AliyunServiceRolePolicyForSasCspm

AliyunServiceRolePolicyForSasCspm 是专用于服务关联角色的授权策略,会在创建服务关联角色 AliyunServiceRoleForSasCspm 时自动授权,以允许服务关联角色代您访问其他云服务。本策略由对应的阿里云服务按需更新,请勿将本策略授权给服务关联角色之外的 RAM 身份使用:下文策略内容中的各条语句均以 "Resource": "*" 授权,且除查询类操作外还包含多个云服务的修改、创建和删除类操作,授权给其他 RAM 身份会使其获得超出所需的权限。

策略详情

  • 类型:系统策略

  • 创建时间:2022-11-02 02:46:42

  • 更新时间:2024-11-05 08:56:12

  • 当前版本:v52

策略内容

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cspm.sas.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "actiontrail:DescribeTrails",
        "actiontrail:GetTrailStatus",
        "actiontrail:CreateServiceTrail",
        "actiontrail:DeleteServiceTrail"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cdn:Describe*",
        "cdn:BatchSetCdnDomainConfig",
        "cdn:CreateRepoTagScanTask"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cr:Get*",
        "cr:List*",
        "cr:UpdateRepository",
        "cr:CreateRepoTagScanTask",
        "cr:CreateInstanceEndpointAclPolicy",
        "cr:DeleteInstanceEndpointAclPolicy",
        "cr:PutScan"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cs:GetClusters",
        "cs:Describe*",
        "cs:ModifyCluster",
        "cs:UpgradeCluster"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:Describe*",
        "dds:ModifyInstanceVpcAuthMode",
        "dds:ModifySecurityIps",
        "dds:ModifyDBInstanceSSL",
        "dds:ModifyBackupPolicy",
        "dds:ReleasePublicNetworkAddress",
        "dds:ModifyDBInstanceTDE",
        "dds:ModifyAuditPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:Describe*",
        "ecs:RevokeSecurityGroup",
        "ecs:ModifySecurityGroupRule",
        "ecs:AuthorizeSecurityGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "gpdb:Describe*",
        "gpdb:ModifyBackupPolicy",
        "gpdb:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:Describe*",
        "kvstore:ModifyInstanceVpcAuthMode",
        "kvstore:ModifyBackupPolicy",
        "kvstore:ModifyInstanceSSL",
        "kvstore:ModifyInstanceTDE",
        "kvstore:ModifyInstanceConfig",
        "kvstore:ModifyAuditLogConfig",
        "kvstore:ModifySecurityIps",
        "kvstore:ReleaseInstancePublicConnection"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:GetBucket*",
        "oss:ListBucketInventory",
        "oss:ListBuckets",
        "oss:PutBucketEncryption",
        "oss:PutBucketLogging",
        "oss:PutBucketReferer",
        "oss:PutBucketVersioning"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:Describe*",
        "polardb:ModifyDBClusterAuditLogCollector",
        "polardb:ModifyDBClusterSSL",
        "polardb:ModifyDBClusterTDE",
        "polardb:ModifyBackupPolicy",
        "polardb:ModifyDBClusterAccessWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:ListUsers",
        "ram:GetUser",
        "ram:GetLoginProfile",
        "ram:ListPolicies",
        "ram:GetPolicy",
        "ram:ListGroupsForUser",
        "ram:ListEntitiesForPolicy",
        "ram:ListGroups",
        "ram:ListRoles",
        "ram:GetAccountAlias",
        "ram:ListAccessKeys",
        "ram:GetUserSsoSettings",
        "ram:GetUserMFAInfo",
        "ram:GetSecurityPreference",
        "ram:GetPasswordPolicy",
        "ram:GetAccountSecurityPracticeReport",
        "ram:GetAccessKeyLastUsed",
        "ram:ListPoliciesForUser",
        "ram:ListPoliciesForRole",
        "ram:GetRole",
        "ram:ListPoliciesForGroup",
        "ims:GetAccountMFAInfo"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:Describe*",
        "rds:ModifyBackupPolicy",
        "rds:ModifyDBInstanceConnectionString",
        "rds:ModifyDBInstanceDeletionProtection",
        "rds:ModifyDBInstanceSSL",
        "rds:ModifyDBInstanceTDE",
        "rds:ModifyInstanceCrossBackupPolicyz",
        "rds:ModifyParameter",
        "rds:ModifySQLCollectorPolicy",
        "rds:ModifySecurityIps",
        "rds:ReleaseInstancePublicConnection",
        "rds:CreateAccount",
        "rds:CreateBackup",
        "rds:DeleteAccount",
        "rds:DeleteBackup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "resourcemanager:GetResourceDirectory",
