All Products
Search
Document Center

Cloud Firewall:Authorize Cloud Firewall to access other cloud resources

Last Updated:Oct 08, 2023

The first time you log on to the Cloud Firewall console, you must authorize Cloud Firewall to access other cloud resources within your account before you can use the features of Cloud Firewall. This topic describes how to authorize Cloud Firewall to access other cloud resources by using the AliyunServiceRoleForCloudFW service-linked role and how to delete the role.

Prerequisites

An Alibaba Cloud account or a Resource Access Management (RAM) user that has the permissions to create or delete service-linked roles is used. For information about how to grant RAM users the permissions on service-linked roles, see FAQ.

Background information

To provide features such as access control, monitoring, and analysis on cloud traffic, Cloud Firewall must access other cloud resources within your account, such as Elastic Compute Service (ECS) instances, Virtual Private Cloud (VPC), Server Load Balancer (SLB) instances, Simple Log Service, Bastionhost, Cloud Enterprise Network (CEN) instances, Security Center, and ApsaraDB RDS instances. You can use the AliyunServiceRoleForCloudFW service-linked role to authorize Cloud Firewall to access these resources. This role is automatically created. For more information, see Service-linked roles.

Procedure

  1. Log on to the Cloud Firewall console.

  2. In the Service-Linked Role for Cloud Firewall dialog box, click OK.

    Note

    If the AliyunServiceRoleForCloudFW service-linked role is created, the dialog box does not appear and you can directly use Cloud Firewall in the console.

    云防火墙服务关联角色

    Then, Alibaba Cloud automatically creates the AliyunServiceRoleForCloudFW service-linked role.

    On the Roles page in the RAM console, you can view the service-linked role. Cloud Firewall can access other cloud resources within your account only after the AliyunServiceRoleForCloudFW service-linked role is created.

