授权云防火墙访问云资源

首次登录云防火墙(Cloud Firewall)控制台时,您必须完成允许云防火墙访问相关云资源的授权,才能正常使用云防火墙提供的服务。本文介绍了通过云防火墙服务关联角色AliyunServiceRoleForCloudFW进行云资源访问授权的相关内容,以及如何删除AliyunServiceRoleForCloudFW。

前提条件

您使用的是阿里云账号,或拥有创建和删除服务关联角色权限的RAM用户账号。如何为RAM用户授予操作服务关联角色的权限,请参见下文的相关问题。

背景信息

为了向您提供对云上网络流量的访问控制、监控分析等功能,云防火墙需要访问您的云服务器 ECS、专有网络 VPC、负载均衡、日志服务、运维安全中心(堡垒机)、云企业网、云安全中心、云数据库 RDS等云服务资源,您可通过系统自动创建的云防火墙服务关联角色AliyunServiceRoleForCloudFW进行访问授权。服务关联角色无需您手动创建或做任何修改。相关内容,请参见服务关联角色。

操作步骤

  1. 登录云防火墙控制台。

  2. 在云防火墙服务关联角色对话框中,单击确定。

    说明

    如果您已经创建过AliyunServiceRoleForCloudFW,则不会出现该对话框,您可以直接在控制台使用云防火墙。

    云防火墙服务关联角色

    完成后,阿里云将自动为您创建云防火墙服务关联角色AliyunServiceRoleForCloudFW。

    您可以在RAM控制台的角色页面,查看阿里云为云防火墙自动创建的服务关联角色。只有创建服务关联角色AliyunServiceRoleForCloudFW后,您的云防火墙实例才能访问云服务器 ECS、专有网络 VPC、负载均衡、日志服务、运维安全中心(堡垒机)、云企业网、云安全中心、云数据库 RDS等关联云服务的资源。

AliyunServiceRoleForCloudFW权限说明

AliyunServiceRoleForCloudFW默认拥有AliyunServiceRolePolicyForCloudFW系统权限策略的授权。AliyunServiceRolePolicyForCloudFW中定义的权限如下所示。

