListTransitRouterPrefixListAssociation"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "netana:DescribeNetworkQuotas",
        "netana:DescribeNetworkQuotaRequestResult",
        "netana:CreateNetworkQuotaRequest"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-sas:DescribeVulList",
        "yundun-sas:DescribeVulDetails"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:DescribeDBInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cen.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "resourcemanager:ListAccounts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cloudfw.aliyuncs.com"
        }
      }
    }
  ]
}
For a reference on policy syntax, see Policy elements.
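Most of the statements above grant mutating actions (Create, Delete, Modify, Attach, Authorize) on Resource "*" with no Condition, which is why the summary table earlier on this page describes several services as "manage" rather than "read". The following script is an added example, not part of this page or of Cloud Firewall: it takes a policy document in the format shown above, splits each service's actions into read-only and mutating ones, and flags every Allow statement that grants a mutating action on Resource "*" without a Condition, so you can list what NDR can change rather than merely observe. POLICY_EXCERPT reproduces four statements from AliyunServiceRolePolicyForCloudFW as sample input; the verb-based classification is an assumption of this script, not an Alibaba Cloud definition.

```python
"""Least-privilege review of a service-linked role policy (added example)."""
import json
from collections import defaultdict

# Assumption: RAM actions whose verb starts with one of these only read state.
READ_VERBS = ("Describe", "Get", "List", "Check")

# Sample input: four statements copied from AliyunServiceRolePolicyForCloudFW.
POLICY_EXCERPT = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:DescribeInstances", "ecs:JoinSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress", "ecs:CreateNetworkInterface",
                "ecs:AttachNetworkInterface"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["slb:DescribeLoadBalancers", "slb:DescribeHealthStatus"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["log:PostLogStoreLogs", "log:GetLogStore", "log:DeleteLogStore",
                "log:ClearLogStoreStorage"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "cen.aliyuncs.com"}}}
  ]
}
""")


def _as_list(value):
    """RAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def classify(action):
    """'read' for Describe/Get/List/Check verbs, 'write' for everything else."""
    service, _, verb = action.partition(":")
    if not service or not verb:
        raise ValueError("action must look like service:Verb, got %r" % action)
    return "read" if verb.startswith(READ_VERBS) else "write"


def summarize(policy):
    """Per-service read/write counts and the mutating actions, for Allow statements."""
    summary = defaultdict(lambda: {"read": 0, "write": 0, "write_actions": []})
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            service = action.split(":", 1)[0]
            kind = classify(action)
            summary[service][kind] += 1
            if kind == "write":
                summary[service]["write_actions"].append(action)
    return dict(summary)


def unscoped_write_statements(policy):
    """Indexes of Allow statements granting a mutating action on Resource "*"
    with no Condition: the broadest grants, and the first to justify in review."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt["Resource"])
                and not stmt.get("Condition")
                and any(classify(a) == "write" for a in _as_list(stmt["Action"]))):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    for service, counts in sorted(summarize(POLICY_EXCERPT).items()):
        print("%-4s read=%d write=%d %s" % (service, counts["read"], counts["write"],
                                           ", ".join(counts["write_actions"])))
    print("unscoped write statements:", unscoped_write_statements(POLICY_EXCERPT))
```

Run it against the full policy by replacing POLICY_EXCERPT with the JSON above; the ram statements are the only ones that escape the flag, because they are the only ones carrying a ram:ServiceName condition.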
Delete the service-linked role
You can delete AliyunServiceRoleForCloudFW only after your Cloud Firewall instance expires and is automatically released. The role is shared by Cloud Firewall and NDR; once it is deleted, NDR can no longer access the resources listed above.
To delete the role, follow the steps in Delete a RAM role.
FAQ
Why can't a RAM user create the service-linked role?
Creating AliyunServiceRoleForCloudFW requires the ram:CreateServiceLinkedRole permission with the ram:ServiceName condition set to cloudfw.aliyuncs.com (deleting it requires ram:DeleteServiceLinkedRole with the same condition). If the RAM user wasn't granted NDR FullAccess permissions, add the following policy to the user, replacing Alibaba Cloud account ID with the ID of your Alibaba Cloud account. For instructions, see Grant permissions to a RAM user.
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "cloudfw.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
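The Condition and the account-scoped Resource are what keep this grant narrow: the user can create service-linked roles for Cloud Firewall only, and only in your own account. The evaluator below is an added example, not Alibaba Cloud's own authorization logic; it implements just the subset of RAM policy semantics used on this page (Allow/Deny statements, Action and Resource wildcards, StringEquals on ram:ServiceName) so you can see which requests the FAQ policy accepts and which it refuses. The account ID 123456789012345678 is a constructed placeholder.

```python
"""Minimal RAM policy evaluator for the FAQ policy above (added example)."""
import fnmatch
import json

ACCOUNT_ID = "123456789012345678"  # constructed placeholder, not a real account

# The FAQ policy with the account ID placeholder filled in.
POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": ["ram:CreateServiceLinkedRole"],
      "Resource": "acs:ram:*:%s:role/*",
      "Effect": "Allow",
      "Condition": {"StringEquals": {"ram:ServiceName": ["cloudfw.aliyuncs.com"]}}
    }
  ],
  "Version": "1"
}
""" % ACCOUNT_ID)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_any(value, patterns):
    """Case-insensitive wildcard match, as RAM treats action and resource names."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_matches(condition, context):
    """Only StringEquals / StringNotEquals are supported; a missing context key
    never satisfies StringEquals, which is why an unconditioned call is refused."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(operator)
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' if a matching Allow statement exists and no matching Deny
    does; anything else is RAM's implicit 'Deny'."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _glob_any(action, stmt["Action"]):
            continue
        if not _glob_any(resource, stmt["Resource"]):
            continue
        if not _condition_matches(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


ROLE_ARN = "acs:ram::%s:role/AliyunServiceRoleForCloudFW" % ACCOUNT_ID

if __name__ == "__main__":
    for service in ("cloudfw.aliyuncs.com", "cen.aliyuncs.com"):
        print(service, evaluate(POLICY, "ram:CreateServiceLinkedRole", ROLE_ARN,
                                {"ram:ServiceName": service}))
```

RAM role ARNs carry an empty region field (acs:ram::account-id:role/name); the `*` in the FAQ policy's Resource matches that empty field as well, which the evaluator reproduces with fnmatch.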