This topic describes the scenarios, permissions, and deletion process for the service-linked role AliyunServiceRoleForHSMLogDelivery.
Scenarios for AliyunServiceRoleForHSMLogDelivery
The Cloud Hardware Security Module (HSM) security audit service requires access to Object Storage Service (OSS) resources. To grant this access, HSM creates the service-linked role AliyunServiceRoleForHSMLogDelivery.
Permissions for AliyunServiceRoleForHSMLogDelivery
AliyunServiceRoleForHSMLogDelivery is granted permissions to list OSS buckets and to read and write objects under the aliyun-hsm-audit-log path. It is also allowed to delete itself, but only when the request comes from the logdelivery.hsm.aliyuncs.com service.
The policy statements attached to AliyunServiceRoleForHSMLogDelivery are as follows:
  {
    "Action": "ram:DeleteServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {
      "StringEquals": {
        "ram:ServiceName": "logdelivery.hsm.aliyuncs.com"
      }
    }
  },
  {
    "Action": [
      "oss:GetObject",
      "oss:PutObject"
    ],
    "Effect": "Allow",
    "Resource": [
      "acs:oss:*:*:*/aliyun-hsm-audit-log",
      "acs:oss:*:*:*/aliyun-hsm-audit-log/*"
    ]
  },
  {
    "Action": [
      "oss:ListBuckets"
    ],
    "Effect": "Allow",
    "Resource": [
      "acs:oss:*:*:*"
    ]
  }
Delete the service-linked role
If you no longer use the HSM security audit service, you can delete its service-linked role. First confirm that no HSM instances are active and that the service is disabled, then delete the role in the RAM console.
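As an added example (not part of this page or of Alibaba Cloud's own tooling), the Python check below parses a copy of the policy statements listed above and flags any grant wider than described: object writes outside the aliyun-hsm-audit-log path, or a role-deletion grant not bound to the logdelivery.hsm.aliyuncs.com service name. The "Version"/"Statement" envelope and the function names are assumptions.

```python
import fnmatch
import json

# Constructed copy of the three statements listed on this page; wrapping them in
# the standard RAM policy envelope ("Version"/"Statement") is an assumption.
HSM_LOG_DELIVERY_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "logdelivery.hsm.aliyuncs.com"}}},
    {"Action": ["oss:GetObject", "oss:PutObject"], "Effect": "Allow",
     "Resource": ["acs:oss:*:*:*/aliyun-hsm-audit-log", "acs:oss:*:*:*/aliyun-hsm-audit-log/*"]},
    {"Action": ["oss:ListBuckets"], "Effect": "Allow", "Resource": ["acs:oss:*:*:*"]}
  ]
}
""")

AUDIT_LOG_PREFIX = "aliyun-hsm-audit-log"
LOG_DELIVERY_SERVICE = "logdelivery.hsm.aliyuncs.com"


def _as_list(value):
    """RAM allows a bare string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def resources_for(policy, action):
    """Return (resource, condition) pairs from Allow statements granting `action` (wildcards such as oss:* honoured)."""
    grants = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        grants.extend((res, stmt.get("Condition")) for res in _as_list(stmt["Resource"]))
    return grants


def audit_policy(policy):
    """Flag grants wider than the page describes: object writes outside the audit-log
    path, or role deletion that is not pinned to the HSM log-delivery service name."""
    findings = []
    for res, _ in resources_for(policy, "oss:PutObject"):
        # ARN form acs:oss:<region>:<account>:<bucket>/<object>; keep only the object key part
        _, _, key = res.split(":", 4)[-1].partition("/")
        if key != AUDIT_LOG_PREFIX and not key.startswith(AUDIT_LOG_PREFIX + "/"):
            findings.append(f"oss:PutObject allowed outside audit-log path: {res}")
    for res, cond in resources_for(policy, "ram:DeleteServiceLinkedRole"):
        if (cond or {}).get("StringEquals", {}).get("ram:ServiceName") != LOG_DELIVERY_SERVICE:
            findings.append(f"ram:DeleteServiceLinkedRole on {res} is not bound to {LOG_DELIVERY_SERVICE}")
    return findings
```

Running `audit_policy(HSM_LOG_DELIVERY_POLICY)` on the page's statements returns no findings; the same function can be pointed at a role's policy exported from the RAM console to confirm nothing broader has been attached.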