
Mssp服务关联角色

本文为您介绍安全管家服务关联角色(AliyunServiceRoleForMssp)的应用场景以及如何删除服务关联角色。

背景信息

安全管家服务关联角色(AliyunServiceRoleForMssp)是安全管家在日常运营中,为帮助您完成安全加固服务和安全评估服务、需要获取其他云服务的访问权限而提供的RAM角色。该角色无需您主动创建或做任何修改。更多服务关联角色的信息,请参见服务关联角色。

AliyunServiceRoleForMssp应用场景

安全管家需要访问您的云服务器ECS、云安全中心、对象存储OSS、云数据库RDS、企业级分布式应用服务EDAS、负载均衡、访问控制的资源,以进行安全加固和安全评估,完成安全管家的运营服务。

AliyunServiceRoleForMssp介绍

角色名称:AliyunServiceRoleForMssp

角色权限策略:AliyunServiceRolePolicyForMssp

权限说明:

说明

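以下权限说明为系统默认提供的策略,不支持修改。该策略除 Describe/Get/List/Query 类只读操作外,还包含 ecs:RunCommand、ecs:RebootInstance、安全组变更、快照创建与删除、rds:ModifySecurityIps、oss:setBucketAcl、SLB 监听与访问控制列表变更等写操作;除日志服务(log)语句将资源限定到特定 Project 和 Logstore 外,其余语句的 Resource 均为 "*"。另外,ram:DeleteServiceLinkedRole 语句在策略中出现两次,条件相同。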

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInvocationResults",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:RunCommand",
        "ecs:RebootInstance",
        "ecs:DescribeInstances",
        "ecs:DescribeSnapshots",
        "ecs:InstallCloudAssistant",
        "ecs:DescribeRegions",
        "ecs:AssumeRole",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:DescribeDisks",
        "ecs:CreateSnapshot",
        "ecs:DeleteSnapshot",
        "ecs:ModifyOperateVul",
        "ecs:DescribeVpcs",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "yundun-waf:CreateProtectionModuleRule",
        "yundun-waf:ModifyProtectionModuleRule",
        "yundun-waf:ModifyProtectionRuleStatus",
        "yundun-waf:DeleteProtectionModuleRule",
        "yundun-waf:Describe*",
        "yundun-waf:Get*",
        "yundun-waf:List*",
        "yundun-waf:Query*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "eip:DescribeEipAddresses",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDBInstanceNetInfo",
        "rds:ModifySecurityIps",
        "rds:DescribeDBInstanceIPArrayList"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:getBucketInfo",
        "oss:setBucketAcl",
        "oss:getBucketAcl",
        "oss:getBucketTagging",
        "oss:SetBucketTagging"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "slb:ListResourceGroups",
        "slb:DescribeHealthStatus",
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:SetLoadBalancerStatus",
        "slb:CreateAccessControlList",
        "slb:DeleteAccessControlList",
        "slb:DescribeAccessControlLists",
        "slb:DescribeAccessControlListAttribute",
        "slb:AddAccessControlListEntry",
        "slb:RemoveAccessControlListEntry",
        "slb:DeleteLoadBalancerListener",
        "slb:StartLoadBalancerListener",
        "slb:StopLoadBalancerListener",
        "slb:DescribeLoadBalancerTCPListenerAttribute",
        "slb:DescribeLoadBalancerUDPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPSListenerAttribute",
        "slb:SetLoadBalancerUDPListenerAttribute",
        "slb:SetLoadBalancerTCPListenerAttribute",
        "slb:SetLoadBalancerHTTPListenerAttribute",
        "slb:SetLoadBalancerHTTPSListenerAttribute"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "yundun-sas:ModifyCreateVulWhitelist",
        "yundun-sas:ModifyOperateVul"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "avds:AddAssets",
        "avds:DeleteAssets",
        "avds:DescribeAssets",
        "avds:CreateScan",
        "avds:DescribeAllVulnerabilities",
        "avds:GenerateVulReport",
        "avds:DescribeScanSessions",
        "avds:DescribeVulnerability"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "edas:ListVpc",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "mssp.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "yundun-cloudfirewall:Get*",
        "yundun-cloudfirewall:Describe*",
        "yundun-cloudfirewall:Query*",
        "yundun-cloudfirewall:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "yundun-high:Get*",
        "yundun-high:Describe*",
        "yundun-high:Query*",
        "yundun-high:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:GetConfig",
        "log:GetIndex",
        "log:GetCursor",
        "log:GetCursorTime",
        "log:GetLogStore",
        "log:GetProject",
        "log:GetSavedSearch",
        "log:ListSavedsearch",
        "log:GetSlsService",
        "log:GetAlert",
        "log:ListAlert",
        "log:GetLogs",
        "log:GetHistograms",
        "log:GetLogging",
        "log:GetLogStoreLogs",
        "log:GetProjectLogs",
        "log:ListLogStores",
        "log:ListProject",
        "log:ListConfig",
        "log:ListDomains"
      ],
      "Resource": [
        "acs:log:*:*:project/sas-log-*/logstore/*",
        "acs:log:*:*:project/waf-project-*/logstore/*",
        "acs:log:*:*:project/cloudfirewall-project-*/logstore/*",
        "acs:log:*:*:project/ddoscoo-project-*/logstore/*",
        "acs:log:*:*:project/aegis-log-*/logstore/*",
        "acs:log:*:*:project/*/logstore/actintrail_*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "yundun-aegis:Get*",
        "yundun-aegis:Describe*",
        "yundun-aegis:Query*",
        "yundun-aegis:List*",
        "yundun-sas:Get*",
        "yundun-sas:Describe*",
        "yundun-sas:Query*",
        "yundun-sas:ModifyStartVulScan",
        "yundun-aegis:ModifyStartVulScan",
        "yundun-sas:List*"
      ],
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "mssp.aliyuncs.com"
        }
      }
    }
  ]
}

删除服务关联角色

在安全管家服务有效期内,安全管家需要使用该角色协助您完成云上的安全运营工作,因此暂不支持删除服务关联角色;服务到期之后,您可以自行删除。

删除服务关联角色的具体操作,请参见删除服务关联角色。
