云防火墙 CFW
云服务在IAM预置了常用授权项,称为系统身份策略。如果IAM系统身份策略无法满足授权要求,管理员可以根据各服务支持的授权项,创建IAM自定义身份策略来进行精细的访问控制,IAM自定义身份策略是对系统身份策略的扩展和补充。
除IAM服务外,Organizations服务中的服务控制策略(Service Control Policy,以下简称SCP)也可以使用这些授权项元素设置访问控制策略。
SCP不直接进行授权,只划定权限边界。将SCP绑定到组织单元或者成员账号时,并没有直接对组织单元或成员账号授予操作权限,而是规定了成员账号或组织单元包含的成员账号的授权范围。IAM身份策略授予权限的有效性受SCP限制,只有在SCP允许范围内的权限才能生效。
IAM服务与Organizations服务在使用这些元素进行访问控制时,存在着一些区别,详情请参见:IAM服务与Organizations服务权限访问控制的区别。
本章节介绍IAM服务身份策略授权场景中自定义身份策略和组织服务中SCP使用的元素,这些元素包含了操作(Action)、资源(Resource)和条件(Condition)。
操作(Action)
操作(Action)即为身份策略中支持的授权项。
- “访问级别”列描述如何对操作进行分类(List、Read和Write等)。此分类可帮助您了解在身份策略中相应操作对应的访问级别。
- “资源类型”列指每个操作是否支持资源级权限。
- 资源类型支持通配符号*表示所有。如果此列没有值(-),则必须在身份策略语句的Resource元素中指定所有资源类型(“*”)。
- 如果该列包含资源类型,则必须在具有该操作的语句中指定该资源的URN。
- 资源类型列中必需资源在表中用星号(*)标识,表示使用此操作必须指定该资源类型。
关于CFW定义的资源类型的详细信息请参见资源类型(Resource)。
- “条件键”列包括了可以在身份策略语句的Condition元素中支持指定的键值。
- 如果该授权项资源类型列存在值,则表示条件键仅对列举的资源类型生效。
- 如果该授权项资源类型列没有值(-),则表示条件键对整个授权项生效。
- 如果此列条件键没有值(-),表示此操作不支持指定条件键。
关于CFW定义的条件键的详细信息请参见条件(Condition)。
- “别名”列包括了可以在身份策略中配置的策略授权项。通过这些授权项,可以控制支持策略授权的API访问。详细信息请参见身份策略兼容性说明。
您可以在身份策略语句的Action元素中指定以下CFW的相关操作。
|
授权项 |
描述 |
访问级别 |
资源类型(*为必须) |
条件键 |
别名 |
|---|---|---|---|---|---|
|
cfw:instance:listDomainParseServers |
授予查询域名解析服务器列表的权限。 |
List |
instance * |
cfw:domain:get |
|
|
cfw:instance:updateDomainParseServer |
授予更新域名解析服务器的权限。 |
Write |
instance * |
cfw:acl:put |
|
|
cfw:domainGroup:update |
授予更新域名组的权限。 |
Write |
domainGroup * |
- |
cfw:ipGroup:put |
|
instance * |
|||||
|
cfw:domainGroup:delete |
授予删除域名组的权限。 |
Write |
domainGroup * |
- |
cfw:ipGroup:delete |
|
instance * |
|||||
|
cfw:domainGroup:list |
授予列出域名组列表的权限。 |
List |
instance * |
cfw:ipGroup:list |
|
|
cfw:instance:listAdvanceIpsRules |
授予查询云防火墙高级ips规则列表的权限。 |
List |
instance * |
cfw:ipsMode:get |
|
|
cfw:instance:updateCustomRule |
授予更新云防火墙用户自定义ips的权限。 |
Write |
instance * |
cfw:ipsMode:operate |
|
|
cfw:instance:updateLogConfig |
授予更新云防火墙LTS日志配置的权限。 |
Write |
instance * |
cfw:instance:upgrade |
|
|
- |
|||||
|
cfw:instance:createCaptureTask |
授予创建云防火墙抓包任务的权限。 |
Write |
instance * |
cfw:captureTask:create |
|
|
cfw:instance:createCustomRule |
授予创建云防火墙自定义IPS规则的权限。 |
Write |
instance * |
cfw:ipsMode:operate |
|
|
cfw:instance:createTags |
授予创建云防火墙标签的权限。 |
Tagging |
instance * |
cfw:instance:upgrade |
|
|
- |
|||||
|
cfw:instance:deleteInstance |
授予删除云防火墙实例的权限。 |
Write |
instance * |
cfw:instance:delete |
|
|
cfw:instance:deleteCaptureTask |
授予删除云防火墙抓包任务的权限。 |
Write |
instance * |
cfw:captureTask:delete |
|
|
cfw:instance:deleteCustomRule |
授予删除云防火墙用户自定义IPS规则的权限。 |
Write |
instance * |
cfw:ipsMode:operate |
|
|
cfw:instance:deleteTags |
授予删除云防火墙标签的权限。 |
Tagging |
instance * |
cfw:instance:upgrade |
|
|
