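AliyunServiceRolePolicyForSLSAudit 是专用于服务关联角色的授权策略,会在创建服务关联角色 AliyunServiceRoleForSLSAudit 时自动授权,以允许服务关联角色代您访问其他云服务。本策略由对应的阿里云服务按需更新,请勿将本策略授权给服务关联角色之外的 RAM 身份使用:本策略除只读操作外,还包含 Resource 为 "*" 的写操作(例如 actiontrail:StopLogging、actiontrail:DeleteTrail、ecs:AuthorizeSecurityGroup)以及 oss:GetObject 等数据读取权限,授予其他身份会超出最小权限范围。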
策略详情
类型:系统策略
创建时间:2025-10-09 13:55:45
更新时间:2025-10-09 13:55:45
当前版本:v1
策略内容
{
"Version": "1",
"Statement": [
{
"Action": [
"resourcemanager:ListAccounts",
"resourcemanager:GetAccount",
"resourcemanager:GetResourceDirectory",
"resourcemanager:GetFolder",
"resourcemanager:ListFoldersForParent",
"resourcemanager:ListAccountsForParent",
"resourcemanager:ListDelegatedAdministrators",
"resourcemanager:ListDelegatedServicesForAccount",
"rds:DescribeRegions",
"rds:DescribeSqlLogInstances",
"rds:DescribeDBInstanceAttribute",
"rds:ListTagResources",
"rds:DisableSqlLogDistribution",
"rds:EnableSqlLogDistribution",
"rds:ModifySQLCollectorPolicy",
"rds:DescribeSQLCollectorRetention",
"hdm:DescribeSqlLogInstancesPaging",
"hdm:ModifyForwardSqlLogConfig",
"hdm:DescribeForwardSqlLogConfig",
"hdm:DescribeSqlLogConfig",
"polardb:DescribeRegions",
"polardb:DescribeDBClusters",
"polardb:DescribeSqlLogClusters",
"polardb:ModifyDBClusterAuditLogCollector",
"polardb:DescribeDBClusterAttribute",
"polardb:DescribeSQLExplorerRetention",
"kvstore:DescribeRegions",
"kvstore:DescribeInstances",
"kvstore:DescribeRedisLogConfig",
"kvstore:ModifyAuditLogConfig",
"kvstore:DescribeInstanceAttribute",
"kvstore:DescribeEngineVersion",
"kvstore:InitializeKvstorePermission",
"drds:DescribeDrdsInstances",
"drds:DescribeDrdsDBs",
"drds:EnableSqlAuditExtraWrite",
"drds:DisableSqlAuditExtraWrite",
"drds:DescribeDrdsRegions",
"drds:DescribeDrdsSqlAuditStatus",
"slb:DescribeRegions",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerAttribute",
"slb:SetAccessLogsDownloadAttribute",
"slb:DeleteAccessLogsDownloadAttribute",
"slb:DescribeAccessLogsDownloadAttribute",
"slb:ListTagResources",
"alb:DescribeRegions",
"alb:ListLoadBalancers",
"alb:EnableLoadBalancerAccessLog",
"alb:DisableLoadBalancerAccessLog",
"alb:GetLoadBalancerAttribute",
"cs:GetClustersByUid",
"cs:GetClusters",
"cs:DescribeClusterDetail",
"cs:DescribeClustersV1",
"cs:DescribeClusterAddonsVersion",
"cs:ModifyClusterAudit",
"cs:UpdateControlPlaneLog",
"cs:DescribeClusterInnerServiceKubeconfig",
"cs:GetClusterAuditProject",
"cs:CheckControlPlaneLogEnable",
"kms:DescribeKeyStores",
"oss:GetBucketInfo",
"oss:ListBuckets",
"oss:GetBucketTagging",
"oss:GetBucketWorm",
"oss:GetBucketLifecycle",
"oss:GetBucketReferer",
"oss:GetBucketInventory",
"oss:GetObject",
"oss:ListObjects",
"oss:RestoreObject",
"oss:GetMetaQueryStatus",
"oss:DoMetaQuery",
"ecs:DescribeDisks",
"ecs:DescribeSnapshots",
"ecs:DescribeRegions",
"ecs:DescribeInstances",
"ecs:DescribeSecurityGroups",
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"mse:GetGateway",
"apig:GetGateway",
"cen:ListTransitRouters",
"cen:ListTransitRouterAttachments",
"cen:ListTransitRouterVbrAttachments",
"vpc:DescribeVpcs",
"vpc:GetNatGatewayAttribute",
"vpc:DescribeNatGateways",
"vpc:DescribeRegions",
"vpc:OpenPrivateLinkService",
"vpc:DescribeVSwitches",
"vpc:CreateVSwitch",
"vpc:GetFlowLogServiceStatus",
"vpc:OpenFlowLogService",
"vpc:CreateFlowLog",
"vpc:DescribeFlowLogs",
"vpc:DeleteFlowLog",
"hbase:DescribeInstance",
"lindorm:GetLindormInstance",
"dcdn:DescribeDcdnIpaDomainDetail",
"privatelink:ListVpcEndpoints",
"privatelink:CreateVpcEndpoint",
"privatelink:ListVpcEndpointZones",
"privatelink:AddZoneToVpcEndpoint",
"pvtz:DescribeResolveAnalysisScopeStatus",
"pvtz:SetResolveAnalysisScopeStatus",
"alidns:DescribeDomains",
"cr:GetInstance",
"emr:GetCluster",
"eiam:ListInstances",
"eventbridge:CreateRule",
"eventbridge:EnableRule",
"eventbridge:DisableRule",
"eventbridge:UpdateRule",
"eventbridge:GetRule",
"eventbridge:ListRules",
"eventbridge:DeleteRule",
"eventbridge:GetEventBus",
"eventbridge:ListEventBuses",
"eventbridge:ListEventStreamings",
"eventbridge:GetEventStreaming",
"nas:DescribeFileSystems",
"nas:DeleteLogAnalysis",
"nas:CreateLogAnalysis",
"nas:DescribeLogAnalysis",
"config:DescribeIntegratedServiceStatus",
"config:UpdateIntegratedServiceStatus",
"config:StartConfigurationRecorder",
"config:DescribeConfigurationRecorder",
"config:PutConfigurationRecorder",
"asrs:GetAgent",
"cms:BatchGet",
"cms:Cursor",
"actiontrail:CreateServiceTrail",
"actiontrail:DeleteServiceTrail",
"actiontrail:GetServiceTrail",
"actiontrail:DescribeRegions",
"actiontrail:CreateTrail",
"actiontrail:DeleteTrail",
"actiontrail:StartLogging",
"actiontrail:StopLogging",
"actiontrail:UpdateTrail",
"actiontrail:GetTrailStatus",
"actiontrail:DescribeTrails",
"cloudbox:ListCloudBoxes",
"hologram:GetInstance",
"hologram:ListInstances",
"hologram:EnableQueryAudit",
"hologram:DisableQueryAudit",
"emr:ListClusters",
"emr:GetCluster",
"dds:DescribeAuditPolicy",
"dds:ModifyAuditLogFilter",
"dds:ModifyAuditPolicy",
"dds:DescribeDBInstances",
"dds:DescribeMongoDBLogConfig",
"dds:Describe*",
"sfm:Retrieve",
"sr:QueryUpgradableVersions",
"log:GetProductDataCollection",
"log:OpenProductDataCollection",
"log:CloseProductDataCollection",
"milvus:GetInstanceDetail"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ots:BulkImport",
"ots:BulkExport",
"ots:DescribeTable",
"ots:DescribeSearchIndex",
"ots:DescribeTunnel",
"ots:CreateTable",
"ots:CreateTunnel",
"ots:CreateSearchIndex",
"ots:CreateIndex",
"ots:InsertInstance",
"ots:InsertTimeseriesInstance",
"ots:GetRow",
"ots:GetRange",
"ots:GetInstance",
"ots:PutRow",
"ots:PutRow",
"ots:ListInstance",
"ots:ListTable",
"ots:ListSearchIndex",
"ots:ListTunnel",
"ots:UpdateTable",
"ots:UpdateRow",
"ots:BatchGetRow",
"ots:BatchWriteRow",
"ots:DropIndex",
"ots:DeleteTable",
"ots:DeleteRow",
"ots:DeleteSearchIndex",
"ots:DeleteTunnel",
"ots:ComputeSplitPointsBySize",
"ots:AddDefinedColumn",
"ots:DeleteDefinedColumn"
],
"Resource": [
"acs:ots:*:*:instance/bss-*",
"acs:ots:*:*:instance/bss-*/table/*"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"ots:OpenOtsService",
"ots:GetOtsServiceStatus"
],
"Resource": "acs:ots:*:*:*"
},
{
"Action": [
"bss:DescribeBillList",
"bss:DescribeGaapBill",
"bss:DescribePrice",
"bssapi:QuerySettleBill",
"bssapi:QuerySplitItemBill",
"bssapi:QueryUserOmsData",
"bssapi:DescribeSplitItemBill",
"bssapi:QueryRelationList",
"bssapi:DescribeInstanceBill",
"bssapi:CreateInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"log:CreateProject",
"log:GetProject",
"log:ListProject",
"log:ListLogStores",
"log:GetLogStore",
"log:GetLogStoreLogs",
"log:PostLogStoreLogs",
"log:BatchPostLogStoreLogs",
"log:ClearLogStoreStorage",
"log:CreateIndex",
"log:UpdateIndex",
"log:GetIndex",
"log:CreateDashboard",
"log:UpdateDashboard",
"log:ListDashboard",
"log:CreateLogStore",
"log:UpdateLogStore",
"log:CreateSavedSearch",
"log:UpdateSavedSearch",
"log:CreateJob",
"log:UpdateJob",
"log:DeleteJob",
"log:ListJobs",
"log:GetJob",
"log:ListShards",
"log:GetCursorOrData",
"log:GetConsumerGroupCheckPoint",
"log:UpdateConsumerGroup",
"log:ConsumerGroupHeartBeat",
"log:ConsumerGroupUpdateCheckPoint",
"log:ListConsumerGroup",
"log:CreateConsumerGroup",
"log:GetLogging",
"log:CreateLogging",
"log:UpdateLogging",
"log:DeleteLogging",
"log:PostProjectQuery",
"log:GetProjectQuery",
"log:PutProjectQuery",
"log:DeleteProjectQuery",
"log:GetMachineGroup",
"log:GetAppliedMachineGroups",
"log:ListMachineGroup",
"log:SplitShard",
"log:UpdateMachineGroup",
"log:UpdateMachineGroupMachine",
"log:GetConfig",
"log:ListConfig",
"log:GetLogs",
"log:CreateExternalStore",
"log:DeleteExternalStore",
"log:GetExternalStore",
"log:ListExternalStore",
"log:ListProductCollectionCluster",
"log:ListCollectionPolicies"
],
"Resource": [
"acs:log:*:*:project/*",
"acs:log::*:collectionpolicy/*"
],
"Effect": "Allow"
},
{
"Action": [
"log:GetDataExpression",
"log:CreateDataExpression",
"log:UpdateDataExpression"
],
"Resource": [
"acs:log:*:*:dataexpression/sls_default_data_expression/*"
],
"Effect": "Allow"
},
{
"Action": [
"log:GetApp",
"log:UpdateApp",
"log:CreateApp"
],
"Resource": [
"acs:log:*:*:app/audit"
],
"Effect": "Allow"
},
{
"Action": [
"mgw:GetImportJob",
"mgw:ListImportJob"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:PassRole",
"Resource": "acs:ram::*:role/aliyunserviceroleforslsaudit",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:Service": "audit.log.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"r-kvstore.aliyuncs.com",
"logdelivery.alb.aliyuncs.com",
"logdelivery.nas.aliyuncs.com",
"nat.aliyuncs.com",
"privatelink.aliyuncs.com",
"config.aliyuncs.com",
"pvtz.aliyuncs.com",
"mongodb.aliyuncs.com",
"actiontrail.aliyuncs.com"
]
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "audit.log.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"middlewarelens.log.aliyuncs.com",
"ai-lens.log.aliyuncs.com",
"securitylens.log.aliyuncs.com",
"storagelens.log.aliyuncs.com"
]
}
}
}
]
}