AliyunServiceRolePolicyForResourceGroup

AliyunServiceRolePolicyForResourceGroup 是专用于服务关联角色的授权策略,会在创建服务关联角色 AliyunServiceRoleForResourceGroup 时自动授权,以允许服务关联角色代您访问其他云服务。本策略由对应的阿里云服务按需更新,请勿将本策略授权给服务关联角色之外的 RAM 身份使用。

策略详情

  • 类型:系统策略

  • 创建时间:2023-01-10 02:38:37

  • 更新时间:2023-01-10 02:38:37

  • 当前版本:v1

策略内容

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:JoinResourceGroup",
                "vpc:MoveResourceGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "actiontrail:CreateServiceTrail",
                "actiontrail:DeleteServiceTrail",
                "actiontrail:GetServiceTrail",
                "actiontrail:GetServiceTrailDeliveryStatus",
                "oos:ListExecutions",
                "vpc:DescribeEipAddresses",
                "ecs:DescribeSnapshots",
                "ecs:DescribeNetworkInterfaces",
                "ecs:DescribeDisks"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "config:StartConfigurationRecorder",
                "config:GetConfigurationRecorder",
                "config:CreateConfigRule",
                "config:ActiveConfigRules",
                "config:GetConfigRule",
                "config:ListConfigRules",
                "config:UpdateConfigRule",
                "config:DryRunConfigRule",
                "config:CreateRemediation",
                "config:ListRemediations",
                "config:GetRemediationTemplate",
                "config:StartConfigRuleEvaluation",
                "config:DeactiveConfigRules",
                "config:DeleteConfigRules",
                "config:GetResourceComplianceByConfigRule"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "config:ServiceChannel": "ResourceGroup"
                }
            }
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "acs:ram:*:*:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "rmc.resourcemanager.aliyuncs.com",
                        "config.aliyuncs.com",
                        "remediation.config.aliyuncs.com"
                    ]
                }
            }
        },
        {
            "Action": "resourcecenter:EnableResourceCenter",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "resourcegroup.resourcemanager.aliyuncs.com"
                }
            }
        }
    ]
}

相关文档