AliyunServiceRolePolicyForGovernance

AliyunServiceRolePolicyForGovernance 是专用于服务关联角色的授权策略,会在创建服务关联角色 AliyunServiceRoleForGovernance 时自动授权,以允许服务关联角色代您访问其他云服务。本策略由对应的阿里云服务按需更新,请勿将本策略授权给服务关联角色之外的 RAM 身份使用。

策略详情

  • 类型:系统策略

  • 创建时间:2021-04-11 02:59:48

  • 更新时间:2023-08-31 03:34:09

  • 当前版本:v26

策略内容

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "resourcemanager:GetResourceDirectory",
        "resourcemanager:InitResourceDirectory",
        "resourcemanager:ListResources",
        "resourcemanager:ListFoldersForParent",
        "resourcemanager:ListAccountsForParent",
        "resourcemanager:ListAccounts",
        "resourcemanager:CreateFolder",
        "resourcemanager:CreateResourceAccount",
        "resourcemanager:GetFolder",
        "resourcemanager:GetAccount",
        "resourcemanager:UpdateFolder",
        "resourcemanager:DeleteFolder",
        "resourcemanager:MoveAccount",
        "resourcemanager:UpdateAccount",
        "resourcemanager:ListHandshakesForResourceDirectory",
        "resourcemanager:GetPayerForAccount",
        "resourcemanager:EnableControlPolicy",
        "resourcemanager:CreateControlPolicy",
        "resourcemanager:AttachControlPolicy",
        "resourcemanager:UpdateControlPolicy",
        "resourcemanager:GetControlPolicy",
        "resourcemanager:ListControlPolicyAttachmentsForTarget",
        "resourcemanager:ListControlPolicies",
        "resourcemanager:InviteAccountToResourceDirectory",
        "resourcemanager:GetHandshake",
        "resourcemanager:ListTagResources",
        "resourcemanager:TagResources",
        "resourcemanager:UntagResources",
        "resourcemanager:RegisterDelegatedAdministrator",
        "resourcemanager:ListDelegatedAdministrators",
        "resourcemanager:DeregisterDelegatedAdministrator",
        "resourcemanager:DeleteControlPolicy",
        "resourcemanager:DetachControlPolicy"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "ecs:DescribeInstances",
        "cen:DescribeCenBandwidthPackages",
        "ecs:DescribeDisks",
        "ecs:DescribeSnapshots",
        "ecs:DescribeImages",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "cen:DescribeCens",
        "oss:ListBuckets",
        "elasticsearch:ListInstance",
        "eci:DescribeContainerGroups",
        "dds:DescribeDBInstances",
        "kvstore:DescribeInstances",
        "polardb:DescribeDBClusters",
        "alb:ListLoadBalancers",
        "slb:DescribeLoadBalancers",
        "rocketmq:ListInstances",
        "polardbx:DescribeDBInstances",
        "cs:GetClusters",
        "cs:GetClustersByUid",
        "rds:DescribeDBInstances",
        "drds:DescribeDrdsInstances",
        "log:ListLogstore",
        "vpc:DescribeBandwidthPackages",
        "vpc:DescribeCommonBandwidthPackages",
        "vpc:DescribeEipAddresses",
        "vpc:DescribeNatGateways",
        "log:ListProject",
        "mq:OnsInstanceList",
        "mq:ListInstance",
        "yundun-bastionhost:DescribeInstanceBastionhost",
        "arms:ListPrometheusInstance",
        "arms:ListPrometheusInstanceByTagAndResourceGroupId"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "governance.aliyuncs.com"
        }
      }
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": "acs:ram::*:role/aliyungovernance*"
    },
    {
      "Action": [
        "actiontrail:CreateTrail",
        "actiontrail:DescribeTrails",
        "actiontrail:UpdateTrail",
        "actiontrail:DeleteTrail",
        "actiontrail:StartLogging",
        "actiontrail:LookupEvents",
        "config:PutDeliveryChannel",
        "config:DescribeDeliveryChannels",
        "config:CreateAggregator",
        "config:UpdateAggregator",
        "config:ListAggregators",
        "config:GetAggregator",
        "config:StartConfigurationRecorder",
        "config:DescribeConfigurationRecorder",
        "config:PutConfigurationRecorder",
        "config:ListAggregateCompliancePacks",
        "config:GetAggregateCompliancePack",
        "config:CreateAggregateCompliancePack",
        "config:UpdateAggregateCompliancePack",
        "config:DeleteAggregateCompliancePacks",
        "config:GetAggregateConfigRuleComplianceByPack",
        "config:GetConfigRule",
        "config:UpdateConfigRule",
        "config:CreateCompliancePack",
        "config:UpdateCompliancePack",
        "config:GetCompliancePack",
        "config:DeleteCompliancePacks",
        "config:GetAggregateResourceCountsGroupByRegion",
        "config:GetAggregateResourceCountsGroupByResourceType",