- |
|||||
|
cfw:instance:getCaptureTaskResult |
授予查询云防火墙抓包任务结果的权限。 |
Read |
instance * |
cfw:captureTask:getResult |
|
|
cfw:instance:listProjectTags |
授予查询云防火墙项目标签列表的权限。 |
List |
- |
- |
cfw:instance:list |
|
cfw:instance:getRegionDb |
授予查询云防火墙地理位置库的权限。 |
Read |
instance * |
cfw:acl:list |
|
|
cfw:instance:listAccessControlLog |
授予查询云防火墙访问控制日志列表的权限。 |
List |
instance * |
cfw:accessControlLog:list |
|
|
cfw:instance:listAttackLog |
授予查询云防火墙攻击日志列表的权限。 |
List |
instance * |
cfw:attackLog:list |
|
|
cfw:instance:listCaptureTask |
授予查询云防火墙抓包任务列表的权限。 |
List |
instance * |
cfw:captureTask:list |
|
|
cfw:instance:listCustomRule |
授予查询云防火墙用户自定义IPS列表的权限。 |
List |
instance * |
cfw:ipsMode:get |
|
|
cfw:instance:getEw |
授予查询云防火墙东西向墙的权限。 |
Read |
instance * |
cfw:instance:list |
|
|
cfw:instance:listFlowLog |
授予展示云防火墙流量日志列表的权限。 |
List |
instance * |
cfw:flowLog:list |
|
|
cfw:instance:listIpsRule |
授予展示云防火墙IPS规则列表的权限。 |
List |
instance * |
cfw:ipsMode:get |
|
|
cfw:instance:updateAdvanceIpsRule |
授予更新云防火墙高级ips规则的权限。 |
Write |
instance * |
cfw:ipsMode:operate |
|
|
cfw:instance:saveTags |
授予替换云防火墙标签的权限。 |
Tagging |
instance * |
cfw:instance:upgrade |
|
|
- |
|||||
|
cfw:instance:stopCaptureTask |
授予停止云防火墙抓包任务的权限。 |
Write |
instance * |
cfw:captureTask:stop |
|
|
cfw:instance:updateAlarmConfig |
授予更新云防火墙告警配置的权限。 |
Write |
instance * |
cfw:instance:create |
|
|
cfw:instance:getAlarmConfig |
授予查询云防火墙告警配置的权限。 |
Read |
instance * |
cfw:instance:list |
|
|
cfw:instance:enableMultiAccount |
授予开启云防火墙多账号管理的权限。 |
Write |
instance * |
- |
|
|
cfw:instance:listAccounts |
授予查看多账号列表的权限。 |
List |
instance * |
- |
|
|
cfw:instance:listOrganizationTree |
授予查看组织树的权限。 |
List |
instance * |
- |
|
|
cfw:instance:addAccount |
授予添加账号的权限。 |
Write |
instance * |
- |
|
|
cfw:instance:updateAntiVirusRule |
授予更新云防火墙反病毒规则的权限。 |
Write |
instance * |
- |
|
|
cfw:instance:getAntiVirusRule |
授予查看云防火墙反病毒规则的权限。 |
Read |
instance * |
- |
|
|
cfw:instance:createReportProfile |
授予创建防火墙周报模板的权限。 |
Write |
instance * |
- |
|
|
cfw:instance:updateReportProfile |
授予更新防火墙周报模板的权限。 |
Write |
instance * |
- |
|
|
cfw:instance:deleteReportProfile |
授予删除防火墙周报模板的权限。 |
Write |
instance * |
- |
CFW的API通常对应着一个或多个授权项。表2展示了API与授权项的关系,以及该API需要依赖的授权项。
|
API |
对应的授权项 |
依赖的授权项 |
|---|---|---|
|
GET /v1/{project_id}/cfw/logs/flow |
cfw:instance:listFlowLog |
- |
|
GET /v1/{project_id}/cfw/logs/access-control |
cfw:instance:listAccessControlLog |
- |
|
GET /v1/{project_id}/cfw/logs/attack |
cfw:instance:listAttackLog |
- |
|
PUT /v1/{project_id}/cfw/logs/configuration |
cfw:instance:updateLogConfig |
- |
|
GET /v1/{project_id}/acl-rule/import-status |
cfw:acl:getImportStatus |
- |
|
POST /v1/{project_id}/firewall/east-west |
