AliyunServiceRolePolicyForWaf
Updated at:
Copy as MD
AliyunServiceRolePolicyForWaf is the authorization policy dedicated to a service-linked role. The policy is automatically attached to a service role when the service role is created. Then, the service-linked role is authorized to access other cloud services. This policy is updated by the relevant Alibaba Cloud service. Do not attach this policy to a RAM identity other than a service-linked role.
Policy details
Type: service system policy
Creation time: 10:58:30 on September 17, 2025
Update time: 10:04:15 on June 23, 2026
Current version: v16
Policy content
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:AttachNetworkInterface",
"ecs:DetachNetworkInterface",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:CreateNetworkInterfacePermission",
"ecs:DeleteNetworkInterfacePermission",
"ecs:DescribeSecurityGroups",
"ecs:DescribeSecurityGroupAttribute",
"ecs:CreateSecurityGroup",
"ecs:DeleteSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:DescribeDisks"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"slb:DescribeServerCertificates",
"slb:DescribeDomainExtensions",
"slb:DescribeLoadBalancers",
"slb:DescribeListenerAccessControlAttribute",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeLoadBalancerHTTPListenerAttribute",
"slb:DescribeLoadBalancerHTTPSListenerAttribute",
"slb:DescribeLoadBalancerTCPListenerAttribute",
"slb:DescribeLoadBalancerUDPListenerAttribute",
"slb:DescribeTLSCipherPolicies",
"slb:ListTLSCipherPolicies",
"slb:DescribeLoadBalancers"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"alb:ListLoadBalancers",
"alb:GetLoadBalancerAttribute",
"alb:ListListeners",
"alb:GetListenerAttribute",
"alb:ListListenerCertificates",
"alb:DescribeRegions",
"alb:ListSystemSecurityPolicies",
"alb:ListSecurityPolicies"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeEipAddresses"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cdn:DescribeUserDomains",
"cdn:DescribeCdnDomainDetail",
"cdn:DescribeDomainsBySource",
"cdn:DescribeUserVipsByDomain"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-cert:DescribeUserCertificateList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"log:ListProject",
"log:ListLogStores",
"log:PostLogStoreLogs",
"log:GetProject",
"log:GetLogStore"
],
"Resource": "acs:log:*:*:project/*",
"Effect": "Allow"
},
{
"Action": [
"log:EnableService",
"log:DescribeService"
],
"Resource": "acs:log:*:*:service",
"Effect": "Allow"
},
{
"Action": [
"log:PostLogStoreLogs",
"log:GetProject",
"log:GetLogStore",
"log:CreateLogStore",
"log:CreateProject",
"log:GetIndex",
"log:CreateIndex",
"log:UpdateIndex",
"log:CreateDashboard",
"log:ClearLogStoreStorage",
"log:UpdateLogStore",
"log:UpdateDashboard",
"log:DeleteProject",
"log:CreateSavedSearch",
"log:UpdateSavedSearch",
"log:DeleteLogStore"
],
"Resource": [
"acs:log:*:*:project/waf*",
"acs:log:*:*:project/apisec*"
],
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "waf.aliyuncs.com"
}
}
},
{
"Action": [
"resourcemanager:ListAccounts",
"resourcemanager:GetAccount",
"resourcemanager:GetResourceDirectory"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"nlb:ListLoadBalancers",
"nlb:ListListeners",
"nlb:GetLoadBalancerAttribute",
"nlb:ListListenerCertificates",
"nlb:ListSecurityPolicy",
"nlb:ListSystemSecurityPolicy"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"bss:DescribePrice"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-greenweb:ListServiceConfigs",
"yundun-greenweb:MultiModalGuard"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "arms:CheckCommercialStatus",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "cms:ListWorkspaces",
"Resource": "*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeSecret",
"kms:ListSecretVersionIds",
"kms:GetSecretValue"
],
"Resource": [
"acs:kms:*:*:secret/*"
],
"Condition": {
"StringEqualsIgnoreCase": {
"kms:tag/waf:access:enable": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"kms:ListSecrets",
"kms:Decrypt",
"kms:TagResource",
"kms:UntagResource"
],
"Resource": [
"*"
]
},
{
"Action": [
"yundun-ddoscoo:DescribeDomains",
"yundun-ddoscoo:DescribeWebInstanceRelations"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"eiam:CreateApplication",
"eiam:SetApplicationSsoConfig",
"eiam:GetApplicationSsoConfig",
"eiam:ListRegions",
"eiam:ListInstances",
"eiam:ListApplications",
"eiam:UpdateApplicationAuthorizationType",
"eiam:AuthorizeApplicationToOrganizationalUnits",
"eiam:DeleteApplication"
],
"Resource": "*"
}
]
}References
Is this page helpful?