This topic provides examples of custom permission policies for KMS.
Note
If an example contains ${region} and ${account}, replace them with your actual region ID and Alibaba Cloud account ID. You can also narrow the resource scope as needed.
Allow access to all KMS resources
Important
To protect your data, we do not recommend a policy that allows access to all KMS resources.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
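As an added example (it is not part of the original topic), the following Python script runs two static checks that are worth applying to any policy from this topic before it is attached: it flags Allow statements that grant kms:* on every resource, and it flags ${region}/${account} placeholders that were never replaced. The embedded policy texts are the allow-everything policy above and a shortened form of the key-management policy from this topic; the ALLOW_ALL/MANAGE_KEYS names, the region and account values, and the finding messages are the script's own assumptions.

```python
"""Static checks for custom KMS permission policies (added example, not from the original topic)."""
import json
import re

# Placeholders the topic tells you to replace before a policy is used
PLACEHOLDER = re.compile(r"\$\{(region|account)\}")


def _as_list(value):
    """Action and Resource may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_text):
    """Return a list of findings for one policy document; an empty list means it passed."""
    findings = []
    if PLACEHOLDER.search(policy_text):
        findings.append("unsubstituted ${region}/${account} placeholder")
    policy = json.loads(policy_text)
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        all_actions = any(a in ("*", "kms:*") for a in actions)
        all_resources = "*" in resources
        if all_actions and all_resources:
            scope = "with no Condition" if "Condition" not in stmt else "limited only by a Condition"
            findings.append(f"statement {index}: kms:* on all resources {scope}")
    return findings


# Constructed inputs: the allow-everything policy from this topic, and a shortened form of the
# key-management policy both before and after placeholder substitution.
ALLOW_ALL = '{"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["kms:*"], "Resource": ["*"]}]}'
MANAGE_KEYS_TEMPLATE = """{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["kms:List*", "kms:Describe*", "kms:Create*", "kms:ScheduleKeyDeletion"],
  "Resource": ["acs:kms:${region}:${account}:key/*", "acs:kms:${region}:${account}:alias/*"]}]}"""
# cn-hangzhou and 123456789012 are placeholder values, not a real account
MANAGE_KEYS = MANAGE_KEYS_TEMPLATE.replace("${region}", "cn-hangzhou").replace("${account}", "123456789012")

if __name__ == "__main__":
    for name, text in [("allow-all", ALLOW_ALL), ("manage-keys-template", MANAGE_KEYS_TEMPLATE),
                       ("manage-keys", MANAGE_KEYS)]:
        print(name, lint_policy(text) or ["ok"])
```

The placeholder check runs on the raw text on purpose: a policy with ${account} left in still parses as valid JSON, so a parse-only check would miss it.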
Allow access to all KMS resources only from specified IP addresses or CIDR blocks
The following example uses 192.168.0.0/16 and 172.16.215.218.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "192.168.0.0/16",
            "172.16.215.218"
          ]
        }
      }
    }
  ]
}
Manage keys in KMS
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:Create*",
        "kms:Enable*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Set*",
        "kms:Update*",
        "kms:Delete*",
        "kms:Cancel*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:TagResources",
        "kms:UntagResources",
        "kms:ImportKeyMaterial",
        "kms:ScheduleKeyDeletion"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key",
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
List keys and view key attributes (metadata)
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key",
        "acs:kms:${region}:${account}:key/*"
      ]
    }
  ]
}
Use keys to encrypt, decrypt, and generate data keys
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
Note
If you identify a key by its alias in cryptographic operations, you must also include the corresponding alias resource in the Resource element.
Allow envelope encryption, decryption, and data key generation only with keys that carry a specified tag
The following example uses the tag key Project and the tag value Apollo.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*"
      ],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/Project": [
            "Apollo"
          ]
        }
      }
    }
  ]
}
Use asymmetric keys to encrypt and decrypt
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:AsymmetricEncrypt",
        "kms:AsymmetricDecrypt"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
Note
If you identify a key by its alias in cryptographic operations, you must also include the corresponding alias resource in the Resource element.
Use asymmetric keys to sign and verify signatures
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:AsymmetricSign",
        "kms:AsymmetricVerify"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
Note
If you identify a key by its alias in cryptographic operations, you must also include the corresponding alias resource in the Resource element.
Manage secrets in KMS
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:PutSecretValue",
        "kms:Update*",
        "kms:DeleteSecret",
        "kms:RestoreSecret",
        "kms:RotateSecret",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:TagResources",
        "kms:UntagResources"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:secret",
        "acs:kms:${region}:${account}:secret/*",
        "acs:kms:${region}:${account}:alias",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
List secrets and read secret attributes (metadata)
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:secret",
        "acs:kms:${region}:${account}:secret/*",
        "acs:kms:${region}:${account}:alias",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
Retrieve the value of a specified secret
The following example uses a secret named example-secret that is encrypted with the key whose ID is keyId-example. Reading the secret value requires both kms:GetSecretValue on the secret and kms:Decrypt on that key.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:GetSecretValue",
      "Resource": "acs:kms:${region}:${account}:secret/example-secret"
    },
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "acs:kms:${region}:${account}:key/keyId-example"
    }
  ]
}
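To see how the scoped policies in this topic actually decide requests, the following Python script is an added example (not the original topic's code) that simulates RAM policy evaluation for the IP-restricted policy, the tag-conditioned policy, and the secret-retrieval policy above. It implements the evaluation rule that an explicit Deny wins, otherwise any matching Allow grants access, and otherwise the request is implicitly denied, together with the wildcard matching and the IpAddress, StringEquals and StringEqualsIgnoreCase operators the examples use. The region, account ID, key ID and request contexts are constructed values; the embedded policies are copied from this topic.

```python
"""Simulator of RAM policy evaluation for the KMS policies in this topic (added example, not the
original topic's code). Rule modelled: explicit Deny wins, then any matching Allow, else implicit Deny."""
import fnmatch
import ipaddress
import json

REGION = "cn-hangzhou"     # constructed values for the ${region} / ${account} placeholders
ACCOUNT = "123456789012"   # not a real account ID


def load(policy_text):
    """Parse a policy after substituting the placeholders the topic asks you to replace."""
    return json.loads(policy_text.replace("${region}", REGION).replace("${account}", ACCOUNT))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, expected, ctx):
    """Evaluate one condition key against the request context (ctx)."""
    actual = ctx.get(key)
    expected = _as_list(expected)
    if operator == "IpAddress":
        if actual is None:
            return False
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in expected)
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringEqualsIgnoreCase":
        return actual is not None and actual.lower() in [v.lower() for v in expected]
    raise ValueError(f"operator {operator} is not modelled here")


def _matches(stmt, action, resource, ctx):
    """A statement applies when action, resource and every condition match ('*' is a wildcard)."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, key, exp, ctx)
               for op, keys in stmt.get("Condition", {}).items()
               for key, exp in keys.items())


def evaluate(policies, action, resource, ctx=None):
    """Return 'Allow' or 'Deny' for one request against a set of attached policies."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"      # explicit Deny overrides every Allow
                allowed = True
    return "Allow" if allowed else "Deny"   # no matching Allow: implicit Deny


# The three scoped policies from this topic, verbatim apart from whitespace
IP_POLICY = """{"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["kms:*"], "Resource": ["*"],
  "Condition": {"IpAddress": {"acs:SourceIp": ["192.168.0.0/16", "172.16.215.218"]}}}]}"""
TAG_POLICY = """{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
  "Resource": ["acs:kms:${region}:${account}:key/*"],
  "Condition": {"StringEqualsIgnoreCase": {"kms:tag/Project": ["Apollo"]}}}]}"""
SECRET_POLICY = """{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "kms:GetSecretValue", "Resource": "acs:kms:${region}:${account}:secret/example-secret"},
  {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "acs:kms:${region}:${account}:key/keyId-example"}]}"""


def demo():
    """Run representative requests; the dict maps a scenario name to the decision."""
    key = f"acs:kms:{REGION}:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # constructed key ID
    secret = f"acs:kms:{REGION}:{ACCOUNT}:secret/example-secret"
    ip, tag, sec = [load(IP_POLICY)], [load(TAG_POLICY)], [load(SECRET_POLICY)]
    return {
        "ip_in_cidr": evaluate(ip, "kms:Encrypt", key, {"acs:SourceIp": "192.168.7.9"}),
        "ip_single_host": evaluate(ip, "kms:ScheduleKeyDeletion", key, {"acs:SourceIp": "172.16.215.218"}),
        "ip_outside": evaluate(ip, "kms:Encrypt", key, {"acs:SourceIp": "10.0.0.5"}),
        "tag_case_insensitive": evaluate(tag, "kms:GenerateDataKey", key, {"kms:tag/Project": "apollo"}),
        "tag_other_project": evaluate(tag, "kms:Decrypt", key, {"kms:tag/Project": "Artemis"}),
        "tag_missing": evaluate(tag, "kms:Decrypt", key),
        "tag_admin_action": evaluate(tag, "kms:ScheduleKeyDeletion", key, {"kms:tag/Project": "Apollo"}),
        "secret_read": evaluate(sec, "kms:GetSecretValue", secret),
        "secret_key_decrypt": evaluate(sec, "kms:Decrypt", f"acs:kms:{REGION}:{ACCOUNT}:key/keyId-example"),
        "secret_other_key": evaluate(sec, "kms:Decrypt", key),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:22} {decision}")
```

Two results are worth noting: a key with no Project tag at all is denied under the tag policy (the condition key is absent, so the condition fails), and the IP-restricted policy still grants every kms:* action, including kms:ScheduleKeyDeletion, from an allowed address, which is why the source-IP condition alone is not a substitute for a narrower Action list.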
Allow KMS instances to be created only in specified regions
The following example allows KMS instances to be created only in the Singapore and Malaysia (Kuala Lumpur) regions. This policy applies only to RAM users, RAM user groups, and RAM roles that already have the AliyunKMSFullAccess permission. For information about how to grant permissions, see Grant permissions to a RAM user, Grant permissions to a RAM user group, and Grant permissions to a RAM role.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "bss:CreateInstance",
        "bss:ModifyInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "bssapi:ProductCode": [
            "kms"
          ]
        },
        "StringNotLike": {
          "Resource": [
            "acs:kms:ap-southeast-1:*:*",
            "acs:kms:ap-southeast-3:*:*"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "kms:CreateInstance",
      "Resource": "*"
    }
  ]
}