Use a custom policy to authorize Log Service to collect and synchronize logs - Log Service

The Log Audit Service application allows you to collect logs from Alibaba Cloud services across multiple Alibaba Cloud accounts. Before you can collect logs, you must authorize Log Service and the related accounts. To authorize Log Service, you can use the AccessKey pair of a RAM user who has the required permissions. You can also follow the steps described in this topic to create a custom policy in Resource Access Management (RAM).

Background information

You can use the Log Audit Service application to collect cloud service logs of an Alibaba Cloud account or across multiple Alibaba Cloud accounts. To collect the logs of cloud services across multiple Alibaba Cloud accounts, you must grant mutual access between the current Alibaba Cloud account and the other Alibaba Cloud accounts.

Note When the AliyunServiceRoleForSLSAudit service-linked role is created, the current Alibaba Cloud account is automatically authorized. For more information, see Initially configure Log Audit Service. If you want to authorize other Alibaba Cloud accounts by using a custom policy, you can perform the steps described in this topic.

You must authorize the current Alibaba Cloud account to receive logs from other Alibaba Cloud accounts. The logs are stored in the Logstore that is dedicated to audit logs.
You must authorize other Alibaba Cloud accounts to synchronize logs to the current Alibaba Cloud account. The logs are stored in the Logstore that is dedicated to audit logs.

The Log Audit Service application of Log Service involves multiple roles and policies. The following tables describes the relationships among the roles and policies.

Current Alibaba Cloud account


Role	Policy
AliyunServiceRoleForSLSAudit	AliyunServiceRolePolicyForSLSAudit

Other Alibaba Cloud accounts


Role	Policy
sls-audit-service-monitor	ReadOnlyAccess AliyunLogAuditServiceMonitorAccess

Procedure

Use one of the other Alibaba Cloud accounts to log on to the RAM console.
We recommend that you use a RAM user to complete authorization. The RAM user must be granted the read and write permissions on RAM resources. To grant the required permissions to the RAM user, you can attach the AliyunRAMFullAccess policy to the RAM user.

Create a policy named AliyunLogAuditServiceMonitorAccess.

In the left-side navigation pane, choose Permissions > Policies. On the page that appears, click Create Policy.

On the Create Custom Policy page, set the parameters and click OK. The following table describes the parameters.

Parameter Description

Policy Name Set the value to AliyunLogAuditServiceMonitorAccess.

Configuration Mode Select Script.

Parameter	Description
Policy Name	Set the value to AliyunLogAuditServiceMonitorAccess.
Configuration Mode	Select Script.
Policy Document	The content of the policy. Replace the content in the editor with the following script: `{ "Version": "1", "Statement": [ { "Action": "log:", "Resource": [ "acs:log:::project/slsaudit-", "acs:log:::app/audit" ], "Effect": "Allow" }, { "Action": [ "rds:ModifySQLCollectorPolicy", "vpc:FlowLog", "drds:SqlAudit", "kvstore:ModifyAuditLogConfig", "polardb:ModifyDBClusterAuditLogCollector" ], "Resource": "*", "Effect": "Allow" } ] }`

Policy Document

The content of the policy. Replace the content in the editor with the following script:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "log:*",
            "Resource": [
                "acs:log:*:*:project/slsaudit-*",
                "acs:log:*:*:app/audit"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "rds:ModifySQLCollectorPolicy",
                "vpc:*FlowLog*",
                "drds:*SqlAudit*",
                "kvstore:ModifyAuditLogConfig",
                "polardb:ModifyDBClusterAuditLogCollector"                      
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Create a role named sls-audit-service-monitor.

In the left-side navigation pane, choose Identities > Roles. On the page that appears, click Create Role.
In the Select Role Type step, select Alibaba Cloud Service and click Next.

In the Configure Role step, set the parameters and click OK. The following table describes the parameters.


Parameter	Description
Role Type	Select Normal Service Role.
RAM Role Name	Set the value to sls-audit-service-monitor.
Select Trusted Service	Select Log Service from the drop-down list.

In the Finish step, click Add Permissions to RAM Role.

Attach the AliyunLogAuditServiceMonitorAccess policy to the sls-audit-service-monitor role.
In the Add Permissions panel, click Custom Policy in the Select Policy section and select the AliyunLogAuditServiceMonitorAccess policy. Then, click System Policy and select the ReadOnlyAccess policy. Click OK.
Modify the trust policy of the sls-audit-service-monitor role.
1. On the Roles page, find and click the sls-audit-service-monitor role to go to the details page of the role.
2. Click the Trust Policy Management tab. On the tab, replace the content in the editor with the following script and click OK.
  Replace Alibaba Cloud account ID with the actual ID. You can view the ID of your Alibaba Cloud account in the Account Management console.
```
 {
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "Alibaba Cloud account ID@log.aliyuncs.com",
                    "log.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}
```