
Simple Log Service:Use a custom policy to authorize Simple Log Service to collect and synchronize logs

Last Updated:Apr 17, 2024

The Log Audit Service application allows you to collect logs from Alibaba Cloud services across multiple Alibaba Cloud accounts. Before you can collect logs, you must authorize Simple Log Service to collect logs from the required cloud services and authorize the related accounts to synchronize data. To perform the authorization, you can use the AccessKey pair of a Resource Access Management (RAM) user who has the required permissions. You can also follow the steps described in this topic to create a custom policy in RAM.

Background information

You can use the Log Audit Service application to collect cloud service logs of an Alibaba Cloud account or across multiple Alibaba Cloud accounts. To collect cloud service logs across multiple Alibaba Cloud accounts, you must grant mutual access permissions between the current Alibaba Cloud account and the other Alibaba Cloud accounts.

Note

After the AliyunServiceRoleForSLSAudit service-linked role is created, the current Alibaba Cloud account is granted the required permissions. For more information, see Initially configure Log Audit Service. If you want to grant custom permissions to other Alibaba Cloud accounts, you can perform the steps described in this topic.

  • You must authorize the current Alibaba Cloud account to synchronize logs from other Alibaba Cloud accounts to the Logstore that is dedicated to audit logs within the current Alibaba Cloud account.

  • You must authorize other Alibaba Cloud accounts to synchronize logs to the Logstore that is dedicated to audit logs within the current Alibaba Cloud account.

The Log Audit Service application of Simple Log Service involves multiple roles and policies. The following table describes the relationships among the roles and policies.

Procedure

  1. Use one of the other Alibaba Cloud accounts to log on to the RAM console.

    We recommend that you use a RAM user to complete authorization. The RAM user must have the read and write permissions on RAM resources. For example, a RAM user to whom the AliyunRAMFullAccess policy is attached has the required permissions.

  2. Create a policy named AliyunLogAuditServiceMonitorAccess.

    1. In the left-side navigation pane, choose Permissions > Policies. On the page that appears, click Create Policy.

    2. On the Create Policy page, click the JSON tab.

      Replace the content in the code editor with the following script.

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "log:*",
                  "Resource": [
                      "acs:log:*:*:project/slsaudit-*",
                      "acs:log:*:*:app/audit"
                  ],
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "rds:ModifySQLCollectorPolicy",
                      "vpc:*FlowLog*",
                      "drds:*SqlAudit*",
                      "kvstore:ModifyAuditLogConfig",
                      "polardb:ModifyDBClusterAuditLogCollector",
                      "config:UpdateIntegratedServiceStatus",
                      "config:StartConfigurationRecorder",
                      "config:PutConfigurationRecorder",
                      "pvtz:DescribeResolveAnalysisScopeStatus",
                      "pvtz:SetResolveAnalysisScopeStatus"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": "ram:CreateServiceLinkedRole",
                  "Resource": "*",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "ram:ServiceName": [
                              "config.aliyuncs.com",
                              "pvtz.aliyuncs.com"
                          ]
                      }
                  }
              }
          ]
      }
    3. Click Next to edit policy information. On the page that appears, configure the parameters and click OK. The following table describes the parameters.

      Parameter       Description
      Name            Enter AliyunLogAuditServiceMonitorAccess.
      Description     Enter remarks for the policy.

  3. Create a role named sls-audit-service-monitor.

    1. In the left-side navigation pane, choose Identities > Roles. On the page that appears, click Create Role.

    2. In the Select Role Type step, select Alibaba Cloud Service and click Next.

    3. In the Configure Role step, configure the parameters and click OK. The following table describes the parameters.

      Parameter                 Description
      Role Type                 Select Normal Service Role.
      RAM Role Name             Enter sls-audit-service-monitor.
      Select Trusted Service    Select Log Service from the drop-down list.

    4. In the Finish step, click Add Permissions to RAM Role.

    5. On the page that appears, click Grant Permission.

  4. Attach the AliyunLogAuditServiceMonitorAccess policy to the sls-audit-service-monitor role.

    In the Grant Permission panel, go to the Select Policy section, select the AliyunLogAuditServiceMonitorAccess policy below Custom Policy, and then select the ReadOnlyAccess policy below System Policy. Then, click OK.

  5. Modify the trust policy of the sls-audit-service-monitor role.

    1. Click the Trust Policy tab. On the tab, click Edit Trust Policy, replace the existing content in the code editor with the following script, and then click Save trust policy document.

      Replace Alibaba Cloud account ID with the actual ID. You can view the ID of your Alibaba Cloud account in Account Center.

      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "Alibaba Cloud account ID@log.aliyuncs.com",
                          "log.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
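The two documents above, checked before they are attached, as an added example that is not part of this page or of any Alibaba Cloud SDK or CLI: it lints the step-2 custom policy for statements that grant a service-wide wildcard action on all resources without a Condition, and renders the step-5 trust policy with the "Alibaba Cloud account ID" placeholder filled in. The numeric account-ID format check is an assumption of the example.

```python
import re

# Compact copy of the AliyunLogAuditServiceMonitorAccess policy from step 2.
MONITOR_ACCESS_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "log:*", "Effect": "Allow",
         "Resource": ["acs:log:*:*:project/slsaudit-*", "acs:log:*:*:app/audit"]},
        {"Action": ["rds:ModifySQLCollectorPolicy", "vpc:*FlowLog*", "drds:*SqlAudit*",
                    "kvstore:ModifyAuditLogConfig", "polardb:ModifyDBClusterAuditLogCollector",
                    "config:UpdateIntegratedServiceStatus", "config:StartConfigurationRecorder",
                    "config:PutConfigurationRecorder", "pvtz:DescribeResolveAnalysisScopeStatus",
                    "pvtz:SetResolveAnalysisScopeStatus"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": ["config.aliyuncs.com", "pvtz.aliyuncs.com"]}}},
    ],
}

def _as_list(v):
    # RAM accepts a single string or a list for Action and Resource.
    return v if isinstance(v, list) else [v]

def audit_policy(policy):
    """Return findings for Allow statements that pair a service-wide wildcard action
    ('*' or 'service:*') with Resource '*' and no Condition. The page's policy passes:
    log:* is scoped to slsaudit-* projects; CreateServiceLinkedRole has a Condition."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(st["Action"]))
        wild_resource = "*" in _as_list(st["Resource"])
        if wild_action and wild_resource and "Condition" not in st:
            findings.append(f"Statement[{i}]: wildcard action on Resource '*' without Condition")
    return findings

def build_trust_policy(account_id):
    """Render the step-5 trust policy for sls-audit-service-monitor, replacing
    the 'Alibaba Cloud account ID' placeholder with account_id."""
    if not re.fullmatch(r"\d+", account_id):  # numeric-ID format is this example's assumption
        raise ValueError("account ID must be numeric")
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [f"{account_id}@log.aliyuncs.com", "log.aliyuncs.com"]},
        }],
        "Version": "1",
    }
```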