服务关联角色
使用安全管家服务前,您的阿里云账号中需要存在服务关联角色AliyunServiceRoleForMssp。该角色用于授权安全管家(MSSP)访问您账号下的云资源,以便完成安全管家的运营服务;角色由安全管家服务自动创建,无需您手动创建。本文介绍安全管家服务关联角色AliyunServiceRoleForMssp的权限内容以及如何删除该角色。
背景信息
安全管家服务关联角色AliyunServiceRoleForMssp是一个RAM角色:安全管家在日常运营中,为了帮助您完成安全加固服务和安全评估服务,需要获取其他云服务的访问权限,该角色即为此目的而提供。该角色及其权限策略由系统自动创建和维护,无需您主动创建,也不支持修改。
AliyunServiceRoleForMssp应用场景
在日常运营中,安全管家通过AliyunServiceRoleForMssp服务关联角色访问您的云服务器ECS、云安全中心、对象存储OSS、云数据库RDS、企业级分布式应用服务EDAS、负载均衡SLB、访问控制RAM等资源,从而为您的业务系统完成安全加固、安全评估等相关服务。需要注意的是,下文权限策略中实际授权的范围不止于此,还包括Web应用防火墙WAF、云防火墙、漏洞扫描AVDS、弹性公网IP、日志服务(仅限云安全中心、WAF、云防火墙、DDoS高防、操作审计等安全相关日志库)以及费用中心(BSS)的查询接口,请结合策略内容确认授权范围是否符合您的预期。
AliyunServiceRoleForMssp介绍
角色名称:AliyunServiceRoleForMssp
角色权限策略:AliyunServiceRolePolicyForMssp
权限策略内容:
说明
以下权限策略为系统默认提供,不支持修改,也无法为该角色附加更细粒度的资源限制。审阅时请特别留意:该策略包含 ecs:RunCommand(在ECS实例上执行命令)、ecs:RebootInstance、安全组的创建/授权/删除、rds:ModifySecurityIps、oss:setBucketAcl,以及WAF和云防火墙防护策略的增删改等写操作,且这些语句的Resource均为 *,即覆盖账号下所有对应资源。建议通过操作审计(ActionTrail)持续审计以该角色身份发起的操作记录。另外,策略中 ram:DeleteServiceLinkedRole 语句出现了两次(条件完全相同),效果等价于一条。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"bss:DescribeAcccountTran",
"bss:DescribeCostBudgetsSummary",
"bss:DescribePrice",
"bss:DescribeProduct",
"bss:DescribeUserOmsData",
"bssapi:DescribeInstanceBill",
"bssapi:GetOrderDetail",
"bssapi:GetPayAsYouGoPrice",
"bssapi:GetSubscriptionPrice",
"bssapi:QueryAccountTransactionDetails",
"bssapi:QueryAvailableInstances",
"bssapi:QueryOrders",
"bssapi:QueryPermissionList",
"bssapi:QueryProductList",
"bssapi:QueryResourcePackageInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInvocationResults",
"ecs:DescribeCloudAssistantStatus",
"ecs:RunCommand",
"ecs:RebootInstance",
"ecs:DescribeInstances",
"ecs:DescribeSnapshots",
"ecs:InstallCloudAssistant",
"ecs:DescribeRegions",
"ecs:AssumeRole",
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:RevokeSecurityGroup",
"ecs:RevokeSecurityGroupEgress",
"ecs:DeleteSecurityGroup",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroups",
"ecs:DescribeSecurityGroupReferences",
"ecs:DescribeDisks",
"ecs:CreateSnapshot",
"ecs:DeleteSnapshot",
"ecs:ModifyOperateVul",
"ecs:DescribeVpcs",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"yundun-waf:CreateProtectionModuleRule",
"yundun-waf:ModifyProtectionModuleRule",
"yundun-waf:ModifyProtectionRuleStatus",
"yundun-waf:DeleteProtectionModuleRule",
"yundun-waf:CreateDefenseTemplate",
"yundun-waf:ModifyTemplateResources",
"yundun-waf:CreateDefenseRule",
"yundun-waf:DeleteDefenseRule"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "eip:DescribeEipAddresses",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:DescribeDBInstanceNetInfo",
"rds:ModifySecurityIps",
"rds:DescribeDBInstanceIPArrayList"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets",
"oss:getBucketInfo",
"oss:setBucketAcl",
"oss:getBucketAcl",
"oss:getBucketTagging",
"oss:SetBucketTagging"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"slb:ListResourceGroups",
"slb:DescribeHealthStatus",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerAttribute",