Permissions of the AliyunServiceRoleForCloudFW service-linked role

By default, the AliyunServiceRoleForCloudFW service-linked role is attached with the AliyunServiceRolePolicyForCloudFW policy. The following code block provides the permissions that are defined in the AliyunServiceRolePolicyForCloudFW policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTags",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:DescribeRegions",
                "ecs:DescribeVpcs",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:DeleteSecurityGroup",
                "ecs:RevokeSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:CreateSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeSecurityGroupReferences",
                "ecs:ModifySecurityGroupPolicy",
                "ecs:ModifySecurityGroupRule",
                "ecs:ModifySecurityGroupEgressRule",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribePrefixLists",
                "ecs:ListTagResources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeNatGateways",
                "vpc:DescribeSnatTableEntries",
                "vpc:DescribeForwardTableEntries",
                "vpc:DescribeBandwidthPackages",
                "vpc:GetNatGatewayAttribute",
                "vpc:ModifyNatGatewayAttribute",
                "vpc:DescribeEipAddresses",
                "vpc:DescribeRouterInterfaces",
                "vpc:DescribeRouteTableList",
                "vpc:DescribeRouteTables",
                "vpc:DescribeVSwitches",
                "vpc:CreateRouteEntry",
                "vpc:DeleteRouteEntry",
                "vpc:CreateVpc",
                "vpc:DeleteVpc",
                "vpc:CreateVSwitch",
                "vpc:DeleteVSwitch",
                "vpc:DescribeZones",
                "vpc:CreateVirtualBorderRouter",
                "vpc:ConnectRouterInterface",
                "vpc:ModifyRouterInterfaceAttribute",
                "vpc:DeleteRouterInterface",
                "vpc:CreateRouterInterface",
                "vpc:DeleteVirtualBorderRouter",
                "vpc:DeactivateRouterInterface",
                "vpc:DescribeVirtualBorderRouters",
                "vpc:DescribePhysicalConnections",
                "vpc:ModifyVirtualBorderRouterAttribute",
                "vpc:DescribeVpcAttribute",
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeHaVips",
                "vpc:DescribeVpnConnections",
                "vpc:DescribeVpnRouteEntries",
                "vpc:DescribeVpnPbrRouteEntries",
                "vpc:DescribeVpnGateways",
                "vpc:DescribeSslVpnServers",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:CreateRouteTable",
                "vpc:DeleteRouteTable",
                "vpc:AssociateRouteTable",
                "vpc:UnassociateRouteTable",
                "vpc:CreateSnatEntry",
                "vpc:DeleteSnatEntry",
                "vpc:DescribeSnatTableEntries",
                "vpc:DescribeRouteEntryList",
                "vpc:DescribeIpv6Addresses",
                "vpc:ListVpcPeerConnections",
                "vpc:CreateRouteEntries",
                "vpc:DeleteRouteEntries"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "slb:DescribeRegions",
                "slb:DescribeLoadBalancers",
                "slb:DescribeLoadBalancerAttribute",
                "slb:DescribeLoadBalancerUDPListenerAttribute",
                "slb:DescribeLoadBalancerTCPListenerAttribute",
                "slb:DescribeLoadBalancerHTTPListenerAttribute",
                "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                "slb:DescribeHealthStatus",
                "slb:DescribeAccessControlListAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "alb:DescribeRegions",
                "alb:ListLoadBalancers",
                "alb:GetLoadBalancerAttribute",
                "alb:ListListeners",
                "alb:GetListenerAttribute",
                "alb:GetListenerHealthStatus",
                "alb:ListAcls",
                "alb:ListAclEntries"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "nlb:DescribeRegions",
                "nlb:ListLoadBalancers",
                "nlb:GetLoadBalancerAttribute",
                "nlb:ListListeners",
                "nlb:GetListenerAttribute",
                "nlb:GetListenerHealthStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:PostLogStoreLogs",
                "log:GetProject",
                "log:ListProject",
                "log:GetLogStore",
                "log:ListLogStores",
                "log:CreateLogStore",
                "log:CreateProject",
                "log:GetIndex",
                "log:CreateIndex",
                "log:UpdateIndex",
                "log:CreateDashboard",
                "log:ClearLogStoreStorage",
                "log:UpdateLogStore",
                "log:UpdateDashboard",
                "log:CreateSavedSearch",
                "log:UpdateSavedSearch",
                "log:DeleteLogStore",
                "log:DeleteSavedSearch",
                "log:GetSavedSearch",
                "log:ListSavedSearch",
                "log:DeleteDashboard",
                "log:GetDashboard",
                "log:ListDashboard"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "yundun-bastionhost:DescribeInstance",
                "yundun-bastionhost:DescribeRegions",
                "yundun-bastionhost:DescribeInstances",
                "yundun-bastionhost:DescribeInstanceBastionhost",
                "yundun-bastionhost:DescribeInstanceAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cen:DescribeCens",
                "cen:DescribeCenAttachedChildInstances",
                "cen:DescribeCenAttachedChildInstanceAttribute",
                "cen:AttachCenChildInstance",
                "cen:DetachCenChildInstance",
                "cen:PublishRouteEntries",
                "cen:WithdrawPublishedRouteEntries",
                "cen:DescribePublishedRouteEntries",
                "cen:DescribeCenRegionDomainRouteEntries",
                "cen:ModifyCenAttribute",
                "cen:CreateCenRouteMap",
                "cen:DeleteCenRouteMap",
                "cen:ModifyCenRouteMap",
                "cen:DescribeCenRouteMaps",
                "cen:DescribeCenChildInstanceRouteEntries",
                "cen:CreateCenChildInstanceRouteEntryToCen",
                "cen:DeleteCenChildInstanceRouteEntryToCen",
                "cen:ListTransitRouters",
                "cen:CreateTransitRouter",
                "cen:DeleteTransitRouter",
                "cen:ListTransitRouterAttachments",
                "cen:CreateTransitRouterVpcAttachment",
                "cen:DeleteTransitRouterVpcAttachment",
                "cen:UpdateTransitRouterVpcAttachmentAttribute",
                "cen:UpdateTransitRouterPeerAttachmentAttribute",
                "cen:CreateTransitRouterVbrAttachment",
                "cen:DeleteTransitRouterVbrAttachment",
                "cen:ListTransitRouterPeerAttachments",
                "cen:ListTransitRouterVpcAttachments",
                "cen:ListTransitRouterVbrAttachments",
                "cen:ListTransitRouterAvailableResource",
                "cen:CreateTransitRouterRouteTable",
                "cen:UpdateTransitRouterRouteTable",
                "cen:DeleteTransitRouterRouteTable",
                "cen:ListTransitRouterRouteTables",
                "cen:CreateTransitRouterRouteEntry",
                "cen:DeleteTransitRouterRouteEntry",
                "cen:ListTransitRouterRouteEntries",
                "cen:ListTransitRouterRouteTableAssociations",
                "cen:AssociateTransitRouterAttachmentWithRouteTable",
                "cen:DissociateTransitRouterAttachmentFromRouteTable",
                "cen:ListTransitRouterRouteTablePropagations",
                "cen:EnableTransitRouterRouteTablePropagation",
                "cen:DisableTransitRouterRouteTablePropagation",
                "cen:ModifyCenUserQuota",
                "cen:ReplaceTransitRouterRouteTableAssociation",
                "cen:CheckTransitRouterService",
                "cen:ListTransitRouterPrefixListAssociation"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "netana:DescribeNetworkQuotas",
                "netana:DescribeNetworkQuotaRequestResult",
                "netana:CreateNetworkQuotaRequest"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "yundun-sas:DescribeVulList",
                "yundun-sas:DescribeVulDetails"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "cen.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "resourcemanager:ListAccounts"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "cloudfw.aliyuncs.com"
                }
            }
        }
    ]
}

For more information, see Policy elements.

Delete a service-linked role

If you no longer require Cloud Firewall, you can delete the AliyunServiceRoleForCloudFW service-linked role. Before you delete the service-linked role, make sure that Cloud Firewall expires and is automatically released. For more information, see Delete a RAM role.

FAQ

Why is the AliyunServiceRoleForCloudFW service-linked role not automatically created for my RAM user?

The AliyunServiceRoleForCloudFW service-linked role can be automatically created or deleted only if your RAM user has the required permissions. To obtain the permissions, attach the following policy to your RAM user. For more information, see Grant permissions to the RAM user.

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:ID of an Alibaba Cloud account:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "cloudfw.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}