        "config:GetDiscoveredResourceCountsGroupByRegion",
        "config:GetDiscoveredResourceCountsGroupByResourceType",
        "config:DetachAggregateConfigRuleToCompliancePack",
        "config:AttachAggregateConfigRuleToCompliancePack",
        "config:GetAggregateConfigRule",
        "config:ListAggregateConfigRules",
        "config:CreateAggregateConfigRule",
        "config:UpdateAggregateConfigRule",
        "config:DeleteAggregateConfigRules",
        "config:GetManagedRule",
        "config:ListAggregateConfigRuleEvaluationResults",
        "config:ListAggregateDiscoveredResources",
        "config:GetAggregateResourceComplianceByConfigRule",
        "config:ListDiscoveredResources",
        "config:ListConfigRuleEvaluationResults",
        "config:GetResourceComplianceByConfigRule",
        "config:ListConfigRules",
        "config:StartAggregateConfigRuleEvaluation",
        "config:StartConfigRuleEvaluation",
        "config:ListCompliancePacks",
        "config:DetachConfigRuleToCompliancePack",
        "config:AttachConfigRuleToCompliancePack",
        "config:DeleteConfigRules",
        "config:CreateConfigRule",
        "config:CreateRemediation",
        "config:ListRemediations",
        "config:StartRemediation",
        "config:ListRemediationExecutions",
        "config:DeleteAggregateConfigDeliveryChannel",
        "config:ListAggregateConfigDeliveryChannels",
        "config:CreateAggregateConfigDeliveryChannel",
        "config:GetAggregateConfigDeliveryChannel",
        "config:UpdateAggregateConfigDeliveryChannel",
        "config:ListConfigDeliveryChannels",
        "config:ListManagedRules",
        "config:IgnoreEvaluationResults",
        "config:RevertEvaluationResults"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "actiontrail.aliyuncs.com",
            "config.aliyuncs.com",
            "cloudsso.aliyuncs.com",
            "cloudmonitor.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Action": [
        "cms:CreateServiceLinkRoleForCloudMonitor",
        "cms:CheckRamRoleForCloudMonitor",
        "cms:CreateAnalysisSuit",
        "cms:DescribeAnalysisSuit",
        "cms:DescribeAnalysisTask",
        "cms:RestartAnalysisTask"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "arms:GetUserArmsPromClusterList",
        "arms:UseHighPriorityAlert",
        "arms:HighPriorityAlertClearRatio"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:GetSAMLProvider",
        "ram:CreateSAMLProvider",
        "ram:CreatePolicy",
        "ram:ListRoles",
        "ram:GetRole",
        "ram:ListPolicies",
        "ram:ListSAMLProviders"
      ],
      "Resource": [
        "acs:ram:*:*:policy/*",
        "acs:ram:*:*:saml-provider/*",
        "acs:ram:*:*:role/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:ListEntitiesForPolicy",
        "ram:ListPolicyVersions",
        "ram:DeletePolicyVersion",
        "ram:CreatePolicyVersion",
        "ram:DeletePolicy"
      ],
      "Resource": "acs:ram:*:*:policy/AliyunReservedGovernance*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:UpdateSAMLProvider",
        "ram:DeleteSAMLProvider",
        "ram:AttachPolicyToRole",
        "ram:DetachPolicyFromRole",
        "ram:ListPoliciesForRole",
        "ram:CreateRole",
        "ram:UpdateRole",
        "ram:GetPolicy",
        "ram:DeleteRole"
      ],
      "Resource": [
        "acs:ram:*:*:saml-provider/AliyunReservedGovernance*",
        "acs:ram:*:*:role/aliyunreservedgovernance*",
        "acs:ram:*:system:policy/*",
        "acs:ram:*:*:policy/AliyunReservedGovernance*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudsso:EnableService",
        "cloudsso:ListDirectories",
        "cloudsso:ListAccessConfigurations",
        "cloudsso:CreateDirectory",
        "cloudsso:SetMFAAuthenticationStatus",
        "cloudsso:SetExternalSAMLIdentityProvider",
        "cloudsso:GetDirectory",
        "cloudsso:GetMFAAuthenticationStatus",
        "cloudsso:GetSCIMSynchronizationStatus",
        "cloudsso:GetExternalSAMLIdentityProvider",
        "cloudsso:CreateAccessConfiguration",
        "cloudsso:GetAccessConfiguration",
        "cloudsso:ListPermissionPoliciesInAccessConfiguration",
        "cloudsso:RemovePermissionPolicyFromAccessConfiguration",
        "cloudsso:AddPermissionPolicyToAccessConfiguration",
        "cloudsso:ListAccessConfigurationProvisionings",
        "cloudsso:ProvisionAccessConfiguration",
        "cloudsso:GetTaskStatus",
