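The service-linked role for Cloud Config (AliyunServiceRoleForConfig) is a RAM role that Cloud Config assumes in certain scenarios to obtain access to other cloud services in order to complete one of its functions.
Note: For more information about service-linked roles, see Service-linked roles.
Scenarios
The service-linked role for Cloud Config is used in the following scenarios:
- When Cloud Config calls the OpenAPI query operations of other cloud services to retrieve the configuration of the cloud resources in the current account, it needs the service-linked role to obtain read permissions on that configuration.
- When you specify an OSS bucket to receive snapshots of resource change history, Cloud Config must write the snapshot files to that bucket, and it needs the service-linked role to obtain write permissions on the OSS bucket.
Create the service-linked role
Delete the service-linked role
Role description
The details of the service-linked role for Cloud Config are as follows:
- Role name: AliyunServiceRoleForConfig.
- Role permission policy name: AliyunServiceRolePolicyForConfig.
- Role permission policy description: grants Cloud Config permission to read the configuration of cloud resources in the current account and permission to write resource configuration change snapshots to an OSS bucket.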
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:Describe*",
        "ess:Describe*",
        "vpc:Describe*",
        "rds:DescribeDBInstance*",
        "rds:DescribeRegions",
        "rds:DescribeBackup*",
        "slb:Describe*",
        "*:DescribeTags",
        "oss:GetService",
        "oss:GetBucket*",
        "oss:ListBuckets",
        "oss:ListObjects",
        "ram:List*",
        "ram:Get*",
        "actiontrail:LookupEvents",
        "actiontrail:Describe*",
        "actiontrail:Get*",
        "ots:BatchGet*",
        "ots:Describe*",
        "ots:Get*",
        "ots:List*",
        "ocs:Describe*",
        "cms:Get*",
        "cms:List*",
        "cms:Query*",
        "cms:BatchQuery*",
        "cms:Describe*",
        "kvstore:Describe*",
        "fc:Get*",
        "fc:List*",
        "kms:DescribeKey",
        "kms:DescribeRegions",
        "kms:ListAliases",
        "kms:ListAliasesByKeyId",
        "kms:ListKeys",
        "cdn:Describe*",
        "yundun*:Get*",
        "yundun*:Describe*",
        "yundun*:Query*",
        "yundun*:List*",
        "polardb:Describe*",
        "dds:Describe*",
        "cen:Describe*",
        "mns:ListTopic",
        "mns:GetTopicAttributes",
        "resourcemanager:GetAccount",
        "resourcemanager:ListAccountsForParent",
        "resourcemanager:ListAccounts",
        "resourcemanager:GetFolder",
        "resourcemanager:ListFoldersForParent",
        "resourcemanager:ListAncestors",
        "resourcemanager:GetResourceDirectory",
        "composer:GetFlow",
        "composer:DescribeFlow",
        "nas:Describe*",
        "hbase:Describe*",
        "hbase:Get*",
        "hbase:List*",
        "hbase:Query*",
        "cs:Get*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:PutObject",
        "fc:InvokeFunction",
        "mns:PublishMessage",
        "composer:GroupInvokeFlow",
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "config:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "config.aliyuncs.com"
        }
      }
    }
  ]
}
```
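An added example, not part of the original documentation or Alibaba Cloud's own code: a Python review of the policy above that separates read-only actions from the rest and reports whether each non-read action is limited by a Condition. The read-only verb prefixes and the abbreviated POLICY sample (statements copied from this page, first action list trimmed) are assumptions made for the example.

```python
import json
import re

# Read-only verb prefixes, chosen for this example (an assumption, not an Alibaba Cloud list).
READ_ONLY = re.compile(r"^(Describe|Get|List|Query|BatchGet|BatchQuery|Lookup)")

# Abbreviated copy of AliyunServiceRolePolicyForConfig from this page (first action list trimmed).
POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["ecs:Describe*", "oss:GetBucket*", "ram:List*", "*:DescribeTags",
              "actiontrail:LookupEvents", "ots:BatchGet*", "cms:BatchQuery*"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["oss:PutObject", "fc:InvokeFunction", "mns:PublishMessage",
              "composer:GroupInvokeFlow", "log:PostLogStoreLogs"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["config:*"], "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "config.aliyuncs.com"}}}
]}
""")

def as_list(value):
    """RAM policies allow a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def review(policy):
    """Return (read_only, findings); findings are non-read Allow actions with their scope."""
    read_only, findings = [], []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Unscoped: applies to every resource and carries no Condition block.
        unscoped = "*" in as_list(stmt["Resource"]) and "Condition" not in stmt
        for action in as_list(stmt["Action"]):
            _service, _, verb = action.partition(":")
            if READ_ONLY.match(verb):
                read_only.append(action)
            else:
                findings.append({"action": action, "unscoped": unscoped})
    return read_only, findings

if __name__ == "__main__":
    ro, findings = review(POLICY)
    print(f"{len(ro)} read-only actions")
    for f in findings:
        scope = "Resource * with no Condition" if f["unscoped"] else "constrained by Condition"
        print(f"{f['action']:32} {scope}")
```

To review the full policy, replace the POLICY sample with the complete JSON document shown above.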