您可以授予RDS审计中心、日志审计服务使用SLS日志审计服务关联角色(AliyunServiceRoleForSLSAudit)来获取其他云服务中的资源。本文介绍AliyunServiceRoleForSLSAudit角色的应用场景和权限策略。

应用场景

AliyunServiceRoleForSLSAudit角色用于在RDS审计中心、日志审计服务中采集云产品日志。

当您在RDS审计中心或日志审计服务中进行日志采集时,日志服务会调用相关云产品的OpenAPI接口获取采集账号下的云产品信息。此过程中,日志服务需要通过AliyunServiceRoleForSLSAudit角色获取云产品的部分读取及修改权限。更多信息,请参见服务关联角色

AliyunServiceRoleForSLSAudit角色说明

  • 角色名称:AliyunServiceRoleForSLSAudit
  • 角色权限策略:AliyunServiceRolePolicyForSLSAudit
  • 权限说明:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "resourcemanager:ListAccounts",
                    "resourcemanager:GetAccount",
                    "resourcemanager:GetResourceDirectory",
                    "resourcemanager:GetFolder",
                    "resourcemanager:ListFoldersForParent",
                    "resourcemanager:ListAccountsForParent",
                    "rds:DescribeRegions",
                    "rds:DescribeSqlLogInstances",
                    "rds:DescribeDBInstanceAttribute",
                    "rds:ListTagResources",
                    "rds:DisableSqlLogDistribution",
                    "rds:EnableSqlLogDistribution",
                    "rds:ModifySQLCollectorPolicy",
                    "polardb:DescribeSqlLogClusters",
                    "polardb:ModifyDBClusterAuditLogCollector",
                    "polardb:DescribeDBClusterAttribute",
                    "kvstore:DescribeRegions",
                    "kvstore:DescribeInstances",
                    "kvstore:DescribeRedisLogConfig",
                    "kvstore:ModifyAuditLogConfig",
                    "kvstore:DescribeInstanceAttribute",
                    "drds:DescribeDrdsInstances",
                    "drds:DescribeDrdsDBs",
                    "drds:EnableSqlAuditExtraWrite",
                    "drds:DisableSqlAuditExtraWrite",
                    "drds:DescribeDrdsRegions",
                    "drds:DescribeDrdsSqlAuditStatus",
                    "slb:DescribeRegions",
                    "slb:DescribeLoadBalancers",
                    "slb:DescribeLoadBalancerAttribute",
                    "cs:GetClustersByUid",
                    "cs:GetClusters",
                    "kms:DescribeKeyStores",
                    "oss:GetBucketInfo",
                    "oss:ListBuckets",
                    "oss:GetBucketTagging",
                    "oss:GetBucketWorm",
                    "ecs:DescribeDisks",
                    "ecs:DescribeSnapshots",
                    "ecs:DescribeRegions"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:CreateProject",
                    "log:GetProject",
                    "log:ListProject",
                    "log:ListLogStores",
                    "log:GetLogStore",
                    "log:GetLogStoreLogs",
                    "log:PostLogStoreLogs",
                    "log:CreateIndex",
                    "log:UpdateIndex",
                    "log:CreateDashboard",
                    "log:UpdateDashboard",
                    "log:CreateLogStore",
                    "log:CreateSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:CreateJob",
                    "log:UpdateJob"
                ],
                "Resource": [
                    "acs:log:*:*:project/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:GetApp",
                    "log:UpdateApp"
                ],
                "Resource": [
                    "acs:log:*:*:app/audit"
                ],
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "audit.log.aliyuncs.com"
                    }
                }
            }
        ]
    }