Background
WAF ships with only two general-purpose permission policies, QcloudWAFFullAccess and QcloudWAFReadOnlyAccess. What do you do when you need finer-grained permissions?
Problem description
A user reported that they only wanted the permission to download logs, nothing more.
Configuration steps
Finding the existing policies
To look at the policies behind the existing configuration, open the CAM console at https://console.cloud.tencent.com/cam/policy, click "Create Custom Policy" -> "Create by Policy Syntax" -> search for "WAF", then click the policy you want, as shown in the figure below.
QcloudWAFFullAccess
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "waf:*",
                "wss:CertGetList"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
QcloudWAFReadOnlyAccess
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "waf:WafGet*",
                "waf:WAFGetUserInfo",
                "waf:WafDownloadAlerts",
                "waf:WafPackagePrice",
                "waf:WafAreaBanGetAreas",
                "waf:WafFreqGetRuleList",
                "waf:WafAntiFakeGetUrl",
                "waf:WafInterface",
                "waf:WafClsOverview",
                "waf:QueryFlows",
                "waf:WafDownloadRecords",
                "waf:WafDownloadlogs",
                "waf:WafSearchLogs",
                "waf:WafDNSdetectGet*",
                "waf:BotGet*",
                "waf:BotV2Get*",
                "wss:CertGetList",
                "waf:Describe*",
                "tag:DescribeResourceTagsByResourceIds",
                "ssl:DescribeCertificates",
                "clb:DescribeLoadBalancers",
                "clb:DescribeListeners"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
Checking the product's level of CAM support
Products that support CAM:
https://cloud.tencent.com/document/product/598/10588
The table shows that WAF supports operation-level authorization only, so the resource field can only be "*".
The documentation describes operation-level authorization as follows; in short, you can restrict which API operations are allowed, but you cannot restrict access to a specific resource.
How to determine which API operations are needed
Open the WAF console, press F12 to open the browser developer tools, and watch the API requests the console sends while performing the action (here: searching and downloading logs); each request's action name is one permission the user needs.
Since QcloudWAFReadOnlyAccess does not allow creating log download tasks, and at the same time grants far more than is needed, a custom policy is required.
The final custom CAM policy for the log download permission
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "resource": [
                "*"
            ],
            "action": [
                "name/waf:DescribeSpartUser",
                "name/waf:DescribeUserEdition",
                "name/waf:DescribeSpartaProtectionList",
                "name/waf:WafDownloadlogs",
                "name/waf:WafSearchLogs",
                "name/waf:DescribeAccessLogCount",
                "name/waf:DescribeAccessLogs",
                "name/waf:DescribeAccessDownloadRecords",
                "name/waf:DescribeCLS",
                "name/waf:DescribeAttackLogCount",
                "name/waf:DescribeAttackDetail",
                "name/waf:DescribeAttackDownloadRecords",
                "name/waf:DeleteDownloadRecord",
                "name/waf:CreateAccessDownloadRecord",
                "name/waf:CreateAttackDownloadTask"
            ]
        }
    ]
}
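The two steps above (collect the action names the console sends, then turn them into an operation-level policy) and the comparison against the read-only preset are easy to get wrong by hand, so here is a small helper as an added example. It is not code from the original article or from Tencent Cloud; it assumes that CAM treats "name/waf:Foo" and "waf:Foo" as the same action, matches action wildcards case-sensitively, and applies explicit deny before allow. The observed action list is constructed from the actions the article found; "waf:ModifySpartaProtection" is used only as a write action that the policy must not grant.

```python
import fnmatch
import json

def normalize(action: str) -> str:
    """Strip the "name/" prefix the console emits so both spellings compare
    equal (assumed equivalence, see lead-in)."""
    return action[len("name/"):] if action.startswith("name/") else action

# Abbreviated copy of QcloudWAFReadOnlyAccess from the article: only the
# entries relevant to log download are kept.
READ_ONLY = {
    "version": "2.0",
    "statement": [{
        "action": ["waf:WafGet*", "waf:WAFGetUserInfo", "waf:WafDownloadlogs",
                   "waf:WafSearchLogs", "waf:Describe*", "wss:CertGetList"],
        "resource": "*",
        "effect": "allow",
    }],
}

def is_allowed(policy: dict, action: str) -> bool:
    """Evaluate one action against a policy: an explicit deny that matches
    wins, otherwise any matching allow grants, otherwise default deny."""
    wanted = normalize(action)
    decision = False
    for stmt in policy["statement"]:
        patterns = stmt["action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(wanted, normalize(p)) for p in patterns):
            if stmt["effect"] == "deny":
                return False
            decision = True
    return decision

def build_policy(observed_actions) -> dict:
    """Turn the raw list of actions captured in the F12 network tab into a
    de-duplicated operation-level policy. WAF is operation-level only, so the
    resource is always "*"; the policy never grants anything not observed."""
    actions = sorted({"name/" + normalize(a) for a in observed_actions})
    return {"version": "2.0",
            "statement": [{"effect": "allow", "resource": ["*"], "action": actions}]}

def coverage(policy: dict, actions) -> dict:
    """Map each action to whether the policy grants it; useful for comparing
    a preset against the custom policy before handing it to a user."""
    return {a: is_allowed(policy, a) for a in actions}

# Constructed sample: what a capture of the console's requests during a log
# search and download looks like. Mixed prefix forms and one repeat are
# deliberate, to show the normalization and de-duplication.
OBSERVED = [
    "waf:DescribeSpartUser", "waf:DescribeUserEdition",
    "name/waf:DescribeSpartaProtectionList", "waf:WafDownloadlogs",
    "waf:WafSearchLogs", "waf:DescribeAccessLogCount", "waf:DescribeAccessLogs",
    "waf:DescribeAccessDownloadRecords", "waf:DescribeCLS",
    "waf:DescribeAttackLogCount", "waf:DescribeAttackDetail",
    "waf:DescribeAttackDownloadRecords", "name/waf:DescribeCLS",
    "waf:DeleteDownloadRecord", "waf:CreateAccessDownloadRecord",
    "waf:CreateAttackDownloadTask",
]

if __name__ == "__main__":
    custom = build_policy(OBSERVED)
    print(json.dumps(custom, indent=2))
    checks = ["waf:WafDownloadlogs", "waf:CreateAccessDownloadRecord",
              "waf:ModifySpartaProtection"]   # last one: assumed write action name
    print("read-only preset:", coverage(READ_ONLY, checks))
    print("custom policy:   ", coverage(custom, checks))
```

Running it shows why the preset does not fit: the read-only policy grants every `waf:Describe*` call but not `waf:CreateAccessDownloadRecord`, while the custom policy grants exactly the fifteen observed actions and nothing else. Note also that the preset lists `waf:WAFGetUserInfo` separately from `waf:WafGet*`, which is consistent with the case-sensitive matching assumed here.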
Summary
1. CAM configuration is fairly involved; starting from an existing preset policy and trimming it is much faster than writing one from scratch.
2. The WAF policy templates are still limited, so some special requirements need a custom policy.
3. Follow the principle of least privilege: grant only the API operations the task actually needs.