Simple Log Service: System policies for SLS

Last Updated: Oct 09, 2025

What is a system policy?

A policy defines a set of permissions, described using the policy structure and syntax. A policy specifies the authorized resource sets, the authorized operation sets, and the authorization conditions. Alibaba Cloud Resource Access Management (RAM) provides system policies and custom policies. All system policies are created and updated by Alibaba Cloud: you can use them, but you cannot modify them. Custom policies are yours to manage: you can create, update, and delete them based on your business requirements.

During service iteration, SLS adds new permissions to system policies to support new features and capabilities. An update to a system policy affects all RAM identities to which the policy is attached, including RAM users, RAM user groups, and RAM roles. For more information about RAM policies, see Policy overview.

Note

System policies are designed for new users to quickly get started with Alibaba Cloud products on the management console, though they also enable the use of more advanced methods like API operations or CLI commands. If you are familiar with the advanced methods, we recommend that you use custom policies to implement finer-grained control on who is permitted to call what API operations, thereby improving security.

System policies can be classified into service system policies, service role policies, and service-linked role policies. Some cloud services provide only one or two of the three types of policies. For more information, see the policy types that are described in the following section.

Service system policies

AliyunLogFullAccess

The AliyunLogFullAccess policy provides full access to Log Service via the management console. It can be attached to RAM identities.

AliyunLogPutOpenEventPolicy

The AliyunLogPutOpenEventPolicy policy grants the permissions to use the open event functionality. It can be attached to RAM identities.

AliyunLogReadOnlyAccess

The AliyunLogReadOnlyAccess policy provides read-only access to Log Service via the management console. It can be attached to RAM identities.

Service-linked role policies

AliyunServiceRolePolicyForSLSAILens

SLS assumes the AliyunServiceRolePolicyForSLSAILens service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForSLSAILens policy is the dedicated authorization policy of the AliyunServiceRoleForSLSAILens service-linked role. This policy is defined and used by SLS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForSLSAlert

SLS assumes the AliyunServiceRolePolicyForSLSAlert service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForSLSAlert policy is the dedicated authorization policy of the AliyunServiceRoleForSLSAlert service-linked role. This policy is defined and used by SLS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForSLSAudit

SLS assumes the AliyunServiceRolePolicyForSLSAudit service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForSLSAudit policy is the dedicated authorization policy of the AliyunServiceRoleForSLSAudit service-linked role. This policy is defined and used by SLS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForSLSCostManager

SLS assumes the AliyunServiceRolePolicyForSLSCostManager service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForSLSCostManager policy is the dedicated authorization policy of the AliyunServiceRoleForSLSCostManager service-linked role. This policy is defined and used by SLS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForSLSFullObserverbility

SLS assumes the AliyunServiceRolePolicyForSLSFullObserverbility service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForSLSFullObserverbility policy is the dedicated authorization policy of the AliyunServiceRoleForSLSFullObserverbility service-linked role. This policy is defined and used by SLS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForSLSMiddlewareLens

SLS assumes the AliyunServiceRolePolicyForSLSMiddlewareLens service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForSLSMiddlewareLens policy is the dedicated authorization policy of the AliyunServiceRoleForSLSMiddlewareLens service-linked role. This policy is defined and used by SLS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForSLSSecurityLens

SLS assumes the AliyunServiceRolePolicyForSLSSecurityLens service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForSLSSecurityLens policy is the dedicated authorization policy of the AliyunServiceRoleForSLSSecurityLens service-linked role. This policy is defined and used by SLS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForSLSStorageLens

SLS assumes the AliyunServiceRolePolicyForSLSStorageLens service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForSLSStorageLens policy is the dedicated authorization policy of the AliyunServiceRoleForSLSStorageLens service-linked role. This policy is defined and used by SLS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

References

By default, RAM identities do not have any permissions. RAM identities can access cloud resources within an Alibaba Cloud account only after an account administrator grants the required permissions to the RAM identities. To ensure resource security, we recommend that you grant only the required permissions to the RAM identities based on the principle of least privilege. For more information, see the following topics: