首次登录云防火墙控制台时,您必须完成允许云防火墙访问相关云资源的授权,才能正常使用云防火墙提供的服务。本文介绍了通过云防火墙服务关联角色AliyunServiceRoleForCloudFW,进行云资源访问授权的相关内容,以及如何删除AliyunServiceRoleForCloudFW。

前提条件

您使用的是阿里云主账号或拥有创建和删除服务关联角色权限的RAM用户账号。

关于如何为RAM用户授予操作服务关联角色的权限,请参见相关问题

背景信息

为了向您提供对云上网络流量的访问控制、监控分析等功能,云防火墙需要访问您的云服务器ECS、专有网络VPC、负载均衡、日志服务、堡垒机、云企业网、云安全中心、云数据库RDS等云服务资源,您可通过系统自动创建的云防火墙服务关联角色AliyunServiceRoleForCloudFW进行访问授权。服务关联角色无需您手动创建或做任何修改。相关内容,请参见服务关联角色

操作步骤

  1. 登录云防火墙控制台
  2. 云防火墙服务关联角色对话框,单击确定
    说明 如果您已经创建过AliyunServiceRoleForCloudFW,则该对话框不会出现,您可以直接在控制台使用云防火墙。
    云防火墙服务关联角色
    您单击确定后,阿里云将自动为您创建云防火墙服务关联角色AliyunServiceRoleForCloudFW。
    您可以在RAM控制台RAM角色管理页面,查看阿里云为云防火墙自动创建的服务关联角色。只有创建服务关联角色AliyunServiceRoleForCloudFW后,您的云防火墙实例才能访问云服务器ECS、专有网络VPC、负载均衡、日志服务、堡垒机、云企业网、云安全中心、云数据库RDS等关联云服务的资源。AliyunServiceRoleForCloudFW

AliyunServiceRoleForCloudFW权限说明

AliyunServiceRoleForCloudFW默认拥有AliyunServiceRolePolicyForCloudFW系统权限策略的授权。AliyunServiceRolePolicyForCloudFW中定义的权限如下所示。