"slb:SetLoadBalancerStatus",
"slb:CreateAccessControlList",
"slb:DeleteAccessControlList",
"slb:DescribeAccessControlLists",
"slb:DescribeAccessControlListAttribute",
"slb:AddAccessControlListEntry",
"slb:RemoveAccessControlListEntry",
"slb:DeleteLoadBalancerListener",
"slb:StartLoadBalancerListener",
"slb:StopLoadBalancerListener",
"slb:DescribeLoadBalancerTCPListenerAttribute",
"slb:DescribeLoadBalancerUDPListenerAttribute",
"slb:DescribeLoadBalancerHTTPListenerAttribute",
"slb:DescribeLoadBalancerHTTPSListenerAttribute",
"slb:SetLoadBalancerUDPListenerAttribute",
"slb:SetLoadBalancerTCPListenerAttribute",
"slb:SetLoadBalancerHTTPListenerAttribute",
"slb:SetLoadBalancerHTTPSListenerAttribute"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"yundun-sas:ModifyCreateVulWhitelist",
"yundun-sas:ModifyOperateVul"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"avds:AddAssets",
"avds:DeleteAssets",
"avds:DescribeAssets",
"avds:CreateScan",
"avds:DescribeAllVulnerabilities",
"avds:GenerateVulReport",
"avds:DescribeScanSessions",
"avds:DescribeVulnerability"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "edas:ListVpc",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"mssp.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"yundun-cloudfirewall:DeleteControlPolicy",
"yundun-cloudfirewall:AddControlPolicy",
"yundun-cloudfirewall:ModifyControlPolicy",
"yundun-cloudfirewall:ModifyControlPolicyPosition",
"yundun-cloudfirewall:AddAddressBook",
"yundun-cloudfirewall:DeleteAddressBook",
"yundun-cloudfirewall:ModifyAddressBook"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"yundun-*:Get*",
"yundun-*:Describe*",
"yundun-*:Query*",
"yundun-*:List*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"log:GetConfig",
"log:GetIndex",
"log:GetCursor",
"log:GetCursorTime",
"log:GetLogStore",
"log:GetProject",
"log:GetSavedSearch",
"log:ListSavedsearch",
"log:GetSlsService",
"log:GetAlert",
"log:ListAlert",
"log:GetLogs",
"log:GetHistograms",
"log:GetLogging",
"log:GetLogStoreLogs",
"log:GetProjectLogs",
"log:ListLogStores",
"log:ListProject",
"log:ListConfig",
"log:ListDomains"
],
"Resource": [
"acs:log:*:*:project/sas-log-*/logstore/*",
"acs:log:*:*:project/waf-project-*/logstore/*",
"acs:log:*:*:project/wafng-project-*/logstore/*",
"acs:log:*:*:project/cloudfirewall-project-*/logstore/*",
"acs:log:*:*:project/ddoscoo-project-*/logstore/*",
"acs:log:*:*:project/aegis-log-*/logstore/*",
"acs:log:*:*:project/*/logstore/actintrail_*"
]
},
{
"Effect": "Allow",
"Action": [
"yundun-sas:ModifyStartVulScan",
"yundun-aegis:ModifyStartVulScan",
"yundun-sas:Export*"
],
"Resource": "*"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "mssp.aliyuncs.com"
}
}
}
]
}
删除服务关联角色
安全管家服务需要通过服务关联角色AliyunServiceRoleForMssp完成安全运营工作,因此在安全管家服务有效期内,不支持删除该角色。安全管家服务到期后,如您不再需要安全管家访问您的云资源,可以参考以下操作删除服务关联角色;删除后,安全管家将无法再访问您账号下的资源。
登录访问控制管理控制台。
在左侧导航栏,选择角色。在角色页面,搜索AliyunServiceRoleForMssp,然后在操作列单击删除,并按页面提示确认删除。
相关文档
更多服务关联角色的信息请参见服务关联角色。