cfw:instance:createInstance |
|
|
DELETE /v2/{project_id}/firewall/{resource_id} |
cfw:instance:deleteInstance |
- |
|
GET /v1/{project_id}/ips-rule |
cfw:instance:listIpsRule |
- |
|
GET /v1/{project_id}/regions |
cfw:instance:getRegionDb |
- |
|
GET /v1/{project_id}/advanced-ips-rules |
cfw:instance:listAdvanceIpsRules |
- |
|
POST /v1/{project_id}/advanced-ips-rule |
cfw:instance:updateAdvanceIpsRule |
- |
|
GET /v1/{project_id}/ips/custom-rule |
cfw:instance:listCustomRule |
- |
|
PUT /v1/{project_id}/ips/custom-rule/{ips_cfw_id} |
cfw:instance:updateCustomRule |
- |
|
POST /v1/{project_id}/ips/custom-rule/batch-delete |
cfw:instance:deleteCustomRule |
- |
|
POST /v1/{project_id}/ips/custom-rule |
cfw:instance:createCustomRule |
- |
|
GET /v1/{project_id}/cfw/alarm/config |
cfw:instance:getAlarmConfig |
- |
|
PUT /v1/{project_id}/cfw/alarm/config |
cfw:instance:updateAlarmConfig |
- |
|
GET /v1/{project_id}/firewall/east-west |
cfw:instance:getEw |
|
|
POST /v2/{project_id}/cfw-cfw/{fw_instance_id}/tags/create |
cfw:instance:createTags |
- |
|
DELETE /v2/{project_id}/cfw-cfw/{fw_instance_id}/tags/delete |
cfw:instance:deleteTags |
- |
|
PUT /v2/{project_id}/cfw-cfw/{fw_instance_id}/tags/save |
cfw:instance:saveTags |
- |
|
GET /v2/{project_id}/cfw-cfw/tags |
cfw:instance:listProjectTags |
- |
|
GET /v1/{project_id}/capture-task |
cfw:instance:listCaptureTask |
- |
|
POST /v1/{project_id}/capture-task |
cfw:instance:createCaptureTask |
- |
|
POST /v1/{project_id}/capture-task/stop |
cfw:instance:stopCaptureTask |
- |
|
POST /v1/{project_id}/capture-task/batch-delete |
cfw:instance:deleteCaptureTask |
- |
|
GET /v1/{project_id}/capture-task/capture-result |
cfw:instance:getCaptureTaskResult |
- |
|
GET /v1/{project_id}/dns/servers |
cfw:instance:listDomainParseServers |
- |
|
PUT /v1/{project_id}/dns/servers |
cfw:instance:updateDomainParseServer |
- |
|
PUT /v1/{project_id}/domain-set/{set_id} |
cfw:domainGroup:update |
- |
|
DELETE /v1/{project_id}/domain-set/{set_id} |
cfw:domainGroup:delete |
- |
|
GET /v1/{project_id}/domain-sets |
cfw:domainGroup:list |
- |
|
POST /v1/{project_id}/system/multi-account/enable |
cfw:instance:enableMultiAccount |
|
|
GET /v1/{project_id}/system/multi-account/accounts |
cfw:instance:listAccounts |
|
|
POST /v1/{project_id}/system/multi-account/accounts |
cfw:instance:addAccount |
|
|
GET /v1/{project_id}/system/multi-account/organization-tree |
cfw:instance:listOrganizationTree |
|
|
GET /v1/{project_id}/anti-virus/rule |
cfw:instance:getAntiVirusRule |
- |
|
PUT /v1/{project_id}/anti-virus/rule |
cfw:instance:updateAntiVirusRule |
- |
|
PUT /v1/{project_id}/report-profile/{report_profile_id} |
