By default, RAM users cannot query or analyze WAF logs. An Alibaba Cloud account must grant the required permissions before a RAM user can access log data in Web Application Firewall (WAF).
Prerequisites
Before you begin, make sure that you have:
- An Alibaba Cloud account with administrator access
- A RAM user to authorize
- Log Service enabled for WAF (one-time setup performed by the Alibaba Cloud account)
- WAF authorized to write log data to the dedicated Logstore in Log Service (one-time setup performed by the Alibaba Cloud account, a RAM user with AliyunLogFullAccess, or a RAM user with specific permissions)
Choose a permission option
Select the option that matches your access requirements. Each option defines what the RAM user can and cannot do after authorization.
| Option | Permission | What the RAM user can do | What the RAM user cannot do |
|---|---|---|---|
| Full Log Service access | AliyunLogFullAccess | Perform all Log Service operations, including managing other projects and Logstores | None — full access is granted |
| Read-only log access | AliyunLogReadOnlyAccess | View logs in WAF after the Alibaba Cloud account enables Log Service and authorizes WAF | Create indexes, dashboards, or saved searches; manage Log Service resources |
| WAF-only log access (custom policy) | Custom policy | Enable Log Service for WAF, query and analyze logs in the WAF-dedicated Logstore, create dashboards and saved searches within that project | Access other Log Service projects or Logstores; perform Log Service management operations outside the WAF scope |
For AliyunLogFullAccess and AliyunLogReadOnlyAccess, see Grant permissions to the RAM user.
The rest of this topic covers the custom policy option, which grants access only to the WAF-dedicated Log Service resources.
Create and attach a custom policy
Step 1: Create the policy
Log on to the RAM console using your Alibaba Cloud account.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Enter the following policy content and click Next: Edit Basic Information. The policy grants the following permissions:
- Project access (log:GetProject, log:CreateProject): allows WAF to retrieve and initialize the dedicated Log Service project when enabling the feature. log:CreateProject applies to all projects (project/*) because WAF needs account-level access to create the project on first use; all other permissions are scoped to ${Project} only.
- Logstore management (log:ListLogStores, log:CreateLogStore): allows WAF to list and create the dedicated Logstore within ${Project}.
- Index operations (log:GetIndex, log:CreateIndex, log:UpdateIndex): allows the RAM user to create and maintain the index on ${Logstore}, which is required for log query and analysis.
- Dashboard and saved search (log:CreateDashboard, log:UpdateDashboard, log:CreateSavedSearch, log:UpdateSavedSearch): allows the RAM user to build and update dashboards and saved searches within ${Project}.

Important: Replace ${Project} and ${Logstore} with the names of the Log Service project and Logstore dedicated to WAF.

```json
{
  "Version": "1",
  "Statement": [
    { "Action": "log:GetProject", "Resource": "acs:log:*:*:project/${Project}", "Effect": "Allow" },
    { "Action": "log:CreateProject", "Resource": "acs:log:*:*:project/*", "Effect": "Allow" },
    { "Action": "log:ListLogStores", "Resource": "acs:log:*:*:project/${Project}/logstore/*", "Effect": "Allow" },
    { "Action": "log:CreateLogStore", "Resource": "acs:log:*:*:project/${Project}/logstore/*", "Effect": "Allow" },
    { "Action": "log:GetIndex", "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}", "Effect": "Allow" },
    { "Action": "log:CreateIndex", "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}", "Effect": "Allow" },
    { "Action": "log:UpdateIndex", "Resource": "acs:log:*:*:project/${Project}/logstore/${Logstore}", "Effect": "Allow" },
    { "Action": "log:CreateDashboard", "Resource": "acs:log:*:*:project/${Project}/dashboard/*", "Effect": "Allow" },
    { "Action": "log:UpdateDashboard", "Resource": "acs:log:*:*:project/${Project}/dashboard/*", "Effect": "Allow" },
    { "Action": "log:CreateSavedSearch", "Resource": "acs:log:*:*:project/${Project}/savedsearch/*", "Effect": "Allow" },
    { "Action": "log:UpdateSavedSearch", "Resource": "acs:log:*:*:project/${Project}/savedsearch/*", "Effect": "Allow" }
  ]
}
```

Specify the Name and Description fields.
Click OK.
Step 2: Attach the policy to the RAM user
In the left-side navigation pane, choose Identities > Users.
Find the RAM user to authorize and click Add Permissions in the Actions column.
In the Add Permissions panel, select the custom policy you created and click OK.
Result
After authorization, the RAM user can enable Log Service for WAF and query or analyze logs in the WAF-dedicated Logstore. The RAM user cannot access other Log Service projects or Logstores, or perform Log Service management operations outside the WAF scope.