RAM authorization - Web Application Firewall - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by Web Application Firewall for RAM permission policies. The RAM code (RamCode) for Web Application Firewall is yundun-waf , and the supported authorization granularity is RESOURCE .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by Web Application Firewall. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
yundun-waf:InitializeWafOperationRole	InitializeWafOperationRole	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DeleteHybridCloudGroup	DeleteHybridCloudGroup	delete	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreateDefenseResourceGroup	CreateDefenseResourceGroup	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyDefenseTemplate	ModifyDefenseTemplate	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeUserEventTrend	DescribeUserEventTrend	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeSlsLogStore	DescribeSlsLogStore	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeSensitiveOutboundStatistic	DescribeSensitiveOutboundStatistic	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreateHybridCloudGroup	CreateHybridCloudGroup	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeCerts	DescribeCerts	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeTemplateResources	DescribeTemplateResources	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ListTagResources	ListTagResources	get	All Resource ``	None	None
yundun-waf:DescribeHybridCloudServerRegions	DescribeHybridCloudServerRegions	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeCustomBaseRuleCompileResult	DescribeCustomBaseRuleCompileResult	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeChargeModule	DescribeChargeModule	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecProtectionResources	DescribeApisecProtectionResources	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeFreeUserAssetCount	DescribeFreeUserAssetCount	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeUserAbnormalTrend	DescribeUserAbnormalTrend	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyCloudResourceCert	ModifyCloudResourceCert	none	All Resource ``	None	None
yundun-waf:ModifyTemplateResources	ModifyTemplateResources	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeSlsAuthStatus	DescribeSlsAuthStatus	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeHybridCloudUnassignedMachines	DescribeHybridCloudUnassignedMachines	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefenseTemplate	DescribeDefenseTemplate	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefenseTemplateValidResources	DescribeDefenseTemplateValidResources	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeMemberAccounts	DescribeMemberAccounts	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDomains	DescribeDomains	get	All Resource ``	None	None
yundun-waf:DescribeDefenseRule	DescribeDefenseRule	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribePauseProtectionStatus	DescribePauseProtectionStatus	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DeleteDefenseRule	DeleteDefenseRule	delete	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeSensitiveApiStatistic	DescribeSensitiveApiStatistic	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyResourceLogStatus	ModifyResourceLogStatus	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreateDefenseRule	CreateDefenseRule	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DeleteDefenseResource	DeleteDefenseResource	delete	*DefenseResource `acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/{#Resource}`	None	None
yundun-waf:DescribeSecurityEventLogs	DescribeSecurityEventLogs	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DeleteCloudResource	DeleteCloudResource	delete	*DefenseResource `acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/{#Resource}`	None	None
yundun-waf:DescribeFreeUserEventTypes	DescribeFreeUserEventTypes	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeVisitUas	DescribeVisitUas	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DeleteDefenseRuleBlockIp	DeleteDefenseRuleBlockIp	delete	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyDomain	ModifyDomain	update	All Resource ``	None	None
yundun-waf:ModifyUserWafLogStatus	ModifyUserWafLogStatus	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeCloudResources	DescribeCloudResources	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreatePostpaidInstance	CreatePostpaidInstance	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeUserWafLogStatus	DescribeUserWafLogStatus	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyDefenseSceneConfig	ModifyDefenseSceneConfig	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreateCloudResource	CreateCloudResource	create	All Resource ``	None	None
yundun-waf:CreateHybridCloudClusterRule	CreateHybridCloudClusterRule	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyHybridCloudGroup	ModifyHybridCloudGroup	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefenseResourceGroupNames	DescribeDefenseResourceGroupNames	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ChangeResourceGroup	ChangeResourceGroup	update	*DefenseResource `acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/{#Resource}`	None	None