cfw:instance:updateReportProfile |
- |
|
DELETE /v1/{project_id}/report-profile/{report_profile_id} |
cfw:instance:deleteReportProfile |
- |
|
POST /v1/{project_id}/report-profile |
cfw:instance:createReportProfile |
- |
|
DELETE /v1/{project_id}/address-items |
cfw:ipGroup:deleteIpGroupMember |
- |
|
GET /v1/{project_id}/address-sets/{set_id} |
cfw:ipGroup:getIpGroup |
- |
|
GET /v1/{project_id}/address-items |
cfw:ipGroup:listIpGroupMember |
- |
|
GET /v1/{project_id}/address-sets |
cfw:ipGroup:listIpGroups |
- |
|
DELETE /v1/{project_id}/domain-set/domains/{set_id} |
cfw:domainGroup:delete |
- |
|
GET /v1/{project_id}/service-items |
cfw:serviceGroup:listServiceGroupMember |
- |
|
DELETE /v1/{project_id}/service-items/{item_id} |
cfw:serviceGroup:deleteServiceGroupMember |
- |
|
POST /v1/{project_id}/black-white-list |
cfw:blackWhiteList:create |
- |
|
DELETE /v1/{project_id}/service-sets/{set_id} |
cfw:serviceGroup:delete |
- |
|
POST /v1/{project_id}/firewalls/list |
cfw:instance:listInstance |
- |
|
PUT /v1/{project_id}/service-sets/{set_id} |
cfw:serviceGroup:update |
- |
|
POST /v1/{project_id}/eip/protect |
cfw:eip:updateProtectStatus |
- |
|
POST /v1/{project_id}/domain-set |
cfw:domainGroup:create |
- |
|
GET /v1/{project_id}/firewall/exist |
cfw:instance:getInstance |
- |
|
DELETE /v1/{project_id}/acl-rule |
cfw:acl:deleteAclRule |
- |
|
GET /v1/{project_id}/domain/parse/{domain_name} |
cfw:instance:listDomainParseServers |
- |
|
POST /v1/{project_id}/acl-rule/count |
cfw:acl:listAclRules |
- |
|
DELETE /v1/{project_id}/address-sets/{set_id} |
cfw:ipGroup:deleteIpGroup |
- |
|
POST /v1/{project_id}/domain-set/domains/{set_id} |
cfw:domainGroup:create |
- |
|
GET /v1/{project_id}/service-sets |
cfw:serviceGroup:list |
- |
|
GET /v2/{project_id}/cfw-acl/tags |
cfw:acl:listAclTags |
- |
|
POST /v1/{project_id}/service-set |
cfw:serviceGroup:create |
- |
|
DELETE /v1/{project_id}/service-items |
cfw:serviceGroup:deleteServiceGroupMember |
- |
|
POST /v1/{project_id}/ips/switch |
cfw:instance:updateIpsStatus |
- |
|
POST /v1/{project_id}/ips/protect |
cfw:instance:updateIpsMode |
- |
|
GET /v1/{project_id}/service-sets/{set_id} |
cfw:serviceGroup:get |
- |
|
DELETE /v1/{project_id}/acl-rule/count |
cfw:acl:deleteHitCount |
- |
|
PUT /v1/{project_id}/address-sets/{set_id} |
cfw:ipGroup:updateIpGroup |
- |
|
DELETE /v1/{project_id}/acl-rule/{acl_rule_id} |
cfw:acl:deleteAclRule |
- |
|
PUT /v1/{project_id}/acl-rule/action |
cfw:acl:updateAclRuleAction |
- |
|
POST /v1/{project_id}/address-set |
cfw:ipGroup:createIpGroup |
- |
|
PUT /v1/{project_id}/black-white-list/{list_id} |
cfw:blackWhiteList:update |
- |
|
