This topic describes the use cases, permission policy, and related operations of the Access Analyzer service-linked role (AliyunServiceRoleForAccessAnalyzer).
Background
A service-linked role (SLR) is a type of RAM role that is associated with a specific Alibaba Cloud service. In certain scenarios, a cloud service needs permissions to access other cloud services to perform its functions. By using a service-linked role, you can securely authorize a cloud service to access other resources on your behalf without having to manually create and manage the role. For more information, see Service-linked roles.
Use cases
The Access Analyzer service-linked role (AliyunServiceRoleForAccessAnalyzer) applies to the following scenarios:
External access analysis
When you create an external access analyzer to identify resources in your account that are accessed by external accounts, Access Analyzer needs to read the bucket policies, ACLs, and trust policies of RAM roles in your account to identify resources that are accessible to external accounts.
Over-privileged access analysis
When you create an over-privileged access analyzer to identify RAM identities that have excessive permissions, Access Analyzer needs to read the RAM identity configurations (users, roles, permission policies, logon settings, and AccessKey pairs) and combine them with ActionTrail activity logs to analyze the actual usage of identities. This helps discover super administrators, privileged identities, inactive identities, and over-privileged identities.
Access Analyzer obtains these read-only permissions through the service-linked role to analyze permission information and ActionTrail activity logs.
Permission policy
Role name: AliyunServiceRoleForAccessAnalyzer
Permission policy: AliyunServiceRolePolicyForAccessAnalyzer
Policy content:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetBucketPolicy",
        "oss:GetBucketAcl",
        "oss:ListBuckets",
        "oss:GetBucketPublicAccessBlock",
        "oss:GetBucketPolicyStatus",
        "ram:GetPolicy",
        "ram:GetRole",
        "ram:ListUsers",
        "ram:ListRoles",
        "ram:GetLoginProfile",
        "ram:ListAccessKeys",
        "ram:ListEntitiesForPolicy",
        "ram:ListUsersForGroup",
        "ram:GenerateServiceLastAccessedDetails",
        "ram:GetServiceLastAccessedDetails"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "actiontrail:CreateServiceTrail",
        "actiontrail:DeleteServiceTrail",
        "actiontrail:GetServiceTrail",
        "actiontrail:GetServiceTrailDeliveryStatus"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "accessanalyzer.aliyuncs.com"
        }
      }
    }
  ]
}
The preceding permission policy contains three groups of permissions:
The first group of permissions allows Access Analyzer to read OSS bucket policies, ACLs, and public access block configurations, as well as RAM user and role configurations (logon settings, AccessKey pairs, and permission policy attachments) for external access analysis and over-privileged access analysis.
The second group of permissions allows Access Analyzer to create and manage ActionTrail service trails to collect activity logs for analyzing the permission usage of identities.
The third group of permissions allows Access Analyzer to automatically delete the service-linked role after all analyzers are deleted.
This policy is updated by Access Analyzer as needed. To view the latest version of the policy, search for AliyunServiceRolePolicyForAccessAnalyzer on the Policies page of the RAM console.
Create the service-linked role
The Access Analyzer service-linked role (AliyunServiceRoleForAccessAnalyzer) is automatically created in the following scenarios:
When you create an analyzer for the first time in the Access Analyzer console, the service-linked role is automatically created.
When you create an analyzer by calling an API operation, the service-linked role is automatically created.
The creation behavior of the service-linked role varies depending on the scope of the analyzer:
Account-scoped analyzers: The system creates the service-linked role in the current account.
Resource directory-scoped analyzers: The system creates the service-linked role in all member accounts of the resource directory.
Creating a service-linked role requires the RAM permission ram:CreateServiceLinkedRole. If your current identity does not have this permission, contact the administrator of your Alibaba Cloud account (root account) to grant it.
For the specific steps to create an analyzer, see Detect over-privileged identities and Identify external access.
View the service-linked role
After the service-linked role (AliyunServiceRoleForAccessAnalyzer) is created, you can view the basic information, trust policy, and permission policy of the role in the RAM console.
Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
In the role list, search for AliyunServiceRoleForAccessAnalyzer and click the role name to go to the role details page.
In the basic information section on the role details page, view the role ID, creation time, and other information.
Click the Trust Policy Management tab and check whether the Service field in the trust policy contains accessanalyzer.aliyuncs.com.
View the permission policy of the role:
On the role details page, click the Permissions tab.
In the policy list, find AliyunServiceRolePolicyForAccessAnalyzer and click the policy name.
View the policy content to understand the specific authorization scope.
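The two checks described above (that the trust policy names accessanalyzer.aliyuncs.com in its Service field, and that the permission policy grants only read-only access apart from service-trail management and the conditional self-deletion) can be scripted so they run against policy documents exported from the RAM console. The following is an added example, not code from Alibaba Cloud or the Access Analyzer service. The permission policy is the one shown on this page; the trust policy is a constructed sample that assumes the standard RAM trust-policy shape (an Allow statement for sts:AssumeRole with a Service principal), which the page does not reproduce.

```python
import json

# Permission policy AliyunServiceRolePolicyForAccessAnalyzer, as shown on this page.
PERMISSION_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetBucketPolicy", "oss:GetBucketAcl", "oss:ListBuckets",
                "oss:GetBucketPublicAccessBlock", "oss:GetBucketPolicyStatus",
                "ram:GetPolicy", "ram:GetRole", "ram:ListUsers", "ram:ListRoles",
                "ram:GetLoginProfile", "ram:ListAccessKeys", "ram:ListEntitiesForPolicy",
                "ram:ListUsersForGroup", "ram:GenerateServiceLastAccessedDetails",
                "ram:GetServiceLastAccessedDetails",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": [
                "actiontrail:CreateServiceTrail", "actiontrail:DeleteServiceTrail",
                "actiontrail:GetServiceTrail", "actiontrail:GetServiceTrailDeliveryStatus",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Condition": {"StringEquals": {"ram:ServiceName": "accessanalyzer.aliyuncs.com"}},
        },
    ],
}

# Constructed sample trust policy (assumption: standard RAM service trust-policy shape).
# The page only states that the Service field must contain accessanalyzer.aliyuncs.com.
TRUST_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": ["accessanalyzer.aliyuncs.com"]}}
  ]
}
""")

EXPECTED_SERVICE = "accessanalyzer.aliyuncs.com"
# Verbs the page treats as read-only; anything else changes state.
READ_ONLY_PREFIXES = ("Get", "List", "Generate")


def as_list(value):
    """RAM policies allow a single string or a list in Action/Service fields."""
    return value if isinstance(value, list) else [value]


def trust_policy_allows_service(trust_policy, service=EXPECTED_SERVICE):
    """True if an Allow statement lets `service` assume the role via sts:AssumeRole."""
    for st in trust_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        if service in as_list(principal.get("Service", [])):
            return True
    return False


def audit_permission_policy(policy):
    """Split granted actions into read-only, mutating, and mutating-without-Condition."""
    read_only, mutating, unconditional = [], [], []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        has_condition = bool(st.get("Condition"))
        for action in as_list(st.get("Action", [])):
            verb = action.split(":", 1)[1]
            if verb.startswith(READ_ONLY_PREFIXES):
                read_only.append(action)
            else:
                mutating.append(action)
                if not has_condition:
                    unconditional.append(action)
    return {"read_only": read_only, "mutating": mutating,
            "unconditional_mutating": unconditional}


def delete_is_scoped_to_service(policy, service=EXPECTED_SERVICE):
    """True if ram:DeleteServiceLinkedRole is limited to this service via ram:ServiceName."""
    for st in policy.get("Statement", []):
        if "ram:DeleteServiceLinkedRole" in as_list(st.get("Action", [])):
            cond = st.get("Condition", {}).get("StringEquals", {})
            return cond.get("ram:ServiceName") == service
    return False


if __name__ == "__main__":
    print("trust policy OK:", trust_policy_allows_service(TRUST_POLICY))
    print("delete scoped to service:", delete_is_scoped_to_service(PERMISSION_POLICY))
    print(json.dumps(audit_permission_policy(PERMISSION_POLICY), indent=2))
```

Run against the policy on this page, the audit reports 17 read-only actions, three mutating actions (the two ActionTrail service-trail actions and the role deletion), and only the two ActionTrail actions as mutating without a Condition, which matches the three permission groups described in the Permission policy section. If a later policy version adds an unconditional mutating action, it shows up in unconditional_mutating and is worth a closer look.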
Delete the service-linked role
If you need to delete AliyunServiceRoleForAccessAnalyzer (the service-linked role), you must first ensure that the corresponding service is no longer in use.
Prerequisites
If the scope of the analyzer is the current account, you only need to delete all analyzers (including over-privileged access analyzers and external access analyzers) in the current account.
If the scope of the analyzer is the resource directory, you need to delete the resource directory analyzer, and also delete the service-linked roles that were automatically created in all member accounts of the resource directory.
Procedure
Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
In the role list, search for AliyunServiceRoleForAccessAnalyzer, and then click Delete in the Actions column.
In the dialog box that appears, click OK.
If Access Analyzer is still using the service-linked role, the deletion may fail. Before you delete the service-linked role, make sure that all analyzers are deleted and that the service-linked role is no longer in use.
FAQ
Why is a service-linked role required when creating an analyzer?
Access Analyzer needs to read RAM identity information, permission policies, and ActionTrail audit logs in your account to perform analysis. Through the service-linked role mechanism, you can authorize Access Analyzer to access this data within a controlled permission scope without using your own AccessKey or manually creating a role.
Does deleting the service-linked role affect existing findings?
You must delete all analyzers before deleting the service-linked role. After you delete an analyzer, all findings and remediation advice generated by the analyzer are also removed and cannot be recovered. If you only need to temporarily stop using the analyzer, we recommend that you keep the role and the analyzer instead of deleting them.
Are the permissions of this service-linked role updated automatically?
Yes. AliyunServiceRolePolicyForAccessAnalyzer is a system policy that is updated by Access Analyzer as needed. When Access Analyzer supports analyzing more types of resources, the policy may add corresponding permissions. Permission updates are performed automatically by Alibaba Cloud and do not require manual action.