配置审计服务关联角色(AliyunServiceRoleForConfig)是在某些场景下,为了完成配置审计的某个功能,需要获取其他云服务的访问权限而提供的RAM角色。
说明 更多关于服务关联角色的信息,请参见
服务关联角色。
应用场景
- 当配置审计调用各云服务的API查询接口,获取云资源的配置信息时,需要通过服务关联角色获取云资源配置信息的读取权限。
- 当您设置对象存储OSS的存储空间(Bucket)用于接收资源快照时,配置审计需向您指定的存储空间写入快照文件,需要通过服务关联角色获取存储空间的写入权限。
- 当您设置日志服务SLS的日志库(Logstore)用于接收资源日志时,配置审计需向您指定的日志库写入日志文件,需要通过服务关联角色获取日志库的写入权限。
- 当您设置消息服务MNS的主题用于接收资源事件时,配置审计需向您指定的主题写入资源事件,需要通过服务关联角色获取主题的写入权限。
角色说明
配置审计服务关联角色的详细信息如下:
- 角色名称:AliyunServiceRoleForConfig。
- 角色权限策略名称:AliyunServiceRolePolicyForConfig。
- 角色权限策略说明:授予配置审计服务读取云资源配置信息的权限,以及资源快照写入对象存储OSS存储空间、资源日志写入日志服务SLS日志库和资源事件写入消息服务MNS的权限。
{ "Version": "1", "Statement": [ { "Action": [ "ecs:Describe*", "ess:Describe*", "vpc:Describe*", "rds:DescribeDBInstance*", "rds:DescribeRegions", "rds:DescribeBackup*", "rds:DescribeParameters", "rds:DescribeSQLCollector*", "rds:DescribeActionEventPolicy", "slb:Describe*", "*:DescribeTags", "oss:GetService", "oss:GetBucket*", "oss:ListBuckets", "oss:ListObjects", "ram:List*", "ram:Get*", "actiontrail:LookupEvents", "actiontrail:Describe*", "actiontrail:Get*", "ots:BatchGet*", "ots:Describe*", "ots:Get*", "ots:List*", "ocs:Describe*", "cms:Get*", "cms:List*", "cms:Query*", "cms:BatchQuery*", "cms:Describe*", "kvstore:Describe*", "fc:Get*", "fc:List*", "kms:DescribeKey", "kms:DescribeRegions", "kms:ListAliases", "kms:ListAliasesByKeyId", "kms:ListKeys", "kms:DescribeKeyVersion", "kms:ListKeyVersions", "cdn:Describe*", "yundun*:Get*", "yundun*:Describe*", "yundun*:Query*", "yundun*:List*", "polardb:Describe*", "dds:Describe*", "cen:Describe*", "mns:ListTopic", "mns:GetTopicAttributes", "resourcemanager:GetAccount", "resourcemanager:ListAccountsForParent", "resourcemanager:ListAccounts", "resourcemanager:GetFolder", "resourcemanager:ListFoldersForParent", "resourcemanager:ListAncestors", "resourcemanager:GetResourceDirectory", "resourcemanager:ListHandshakesForResourceDirectory", "resourcemanager:GetHandshake", "resourcemanager:ListResourceGroups", "resourcemanager:GetResourceGroup", "composer:GetFlow", "composer:DescribeFlow", "nas:Describe*", "hbase:Describe*", "hbase:Get*", "hbase:List*", "hbase:Query*", "cs:Get*", "cs:List*", "dms:List*", "dms:Get*", "mq:OnsInstanceInServiceList", "mq:OnsInstanceBaseInfo", "mq:OnsTopicList", "mq:OnsGroupList", "mq:QueryInstanceBaseInfo", "mq:PUB", "mq:SUB", "mq:ListTagResources", "alidns:Describe*", "alidns:List*", "mse:Query*", "mse:List*", "ros:Describe*", "ros:Get*", "ros:List*", "elasticsearch:List*", "elasticsearch:Describe*", "dcdn:Describe*", "hcs-sgw:Describe*", "eci:Describe*", "kms:ListSecrets", "kms:DescribeSecret", "privatelink:List*", "privatelink:Get*", "brain-industrial:List*", "brain-industrial:Get*", "imagesearch:List*", "imagesearch:Describe*", "hitsdb:Describe*", "apigateway:Describe*", "sas:DescribeGroupedVul", "sas:DescribeFieldStatistics", "cmn:List*", "cmn:Get*", "ledgerdb:Describe*", "pvtz:Describe*", "oos:Search*", "oos:List*", "adb:Describe*", "edas:Read*", "drds:Describe*", "gpdb:Describe*" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "oss:PutObject", "fc:InvokeFunction", "mns:PublishMessage", "composer:GroupInvokeFlow", "composer:CreateFlow", "log:PostLogStoreLogs" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "config:*" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "config.aliyuncs.com" } } } ] }
在文档使用中是否遇到以下问题
更多建议
匿名提交