DELETE /v1/{project_id}/address-items/{item_id} |
cfw:ipGroup:deleteIpGroupMember |
- |
|
GET /v1/{project_id}/ips/switch |
cfw:instance:getIpsStatus |
- |
|
PUT /v1/{project_id}/acl-rule/{acl_rule_id} |
cfw:acl:updateAclRule |
- |
|
GET /v1/{project_id}/vpcs/protection |
cfw:instance:listProtectedVpc |
- |
|
GET /v1/{project_id}/eip-count/{object_id} |
cfw:eip:count |
- |
|
GET /v1/{project_id}/black-white-lists |
cfw:blackWhiteList:list |
- |
|
GET /v1/{project_id}/eips/protect |
cfw:eip:list |
- |
|
DELETE /v1/{project_id}/black-white-list/{list_id} |
cfw:blackWhiteList:delete |
- |
|
GET /v1/{project_id}/acl-rules |
cfw:acl:listAclRules |
- |
|
GET /v1/{project_id}/domain-set/domains/{domain_set_id} |
cfw:domainGroup:list |
- |
|
POST /v1/{project_id}/acl-rule |
cfw:acl:createAclRule |
- |
|
PUT /v1/{project_id}/acl-rule/order/{acl_rule_id} |
cfw:acl:setPriority |
- |
|
POST /v1/{project_id}/address-items |
cfw:ipGroup:createIpGroupMember |
- |
|
GET /v1/{project_id}/ips/protect |
cfw:instance:getIpsMode |
- |
|
POST /v1/{project_id}/service-items |
cfw:serviceGroup:createServiceGroupMember |
- |
|
GET /v1/{project_id}/cfw/logs/configuration |
cfw:instance:getLogConfig |
- |
|
POST /v1/{project_id}/cfw/logs/configuration |
cfw:instance:updateLogConfig |
- |
|
POST /v2/{project_id}/firewall |
cfw:instance:createInstance |
- |
|
GET /v3/{project_id}/jobs/{job_id} |
cfw:instance:listInstance |
- |
资源类型(Resource)
资源类型(Resource)表示身份策略所作用的资源。如表3中的某些操作指定了可以在该操作指定的资源类型,则必须在具有该操作的身份策略语句中指定该资源的URN,身份策略仅作用于此资源;如未指定,Resource默认为“*”,则身份策略将应用到所有资源。您也可以在身份策略中设置条件,从而指定资源类型。
CFW定义了以下可以在自定义身份策略的Resource元素中使用的资源类型。
|
资源类型 |
URN |
|---|---|
|
blackWhiteList |
cfw:<region>:<account-id>:blackWhiteList:<blackWhiteList-id> |
|
acl |
cfw:<region>:<account-id>:acl:<acl-id> |
|
instance |
cfw:<region>:<account-id>:instance:<fwInstance-id> |
|
serviceGroup |
cfw:<region>:<account-id>:serviceGroup:<serviceGroup-id> |
|
domainGroup |
cfw:<region>:<account-id>:domainGroup:<domainGroup-id> |
|
ipGroup |
cfw:<region>:<account-id>:ipGroup:<ipGroup-id> |
|
eip |
cfw:<region>:<account-id>:eip:<eip-id> |
条件(Condition)
条件键概述
条件(Condition)是身份策略生效的特定条件,包括条件键和运算符。
- 条件键表示身份策略语句的Condition元素中的键值。根据适用范围,分为全局级条件键和服务级条件键。
- 全局级条件键(前缀为g:)适用于所有操作,在鉴权过程中,云服务不需要提供用户身份信息,系统将自动获取并鉴权。详情请参见:全局条件键。
- 服务级条件键(前缀通常为服务缩写,如cfw:)仅适用于对应服务的操作,详情请参见表4。
- 单值/多值表示API调用时请求中与条件关联的值数。单值条件键在API调用时的请求中最多包含一个值,多值条件键在API调用时请求可以包含多个值。例如:g:SourceVpce是单值条件键,表示仅允许通过某个VPC终端节点发起请求访问某资源,一个请求最多包含一个VPC终端节点ID值。g:TagKeys是多值条件键,表示请求中携带的所有标签的key组成的列表,当用户在调用API请求时传入标签可以传入多个值。
- 运算符与条件键、条件值一起构成完整的条件判断语句,当请求信息满足该条件时,身份策略才能生效。支持的运算符请参见:运算符。
CFW支持的服务级条件键
CFW定义了以下可以在自定义身份策略的Condition元素中使用的条件键,您可以使用这些条件键进一步细化身份策略语句应用的条件。
