AliyunServiceRolePolicyForWaf

Updated at:
Copy as MD

AliyunServiceRolePolicyForWaf is the authorization policy dedicated to a service-linked role. The policy is automatically attached to a service role when the service role is created. Then, the service-linked role is authorized to access other cloud services. This policy is updated by the relevant Alibaba Cloud service. Do not attach this policy to a RAM identity other than a service-linked role.

Policy details

  • Type: service system policy

  • Creation time: 10:58:30 on September 17, 2025

  • Update time: 10:04:15 on June 23, 2026

  • Current version: v16

Policy content

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeDisks"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:DescribeServerCertificates",
        "slb:DescribeDomainExtensions",
        "slb:DescribeLoadBalancers",
        "slb:DescribeListenerAccessControlAttribute",
        "slb:DescribeLoadBalancerAttribute",
        "slb:DescribeLoadBalancerHTTPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPSListenerAttribute",
        "slb:DescribeLoadBalancerTCPListenerAttribute",
        "slb:DescribeLoadBalancerUDPListenerAttribute",
        "slb:DescribeTLSCipherPolicies",
        "slb:ListTLSCipherPolicies",
        "slb:DescribeLoadBalancers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "alb:ListLoadBalancers",
        "alb:GetLoadBalancerAttribute",
        "alb:ListListeners",
        "alb:GetListenerAttribute",
        "alb:ListListenerCertificates",
        "alb:DescribeRegions",
        "alb:ListSystemSecurityPolicies",
        "alb:ListSecurityPolicies"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeEipAddresses"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cdn:DescribeUserDomains",
        "cdn:DescribeCdnDomainDetail",
        "cdn:DescribeDomainsBySource",
        "cdn:DescribeUserVipsByDomain"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-cert:DescribeUserCertificateList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:ListProject",
        "log:ListLogStores",
        "log:PostLogStoreLogs",
        "log:GetProject",
        "log:GetLogStore"
      ],
      "Resource": "acs:log:*:*:project/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:EnableService",
        "log:DescribeService"
      ],
      "Resource": "acs:log:*:*:service",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs",
        "log:GetProject",
        "log:GetLogStore",
        "log:CreateLogStore",
        "log:CreateProject",
        "log:GetIndex",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:CreateDashboard",
        "log:ClearLogStoreStorage",
        "log:UpdateLogStore",
        "log:UpdateDashboard",
        "log:DeleteProject",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:DeleteLogStore"
      ],
      "Resource": [
        "acs:log:*:*:project/waf*",
        "acs:log:*:*:project/apisec*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "waf.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "resourcemanager:ListAccounts",
        "resourcemanager:GetAccount",
        "resourcemanager:GetResourceDirectory"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "nlb:ListLoadBalancers",
        "nlb:ListListeners",
        "nlb:GetLoadBalancerAttribute",
        "nlb:ListListenerCertificates",
        "nlb:ListSecurityPolicy",
        "nlb:ListSystemSecurityPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "bss:DescribePrice"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-greenweb:ListServiceConfigs",
        "yundun-greenweb:MultiModalGuard"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "arms:CheckCommercialStatus",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "cms:ListWorkspaces",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeSecret",
        "kms:ListSecretVersionIds",
        "kms:GetSecretValue"
      ],
      "Resource": [
        "acs:kms:*:*:secret/*"
      ],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/waf:access:enable": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListSecrets",
        "kms:Decrypt",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Action": [
        "yundun-ddoscoo:DescribeDomains",
        "yundun-ddoscoo:DescribeWebInstanceRelations"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "eiam:CreateApplication",
        "eiam:SetApplicationSsoConfig",
        "eiam:GetApplicationSsoConfig",
        "eiam:ListRegions",
        "eiam:ListInstances",
        "eiam:ListApplications",
        "eiam:UpdateApplicationAuthorizationType",
        "eiam:AuthorizeApplicationToOrganizationalUnits",
        "eiam:DeleteApplication"
      ],
      "Resource": "*"
    }
  ]
}

References