yundun-waf:DescribeHybridCloudClusters	DescribeHybridCloudClusters	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyHybridCloudClusterBypassStatus	ModifyHybridCloudClusterBypassStatus	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeHybridCloudBasicMonitor	DescribeHybridCloudBasicMonitor	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyPauseProtectionStatus	ModifyPauseProtectionStatus	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecSensitiveDomainStatistic	DescribeApisecSensitiveDomainStatistic	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDDoSStatus	DescribeDDoSStatus	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeResourceRegionId	DescribeResourceRegionId	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeResourcePort	DescribeResourcePort	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeHybridCloudProcessMonitor	DescribeHybridCloudProcessMonitor	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecStatistics	DescribeApisecStatistics	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DeleteLogDeliveryConfig	DeleteLogDeliveryConfig	delete	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeRuleHitsTopTuleType	DescribeRuleHitsTopTuleType	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreateHybridCloudCluster	CreateHybridCloudCluster	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ListTagKeys	ListTagKeys	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DeleteMajorProtectionBlackIp	DeleteMajorProtectionBlackIp	delete	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyApisecEvents	ModifyApisecEvents	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApiExports	DescribeApiExports	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreateDefenseResource	CreateDefenseResource	create	All Resource ``	None	None
yundun-waf:DescribeLogDeliveryConfig	DescribeLogDeliveryConfig	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeCloudResourceAccessPortDetails	DescribeCloudResourceAccessPortDetails	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecEvents	DescribeApisecEvents	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeTemplateResourceCount	DescribeTemplateResourceCount	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeHybridCloudGroups	DescribeHybridCloudGroups	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeCnameCount	DescribeCnameCount	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeSensitiveStatistic	DescribeSensitiveStatistic	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeWafSourceIpSegment	DescribeWafSourceIpSegment	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyDefenseResourceGroup	ModifyDefenseResourceGroup	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecSlsProjects	DescribeApisecSlsProjects	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:VerifyDomainOwner	VerifyDomainOwner	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyUserLogFieldConfig	ModifyUserLogFieldConfig	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeResourceLogDeliveryStatus	DescribeResourceLogDeliveryStatus	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeFlowTopUrl	DescribeFlowTopUrl	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeResponseCodeTrendGraph	DescribeResponseCodeTrendGraph	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DeleteDefenseTemplate	DeleteDefenseTemplate	delete	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribePocFunctions	DescribePocFunctions	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeUserAsset	DescribeUserAsset	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyResourceLogFieldConfig	ModifyResourceLogFieldConfig	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecLogDeliveries	DescribeApisecLogDeliveries	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyDomainCert	ModifyDomainCert	none	All Resource ``	None	None
yundun-waf:ModifyApisecStatus	ModifyApisecStatus	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyApisecLogDeliveryStatus	ModifyApisecLogDeliveryStatus	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeCloudResourceAccessedPorts	DescribeCloudResourceAccessedPorts	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefenseResourceOwnerUid	DescribeDefenseResourceOwnerUid	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyApisecLogDelivery	ModifyApisecLogDelivery	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeUserApiRequest	DescribeUserApiRequest	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefenseResource	DescribeDefenseResource	get	*DefenseResource `acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/{#Resource}`	None	None
yundun-waf:CreateLogDeliveryConfig	CreateLogDeliveryConfig	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeSensitiveOutboundDistribution	DescribeSensitiveOutboundDistribution	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefenseRules	DescribeDefenseRules	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeHybridCloudUnsupportPorts	DescribeHybridCloudUnsupportPorts	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeRuleHitsTopResource	DescribeRuleHitsTopResource	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDomainDNSRecord	DescribeDomainDNSRecord	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecSuggestions	DescribeApisecSuggestions	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeSensitiveOutboundTrend	DescribeSensitiveOutboundTrend	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDomainUsedPorts	DescribeDomainUsedPorts	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeIpAbroadCountryInfos	DescribeIpAbroadCountryInfos	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeUserSlsLogRegions	DescribeUserSlsLogRegions	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyHybridCloudSdkPullinStatus	ModifyHybridCloudSdkPullinStatus	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyDefenseResourceXff	ModifyDefenseResourceXff	update	*DefenseResource `acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/{#Resource}`	None	None
yundun-waf:DescribeVerifyContent	DescribeVerifyContent	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeHybridCloudClusterRule	DescribeHybridCloudClusterRule	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribePeakTrend	DescribePeakTrend	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreateDomain	CreateDomain	create	All Resource ``	None	None