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeTags",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:DescribeRegions",
        "ecs:DescribeVpcs",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:DeleteSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:DescribePrefixLists",
        "ecs:ListTagResources",
        "ecs:ImportImage",
        "ecs:ModifyInstanceSpec",
        "ecs:CreateImage"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeNatGateways",
        "vpc:DescribeSnatTableEntries",
        "vpc:DescribeForwardTableEntries",
        "vpc:DescribeBandwidthPackages",
        "vpc:GetNatGatewayAttribute",
        "vpc:ModifyNatGatewayAttribute",
        "vpc:DescribeEipAddresses",
        "vpc:DescribeRouterInterfaces",
        "vpc:DescribeRouteTableList",
        "vpc:DescribeRouteTables",
        "vpc:DescribeVSwitches",
        "vpc:CreateRouteEntry",
        "vpc:DeleteRouteEntry",
        "vpc:CreateVpc",
        "vpc:DeleteVpc",
        "vpc:CreateVSwitch",
        "vpc:DeleteVSwitch",
        "vpc:DescribeZones",
        "vpc:CreateVirtualBorderRouter",
        "vpc:ConnectRouterInterface",
        "vpc:ModifyRouterInterfaceAttribute",
        "vpc:DeleteRouterInterface",
        "vpc:CreateRouterInterface",
        "vpc:DeleteVirtualBorderRouter",
        "vpc:DeactivateRouterInterface",
        "vpc:DescribeVirtualBorderRouters",
        "vpc:DescribePhysicalConnections",
        "vpc:ModifyVirtualBorderRouterAttribute",
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeHaVips",
        "vpc:DescribeVpnConnections",
        "vpc:DescribeVpnRouteEntries",
        "vpc:DescribeVpnPbrRouteEntries",
        "vpc:DescribeVpnGateways",
        "vpc:DescribeSslVpnServers",
        "vpc:AssociateEipAddress",
        "vpc:UnassociateEipAddress",
        "vpc:CreateRouteTable",
        "vpc:DeleteRouteTable",
        "vpc:AssociateRouteTable",
        "vpc:UnassociateRouteTable",
        "vpc:CreateSnatEntry",
        "vpc:DeleteSnatEntry",
        "vpc:DescribeSnatTableEntries",
        "vpc:DescribeRouteEntryList",
        "vpc:DescribeIpv6Addresses",
        "vpc:ListVpcPeerConnections",
        "vpc:CreateRouteEntries",
        "vpc:DeleteRouteEntries",
        "vpc:ModifyRouteEntry",
        "vpc:DescribeRegions",
        "vpc:CheckCanAllocateVpcPrivateIpAddress",
        "vpc:CreateTrafficMirrorFilterRules",
        "vpc:UpdateTrafficMirrorFilterAttribute",
        "vpc:AddSourcesToTrafficMirrorSession",
        "vpc:GetTrafficMirrorServiceStatus",
        "vpc:ListTrafficMirrorFilters",
        "vpc:CreateTrafficMirrorFilter",
        "vpc:DeleteTrafficMirrorFilter",
        "vpc:UpdateTrafficMirrorSessionAttribute",
        "vpc:DeleteTrafficMirrorFilterRules",
        "vpc:ListTrafficMirrorSessions",
        "vpc:CreateTrafficMirrorSession",
        "vpc:RemoveSourcesFromTrafficMirrorSession",
        "vpc:DeleteTrafficMirrorSession",
        "vpc:OpenTrafficMirrorService",
        "vpc:UpdateTrafficMirrorFilterRuleAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:DescribeRegions",
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:DescribeLoadBalancerUDPListenerAttribute",
        "slb:DescribeLoadBalancerTCPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPSListenerAttribute",
        "slb:DescribeHealthStatus",
        "slb:DescribeAccessControlListAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "alb:DescribeRegions",
        "alb:ListLoadBalancers",
        "alb:GetLoadBalancerAttribute",
        "alb:ListListeners",
        "alb:GetListenerAttribute",
        "alb:GetListenerHealthStatus",
        "alb:ListAcls",
        "alb:ListAclEntries"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "nlb:DescribeRegions",
        "nlb:ListLoadBalancers",
        "nlb:GetLoadBalancerAttribute",
        "nlb:ListListeners",
        "nlb:GetListenerAttribute",
        "nlb:GetListenerHealthStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs",
        "log:GetProject",
        "log:ListProject",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:CreateLogStore",
        "log:CreateProject",
        "log:DeleteProject",
        "log:GetLogStoreLogs",
        "log:GetIndex",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:CreateDashboard",
        "log:ClearLogStoreStorage",
        "log:UpdateLogStore",
        "log:UpdateDashboard",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:DeleteLogStore",
        "log:DeleteSavedSearch",
        "log:GetSavedSearch",
        "log:ListSavedSearch",
        "log:DeleteDashboard",
        "log:GetDashboard",
        "log:ListDashboard",
        "log:GetLogStoreHistogram"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-bastionhost:DescribeInstance",
        "yundun-bastionhost:DescribeRegions",
        "yundun-bastionhost:DescribeInstances",
        "yundun-bastionhost:DescribeInstanceBastionhost",
