This topic describes the scenarios, permission policy, and creation and deletion operations of the service-linked role (AliyunServiceRoleForConfigRemediation) used by the automatic remediation feature.
Scenarios
When you use the automatic remediation feature of Cloud Config to remediate non-compliant resources, Cloud Config must be granted access to those resources, which live in other cloud services. To solve this cross-service authorization problem, Cloud Config provides the service-linked role AliyunServiceRoleForConfigRemediation.
Note: For more information about service-linked roles, see Service-linked roles.
Role description
The service-linked role for the automatic remediation feature has the following details:
- Role name: AliyunServiceRoleForConfigRemediation.
- Policy name: AliyunServiceRolePolicyForConfigRemediation.
- Policy description: grants Cloud Config the permissions on the corresponding cloud services that the remediation templates need. The first statement allows the listed actions on all resources (Resource "*") with no condition; ram:PassRole is limited by condition to the composer.aliyuncs.com and oos.aliyuncs.com services, and ram:DeleteServiceLinkedRole is limited to the role's own service name, remediation.config.aliyuncs.com.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "actiontrail:CreateTrail",
        "actiontrail:StartLogging",
        "cbn:TagResources",
        "cdn:SetDomainServerCertificate",
        "cdn:TagResources",
        "cen:TagResources",
        "composer:CreateFlow",
        "composer:GroupInvokeFlow",
        "composer:InvokeFlow",
        "cs:GetClusterInfo",
        "cs:ListClusters",
        "cs:TagResources",
        "cs:UpdateClusterTags",
        "ddoscoo:CreateTagResources",
        "ddoscoo:TagResources",
        "dds:TagResources",
        "ecs:DescribeInstances",
        "ecs:ModifyInstanceAttribute",
        "ecs:ModifyInstanceNetworkSpec",
        "ecs:TagResources",
        "hbase:TagResources",
        "kms:TagResource",
        "kms:UpdateRotationPolicy",
        "kms:DescribeKey",
        "kms:SetDeletionProtection",
        "kvstore:ModifyAuditLogConfig",
        "kvstore:TagResources",
        "kvstore:ReleaseInstancePublicConnection",
        "kvstore:DescribeSecurityIps",
        "kvstore:ModifySecurityIps",
        "kvstore:ModifyInstanceConfig",
        "kvstore:DescribeDBInstanceNetInfo",
        "nas:AddTags",
        "nas:TagResources",
        "oos:StartExecution",
        "oos:TagResources",
        "oss:GetBucketTagging",
        "oss:PutBucketTagging",
        "oss:PutBucketACL",
        "oss:PutBucketEncryption",
        "oss:PutBucketLogging",
        "oss:PutBucketReferer",
        "oss:PutBucketVersioning",
        "polardb:TagResources",
        "ram:SetPasswordPolicy",
        "ram:UpdateLoginProfile",
        "rds:MigrateSecurityIPMode",
        "rds:ModifyActionEventPolicy",
        "rds:ModifySQLCollectorPolicy",
        "rds:ModifySQLCollectorRetention",
        "rds:TagResources",
        "rds:ModifySecurityIps",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:DescribeDBInstanceNetInfo",
        "rds:ReleaseInstancePublicConnection",
        "slb:DescribeLoadBalancerAttribute",
        "slb:SetLoadBalancerDeleteProtection",
        "slb:SetLoadBalancerModificationProtection",
        "slb:TagResources",
        "tag:ListTagResources",
        "tag:TagResources",
        "tag:UntagResources",
        "vpc:TagResources",
        "vpc:DescribeNatGateways",
        "vpc:DescribeForwardTableEntries",
        "vpc:DeleteForwardEntry",
        "yundun-ddoscoo:TagResources",
        "yundun-ddoscoo:CreateTagResources",
        "yundun-high:TagResources",
        "yundun-high:CreateTagResources",
        "yundun-waf:ModifyLogServiceStatus",
        "yundun-waf:ModifyProtectionModuleStatus",
        "apigateway:DescribeApi",
        "apigateway:AbolishApi",
        "apigateway:DescribeApiGroups",
        "apigateway:ModifyApiGroupNetworkPolicy",
        "apigateway:ModifyInstanceAttribute",
        "apigateway:ModifyApi",
        "apigateway:TagResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": [
            "composer.aliyuncs.com",
            "oos.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "remediation.config.aliyuncs.com"
        }
      }
    }
  ]
}
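A policy this long is easier to review programmatically than by eye. The following Python script is an added example, not code from the Alibaba Cloud documentation or from Cloud Config itself: it parses a RAM policy document, groups the allowed actions per service into read-only (Describe/Get/List) and state-changing actions, flags Allow statements that apply to Resource "*" without any Condition, and extracts which services ram:PassRole is constrained to. The embedded policy is an excerpt of the AliyunServiceRolePolicyForConfigRemediation document shown above (shortened to keep the example readable); the read/write prefix heuristic and all function names are this example's own assumptions.

```python
"""Review a RAM policy document: what can this role actually do?

Added example, not part of the Alibaba Cloud page. POLICY_JSON is an
excerpt of AliyunServiceRolePolicyForConfigRemediation as printed on the
page; the helper names and the read/write heuristic are our assumptions.
"""
import fnmatch
import json
from collections import defaultdict

# Excerpt of the page's policy (constructed for the example; actions are real).
POLICY_JSON = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances", "ecs:ModifyInstanceAttribute",
                "ecs:ModifyInstanceNetworkSpec", "ecs:TagResources",
                "oss:GetBucketTagging", "oss:PutBucketACL", "oss:PutBucketEncryption",
                "ram:SetPasswordPolicy", "ram:UpdateLoginProfile",
                "rds:DescribeDBInstanceNetInfo", "rds:ReleaseInstancePublicConnection",
                "vpc:DeleteForwardEntry",
            ],
            "Resource": "*",
            "Effect": "Allow",
        },
        {
            "Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
            "Condition": {"StringEquals": {
                "acs:Service": ["composer.aliyuncs.com", "oos.aliyuncs.com"]}},
        },
        {
            "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
            "Condition": {"StringEquals": {
                "ram:ServiceName": "remediation.config.aliyuncs.com"}},
        },
    ],
})

# Assumption: these verb prefixes never change state; everything else may.
READ_PREFIXES = ("Describe", "Get", "List")


def load_policy(text=POLICY_JSON):
    """Parse a policy document; defaults to the embedded excerpt."""
    return json.loads(text)


def _as_list(value):
    """RAM allows a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def classify_action(action):
    """'service:Name' -> 'read' if Name starts with a read prefix, else 'write'."""
    _, _, name = action.partition(":")
    return "read" if name.startswith(READ_PREFIXES) else "write"


def summarize(policy):
    """Map each service to sorted lists of its allowed read and write actions."""
    summary = defaultdict(lambda: {"read": [], "write": []})
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            summary[service][classify_action(action)].append(name)
    return {svc: {k: sorted(v) for k, v in kinds.items()}
            for svc, kinds in sorted(summary.items())}


def unconditioned_wildcard_statements(policy):
    """Indexes of Allow statements on Resource '*' that carry no Condition."""
    return [i for i, stmt in enumerate(policy["Statement"])
            if stmt.get("Effect") == "Allow"
            and not stmt.get("Condition")
            and "*" in _as_list(stmt.get("Resource"))]


def pass_role_targets(policy):
    """Services the role may pass roles to; ['*'] means no acs:Service limit."""
    targets = set()
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action"))
        # Honour wildcards such as 'ram:*', which would also cover PassRole.
        if stmt.get("Effect") != "Allow" or not any(
                fnmatch.fnmatchcase("ram:PassRole", a) for a in actions):
            continue
        limit = stmt.get("Condition", {}).get("StringEquals", {}).get("acs:Service")
        if limit is None:
            return ["*"]
        targets.update(_as_list(limit))
    return sorted(targets)


if __name__ == "__main__":
    policy = load_policy()
    for service, kinds in summarize(policy).items():
        print(f"{service}: {len(kinds['read'])} read, "
              f"{len(kinds['write'])} write -> {kinds['write']}")
    print("Allow on Resource '*' without Condition:",
          unconditioned_wildcard_statements(policy))
    print("PassRole limited to:", pass_role_targets(policy))
```

Run against the full policy from the page, the same script shows that every Resource element is "*", that only the two ram statements carry conditions, and that the broad first statement includes account-wide actions such as ram:SetPasswordPolicy and ram:UpdateLoginProfile alongside per-resource tagging. That is the picture to keep in mind when deciding whether to enable remediation templates in an account.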
Create the service-linked role for the automatic remediation feature
If you have configured a remediation template for a rule, Cloud Config automatically creates the service-linked role for automatic remediation in the RAM console the first time that rule evaluates a resource as non-compliant. No manual creation step is required.