yundun-waf:ModifyMajorProtectionBlackIp	ModifyMajorProtectionBlackIp	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecProtectionGroups	DescribeApisecProtectionGroups	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeHybridCloudResources	DescribeHybridCloudResources	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeAbnormalCloudResources	DescribeAbnormalCloudResources	none	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeFlowTopResource	DescribeFlowTopResource	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecEventDetail	DescribeApisecEventDetail	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecAbnormalDomainStatistic	DescribeApisecAbnormalDomainStatistic	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyHybridCloudGroupExpansionServer	ModifyHybridCloudGroupExpansionServer	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ListTagValues	ListTagValues	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyDomainPunishStatus	ModifyDomainPunishStatus	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeRuleHitsTopUrl	DescribeRuleHitsTopUrl	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:SyncProductInstance	SyncProductInstance	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreateMajorProtectionBlackIp	CreateMajorProtectionBlackIp	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DeleteApisecAbnormals	DeleteApisecAbnormals	delete	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefenseTemplateValidGroups	DescribeDefenseTemplateValidGroups	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeNetworkFlowTimeSeriesMetric	DescribeNetworkFlowTimeSeriesMetric	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeFlowChart	DescribeFlowChart	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyApisecModuleStatus	ModifyApisecModuleStatus	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeBaseSystemRules	DescribeBaseSystemRules	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefenseResourceGroups	DescribeDefenseResourceGroups	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyHybridCloudCluster	ModifyHybridCloudCluster	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeHybridCloudUser	DescribeHybridCloudUser	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DeleteDomain	DeleteDomain	delete	All Resource ``	None	None
yundun-waf:ModifyHybridCloudClusterRule	ModifyHybridCloudClusterRule	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyMemberAccount	ModifyMemberAccount	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ClearMajorProtectionBlackIp	ClearMajorProtectionBlackIp	delete	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyApisecApiResource	ModifyApisecApiResource	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyCloudResource	ModifyCloudResource	update	*DefenseResource `acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/{#Resource}`	None	None
yundun-waf:DescribeDefenseTemplates	DescribeDefenseTemplates	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefenseResources	DescribeDefenseResources	list	All Resource ``	None	None
yundun-waf:ModifyDefenseRuleCache	ModifyDefenseRuleCache	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeFreeUserEvents	DescribeFreeUserEvents	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ReCreateCloudResource	ReCreateCloudResource	none	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeHybridCloudClusterRules	DescribeHybridCloudClusterRules	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeCommonLogFields	DescribeCommonLogFields	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyHybridCloudGroupShrinkServer	ModifyHybridCloudGroupShrinkServer	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyDefaultHttps	ModifyDefaultHttps	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeLogDeliveryConfigs	DescribeLogDeliveryConfigs	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeSensitiveRequestLog	DescribeSensitiveRequestLog	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefenseGroupValidResources	DescribeDefenseGroupValidResources	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreateApiExport	CreateApiExport	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeResourceInstanceCerts	DescribeResourceInstanceCerts	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeChargeResult	DescribeChargeResult	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyLogDeliveryConfig	ModifyLogDeliveryConfig	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyHybridCloudServer	ModifyHybridCloudServer	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribePunishedDomains	DescribePunishedDomains	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeNetworkFlowTopNMetric	DescribeNetworkFlowTopNMetric	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecUserOperations	DescribeApisecUserOperations	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecAssetTrend	DescribeApisecAssetTrend	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeRuleHitsTopRuleId	DescribeRuleHitsTopRuleId	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeHybridCloudResourceDetail	DescribeHybridCloudResourceDetail	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DeleteMemberAccount	DeleteMemberAccount	delete	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyResourceLogDeliveryStatus	ModifyResourceLogDeliveryStatus	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeAccountDelegatedStatus	DescribeAccountDelegatedStatus	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DeleteHybridCloudClusterRule	DeleteHybridCloudClusterRule	delete	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeSecurityEventTimeSeriesMetric	DescribeSecurityEventTimeSeriesMetric	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeResourceSupportRegions	DescribeResourceSupportRegions	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefenseResourceNames	DescribeDefenseResourceNames	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:UntagResources	UntagResources	delete	*DefenseResource `acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/{#Resource}`	None	None
