配置审计服务关联角色(AliyunServiceRoleForConfig)是在某些场景下,为了完成配置审计的某个功能,需要获取其他云服务的访问权限而提供的RAM角色。

说明 更多关于服务关联角色的信息,请参见服务关联角色

应用场景

  • 当配置审计调用各云服务的API查询接口,获取云资源的配置信息时,需要通过服务关联角色获取云资源配置信息的读取权限。
  • 当您设置对象存储OSS的存储空间(Bucket)用于接收资源快照时,配置审计需向您指定的存储空间写入快照文件,需要通过服务关联角色获取存储空间的写入权限。
  • 当您设置日志服务SLS的日志库(Logstore)用于接收资源日志时,配置审计需向您指定的日志库写入日志文件,需要通过服务关联角色获取日志库的写入权限。
  • 当您设置消息服务MNS的主题用于接收资源事件时,配置审计需向您指定的主题写入资源事件,需要通过服务关联角色获取主题的写入权限。

角色说明

配置审计服务关联角色的详细信息如下:
  • 角色名称:AliyunServiceRoleForConfig。
  • 角色权限策略名称:AliyunServiceRolePolicyForConfig。
  • 角色权限策略说明:授予配置审计服务读取云资源配置信息的权限,以及资源快照写入对象存储OSS存储空间、资源日志写入日志服务SLS日志库和资源事件写入消息服务MNS的权限。
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "arms:GetPrometheusApiToken"
          ],
          "Resource": "*"
        },
        {
          "Action": [
            "alikafka:List*",
            "alikafka:Get*",
            "cr:List*",
            "cr:GetInstance",
            "cr:GetNamespace",
            "cr:GetRepository",
            "oceanbase:Describe*",
            "oceanbase:List*",
            "bpstudio:Get*",
            "bpstudio:List*",
            "opensearch:List*",
            "opensearch:Describe*",
            "smartag:Describe*",
            "smartag:List*",
            "smartag:Get*",
            "alb:List*",
            "alb:Get*",
            "emr:List*",
            "emr:Describe*",
            "iot:List*",
            "iot:Get*",
            "iot:Query*",
            "eventbridge:Get*",
            "eventbridge:List*",
            "*:ListTagResources",
            "ecs:Describe*",
            "ess:Describe*",
            "vpc:Describe*",
            "rds:DescribeDBInstance*",
            "rds:DescribeRegions",
            "rds:DescribeBackup*",
            "rds:DescribeParameters",
            "rds:DescribeSQLCollector*",
            "rds:DescribeActionEventPolicy",
            "slb:Describe*",
            "*:DescribeTags",
            "oss:GetService",
            "oss:GetBucket*",
            "oss:ListBuckets",
            "oss:ListObjects",
            "ram:List*",
            "ram:Get*",
            "actiontrail:LookupEvents",
            "actiontrail:Describe*",
            "actiontrail:Get*",
            "ots:BatchGet*",
            "ots:Describe*",
            "ots:Get*",
            "ots:List*",
            "ocs:Describe*",
            "cms:Get*",
            "cms:List*",
            "cms:Query*",
            "cms:BatchQuery*",
            "cms:Describe*",
            "kvstore:Describe*",
            "fc:Get*",
            "fc:List*",
            "kms:DescribeKey",
            "kms:DescribeRegions",
            "kms:ListAliases",
            "kms:ListAliasesByKeyId",
            "kms:ListKeys",
            "kms:DescribeKeyVersion",
            "kms:ListKeyVersions",
            "kms:GenerateDataKey",
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:ListResourceTags",
            "cdn:Describe*",
            "yundun*:Get*",
            "yundun*:Describe*",
            "yundun*:Query*",
            "yundun*:List*",
            "polardb:Describe*",
            "dds:Describe*",
            "cen:Describe*",
            "mns:ListTopic",
            "mns:GetTopicAttributes",
            "resourcemanager:GetAccount",
            "resourcemanager:ListAccountsForParent",
            "resourcemanager:ListAccounts",
            "resourcemanager:GetFolder",
            "resourcemanager:ListFoldersForParent",
            "resourcemanager:ListAncestors",
            "resourcemanager:GetResourceDirectory",
            "resourcemanager:ListHandshakesForResourceDirectory",
            "resourcemanager:GetHandshake",
            "resourcemanager:ListResourceGroups",
            "resourcemanager:GetResourceGroup",
            "resourcemanager:ListDelegatedAdministrators",
            "composer:GetFlow",
            "composer:DescribeFlow",
            "nas:Describe*",
            "hbase:Describe*",
            "hbase:Get*",
            "hbase:List*",
            "hbase:Query*",
            "cs:Get*",
            "cs:List*",
            "cs:Describe*",
            "dms:List*",
            "dms:Get*",
            "mq:OnsInstanceInServiceList",
            "mq:OnsInstanceBaseInfo",
            "mq:OnsTopicList",
            "mq:OnsGroupList",
            "mq:QueryInstanceBaseInfo",
            "mq:PUB",
            "mq:SUB",
            "alidns:Describe*",
            "alidns:List*",
            "mse:Query*",
            "mse:List*",
            "ros:Describe*",
            "ros:Get*",
            "ros:List*",
            "elasticsearch:List*",
            "elasticsearch:Describe*",
            "dcdn:Describe*",
            "hcs-sgw:Describe*",
            "eci:Describe*",
            "kms:ListSecrets",
            "kms:DescribeSecret",
            "privatelink:List*",
            "privatelink:Get*",
            "brain-industrial:List*",
            "brain-industrial:Get*",
            "imagesearch:List*",
            "imagesearch:Describe*",
            "hitsdb:Describe*",
            "apigateway:Describe*",
            "sas:DescribeGroupedVul",
            "sas:DescribeFieldStatistics",
            "cmn:List*",
            "cmn:Get*",
            "ledgerdb:Describe*",
            "pvtz:Describe*",
            "oos:Search*",
            "oos:List*",
            "oos:Get*",
            "adb:Describe*",
            "edas:Read*",
            "drds:Describe*",
            "gpdb:Describe*",
            "log:ListProject",
            "log:GetProject",
            "log:ListLogStores",
            "log:GetLogStore",
            "dts:Describe*",
            "arms:Get*",
            "arms:List*",
            "polardbx:Describe*",
            "hbr:Describe*",
            "live:Describe*",
            "vod:Describe*",
            "vod:List*",
            "vod:Get*",
            "lindorm:Get*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:PutObject",
            "fc:InvokeFunction",
            "mns:PublishMessage",
            "composer:GroupInvokeFlow",
            "composer:CreateFlow",
            "log:PostLogStoreLogs"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "config:*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "config.aliyuncs.com"
            }
          }
        }
      ]
    }

创建服务关联角色

在配置审计控制台上,创建服务关联角色的操作方法如下:
  • 普通账号

    普通账号使用配置审计服务之前,需要创建服务关联角色。具体操作,请参见授权服务

  • 企业管理账号

    当企业管理账号将资源目录中的所有或部分成员账号添加到账号组时,配置审计自动为该账号组中的所有成员账号创建服务关联角色。关于账号组,请参见账号组

删除服务关联角色

配置审计服务关联角色不能直接删除。删除方法如下:
  1. 登录配置审计控制台,关闭配置审计服务。

    具体操作,请参见关闭配置审计服务

  2. 登录RAM控制台,删除配置审计服务关联角色。

    具体操作,请参见删除RAM角色