
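Custom policy examples

This topic provides examples of custom policies.

Note

If an example contains ${region} or ${account}, replace them with your actual region and Alibaba Cloud account. You can also narrow the resource scope as needed.

Allow access to all KMS resources

Important

To keep your data secure, we recommend that you do not configure a policy that allows access to all KMS resources.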

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Allow specified CIDR blocks or IP addresses to access all KMS resources

The following code uses 192.168.0.0/16 and 172.16.215.218 as examples.

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "kms:*"
    ],
    "Resource": [
      "*"
    ],
    "Condition": {
      "IpAddress": {
        "acs:SourceIp": [
          "192.168.0.0/16",
          "172.16.215.218"
        ]
      }
    }
  }]
}

Manage keys in KMS

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:Create*",
        "kms:Enable*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Set*",
        "kms:Update*",
        "kms:Delete*",
        "kms:Cancel*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:TagResources",
        "kms:UntagResources",
        "kms:ImportKeyMaterial",
        "kms:ScheduleKeyDeletion"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key",
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}

List keys and view key properties (metadata)

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key",
        "acs:kms:${region}:${account}:key/*"
      ]
    }
  ]
}

Use keys to encrypt data, decrypt data, and generate data keys

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
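
Note

If you use a key alias to identify a key in cryptographic operations and similar operations, you must configure the corresponding alias resources in the Resource element.

Allow envelope encryption, decryption, and data key generation with keys that have a specified tag

The following code uses the tag key Project and the tag value Apollo as an example.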

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "acs:kms:${region}:${account}:key/*"
            ],
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:tag/Project": [
                        "Apollo"
                    ]
                }
            }
        }
    ]
}

Use asymmetric keys to encrypt and decrypt data

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:AsymmetricEncrypt",
        "kms:AsymmetricDecrypt"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
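
Note

If you use a key alias to identify a key in cryptographic operations and similar operations, you must configure the corresponding alias resources in the Resource element.

Use asymmetric keys to generate and verify digital signatures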

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:AsymmetricSign",
        "kms:AsymmetricVerify"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
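
Note

If you use a key alias to identify a key in cryptographic operations and similar operations, you must configure the corresponding alias resources in the Resource element.

Manage secrets in KMS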

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:List*",
                "kms:Describe*",
                "kms:PutSecretValue",
                "kms:Update*",
                "kms:DeleteSecret",
                "kms:RestoreSecret",
                "kms:RotateSecret",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:TagResources",
                "kms:UntagResources"
            ],
            "Resource": [
                "acs:kms:${region}:${account}:secret",
                "acs:kms:${region}:${account}:secret/*",
                "acs:kms:${region}:${account}:alias",
                "acs:kms:${region}:${account}:alias/*"
            ]
        }
    ]
}

List secrets and read secret properties (metadata)

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:List*",
                "kms:Describe*"
            ],
            "Resource": [
                "acs:kms:${region}:${account}:secret",
                "acs:kms:${region}:${account}:secret/*",
                "acs:kms:${region}:${account}:alias",
                "acs:kms:${region}:${account}:alias/*"
            ]
        }
    ]
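}

Retrieve the secret value of a secret with a specified name

The following code uses a secret named example-secret as an example; the secret is encrypted with the key whose key ID is keyId-example.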

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:GetSecretValue",
            "Resource": "acs:kms:${region}:${account}:secret/example-secret"
        },
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "acs:kms:${region}:${account}:key/keyId-example"
        }
    ]
}
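
The following check is an added example, not part of the original page and not Alibaba Cloud tooling: a small Python linter that flags the full-access grant the page advises against, unreplaced ${region} or ${account} placeholders, and cryptographic statements that list key resources but no alias resources. The function name lint_policy and the finding codes are this example's own, and the two sample policies are constructed from policies shown on this page.

```python
import json
import re

# Actions the page's notes say may be called with a key alias.
CRYPTO_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
    "kms:AsymmetricEncrypt", "kms:AsymmetricDecrypt",
    "kms:AsymmetricSign", "kms:AsymmetricVerify",
}
PLACEHOLDER = re.compile(r"\$\{(region|account)\}")


def as_list(value):
    """Action and Resource may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(text):
    """Return sorted finding codes (the codes are this example's own)."""
    findings = set()
    if PLACEHOLDER.search(text):
        findings.add("UNRESOLVED_PLACEHOLDER")
    policy = json.loads(text)  # malformed JSON (e.g. trailing comma) raises ValueError
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        if "kms:*" in actions and "*" in resources:
            # A Condition restricts when the grant applies, not what it covers.
            findings.add("FULL_ACCESS_CONDITIONAL" if stmt.get("Condition")
                         else "FULL_ACCESS")
        has_key = any(":key/" in r for r in resources)
        has_alias = any(":alias/" in r for r in resources)
        if CRYPTO_ACTIONS & set(actions) and has_key and not has_alias:
            findings.add("NO_ALIAS_RESOURCE")  # alias-based calls are not covered
    return sorted(findings)


# Constructed inputs, copied from two policies on this page.
FULL = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["kms:*"], "Resource": ["*"]}]})
TAGGED = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": ["acs:kms:${region}:${account}:key/*"],
    "Condition": {"StringEqualsIgnoreCase": {"kms:tag/Project": ["Apollo"]}},
}]})

if __name__ == "__main__":
    print(lint_policy(FULL), lint_policy(TAGGED))
```

NO_ALIAS_RESOURCE is informational: it only matters when callers identify the key by alias, as the notes on this page describe.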