Web Application Firewall: Web Application Firewall 3.0 Custom Policies

Last Updated:Nov 07, 2024

If the system policies do not meet your requirements, you can create custom policies that grant only the permissions a principal actually needs, which is the least-privilege model. Custom policies give you fine-grained control over which resources a principal can access. This topic describes the scenarios in which custom policies are used with Web Application Firewall (WAF) 3.0 and provides example policies.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. System policies are predefined by Alibaba Cloud and cannot be modified; you create and manage custom policies to fit your business requirements.

  • A custom policy takes effect only after you attach it to a RAM user, RAM user group, or RAM role. The principal then receives exactly the permissions that the policy specifies.

  • You can delete a custom policy only if it is not attached to any principal. If the policy is attached, detach it from every principal first and then delete it.

  • Custom policies support version control. You can create, switch between, and delete policy versions by using the version management mechanism that RAM provides.

Note

The service-linked role AliyunServiceRoleForWaf, which the system creates for WAF, allows WAF to access other cloud services on your behalf. The role has the default permissions defined in the system policy AliyunServiceRolePolicyForWaf. For more information, see Service-linked roles.

Policy that allows WAF to access NLB

Each of the policies in this topic is a complete RAM policy document: Version "1" with a single Allow statement. To grant WAF access to several products with one custom policy, put the individual statements into one Statement array. All actions in this policy are read-only (List and Get).

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "nlb:ListLoadBalancers",
                    "nlb:ListListeners",
                    "nlb:GetLoadBalancerAttribute",
                    "nlb:ListListenerCertificates",
                    "nlb:ListSecurityPolicy",
                    "nlb:ListSystemSecurityPolicy"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

Policy that allows WAF to access ALB

All actions in this policy are read-only (List, Get, and Describe).

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "alb:ListLoadBalancers",
                    "alb:GetLoadBalancerAttribute",
                    "alb:ListListeners",
                    "alb:GetListenerAttribute",
                    "alb:ListListenerCertificates",
                    "alb:DescribeRegions",
                    "alb:ListSystemSecurityPolicies",
                    "alb:ListSecurityPolicies"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

Policy that allows WAF to access CLB

CLB actions use the slb prefix. All actions in this policy are read-only (Describe and List).

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "slb:DescribeServerCertificates",
                    "slb:DescribeDomainExtensions",
                    "slb:DescribeLoadBalancers",
                    "slb:DescribeListenerAccessControlAttribute",
                    "slb:DescribeLoadBalancerAttribute",
                    "slb:DescribeLoadBalancerHTTPListenerAttribute",
                    "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                    "slb:DescribeLoadBalancerTCPListenerAttribute",
                    "slb:DescribeLoadBalancerUDPListenerAttribute",
                    "slb:DescribeTLSCipherPolicies",
                    "slb:ListTLSCipherPolicies"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

Policy that allows WAF to access ECS

Unlike the three load balancer policies, this policy is not read-only: it allows WAF to create, delete, attach, and detach elastic network interfaces (ENIs), manage ENI permissions, and create, delete, and modify security groups, on all ECS resources in the account ("Resource": "*"). Attach it only to principals that need these permissions, and review the action list before granting it.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:CreateNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:AttachNetworkInterface",
                    "ecs:DetachNetworkInterface",
                    "ecs:DescribeNetworkInterfacePermissions",
                    "ecs:CreateNetworkInterfacePermission",
                    "ecs:DeleteNetworkInterfacePermission",
                    "ecs:DescribeSecurityGroups",
                    "ecs:DescribeSecurityGroupAttribute",
                    "ecs:CreateSecurityGroup",
                    "ecs:DeleteSecurityGroup",
                    "ecs:AuthorizeSecurityGroup",
                    "ecs:RevokeSecurityGroup",
                    "ecs:DescribeDisks"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
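The following script is an added example and is not code from the Alibaba Cloud documentation or from WAF itself. It takes the four per-product action lists shown above, wraps each in a complete policy document, merges them into one custom policy, validates the document structure, and lists every action that can change state, so you can see exactly what you are about to grant before attaching the policy. The policy document shape (Version "1", a Statement list with Effect, Action, and Resource) is the RAM format; the rule that only Describe, List, and Get actions are read-only is this example's own assumption.

```python
"""
Assemble and sanity-check RAM custom policy documents for WAF 3.0.

Added example, not Alibaba Cloud's own code or tooling. The action lists are
copied from the page (the CLB list had one duplicate entry, removed here).
The policy document shape matches RAM; the read-only verb list is an
assumption of this example.
"""
import json
import re

NLB_ACTIONS = [
    "nlb:ListLoadBalancers", "nlb:ListListeners", "nlb:GetLoadBalancerAttribute",
    "nlb:ListListenerCertificates", "nlb:ListSecurityPolicy", "nlb:ListSystemSecurityPolicy",
]
ALB_ACTIONS = [
    "alb:ListLoadBalancers", "alb:GetLoadBalancerAttribute", "alb:ListListeners",
    "alb:GetListenerAttribute", "alb:ListListenerCertificates", "alb:DescribeRegions",
    "alb:ListSystemSecurityPolicies", "alb:ListSecurityPolicies",
]
CLB_ACTIONS = [
    "slb:DescribeServerCertificates", "slb:DescribeDomainExtensions", "slb:DescribeLoadBalancers",
    "slb:DescribeListenerAccessControlAttribute", "slb:DescribeLoadBalancerAttribute",
    "slb:DescribeLoadBalancerHTTPListenerAttribute", "slb:DescribeLoadBalancerHTTPSListenerAttribute",
    "slb:DescribeLoadBalancerTCPListenerAttribute", "slb:DescribeLoadBalancerUDPListenerAttribute",
    "slb:DescribeTLSCipherPolicies", "slb:ListTLSCipherPolicies",
]
ECS_ACTIONS = [
    "ecs:DescribeInstances", "ecs:DescribeNetworkInterfaces", "ecs:CreateNetworkInterface",
    "ecs:DeleteNetworkInterface", "ecs:AttachNetworkInterface", "ecs:DetachNetworkInterface",
    "ecs:DescribeNetworkInterfacePermissions", "ecs:CreateNetworkInterfacePermission",
    "ecs:DeleteNetworkInterfacePermission", "ecs:DescribeSecurityGroups",
    "ecs:DescribeSecurityGroupAttribute", "ecs:CreateSecurityGroup", "ecs:DeleteSecurityGroup",
    "ecs:AuthorizeSecurityGroup", "ecs:RevokeSecurityGroup", "ecs:DescribeDisks",
]

# Assumption: an action whose verb starts with one of these only reads state.
READ_ONLY_VERBS = ("Describe", "List", "Get")
# "*" alone, or "<service>:<Operation>" where the operation may contain a wildcard.
ACTION_RE = re.compile(r"\*|[a-z0-9-]+:[A-Za-z0-9*]+")


def build_policy(actions, resource="*"):
    """Wrap an action list in a complete single-statement Allow policy document."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(set(actions)), "Resource": resource}
        ],
    }


def merge_policies(policies):
    """Combine several policy documents into one by concatenating their statements."""
    return {"Version": "1", "Statement": [s for p in policies for s in p["Statement"]]}


def _actions_of(statement):
    """Action may be a single string or a list; always return a list."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def validate_policy(doc):
    """Return a list of structural problems; an empty list means the document is well-formed."""
    problems = []
    if doc.get("Version") != "1":
        problems.append("Version must be the string '1'")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, s in enumerate(statements):
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        actions = _actions_of(s)
        if not actions:
            problems.append(f"statement {i}: Action is missing")
        for a in actions:
            if not ACTION_RE.fullmatch(a):
                problems.append(f"statement {i}: malformed action {a!r}")
        if "Resource" not in s:
            problems.append(f"statement {i}: Resource is missing")
    return problems


def mutating_actions(doc):
    """Actions that can change state: anything not Describe/List/Get, plus wildcard verbs."""
    found = []
    for s in doc["Statement"]:
        for a in _actions_of(s):
            verb = a.split(":", 1)[1] if ":" in a else "*"
            if verb == "*" or not verb.startswith(READ_ONLY_VERBS):
                found.append(a)
    return found


if __name__ == "__main__":
    combined = merge_policies(
        [build_policy(a) for a in (NLB_ACTIONS, ALB_ACTIONS, CLB_ACTIONS, ECS_ACTIONS)]
    )
    print(json.dumps(combined, indent=2))
    print("problems:", validate_policy(combined))
    print("mutating actions:", mutating_actions(combined))
```

Running the script prints the merged policy document, which you can paste into the RAM console as the policy content, followed by an empty problem list and the ten ECS actions that are not read-only. The NLB, ALB, and CLB policies produce no mutating actions; every one of them comes from the ECS statement, which is the part of the combined policy that deserves the closest review.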
