WAF ships with only two preset permission policies, QcloudWAFFullAccess and QcloudWAFReadOnlyAccess, but we often want finer-grained permissions. What can we do?
A user reported that they only want the permission to download logs.
To see the policies behind the existing presets, open the CAM console at https://console.cloud.tencent.com/cam/policy, click "Create Custom Policy" -> "Create by Policy Syntax" -> search for "WAF", then click the corresponding policy, as shown in the figure below.
QcloudWAFFullAccess:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "waf:*",
                "wss:CertGetList"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
QcloudWAFReadOnlyAccess:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "waf:WafGet*",
                "waf:WAFGetUserInfo",
                "waf:WafDownloadAlerts",
                "waf:WafPackagePrice",
                "waf:WafAreaBanGetAreas",
                "waf:WafFreqGetRuleList",
                "waf:WafAntiFakeGetUrl",
                "waf:WafInterface",
                "waf:WafClsOverview",
                "waf:QueryFlows",
                "waf:WafDownloadRecords",
                "waf:WafDownloadlogs",
                "waf:WafSearchLogs",
                "waf:WafDNSdetectGet*",
                "waf:BotGet*",
                "waf:BotV2Get*",
                "wss:CertGetList",
                "waf:Describe*",
                "tag:DescribeResourceTagsByResourceIds",
                "ssl:DescribeCertificates",
                "clb:DescribeLoadBalancers",
                "clb:DescribeListeners"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
Products that support CAM
https://cloud.tencent.com/document/product/598/10588
As you can see, WAF only supports operation-level authorization, so resource can only be set to "*".
The documentation describes the operation level as follows; put simply, you can restrict which API operations are allowed, but not which specific resource they apply to.
We can open the console and press F12 (browser developer tools) to see which API operations each page calls.
Since QcloudWAFReadOnlyAccess does not allow creating log download tasks, and also grants far more permissions than needed, a custom policy is required.
The final custom CAM policy for the download-logs permission:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "resource": [
                "*"
            ],
            "action": [
                "name/waf:DescribeSpartUser",
                "name/waf:DescribeUserEdition",
                "name/waf:DescribeSpartaProtectionList",
                "name/waf:WafDownloadlogs",
                "name/waf:WafSearchLogs",
                "name/waf:DescribeAccessLogCount",
                "name/waf:DescribeAccessLogs",
                "name/waf:DescribeAccessDownloadRecords",
                "name/waf:DescribeCLS",
                "name/waf:DescribeAttackLogCount",
                "name/waf:DescribeAttackDetail",
                "name/waf:DescribeAttackDownloadRecords",
                "name/waf:DeleteDownloadRecord",
                "name/waf:CreateAccessDownloadRecord",
                "name/waf:CreateAttackDownloadTask"
            ]
        }
    ]
}
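To make the "start from an existing policy and trim it" approach repeatable, here is an added example (not part of the original post, and not a Tencent Cloud tool): it takes the action names observed via F12, builds a deduplicated operation-level policy with resource "*", and reports which of those actions the QcloudWAFReadOnlyAccess preset does not already grant. The action lists are copied from the policies above; the helper functions and their names are my own.

```python
import fnmatch
import json

# Subset of QcloudWAFReadOnlyAccess relevant to log download (from the post).
READONLY_ACTIONS = [
    "waf:WafGet*", "waf:WAFGetUserInfo", "waf:WafDownloadAlerts",
    "waf:WafDownloadRecords", "waf:WafDownloadlogs", "waf:WafSearchLogs",
    "waf:Describe*", "wss:CertGetList",
]

# Actions seen in the console (F12) for the download-logs workflow; the
# repeated DescribeCLS mirrors the duplicate that appears in the post.
NEEDED = [
    "waf:DescribeSpartUser", "waf:DescribeUserEdition",
    "waf:DescribeSpartaProtectionList", "waf:WafDownloadlogs",
    "waf:WafSearchLogs", "waf:DescribeAccessLogCount", "waf:DescribeAccessLogs",
    "waf:DescribeAccessDownloadRecords", "waf:DescribeCLS",
    "waf:DescribeAttackLogCount", "waf:DescribeAttackDetail",
    "waf:DescribeAttackDownloadRecords", "waf:DescribeCLS",
    "waf:DeleteDownloadRecord", "waf:CreateAccessDownloadRecord",
    "waf:CreateAttackDownloadTask",
]

def normalise(action):
    """CAM accepts both "waf:X" and "name/waf:X"; compare on the bare form."""
    return action[5:] if action.startswith("name/") else action

def build_policy(actions):
    """Operation-level policy: explicit actions, deduplicated, resource "*"."""
    unique = dict.fromkeys(normalise(a) for a in actions)  # ordered dedupe
    return {"version": "2.0", "statement": [{
        "effect": "allow", "resource": ["*"],
        "action": ["name/" + a for a in unique]}]}

def uncovered(needed, baseline):
    """Needed actions that the baseline policy does not grant (wildcards honoured)."""
    patterns = [normalise(b) for b in baseline]
    return [a for a in dict.fromkeys(map(normalise, needed))
            if not any(fnmatch.fnmatchcase(a, p) for p in patterns)]

def wildcard_actions(actions):
    """Actions ending in '*' grant more than any single console request needs."""
    return [a for a in actions if normalise(a).endswith("*")]

if __name__ == "__main__":
    print(json.dumps(build_policy(NEEDED), indent=2))
    print("not granted by ReadOnly:", uncovered(NEEDED, READONLY_ACTIONS))
```

Running it shows that the three write actions (DeleteDownloadRecord and the two Create*DownloadRecord/Task calls) are exactly what the read-only preset lacks, while the custom policy contains no wildcard action at all.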
1. CAM configuration is fairly complex; starting from an existing policy and modifying it is much more efficient.
2. WAF's policy templates are still not rich enough, so some special requirements need a custom policy.
3. Follow the principle of least privilege.
Original statement: This article is published on the Tencent Cloud Developer Community with the author's authorization; reproduction without permission is prohibited.
For infringement concerns, please contact cloudcommunity@tencent.com for removal.