Web Application Firewall 3.0 Custom Policies

Updated at:
Copy as MD

When system policies don't meet your authorization requirements, create custom RAM policies to grant WAF the minimum permissions it needs to access underlying services.

This topic provides the policy JSON for each service that WAF 3.0 accesses: Network Load Balancer (NLB), Application Load Balancer (ALB), Classic Load Balancer (CLB), and Elastic Compute Service (ECS).

What is a custom policy?

Resource Access Management (RAM) classifies policies into two types: system policies and custom policies. Custom policies are managed by you and can be tailored to your specific authorization requirements.

Key rules for custom policies:

  • After creating a custom policy, attach it to a RAM user, RAM user group, or RAM role to grant the specified permissions to that principal.

  • To delete a custom policy that is not attached to any principal, delete it directly.

  • To delete a custom policy that is attached to a principal, detach it from the principal first, then delete it.

  • Custom policies support version control. Manage policy versions using the version management mechanism in RAM.

The WAF service-linked role AliyunServiceRoleForWaf is created by the system and allows WAF to access cloud products. This role has default permissions granted by the system policy AliyunServiceRolePolicyForWaf. For more information, see Service-linked roles.

Policy that allows WAF to access NLB

WAF requires the following NLB permissions to list load balancers, retrieve listener configurations, and read security policies.

{
    "Action": [
        "nlb:ListLoadBalancers",
        "nlb:ListListeners",
        "nlb:GetLoadBalancerAttribute",
        "nlb:ListListenerCertificates",
        "nlb:ListSecurityPolicy",
        "nlb:ListSystemSecurityPolicy"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Policy that allows WAF to access ALB

WAF requires the following ALB permissions to list load balancers, read listener and certificate details, query available regions, and read security policies.

{
    "Action": [
        "alb:ListLoadBalancers",
        "alb:GetLoadBalancerAttribute",
        "alb:ListListeners",
        "alb:GetListenerAttribute",
        "alb:ListListenerCertificates",
        "alb:DescribeRegions",
        "alb:ListSystemSecurityPolicies",
        "alb:ListSecurityPolicies"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Policy that allows WAF to access CLB

WAF requires the following CLB permissions to list load balancers, read listener attributes across supported protocols, retrieve server certificates, and read TLS security policies.

{
    "Action": [
        "slb:DescribeServerCertificates",
        "slb:DescribeDomainExtensions",
        "slb:DescribeLoadBalancers",
        "slb:DescribeListenerAccessControlAttribute",
        "slb:DescribeLoadBalancerAttribute",
        "slb:DescribeLoadBalancerHTTPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPSListenerAttribute",
        "slb:DescribeLoadBalancerTCPListenerAttribute",
        "slb:DescribeLoadBalancerUDPListenerAttribute",
        "slb:DescribeTLSCipherPolicies",
        "slb:ListTLSCipherPolicies",
        "slb:DescribeLoadBalancers"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Policy that allows WAF to access ECS

WAF requires the following ECS permissions to describe instances and disks, manage elastic network interfaces (ENIs) and their permissions, and create and manage security groups.

{
    "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeDisks"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

References

For managing custom policies:

For granting permissions to RAM identities: