Alibaba Cloud required permissions

Views:

Review the permissions required to deploy resources and the permissions granted when connecting Alibaba Cloud accounts to Trend Vision One.

Alibaba Cloud required permissions

Feature	Required Permissions	Description
Core Features	`actiontrail:DescribeTrails` `adb:DescribeDBClusters` `gpdb:DescribeDBInstances` `apigateway:DescribeInstances` `apigateway:DescribeApiGroups` `apigateway:DescribeApis` `cr:ListInstance` `cr:ListInstanceEndpoint` `cr:ListRepository cr:ListNamespace` `cr:ListRepositoryTag ram:ListUsers` `ram:DeleteOIDCProvider` `ram:DeletePolicy` `ram:DeletePolicyVersion` `ram:DeleteRole` `ram:DetachPolicyFromRole` `ram:DetachPolicyFromUser` `ram:ListEntitiesForPolicy` `ram:ListPolicies` `ram:ListRoles` `ram:ListPoliciesForRole` `ram:ListPolicyVersions` `ram:ListTagResources` `ram:GetOIDCProvider` `ram:GetRole` `ram:GetPolicy` `ram:UpdateRole` `ram:GetUserMFAInfo` `ram:GetLoginProfile` `ram:ListPoliciesForUser` `ram:ListAccessKeys` `ram:GetPolicy ram:ListPolicies` `ram:GetPasswordPolicy` `ram:ListVirtualMFADevices` `ram:ListGroups ram:ListRoles` `ram:GetRole oss:ListBuckets` `oss:GetBucketInfo` `oss:GetBucketPolicy` `oss:GetBucketTagging` `oss:GetBucketLogging` `ots:ListInstance` `ots:ListTable` `ots:DescribeTable` `rds:DescribeDBInstances` `rds:DescribeSQLCollectorPolicy` `rds:DescribeDBInstanceIPArrayList` `rds:DescribeDBInstanceSSL` `rds:DescribeDBInstanceTDE` `rds:DescribeSQLCollectorRetention` `rds:DescribeTags` `cs:DescribeClusterNodePools` `cs:ListClusterChecks` `cs:GetClusters` `cs:DescribeClusters` `yundun-sas:ListUninstallAegisMachines` `yundun-sas:DescribeVulConfig` `yundun-sas:DescribeVersionConfig` `yundun-sas:DescribeConcernNecessity` `yundun-aegis:DescribeNoticeConfig` `yundun-waf:DescribeInstance` `ecs:DescribeInstances` `ecs:DescribeDisks` `ess:DescribeScalingGroups` `vpc:DescribeVpcs` `vpc:DescribeNatGateways` `vpc:DescribeVpnGateways` `vpc:DescribeEipAddresses` `fc:ListFunctions fc:GetResourceTags` `fc:ListLayers` `fc:ListTagResources` `ecs:DescribeDedicatedHosts` `kms:ListKeys` `kms:DescribeKey` `kms:ListAliasesByKeyId` `kms:ListResourceTags` `kms:GetKeyPolicy` `kvstore:DescribeInstances` `alb:ListLoadBalancers` `alb:ListLoadBalancers` `nlb:ListLoadBalancers` `nas:DescribeFileSystems` `ehpc:ListClusters` `ehpc:ListTagResources` `slb:DescribeLoadBalancers` `cen:DescribeCens` `elasticsearch:ListInstance` `dds:DescribeDBInstances` eci:DescribeContainerGroups `fnf:ListFlows eiam:ListInstances` `eiam:GetInstance` `privatelink:ListVpcEndpoints`	These permissions are required to connect Alibaba Cloud accounts to Trend Vision One.
Server & Workload Protection	`ram:GetAccountAlias` `ecs:DescribeInstances` `ecs:DescribeInstanceAttribute` `ecs:DescribeInstanceStatus` `ecs:DescribeInstancesFullStatus` `ecs:DescribeSecurityGroupAttribute` `ecs:DescribeSecurityGroups` `ecs:DescribeManagedInstances` `ecs:DescribeTags` `vpc:DescribeVSwitches` `vpc:DescribeVSwitchAttributes` `vpc:DescribeVpcs` `vpc:DescribeVpcAttribute`
Cloud Security Posture	`actiontrail:DescribeTrails` `adb:DescribeDBClusters` `gpdb:DescribeDBInstances` `apigateway:DescribeInstances` `apigateway:DescribeApiGroups` `apigateway:DescribeApis` `cr:ListInstance` `cr:ListInstanceEndpoint` `cr:ListRepository` `cr:ListNamespace` `cr:ListRepositoryTag` `ram:ListUsers` `ram:GetUserMFAInfo` `ram:GetLoginProfile` `ram:ListPoliciesForUser` `ram:ListAccessKeys` `ram:GetPolicy` `ram:ListPolicies` `ram:GetPasswordPolicy` `ram:ListVirtualMFADevices` `ram:ListGroups` `ram:ListRoles` `ram:GetRole` `oss:ListBuckets` `oss:GetBucketInfo` `oss:GetBucketPolicy` `oss:GetBucketTagging` `oss:GetBucketLogging` `ots:ListInstance` `ots:ListTable` `ots:DescribeTable` `rds:DescribeDBInstances` `rds:DescribeSQLCollectorPolicy` `rds:DescribeDBInstanceIPArrayList` `rds:DescribeDBInstanceSSL` `rds:DescribeParameters` `rds:DescribeDBInstanceTDE` `rds:DescribeSQLCollectorRetention` `rds:DescribeTags` `cs:DescribeClusterNodePools` `cs:ListClusterChecks` `cs:GetClusters` `cs:DescribeClusters` `yundun-sas:ListUninstallAegisMachines` `yundun-sas:DescribeVulConfig` `yundun-sas:DescribeVersionConfig` `yundun-sas:DescribeConcernNecessity` `yundun-aegis:DescribeNoticeConfig` `yundun-waf:DescribeInstance` `ecs:DescribeInstances` `ecs:DescribeDisks` `ess:DescribeScalingGroups` `vpc:DescribeVpcs` `vpc:DescribeNatGateways` `vpc:DescribeVpnGateways` `vpc:DescribeEipAddresses` `fc:ListFunctions` `fc:GetResourceTags` `fc:ListLayers` `fc:ListTagResources` `ecs:DescribeDedicatedHosts` `kms:ListKeys` `kms:DescribeKey` `kms:ListAliasesByKeyId` `kms:ListResourceTags` `kms:GetKeyPolicy` `kvstore:DescribeInstances` `alb:ListLoadBalancers` `nlb:ListLoadBalancers` `nas:DescribeFileSystems` `ehpc:ListClusters` `ehpc:ListTagResources` `slb:DescribeLoadBalancers` `cen:DescribeCens` `elasticsearch:ListInstance` `dds:DescribeDBInstances` `eci:DescribeContainerGroups` `fnf:ListFlows` `eiam:ListInstances` `eiam:GetInstance` `privatelink:ListVpcEndpoints`
Agentless Vulnerability & Threat Detection	Event Bridge permissions: `eventbridge:CheckServiceLinkedRoleForProduct` `eventbridge:DisableRule` `eventbridge:EnableRule` `eventbridge:GetEventBridgeStatus` `eventbridge:GetEventBus` `eventbridge:GetEventSource` `eventbridge:GetRule` `eventbridge:ListEventBuses` `eventbridge:ListEventSources` `eventbridge:ListRules` `eventbridge:ListTagResources` `eventbridge:ListTargets` `eventbridge:ListTargetsByRule` `eventbridge:ListTargetTypes` `eventbridge:ListUserDefinedEventSources` `eventbridge:PutEventSource` `eventbridge:PutRule` `eventbridge:PutTargets` `eventbridge:TagResources` `eventbridge:UntagResources` `eventbridge:UpdateEventBus` `eventbridge:UpdateEventSource` Alibaba Cloud predefined policies: `AliyunEventBridgeResourceCreatePolicy` `AliyunEventBridgeResourceDeletePolicy` `AliyunEventBridgeResourceUpdatePolicy` `AliyunEventBridgePutEventsPolicy` ECS permissions: `ecs:CreateSecurityGroup` `ecs:DeleteInstance` `ecs:DeleteInstances` `ecs:DeleteKeyPairs` `ecs:DeleteSecurityGroup` `ecs:DeleteSnapshot` `ecs:DeleteSnapshotGroup` `ecs:DeleteVolume` `ecs:DescribeDisks` `ecs:DescribeImages` `ecs:DescribeInstanceStatus` `ecs:DescribeInstanceTypeResource` `ecs:DescribeInstances` `ecs:DescribeSecurityGroupAttribute` `ecs:DescribeSecurityGroups` `ecs:DescribeVolumes` `ecs:DetachVolume` Function Compute permissions: `fc:CreateFunction` `fc:CreateService` `fc:CreateTrigger` `fc:DeleteConcurrencyConfig` `fc:DeleteFunction` `fc:DeleteFunctionAsyncInvokeConfig` `fc:DeleteService` `fc:DeleteTrigger` `fc:DeleteTriggerWithEventSource` `fc:GetConcurrencyConfig` `fc:GetFunction` `fc:GetFunctionAsyncInvokeConfig` `fc:GetService` `fc:GetTrigger` `fc:InvokeFunction` `fc:InvokeFunctionAsync` `fc:ListFunctions` `fc:ListServices` `fc:ListServiceVersions` `fc:ListTriggers` `fc:ListTriggersWithEventSource` `fc:PutConcurrencyConfig` `fc:PutFunctionAsyncInvokeConfig` `fc:TagResource` `fc:TagResources` `fc:UnTagResource` `fc:UpdateFunction` `fc:UpdateService` `fc:UpdateTrigger` Key Management Service permissions: `kms:CreateSecret` `kms:DeleteSecret` `kms:DescribeSecret` `kms:GetSecretValue` `kms:PutSecretValue` `kms:UpdateSecret` Simple Log Service permissions: `log:CreateIndex` `log:CreateLogging` `log:CreateLogStore` `log:CreateProject` `log:DeleteIndex` `log:DeleteLogStore` `log:DeleteProject` `log:ListProject` `log:ListShards` `log:ListTagResources` `log:GetIndex` `log:GetLogging` `log:GetLogStore` `log:GetLogStoreLogs` `log:GetLogStoreMeteringMode` `log:GetProject` `log:GetProjectPolicy` `log:GetProjectPolicy` `log:TagResources` `log:UpdateIndex` `log:UpdateLogStore` `log:UpdateProject` Simple Message Queue permissions (formerly MNS): `mns:CreateQueue` `mns:DeleteQueue` `mns:GetQueueAttributes` `mns:ListQueue` `mns:ListTagResources` CloudOps Orchestration Service permissions: `oos:CreateSecretParameter` `oos:DeleteParameter` `oos:DeleteSecretParameter` `oos:GetSecretParameter` `oos:ListParameters` `oos:ListSecretParameters` `oos:ListTagResources` `oos:UpdateSecretParameter` Object Storage Service permissions: `oss:AppendObject` `oss:CleanRestoredObject` `oss:DeleteAccessPoint` `oss:DeleteAccessPointForObjectProcess` `oss:DeleteAccessPointPolicy` `oss:DeleteAccessPointPolicyForObjectProcess` `oss:DeleteAccessPointPublicAccessBlock` `oss:DeleteBucket` `oss:DeleteBucketCallbackPolicy` `oss:DeleteBucketCommonHeader` `oss:DeleteBucketCors` `oss:DeleteBucketDataRedundancyTransition` `oss:DeleteBucketEncryption` `oss:DeleteBucketEventNotification` `oss:DeleteBucketImage` `oss:DeleteBucketInventory` `oss:DeleteBucketLifecycle` `oss:DeleteBucketLogging` `oss:DeleteBucketNotification` `oss:DeleteBucketPolicy` `oss:DeleteBucketPublicAccessBlock` `oss:DeleteBucketQoSInfo` `oss:DeleteBucketReplication` `oss:DeleteBucketRequesterQoSInfo` `oss:DeleteBucketResponseHeader` `oss:DeleteBucketTagging` `oss:DeleteBucketWebsite` `oss:DeleteCache` `oss:DeleteObject` `oss:DeleteObjectTagging` `oss:DeleteObjectVersion` `oss:DeletePublicAccessBlock` `oss:DescribeRegions` `oss:GetAccessPoint` `oss:GetAccessPointConfigForObjectProcess` `oss:GetAccessPointForObjectProcess` `oss:GetAccessPointPolicy` `oss:GetAccessPointPolicyForObjectProcess` `oss:GetAccessPointPublicAccessBlock` `oss:GetAsyncFetchTask` `oss:GetBucketAccessMonitor` `oss:GetBucketAcl` `oss:GetBucketArchiveDirectRead` `oss:GetBucketCallbackPolicy` `oss:GetBucketCommonHeader` `oss:GetBucketCors` `oss:GetBucketEncryption` `oss:GetBucketEventNotification` `oss:GetBucketHash` `oss:GetBucketHttpsConfig` `oss:GetBucketImage` `oss:GetBucketInfo` `oss:GetBucketInventory` `oss:GetBucketLifecycle` `oss:GetBucketLocation` `oss:GetBucketLogging` `oss:GetBucketNotification` `oss:GetBucketPolicy` `oss:GetBucketPolicyStatus` `oss:GetBucketPublicAccessBlock` `oss:GetBucketQoSInfo` `oss:GetBucketReferer` `oss:GetBucketResourceGroup` `oss:GetBucketResponseHeader` `oss:GetBucketStat` `oss:GetBucketTagging` `oss:GetBucketTransferAcceleration` `oss:GetBucketVersioning` `oss:GetBucketWebsite` `oss:GetCache` `oss:GetObject` `oss:GetObjectAcl` `oss:GetObjectTagging` `oss:GetPublicAccessBlock` `oss:GetReservedCapacity` `oss:GetStatusList` `oss:ListBuckets` `oss:ListObjectVersions` `oss:ListObjects` `oss:ListOssBucket` `oss:PutBucket` `oss:PutBucketAccessMonitor` `oss:PutBucketAcl` `oss:PutBucketEncryption` `oss:PutBucketLifeCycle` `oss:PutBucketLifecycle` `oss:PutBucketLogging` `oss:PutBucketPublicAccessBlock` `oss:PutBucketTagging` `oss:PutObject` `oss:PutObjectAcl` `oss:PutObjectTagging` `oss:PutPublicAccessBlock` Table Store permissions: `ots:BatchGetRow` `ots:BatchWriteRow` `ots:DeleteRow` `ots:DeleteTags` `ots:DescribeInstance` `ots:DescribeSearchIndex` `ots:DescribeTable` `ots:GetInstance` `ots:GetOtsServiceStatus` `ots:GetRow` `ots:InsertInstance` `ots:InsertTags` `ots:ListInstance` `ots:ListVpcInfoByInstance` `ots:ListVpcInfoByVpc` `ots:OpenOtsService` `ots:PutRow` `ots:UpdateRow` ONS message queue permissions: `mq:CreateInstance` `mq:DeleteInstance` `mq:TagResources` `mq:UpdateInstance` Resource Access Management permissions: `ram:CreateOIDCProvider` `ram:AttachPolicyToRole` `ram:CreatePolicy` `ram:CreatePolicyVersion` `ram:CreateResourceGroup` `ram:CreateRole` `ram:CreateServiceLinkedRole` `ram:DeleteOIDCProvider` `ram:DeletePolicy` `ram:DeletePolicyVersion` `ram:DeleteResourceGroup` `ram:DeleteRole` `ram:DetachPolicyFromRole` `ram:DetachPolicyFromUser` `ram:ListEntitiesForPolicy` `ram:ListPolicies` `ram:ListRoles` `ram:ListPoliciesForRole` `ram:ListPolicyVersions` `ram:ListTagResources` `ram:GetOIDCProvider` `ram:GetRole` `ram:GetPolicy` `ram:PassRole` `ram:TagResources` `ram:UntagResources` `ram:UpdateResourceGroup` `ram:UpdateRole` Resource Manager for resource group permissions: `resourcemanager:CreateResourceAccount` `resourcemanager:CreateResourceGroup` `resourcemanager:GetAccount` `resourcemanager:ListAccounts` `resourcemanager:ListTagResources` `resourcemanager:MoveResourceGroup` `resourcemanager:TagResources` `resourcemanager:UntagResources` Tag permissions: `tag:CreatePolicy` `tag:CreateTags` `tag:DeletePolicy` `tag:DeleteTag` `tag:DetachPolicy` `tag:ListTagValues` VPC permissions: `vpc:CreateVpc` `vpc:CreateVSwitch` `vpc:DeleteVpc` `vpc:DeleteVSwitch` `vpc:DescribeRouteTableList` `vpc:DescribeVpcAttribute` `vpc:DescribeVpcs` `vpc:DescribeVSwitchAttributes` `vpc:DescribeVSwitches`