        "yundun-bastionhost:DescribeInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cen:DescribeCens",
        "cen:DescribeCenAttachedChildInstances",
        "cen:DescribeCenAttachedChildInstanceAttribute",
        "cen:AttachCenChildInstance",
        "cen:DetachCenChildInstance",
        "cen:PublishRouteEntries",
        "cen:WithdrawPublishedRouteEntries",
        "cen:DescribePublishedRouteEntries",
        "cen:DescribeCenRegionDomainRouteEntries",
        "cen:ModifyCenAttribute",
        "cen:CreateCenRouteMap",
        "cen:DeleteCenRouteMap",
        "cen:ModifyCenRouteMap",
        "cen:DescribeCenRouteMaps",
        "cen:DescribeCenChildInstanceRouteEntries",
        "cen:CreateCenChildInstanceRouteEntryToCen",
        "cen:DeleteCenChildInstanceRouteEntryToCen",
        "cen:ListTransitRouters",
        "cen:CreateTransitRouter",
        "cen:DeleteTransitRouter",
        "cen:ListTransitRouterAttachments",
        "cen:CreateTransitRouterVpcAttachment",
        "cen:DeleteTransitRouterVpcAttachment",
        "cen:UpdateTransitRouterVpcAttachmentAttribute",
        "cen:UpdateTransitRouterPeerAttachmentAttribute",
        "cen:CreateTransitRouterVbrAttachment",
        "cen:DeleteTransitRouterVbrAttachment",
        "cen:ListTransitRouterPeerAttachments",
        "cen:ListTransitRouterVpcAttachments",
        "cen:ListTransitRouterVbrAttachments",
        "cen:ListTransitRouterAvailableResource",
        "cen:CreateTransitRouterRouteTable",
        "cen:UpdateTransitRouterRouteTable",
        "cen:DeleteTransitRouterRouteTable",
        "cen:ListTransitRouterRouteTables",
        "cen:CreateTransitRouterRouteEntry",
        "cen:DeleteTransitRouterRouteEntry",
        "cen:ListTransitRouterRouteEntries",
        "cen:ListTransitRouterRouteTableAssociations",
        "cen:AssociateTransitRouterAttachmentWithRouteTable",
        "cen:DissociateTransitRouterAttachmentFromRouteTable",
        "cen:ListTransitRouterRouteTablePropagations",
        "cen:EnableTransitRouterRouteTablePropagation",
        "cen:DisableTransitRouterRouteTablePropagation",
        "cen:ModifyCenUserQuota",
        "cen:ReplaceTransitRouterRouteTableAssociation",
        "cen:CheckTransitRouterService",
        "cen:ListTransitRouterPrefixListAssociation"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "netana:DescribeNetworkQuotas",
        "netana:DescribeNetworkQuotaRequestResult",
        "netana:CreateNetworkQuotaRequest"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CheckProductOpen",
        "privatelink:OpenPrivateLinkService",
        "privatelink:CreateVpcEndpoint",
        "privatelink:DeleteVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:ListVpcEndpointZones",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointServicesByEndUser"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-sas:DescribeVulList",
        "yundun-sas:DescribeVulDetails",
        "yundun-sas:DescribeCloudCenterInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-cert:DescribeCACertificateList",
        "yundun-cert:GetUserStatus",
        "yundun-cert:CreateTestOrder",
        "yundun-cert:CreateRootCACertificate",
        "yundun-cert:CreateSubCACertificate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cs:DescribeUserQuota",
        "cs:DescribeClusterNodes",
        "cs:DescribeClusterNodePools",
        "cs:DescribeClusterNodePoolDetail",
        "cs:DescribeUserClusterNamespaces",
        "cs:DescribeClustersV1",
        "cs:DescribeClusterUserKubeconfig",
        "cs:DescribeClusterResources",
        "cs:DescribeClusterDetail",
        "cs:GetClusters",
        "cs:DescribeUserPermission",
        "cs:UpdateUserPermissions",
        "cs:GrantPermissions",
        "cs:CleanClusterUserPermissions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:DescribeDBInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cen.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "resourcemanager:ListAccounts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:QueryMetricList",
        "cms:QueryMetricData",
        "cms:QueryMetricLast"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "yundun-aegis:DescribeAccesskeyLeakList",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cloudfw.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    }
  ]
}

关于权限策略语法的详细说明,请参见权限策略基本元素。

删除服务关联角色

如果不再需要使用云防火墙,您可以删除云防火墙服务关联角色AliyunServiceRoleForCloudFW。只有当云防火墙实例已经过期并自动释放后,您才可以删除服务关联角色。具体操作,请参见删除RAM角色。

相关问题

为什么我的RAM用户无法自动创建云防火墙服务关联角色AliyunServiceRoleForCloudFW?

您需要拥有指定的权限,才能自动创建或删除AliyunServiceRoleForCloudFW。因此,在RAM用户无法自动创建AliyunServiceRoleForCloudFW时,您需为RAM用户添加以下权限策略。其中,Resource中的主账号ID需替换为您的阿里云账号ID;Condition中的ram:ServiceName将该权限限定为仅能为云防火墙(cloudfw.aliyuncs.com)创建服务关联角色。详细操作步骤指导,请参见RAM用户授权。

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:主账号ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "cloudfw.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}