        "cloudsso:UpdateAccessConfiguration",
        "cloudsso:DeleteAccessConfiguration",
        "cloudsso:GetServiceStatus",
        "cloudsso:ListUsers",
        "cloudsso:ListAccessAssignments",
        "cloudsso:CreateAccessAssignment",
        "cloudsso:ListGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "tag:ListTagResources",
        "tag:DescribeRegions",
        "tag:ListTagKeys",
        "tag:CheckCreatedByEnabled"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:GenerateGovernanceReport",
        "ram:GetGovernanceReportStatus",
        "ram:ListRecentGovernanceMetrics",
        "ram:GetGovernanceItemReport"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ModifyImageSharePermission",
        "ecs:DescribeImageSharePermission"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:GenerateCredentialReport",
        "ram:GetCredentialReport",
        "ram:GetAccountSummary",
        "ram:ListPolicyAttachments",
        "config:GetApiStatisticData",
        "actiontrail:GetGovernanceMetrics"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "mscsub:ListSubscriptionItems",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "yundun-sas:GetModuleConfigStatus",
        "yundun-aegis:DescribeAccesskeyLeakList",
        "yundun-sas:DescribeGroupedVul",
        "yundun-sas:DescribeCheckWarningSummary",
        "yundun-sas:DescribeSuspEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "bssapi:QuerySavingsPlansInstance"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ims:ListUserBasicInfos",
        "ims:ListAccessKeys",
        "actiontrail:GetAccessKeyLastUsedProducts",
        "actiontrail:GetAccessKeyLastUsedInfo"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "yundun-antiddosbag:DescribeInstanceSummary",
        "yundun-antiddosbag:DescribeInstanceList",
        "yundun-antiddosbag:DescribePackIpList",
        "yundun-ddoscoo:DescribeDomains",
        "yundun-ddoscoo:DescribeWebCcProtectSwitch"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "yundun-cloudfirewall:DescribeUserBuyVersion",
        "yundun-cloudfirewall:DescribeAssetStatistic",
        "yundun-cloudfirewall:DescribeUserBandwithDetail",
        "yundun-cloudfirewall:DescribeAssetList",
        "yundun-cloudfirewall:DescribeNatFirewallList",
        "yundun-cloudfirewall:DescribeVpcFirewallSummaryInfo",
        "yundun-cloudfirewall:DescribeDefaultIPSConfig",
        "yundun-cloudfirewall:DescribeAclStats",
        "yundun-cloudfirewall:DescribeControlPolicy",
        "yundun-cloudfirewall:DescribeLogStoreInfo",
        "yundun-cloudfirewall:DescribeVpcFirewallList",
        "yundun-cloudfirewall:DescribeVpcFirewallCenList",
        "yundun-cloudfirewall:DescribeTrFirewallsV2List",
        "yundun-cloudfirewall:DescribeVpcInstanceList",
        "yundun-cloudfirewall:DescribeTrFirewallsV2Detail"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "resourcecenter:ExecuteSQLQuery",
        "resourcecenter:SearchMultiAccountResources",
        "resourcecenter:GetMultiAccountResourceCenterServiceStatus",
        "resourcecenter:ExecuteMultiAccountSQLQuery",
        "resourcecenter:EnableMultiAccountResourceCenter",
        "resourcemanager:ListTrustedServiceStatus",
        "resourcemanager:ListMessageContacts",
        "resourcemanager:ListDelegatedAdministrators"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:EnableInsight",
        "ecs:DescribeInsightStatus",
        "ecs:DescribeInsightChecks",
        "ecs:DescribeInsightCheckItems",
        "ecs:DescribeInsightSummaries"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "accessanalyzer:CreateAnalyzer",
        "accessanalyzer:GetAnalyzer",
        "accessanalyzer:ListAnalyzers",
        "accessanalyzer:DeleteAnalyzer",
        "accessanalyzer:ListFindings",
        "accessanalyzer:GetFinding"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dcdn:ListSites",
        "dcdn:ListSiteDeliveryTasks",
        "dcdn:ListWafRules",
        "dcdn:ListRecords",
        "dcdn:ListCertificatesByRecord",
        "dcdn:ListSiteFunctions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "esa:ListSites",
        "esa:ListSiteDeliveryTasks",
        "esa:ListWafRules",
        "esa:ListRecords",
        "esa:ListCertificatesByRecord",
        "esa:ListSiteFunctions"
      ],
      "Resource": "*"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ecsinsight.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "accessanalyzer.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}

相关文档