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTags",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:DescribeRegions",
                "ecs:DescribeVpcs",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:DeleteSecurityGroup",
                "ecs:RevokeSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:CreateSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeSecurityGroupReferences",
                "ecs:ModifySecurityGroupPolicy",
                "ecs:ModifySecurityGroupRule",
                "ecs:ModifySecurityGroupEgressRule",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeNatGateways",
                "vpc:DescribeSnatTableEntries",
                "vpc:DescribeForwardTableEntries",
                "vpc:DescribeBandwidthPackages",
                "vpc:DescribeEipAddresses",
                "vpc:DescribeRouterInterfaces",
                "vpc:DescribeRouteTableList",
                "vpc:DescribeRouteTables",
                "vpc:DescribeVSwitches",
                "vpc:CreateRouteEntry",
                "vpc:DeleteRouteEntry",
                "vpc:CreateVpc",
                "vpc:DeleteVpc",
                "vpc:CreateVSwitch",
                "vpc:DeleteVSwitch",
                "vpc:DescribeZones",
                "vpc:CreateVirtualBorderRouter",
                "vpc:ConnectRouterInterface",
                "vpc:ModifyRouterInterfaceAttribute",
                "vpc:DeleteRouterInterface",
                "vpc:CreateRouterInterface",
                "vpc:DeleteVirtualBorderRouter",
                "vpc:DeactivateRouterInterface",
                "vpc:DescribeVirtualBorderRouters",
                "vpc:DescribePhysicalConnections",
                "vpc:ModifyVirtualBorderRouterAttribute",
                "vpc:DescribeVpcAttribute",
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeHaVips",
                "vpc:DescribeVpnConnections",
                "vpc:DescribeVpnRouteEntries",
                "vpc:DescribeVpnPbrRouteEntries",
                "vpc:DescribeVpnGateways",
                "vpc:DescribeSslVpnServers",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:CreateRouteTable",
                "vpc:DeleteRouteTable",
                "vpc:AssociateRouteTable",
                "vpc:UnassociateRouteTable",
                "vpc:CreateSnatEntry",
                "vpc:DeleteSnatEntry",
                "vpc:DescribeSnatTableEntries",
                "vpc:DescribeRouteEntryList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "slb:DescribeRegions",
                "slb:DescribeLoadBalancers",
                "slb:DescribeLoadBalancerAttribute",
                "slb:DescribeLoadBalancerUDPListenerAttribute",
                "slb:DescribeLoadBalancerTCPListenerAttribute",
                "slb:DescribeLoadBalancerHTTPListenerAttribute",
                "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                "slb:DescribeHealthStatus",
                "slb:DescribeAccessControlListAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:PostLogStoreLogs",
                "log:GetProject",
                "log:ListProject",
                "log:GetLogStore",
                "log:ListLogStores",
                "log:CreateLogStore",
                "log:CreateProject",
                "log:GetIndex",
                "log:CreateIndex",
                "log:UpdateIndex",
                "log:CreateDashboard",
                "log:ClearLogStoreStorage",
                "log:UpdateLogStore",
                "log:UpdateDashboard",
                "log:CreateSavedSearch",
                "log:UpdateSavedSearch",
                "log:DeleteLogStore",
                "log:DeleteSavedSearch",
                "log:GetSavedSearch",
                "log:ListSavedSearch",
                "log:DeleteDashboard",
                "log:GetDashboard",
                "log:ListDashboard"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "yundun-bastionhost:DescribeInstance",
                "yundun-bastionhost:DescribeRegions",
                "yundun-bastionhost:DescribeInstances",
                "yundun-bastionhost:DescribeInstanceBastionhost",
                "yundun-bastionhost:DescribeInstanceAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cen:DescribeCens",
                "cen:DescribeCenAttachedChildInstances",
                "cen:DescribeCenAttachedChildInstanceAttribute",
                "cen:AttachCenChildInstance",
                "cen:DetachCenChildInstance",
                "cen:PublishRouteEntries",
                "cen:WithdrawPublishedRouteEntries",
                "cen:DescribePublishedRouteEntries",
                "cen:DescribeCenRegionDomainRouteEntries",
                "cen:ModifyCenAttribute",
                "cen:CreateCenRouteMap",
                "cen:DeleteCenRouteMap",
                "cen:ModifyCenRouteMap",
                "cen:DescribeCenRouteMaps",
                "cen:DescribeCenChildInstanceRouteEntries",
                "cen:CreateCenChildInstanceRouteEntryToCen",
                "cen:DeleteCenChildInstanceRouteEntryToCen",
                "cen:ListTransitRouters",
                "cen:CreateTransitRouter",
                "cen:DeleteTransitRouter",
                "cen:ListTransitRouterAttachments",
                "cen:CreateTransitRouterVpcAttachment",
                "cen:DeleteTransitRouterVpcAttachment",
                "cen:UpdateTransitRouterVpcAttachmentAttribute",
                "cen:UpdateTransitRouterPeerAttachmentAttribute",
                "cen:CreateTransitRouterVbrAttachment",
                "cen:DeleteTransitRouterVbrAttachment",
                "cen:ListTransitRouterPeerAttachments",
                "cen:ListTransitRouterVpcAttachments",
                "cen:ListTransitRouterVbrAttachments",
                "cen:ListTransitRouterAvailableResource",
                "cen:CreateTransitRouterRouteTable",
                "cen:UpdateTransitRouterRouteTable",
                "cen:DeleteTransitRouterRouteTable",
                "cen:ListTransitRouterRouteTables",
                "cen:CreateTransitRouterRouteEntry",
                "cen:DeleteTransitRouterRouteEntry",
                "cen:ListTransitRouterRouteEntries",
                "cen:ListTransitRouterRouteTableAssociations",
                "cen:AssociateTransitRouterAttachmentWithRouteTable",
                "cen:DissociateTransitRouterAttachmentFromRouteTable",
                "cen:ListTransitRouterRouteTablePropagations",
                "cen:EnableTransitRouterRouteTablePropagation",
                "cen:DisableTransitRouterRouteTablePropagation",
                "cen:ModifyCenUserQuota"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "netana:DescribeNetworkQuotas",
                "netana:DescribeNetworkQuotaRequestResult",
                "netana:CreateNetworkQuotaRequest"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "yundun-sas:DescribeVulList",
                "yundun-sas:DescribeVulDetails"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "cen.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "resourcemanager:ListAccounts"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "cloudfw.aliyuncs.com"
                }
            }
        }
    ]
}

关于权限策略语法的详细说明,请参见权限策略基本元素

删除服务关联角色

如果不再需要使用云防火墙,您可以删除云防火墙服务关联角色AliyunServiceRoleForCloudFW。只有当云防火墙实例已经过期并自动释放后,您才可以删除服务关联角色。在已有的云防火墙实例已经自动释放后,您可以参考以下步骤,在RAM控制台删除云防火墙服务关联角色。

  1. 登录RAM控制台
  2. 在左侧导航栏,单击RAM角色管理
  3. 使用搜索功能,定位到云防火墙服务关联角色AliyunServiceRoleForCloudFW,单击操作列的删除
  4. 单击确定

相关问题

为什么我的RAM用户无法自动创建云防火墙服务关联角色AliyunServiceRoleForCloudFW?

您需要拥有指定的权限,才能自动创建或删除AliyunServiceRoleForCloudFW。因此,在RAM用户无法自动创建AliyunServiceRoleForCloudFW时,您需为RAM用户添加以下权限策略。详细操作步骤指导,请参见为RAM角色授权
{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:主账号ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "cloudfw.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}