In specific scenarios, Security Center uses a service-linked role (SLR) to obtain access permissions to other Alibaba Cloud services to support a feature. This topic describes the SLRs that Security Center uses, including their definitions and use cases.
A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Security Center uses SLRs to obtain access permissions to other Alibaba Cloud services or cloud resources.
In most cases, the system automatically creates an SLR when you perform an operation. If the system fails to create an SLR automatically or if Security Center does not support automatic creation, you must manually create the SLR.
Resource Access Management (RAM) provides a system policy for each SLR. You cannot modify this policy. To view the details of the system policy for a specific SLR, go to the role’s details page. For more information, see System policy reference.
Scenarios
The following table describes the SLRs that Security Center provides.
Service-linked role | Service identifier | Scenarios |
AliyunServiceRoleForSas | sas.aliyuncs.com | |
AliyunServiceRoleForSasCloudSiem | cloudsiem.sas.aliyuncs.com | Lets Security Center access resources in Alibaba Cloud services such as VPC and Cloud Firewall. This lets the threat analysis and response feature collect the logs of connected Alibaba Cloud services, deliver logs, and handle related events, which provides capabilities such as centralized alert management and threat source analysis. |
AliyunServiceRoleForSasCspm | cspm.sas.aliyuncs.com | Lets Security Center access resources in Alibaba Cloud services such as ActionTrail. This allows the Cloud Security Posture Management feature to provide cloud platform configuration check capabilities. |
AliyunServiceRoleForSasRd | rd.sas.aliyuncs.com | In a multi-account scenario, this role allows a delegated administrator account of Security Center to access the Security Center console of a member account in a resource directory. This allows the delegated administrator account to centrally configure security protection settings for multiple member accounts of an enterprise and monitor the security risk status of each member account in real time. |
AliyunServiceRoleForSasSecurityLake | security-lake.sas.aliyuncs.com | When you use the threat analysis cold data feature, this role allows the feature to access resources in Object Storage Service (OSS) and Data Lake Formation (DLF). This lets you manage the log data of threat analysis and response, and perform interactive queries and analysis on the data. |
Create a service-linked role
AliyunServiceRoleForSas
The first time you use one of the following features and grant the required permissions, the system automatically creates the AliyunServiceRoleForSas SLR.
Module | Features |
Risk governance | |
Container security | |
Host security | |
Other configurations | |
AliyunServiceRoleForSasCloudSiem
The first time you use the threat analysis and response feature and grant the required permissions, the system automatically creates the AliyunServiceRoleForSasCloudSiem SLR. For more information, see Grant the threat analysis and response feature the permissions to access Alibaba Cloud resources.
AliyunServiceRoleForSasCspm
The first time you use the Cloud Security Posture Management feature and grant the required permissions, the system automatically creates the AliyunServiceRoleForSasCspm SLR.
Starting from November 21, 2022 (UTC+8), the access policy for the Cloud Security Posture Management feature was migrated from the AliyunServiceRoleForSas SLR to the AliyunServiceRoleForSasCspm SLR. To continue using the features provided by Cloud Security Posture Management, go to the Cloud Security Posture Management page. In the Role Policy Migration Reminder dialog box, click OK to confirm the policy migration. Then, click Authorize Now to complete the authorization.
AliyunServiceRoleForSasRd
After a management account or a delegated administrator account uses the multi-account security management feature to add a member account of a resource directory to the monitored account list, the AliyunServiceRoleForSasRd SLR is automatically created under the member account.
AliyunServiceRoleForSasSecurityLake
The first time you use the cold data feature for log management of threat analysis and response and grant the required permissions, the system automatically creates the AliyunServiceRoleForSasSecurityLake SLR.
View a service-linked role
After an SLR is created, you can view the following information about the role on the Roles page of the RAM console:
Basic information
In the Basic Information section of the role details page, view the basic information about the role, including its name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Access policy
On the Permissions tab of the role details page, click the name of the access policy to view the policy document.
Note: You can view the access policy of an SLR only from the role itself. You cannot directly view the policy on the Policies page of the RAM console.
Trust policy
On the Trust Policy tab of the role details page, view the trust policy document. A trust policy describes the trusted entities of a RAM role. A trusted entity is an identity that can assume the RAM role. The trusted entity of an SLR is an Alibaba Cloud service. You can view this in the Service field of the trust policy.
For more information about how to view an SLR, see View a RAM role.
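The Service field check described above is easy to do by hand for one role, but an account that uses several Security Center features ends up with up to five SLRs, and the same check is worth repeating after every authorization change. The following Python script is an added example, not code from the page or from Alibaba Cloud: it takes the trust policy document of each role (in practice the Role.AssumeRolePolicyDocument string returned by the RAM GetRole API, for example via `aliyun ram GetRole --RoleName <name>`) and verifies that the policy trusts exactly the service identifier listed in the table above, reporting missing roles and any additional trusted entity. The policy documents embedded below are constructed samples in the shape of an SLR trust policy, including one deliberately wrong case, and the account ID in them is a placeholder.

```python
"""Audit the trust policies of Security Center service-linked roles (SLRs).

Added example. EXPECTED_TRUSTED_SERVICE is the role-to-service mapping
documented for Security Center; SAMPLE_ROLES are CONSTRUCTED trust policy
documents (not read from a real account) used to exercise the checks.
"""
import json

# Role name -> the Alibaba Cloud service that may assume the role.
EXPECTED_TRUSTED_SERVICE = {
    "AliyunServiceRoleForSas": "sas.aliyuncs.com",
    "AliyunServiceRoleForSasCloudSiem": "cloudsiem.sas.aliyuncs.com",
    "AliyunServiceRoleForSasCspm": "cspm.sas.aliyuncs.com",
    "AliyunServiceRoleForSasRd": "rd.sas.aliyuncs.com",
    "AliyunServiceRoleForSasSecurityLake": "security-lake.sas.aliyuncs.com",
}


def trusted_entities(policy_doc: str) -> set:
    """Collect every principal that an Allow statement for sts:AssumeRole
    trusts. Service principals are returned as-is; any other principal type
    (RAM user, account, federated identity) is prefixed with its type so it
    can never be mistaken for a service identifier."""
    policy = json.loads(policy_doc)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement is allowed as an object
        statements = [statements]
    found = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        for kind, values in stmt.get("Principal", {}).items():
            if isinstance(values, str):
                values = [values]
            for value in values:
                found.add(value if kind == "Service" else f"{kind}:{value}")
    return found


def audit(roles: dict) -> dict:
    """roles maps role name -> trust policy document (JSON string).
    Returns role name -> list of findings; an empty list means the role
    exists and trusts exactly its documented service."""
    report = {}
    for name, expected in EXPECTED_TRUSTED_SERVICE.items():
        if name not in roles:
            report[name] = ["role not present (feature not authorized yet, or SLR deleted)"]
            continue
        actual = trusted_entities(roles[name])
        findings = []
        if expected not in actual:
            findings.append(f"documented trusted service {expected} is missing")
        for extra in sorted(actual - {expected}):
            findings.append(f"unexpected trusted entity {extra}")
        report[name] = findings
    return report


def _slr_policy(*services: str, extra_principal: dict = None) -> str:
    """Build a CONSTRUCTED trust policy document in SLR shape."""
    principal = {"Service": list(services)}
    if extra_principal:
        principal.update(extra_principal)
    return json.dumps({
        "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                       "Principal": principal}],
        "Version": "1",
    })


# Constructed sample account: two correct roles, one role that additionally
# trusts a RAM account principal (placeholder account ID), two roles absent.
SAMPLE_ROLES = {
    "AliyunServiceRoleForSas": _slr_policy("sas.aliyuncs.com"),
    "AliyunServiceRoleForSasCspm": _slr_policy("cspm.sas.aliyuncs.com"),
    "AliyunServiceRoleForSasRd": _slr_policy(
        "rd.sas.aliyuncs.com",
        extra_principal={"RAM": ["acs:ram::123456789012****:root"]}),
}

if __name__ == "__main__":
    for role, findings in audit(SAMPLE_ROLES).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{role}: {status}")
```

A role reported as "not present" is expected when the corresponding feature has never been authorized in the account; it becomes a finding only if the feature is in use, because the page notes that deleting the SLR makes the feature unavailable. Deny statements and statements for other actions are ignored on purpose: the question is who can assume the role, not what else the document says.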
Delete a service-linked role
After an SLR is deleted, the features that depend on the role become unavailable. Proceed with caution.
If you no longer use Security Center for an extended period, or before you deregister your Alibaba Cloud account, you may need to manually delete the SLR in the Resource Access Management (RAM) console. For more information, see Delete a RAM role.
References
For more information about SLRs, see Service-linked roles.