yundun-waf:TagResources	TagResources	create	*DefenseResource `acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/{#Resource}`	None	None
yundun-waf:DescribeDefenseResourceGroup	DescribeDefenseResourceGroup	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeUserLogFieldConfig	DescribeUserLogFieldConfig	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeRuleHitsTopClientIp	DescribeRuleHitsTopClientIp	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeResourceLogStatus	DescribeResourceLogStatus	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeRuleHitsTopUa	DescribeRuleHitsTopUa	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DeleteDefenseResourceGroup	DeleteDefenseResourceGroup	delete	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeHybridCloudSdkServers	DescribeHybridCloudSdkServers	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecAbnormals	DescribeApisecAbnormals	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefaultHttps	DescribeDefaultHttps	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DeleteApisecEvents	DeleteApisecEvents	delete	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeVisitTopIp	DescribeVisitTopIp	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeInstance	DescribeInstance	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ReleaseInstance	ReleaseInstance	delete	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeMajorProtectionBlackIps	DescribeMajorProtectionBlackIps	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecSlsLogStores	DescribeApisecSlsLogStores	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeRuleGroups	DescribeRuleGroups	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreatePocFunction	CreatePocFunction	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeHybridCloudProtectableCount	DescribeHybridCloudProtectableCount	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeSlsLogStoreStatus	DescribeSlsLogStoreStatus	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeSensitiveDetectionResult	DescribeSensitiveDetectionResult	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeHybridCloudClusterServers	DescribeHybridCloudClusterServers	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDomainDetail	DescribeDomainDetail	get	All Resource ``	None	None
yundun-waf:ModifyDefenseRuleStatus	ModifyDefenseRuleStatus	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefenseResourceTemplates	DescribeDefenseResourceTemplates	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeSecurityEventTopNMetric	DescribeSecurityEventTopNMetric	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeRoleAuthStatus	DescribeRoleAuthStatus	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefenseRuleStatistics	DescribeDefenseRuleStatistics	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeDefenseSceneConfig	DescribeDefenseSceneConfig	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyApisecAbnormals	ModifyApisecAbnormals	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeHybridCloudSupportRegions	DescribeHybridCloudSupportRegions	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyDefenseRule	ModifyDefenseRule	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreateDefenseTemplate	CreateDefenseTemplate	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeSensitiveRequests	DescribeSensitiveRequests	list	All Resource ``	acs:ResourceGroupId	None
yundun-waf:ModifyDefenseTemplateStatus	ModifyDefenseTemplateStatus	update	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreateMemberAccounts	CreateMemberAccounts	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeProductInstances	DescribeProductInstances	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeResourceLogFieldConfig	DescribeResourceLogFieldConfig	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreateSM2Cert	CreateSM2Cert	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CopyDefenseTemplate	CopyDefenseTemplate	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecEventDomainStatistic	DescribeApisecEventDomainStatistic	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeUserAbnormalType	DescribeUserAbnormalType	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:CreateCerts	CreateCerts	create	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecRules	DescribeApisecRules	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecApiResources	DescribeApisecApiResources	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeFreeUserEventCount	DescribeFreeUserEventCount	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeApisecMatchedHosts	DescribeApisecMatchedHosts	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeCertDetail	DescribeCertDetail	get	All Resource ``	acs:ResourceGroupId	None
yundun-waf:DescribeUserEventType	DescribeUserEventType	get	All Resource ``	acs:ResourceGroupId	None

Resource

The following table lists the resources defined by Web Application Firewall. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type	ARN
DefenseResource	acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/{#Resource}

Condition

The following table lists the product-level condition keys defined by Web Application Firewall. You can also use Alibaba Cloud's Common condition keys. Specify these keys in the Condition element of RAM policy statements to define granular authorization rules. In the condition key, specify the condition values in the Condition_value element of the policy.

Each condition key has a specific data type, such as string, number, Boolean, or IP address. The data type determines which conditional operators can be used to compare the request values against policy values. You must specify the conditional operators compatible with the data type of the condition key. Mismatched operators will invalidate the policy. See Condition operator for valid combinations.

Condition key	Description	Data type
acs:ResourceGroupId	资源组ID	String

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: