This topic describes how to create a service-linked role for Security Center, view the information about the service-linked role, and delete the service-linked role.
Overview
A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. A service-linked role is used to authorize access across Alibaba Cloud services. The following table lists the service-linked roles that are provided by Security Center.
| Service-linked role | Service identifier | Permission policy |
| --- | --- | --- |
| AliyunServiceRoleForSas | sas.aliyuncs.com | AliyunServiceRolePolicyForSas |
| AliyunServiceRoleForSasCspm | cspm.sas.aliyuncs.com | AliyunServiceRolePolicyForSasCspm |
| AliyunServiceRoleForSasRd | rd.sas.aliyuncs.com | AliyunServiceRolePolicyForSasRd |
For more information, see Service-linked roles.
AliyunServiceRoleForSas
Scenarios
The AliyunServiceRoleForSas service-linked role is suitable for the following scenarios:
You can authorize Security Center to access resources of cloud services such as Container Registry and ApsaraDB RDS to detect security risks in your container assets.
You can authorize Security Center to access resources of cloud services such as Virtual Private Cloud (VPC) and Elastic Compute Service (ECS). You can enable the cloud honeypot feature to deliver attack discovery capabilities and attack source tracing capabilities within and outside the cloud.
You can authorize Security Center to access resources of cloud services such as ECS. You can enable the feature of defense against brute-force attacks to protect your server passwords from being cracked.
You can authorize Security Center to access resources of cloud services such as Log Analysis. You can enable the log analysis feature to deliver log query and analysis capabilities.
You can authorize Security Center to access resources of cloud services such as Cloud Backup and ECS. You can enable the anti-ransomware feature to defend against ransomware and back up your data.
You can authorize Security Center to access resources of cloud services such as Resource Management by using the management account of a resource directory or a delegated administrator account. Then, you can enable the multi-account management feature to manage the security risks of multiple members in a centralized manner.
Create the service-linked role
The first time you use one of the following features and obtain the required permissions, the AliyunServiceRoleForSas service-linked role is automatically created.
| Module | Feature |
| --- | --- |
| Container security | |
| Host security | |
| Detection and response | Log analysis |
| Others | |
View the information about the service-linked role
After the service-linked role is created, you can view the information about the service-linked role. To view the information, find the role on the Roles page of the RAM console and click the name of the role. Then, you can view the following information about the role on the details page of the role:
Basic information
In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Permission policy
On the Permissions tab, you can click the policy name to view the policy document.
Note: You cannot view the permission policy that is attached to a service-linked role on the Policies page of the RAM console. You can view the permission policy only on the role details page.
Trust policy
On the Trust Policy Management tab, you can view the document of the trust policy that is attached to the role. A trust policy describes the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.
For more information about how to view the information about a service-linked role, see View the information about a RAM role.
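As an added example (not code from the Security Center documentation), the following Python script audits a role's trust policy against the service identifiers in the table above: it extracts the Service field that the trust policy section describes and flags any additional trusted service or any non-service principal that could assume the role. The trust policy document layout and the two sample policies are constructed for this example.

```python
import json

# Service identifiers taken from the table on this page: each Security Center
# service-linked role should be assumable only by the listed service.
EXPECTED_TRUSTED_SERVICE = {
    "AliyunServiceRoleForSas": "sas.aliyuncs.com",
    "AliyunServiceRoleForSasCspm": "cspm.sas.aliyuncs.com",
    "AliyunServiceRoleForSasRd": "rd.sas.aliyuncs.com",
}


def trusted_services(trust_policy):
    """Return (service principals, other principals) granted sts:AssumeRole."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    services, other_principals = set(), set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        for kind, values in stmt.get("Principal", {}).items():
            values = [values] if isinstance(values, str) else values
            (services if kind == "Service" else other_principals).update(values)
    return services, other_principals


def audit_role(role_name, trust_policy):
    """Return findings; an empty list means the trust policy matches the table."""
    expected = EXPECTED_TRUSTED_SERVICE[role_name]
    services, others = trusted_services(trust_policy)
    findings = []
    if expected not in services:
        findings.append(f"expected trusted service {expected} missing")
    for svc in sorted(services - {expected}):
        findings.append(f"unexpected trusted service: {svc}")
    for principal in sorted(others):
        findings.append(f"non-service principal can assume the role: {principal}")
    return findings


# Constructed sample trust policies in the RAM document layout (assumed format).
SAMPLE_OK = json.dumps({"Version": "1", "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": ["sas.aliyuncs.com"]}}]})
SAMPLE_DRIFT = json.dumps({"Version": "1", "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": ["sas.aliyuncs.com"],
                   "RAM": ["acs:ram::123456789012****:root"]}}]})

if __name__ == "__main__":
    print(audit_role("AliyunServiceRoleForSas", SAMPLE_OK))
    print(audit_role("AliyunServiceRoleForSas", SAMPLE_DRIFT))
```

Feed the script the policy document copied from the Trust Policy Management tab of the role; a non-empty result means the role can be assumed by something other than the service the table names.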
Delete the service-linked role
If you do not use Security Center for a long period of time or want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.
AliyunServiceRoleForSasCloudSiem
Scenarios
The AliyunServiceRoleForSasCloudSiem service-linked role allows Security Center to access resources of cloud services such as VPC and Cloud Firewall. The threat analysis feature can collect the logs of cloud services that are added to threat analysis for protection, deliver the logs, and handle related events. The feature also allows you to manage alerts in a centralized manner and trace the sources of threats.
Create the service-linked role
The first time you use the threat analysis feature and obtain the required permissions, the AliyunServiceRoleForSasCloudSiem service-linked role is automatically created.
View information about the service-linked role
After the service-linked role is created, you can view the information about the service-linked role. To view the information, find the role on the Roles page of the RAM console and click the name of the role. Then, you can view the following information about the role on the details page of the role:
Basic information
In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Permission policy
On the Permissions tab, you can click the policy name to view the policy document.
Note: You cannot view the permission policy that is attached to a service-linked role on the Policies page of the RAM console. You can view the permission policy only on the role details page.
Trust policy
On the Trust Policy Management tab, you can view the document of the trust policy that is attached to the role. A trust policy describes the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.
For more information about how to view the information about a service-linked role, see View the information about a RAM role.
Delete the service-linked role
If you do not use Security Center for a long period of time or want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.
AliyunServiceRoleForSasCspm
Scenarios
The AliyunServiceRoleForSasCspm service-linked role allows Security Center to access resources of cloud services such as ActionTrail. You can enable the configuration assessment feature to check the configurations of your cloud services.
Create the service-linked role
The first time you use the configuration assessment feature and obtain the required permissions, the AliyunServiceRoleForSasCspm service-linked role is automatically created.
On November 21, 2022 (UTC+8), the policy for the configuration assessment feature was migrated from the AliyunServiceRoleForSas service-linked role to the AliyunServiceRoleForSasCspm service-linked role. To make sure that the configuration assessment feature can work as expected, go to the Cloud Platform Configuration Assessment page and click Determine in the Role Policy Migration Reminder message. Then, click Authorize Immediately to complete the authorization.
View the information about the service-linked role
After the service-linked role is created, you can view the information about the service-linked role. To view the information, find the role on the Roles page of the RAM console and click the name of the role. Then, you can view the following information about the role on the details page of the role:
Basic information
In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Permission policy
On the Permissions tab, you can click the policy name to view the policy document.
Note: You cannot view the permission policy that is attached to a service-linked role on the Policies page of the RAM console. You can view the permission policy only on the role details page.
Trust policy
On the Trust Policy Management tab, you can view the document of the trust policy that is attached to the role. A trust policy describes the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.
For more information about how to view the information about a service-linked role, see View the information about a RAM role.
Delete the service-linked role
If you do not use Security Center for a long period of time or want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.
AliyunServiceRoleForSasRd
Scenarios
The AliyunServiceRoleForSasRd service-linked role allows the delegated administrator accounts of Security Center to log on to the Security Center console as members of the resource directory for which the multi-account management feature is enabled. This way, you can configure security settings for multiple members of an enterprise in a centralized manner and monitor the security status of the members in real time.
Create the service-linked role
After the management account of your resource directory or a delegated administrator account uses the multi-account management feature to add a member of your resource directory to the list of managed accounts, the AliyunServiceRoleForSasRd service-linked role is automatically created for the member.
View the information about the service-linked role
After the service-linked role is created, you can view the information about the service-linked role as a member of your resource directory. To view the information, find the role on the Roles page of the RAM console and click the name of the role. Then, you can view the following information about the role on the details page of the role:
Basic information
In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Permission policy
On the Permissions tab, you can click the policy name to view the policy document.
Note: You cannot view the permission policy that is attached to a service-linked role on the Policies page of the RAM console. You can view the permission policy only on the role details page.
Trust policy
On the Trust Policy Management tab, you can view the document of the trust policy that is attached to the role. A trust policy describes the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.
Delete the service-linked role
If you do not use Security Center for a long period of time or want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role in the RAM console as a member of your resource directory. For more information, see Delete a RAM role.