To enable Log Service, asset discovery, and transparent proxy mode in Web Application Firewall (WAF), you must create the AliyunServiceRoleForWAF service-linked role. This role is created automatically when you enable any of those features — no manual role configuration is required.
How it works
WAF uses the AliyunServiceRoleForWAF service-linked role to interact with ECS, SLB, ALB, VPC, CDN, Simple Log Service (SLS), and Certificate services on your behalf. The role is created automatically the first time you enable Log Service, asset discovery, or transparent proxy mode in the WAF console.
The role uses a system-managed policy named AliyunServiceRolePolicyForWAF. The policy name and content are fixed and cannot be modified.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeDisks"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:DescribeServerCertificates",
        "slb:DescribeDomainExtensions",
        "slb:DescribeLoadBalancers",
        "slb:DescribeListenerAccessControlAttribute",
        "slb:DescribeLoadBalancerAttribute",
        "slb:DescribeLoadBalancerHTTPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPSListenerAttribute",
        "slb:DescribeLoadBalancerTCPListenerAttribute",
        "slb:DescribeLoadBalancerUDPListenerAttribute",
        "slb:DescribeTLSCipherPolicies",
        "slb:ListTLSCipherPolicies",
        "slb:DescribeLoadBalancers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "alb:ListLoadBalancers",
        "alb:GetLoadBalancerAttribute",
        "alb:ListListeners",
        "alb:GetListenerAttribute",
        "alb:ListListenerCertificates",
        "alb:DescribeRegions",
        "alb:ListSystemSecurityPolicies",
        "alb:ListSecurityPolicies"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeEipAddresses"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cdn:DescribeUserDomains",
        "cdn:DescribeCdnDomainDetail",
        "cdn:DescribeDomainsBySource",
        "cdn:DescribeUserVipsByDomain"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-cert:DescribeUserCertificateList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs",
        "log:GetProject",
        "log:ListProject",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:CreateLogStore",
        "log:CreateProject",
        "log:GetIndex",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:CreateDashboard",
        "log:ClearLogStoreStorage",
        "log:UpdateLogStore",
        "log:UpdateDashboard",
        "log:DeleteProject",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:DeleteLogStore"
      ],
      "Resource": "acs:log:*:*:project/waf*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "waf.aliyuncs.com"
        }
      }
    }
  ]
}
For more information about policy syntax, see Policy elements.
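Because the policy above cannot be edited, the practical question for an account owner is what the role can change, not just what it can read. The following audit helper is an added example, not code from Alibaba Cloud's documentation or tooling: it takes the policy document as parsed by json.loads(), groups the granted actions by service, separates read-only operations from state-changing ones, and flags state-changing actions that are granted on Resource "*" with no Condition attached. The read/write split assumes that an operation named Describe*, Get* or List* is read-only and everything else changes state; the embedded policy is the one printed on this page, written compactly.

```python
import json
from collections import defaultdict

# Added audit helper (not part of Alibaba Cloud's documentation or tooling).
# Assumption: an operation whose name starts with Describe/Get/List is
# read-only; every other operation is treated as state-changing ("write").
READ_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """RAM allows Action and Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return {service: {"read": set, "write": set, "wildcard_writes": set}}
    for every Allow statement in a RAM policy document (a dict from json.loads).
    wildcard_writes holds write actions granted on Resource "*" without a Condition."""
    report = defaultdict(lambda: {"read": set(), "write": set(), "wildcard_writes": set()})
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt["Resource"])
        unconditional = "Condition" not in stmt
        for action in _as_list(stmt["Action"]):
            service, _, operation = action.partition(":")
            kind = "read" if operation.startswith(READ_PREFIXES) else "write"
            report[service][kind].add(action)
            if kind == "write" and unconditional and "*" in resources:
                report[service]["wildcard_writes"].add(action)
    return dict(report)


def _stmt(resource, actions, condition=None):
    """Build one Allow statement from a space-separated action string."""
    stmt = {"Action": actions.split(), "Resource": resource, "Effect": "Allow"}
    if condition:
        stmt["Condition"] = condition
    return stmt


# AliyunServiceRolePolicyForWAF as printed on this page, written compactly
# (the duplicated slb:DescribeLoadBalancers entry is kept as in the original).
POLICY = {"Version": "1", "Statement": [
    _stmt("*", "ecs:DescribeInstances ecs:DescribeNetworkInterfaces ecs:CreateNetworkInterface "
               "ecs:DeleteNetworkInterface ecs:AttachNetworkInterface ecs:DetachNetworkInterface "
               "ecs:DescribeNetworkInterfacePermissions ecs:CreateNetworkInterfacePermission "
               "ecs:DeleteNetworkInterfacePermission ecs:DescribeSecurityGroups "
               "ecs:DescribeSecurityGroupAttribute ecs:CreateSecurityGroup ecs:DeleteSecurityGroup "
               "ecs:AuthorizeSecurityGroup ecs:RevokeSecurityGroup ecs:DescribeDisks"),
    _stmt("*", "slb:DescribeServerCertificates slb:DescribeDomainExtensions slb:DescribeLoadBalancers "
               "slb:DescribeListenerAccessControlAttribute slb:DescribeLoadBalancerAttribute "
               "slb:DescribeLoadBalancerHTTPListenerAttribute slb:DescribeLoadBalancerHTTPSListenerAttribute "
               "slb:DescribeLoadBalancerTCPListenerAttribute slb:DescribeLoadBalancerUDPListenerAttribute "
               "slb:DescribeTLSCipherPolicies slb:ListTLSCipherPolicies slb:DescribeLoadBalancers"),
    _stmt("*", "alb:ListLoadBalancers alb:GetLoadBalancerAttribute alb:ListListeners "
               "alb:GetListenerAttribute alb:ListListenerCertificates alb:DescribeRegions "
               "alb:ListSystemSecurityPolicies alb:ListSecurityPolicies"),
    _stmt("*", "vpc:DescribeEipAddresses"),
    _stmt("*", "cdn:DescribeUserDomains cdn:DescribeCdnDomainDetail cdn:DescribeDomainsBySource "
               "cdn:DescribeUserVipsByDomain"),
    _stmt("*", "yundun-cert:DescribeUserCertificateList"),
    _stmt("acs:log:*:*:project/waf*",
          "log:PostLogStoreLogs log:GetProject log:ListProject log:GetLogStore log:ListLogStores "
          "log:CreateLogStore log:CreateProject log:GetIndex log:CreateIndex log:UpdateIndex "
          "log:CreateDashboard log:ClearLogStoreStorage log:UpdateLogStore log:UpdateDashboard "
          "log:DeleteProject log:CreateSavedSearch log:UpdateSavedSearch log:DeleteLogStore"),
    _stmt("*", "ram:DeleteServiceLinkedRole",
          {"StringEquals": {"ram:ServiceName": "waf.aliyuncs.com"}}),
]}


def print_report(report):
    for service in sorted(report):
        r = report[service]
        print(f"{service:12} read={len(r['read']):2}  write={len(r['write']):2}  "
              f"unconditional writes on '*': {sorted(r['wildcard_writes'])}")


if __name__ == "__main__":
    # Round-trip through JSON text, as with a policy copied from the RAM console.
    print_report(audit_policy(json.loads(json.dumps(POLICY))))
```

Run against this policy, the report shows that every service except ECS and Simple Log Service is read-only, that the Log Service writes are scoped to projects whose names start with waf, that the single RAM write is gated by the ram:ServiceName condition, and that the ten ECS write actions (network interfaces, network interface permissions and security groups) are the only unconditional writes on all resources. Those are the permissions transparent proxy mode needs, and they are the ones to watch in ActionTrail when reviewing activity performed under this role.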
Prerequisites
Before you begin, ensure that you have:
A WAF instance
An Alibaba Cloud account or a RAM user with permissions to create and delete service-linked roles
Create the AliyunServiceRoleForWAF role
The role is created automatically when you enable any of the following features. Choose the feature you plan to use first.
By enabling Log Service
This method requires that your website is already added to WAF and that Log Service is enabled for WAF. For setup instructions, see Add a website to WAF and Get started with Log Service for WAF.
Log on to the WAF console. In the top navigation bar, select the resource group and the region where your WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Security Operations > Log Service.
Click Authorize Now. In the Tips dialog, click OK.
By enabling Asset Discovery
This method is only available when your WAF instance is deployed in the Chinese mainland. If your instance is outside the Chinese mainland, use the Log Service or transparent proxy mode method instead.
Log on to the WAF console. In the top navigation bar, select the resource group and the region where your WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Asset Center > Asset Discovery.
Click Authorized activation. In the Tips dialog, click OK.
By enabling Transparent Proxy Mode
Log on to the WAF console. In the top navigation bar, select the resource group and the region where your WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Asset Center > Website Access.
On the Domain Names tab, click Website Access.
Set Access Mode to Transparent Proxy Mode, then click Authorized activation. In the Tips dialog, click OK.
Alibaba Cloud automatically creates the AliyunServiceRoleForWAF role. To verify, log on to the RAM console and choose Identities > Roles in the left-side navigation pane.
Delete the AliyunServiceRoleForWAF role
The service-linked role can only be deleted after your WAF instance expires and is automatically released.
To delete the role:
Release your WAF instance and wait for it to be automatically released.
Log on to the RAM console and choose Identities > Roles in the left-side navigation pane.
Find AliyunServiceRoleForWAF and click Delete Role in the Actions column.
In the dialog, enter the role name and click Delete Role.
Resource Access Management (RAM) checks whether any WAF instance is still using the role:
If no instance uses the role, the role is deleted.
If an instance is still using the role, the deletion fails. RAM lists the WAF instances that are using the role. Release those instances before retrying.
For general instructions on deleting a RAM role, see Delete a RAM role.
FAQ
Why wasn't AliyunServiceRoleForWAF automatically created for my RAM user?
RAM users need explicit permission to create service-linked roles. Attach the following policy to your RAM user, replacing <account-ID> with your Alibaba Cloud account ID:
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:<account-ID>:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "waf.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
For instructions on attaching a policy to a RAM user, see Grant permissions to a RAM role.
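The value of the Condition block above is that the RAM user can trigger creation of service-linked roles for WAF only, not for arbitrary services. The script below is an added example, not part of Alibaba Cloud's documentation or SDK: it is a deliberately small model of RAM policy evaluation that supports only what this policy uses (Allow/Deny, "*" wildcards in Action and Resource, and the StringEquals operator) and uses it to confirm which requests the policy grants and which it refuses. The account ID 1234567890123456 and the request contexts are constructed placeholders; real RAM evaluation also considers account-level and resource-based policies, which this model leaves out.

```python
import json
from fnmatch import fnmatchcase

# Added example (not part of Alibaba Cloud's documentation or SDK): a minimal
# model of RAM policy evaluation covering only the features used by the FAQ
# policy. Real evaluation also considers account-level and resource policies.
ACCOUNT_ID = "1234567890123456"  # constructed placeholder standing in for <account-ID>

# The FAQ policy, verbatim, with <account-ID> substituted as the FAQ instructs.
RAM_USER_POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": ["ram:CreateServiceLinkedRole"],
      "Resource": "acs:ram:*:<account-ID>:role/*",
      "Effect": "Allow",
      "Condition": {"StringEquals": {"ram:ServiceName": ["waf.aliyuncs.com"]}}
    }
  ],
  "Version": "1"
}
""".replace("<account-ID>", ACCOUNT_ID))


def _as_list(value):
    """RAM allows Action, Resource and condition values to be a string or a list."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only StringEquals is modelled; any other operator is treated as unmet."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Explicit Deny wins; otherwise any matching Allow grants the request.
    '*' in Action/Resource patterns matches any run of characters."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Role ARN for the service-linked role in the placeholder account (RAM role
# ARNs carry an empty region field, which the policy's '*' matches).
ROLE_ARN = f"acs:ram::{ACCOUNT_ID}:role/AliyunServiceRoleForWAF"
OTHER_ACCOUNT_ROLE_ARN = ROLE_ARN.replace(ACCOUNT_ID, "9999999999999999")


def evaluate_cases():
    """Constructed requests: only the first one should be allowed."""
    cases = {
        "create for waf.aliyuncs.com in own account":
            ("ram:CreateServiceLinkedRole", ROLE_ARN, {"ram:ServiceName": "waf.aliyuncs.com"}),
        "create for another service":
            ("ram:CreateServiceLinkedRole", ROLE_ARN, {"ram:ServiceName": "ecs.aliyuncs.com"}),
        "create in another account":
            ("ram:CreateServiceLinkedRole", OTHER_ACCOUNT_ROLE_ARN, {"ram:ServiceName": "waf.aliyuncs.com"}),
        "delete instead of create":
            ("ram:DeleteServiceLinkedRole", ROLE_ARN, {"ram:ServiceName": "waf.aliyuncs.com"}),
    }
    return {name: is_allowed(RAM_USER_POLICY, *req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in evaluate_cases().items():
        print(f"{'ALLOW' if decision else 'DENY ':5}  {name}")
```

If the first case comes back denied after you attach the policy, the usual causes are a wrong account ID in the Resource ARN or a misspelled service name in the condition; the model reproduces both failures, which is why it is worth running before opening a support ticket.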