        "resourcemanager:ListAccounts",
        "resourcemanager:GetAccount",
        "resourcemanager:ListPolicyAttachments"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:Describe*",
        "slb:StopListener",
        "slb:StartListener",
        "slb:StopLoadBalancerListener",
        "slb:StartLoadBalancerListener",
        "slb:AddEntriesToAcl",
        "slb:AddAccessControlListEntry",
        "slb:RemoveEntriesFromAcl",
        "slb:RemoveAccessControlListEntry",
        "alb:List*",
        "alb:Get*",
        "alb:StopListener",
        "alb:StartListener"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-high:DescribeBackSourceCidr",
        "yundun-ddoscoo:Describe*",
        "yundun-ddoscoo:ModifyWebAIProtectMode",
        "yundun-ddoscoo:ModifyWebAIProtectSwitch",
        "yundun-ddoscoo:EnableWebCC",
        "yundun-ddoscoo:DisableWebCC"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-aegis:Describe*",
        "yundun-sas:Describe*",
        "yundun-sas:List*",
        "yundun-sas:Get*",
        "yundun-sas:OperateSuspiciousOverallConfig",
        "yundun-sas:OperateCommonOverallConfig",
        "yundun-sas:CreateServiceLinkedRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-waf:Describe*",
        "yundun-waf:ModifyProtectionModuleStatus",
        "yundun-waf:ModifyLogServiceStatus",
        "yundun-waf:ModifyProtectionModuleMode",
        "yundun-waf:SetDomainRuleGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:Describe*",
        "vpc:DeleteForwardEntry",
        "vpc:CreateNetworkAcl",
        "vpc:CreateNetworkAcl",
        "vpc:ReleaseEipAddress",
        "vpc:DeleteNetworkAcl"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-sddp:DescribeUserStatus",
        "yundun-sddp:DescribeOssObjects",
        "yundun-sddp:DescribeOssObjectDetail",
        "yundun-sddp:DescribeInstances",
        "yundun-sddp:DescribeInstanceSources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "mse:List*",
        "mse:Query*",
        "mse:Get*",
        "mse:UpdateConfig",
        "mse:UpdateBlackWhiteList",
        "mse:AddBlackWhiteList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "nas:Describe*",
        "nas:CreateLogAnalysis",
        "nas:DeleteLogAnalysis",
        "hbr:Describe*",
        "hbr:CreateBackupPlan",
        "hbr:DeleteBackupPlan"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "eipanycast:ListAnycastEipAddresses",
        "eipanycast:DescribeAnycastEipAddress"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "apigateway:Describe*",
        "apigateway:ModifyInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "eiam:ListRegions",
        "eiam:ListInstances",
        "eiam:GetForgetPasswordConfiguration",
        "eiam:GetPasswordComplexityConfiguration",
        "eiam:GetSecondFactorAuthentication",
        "eiam:GetLoginConfiguration",
        "eiam:GetPasswordExpirationConfiguration",
        "eiam:ListAuthenticationSources",
        "eiam:GetPasswordHistoryConfiguration",
        "eiam:SetPasswordComplexityConfiguration",
        "eiam:SetLoginConfiguration",
        "eiam:SetPasswordExpirationConfiguration",
        "eiam:SetPasswordHistoryConfiguration",
        "eiam:SetForgetPasswordConfiguration"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "elasticsearch:List*",
        "elasticsearch:Describe*",
        "elasticsearch:ModifyWhiteIps",
        "elasticsearch:UpdatePublicWhiteIps",
        "elasticsearch:UpdatePrivateNetworkWhiteIps",
        "elasticsearch:CloseHttps",
        "elasticsearch:OpenHttps",
        "elasticsearch:UpdateSnapshotSetting",
        "elasticsearch:TriggerNetwork"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardbx:Describe*",
        "polardbx:CreateAccount",
        "polardbx:UpdateDBInstanceTDE",
        "polardbx:UpdateDBInstanceSSL",
        "polardbx:UpdateBackupPolicy",
        "polardbx:ModifySecurityIps",
        "polardbx:ReleaseInstancePublicConnection",
        "polardbx:DeleteAccount"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rdc:ListOrganizationSecurityScores",
        "rdc:ListOrganizations"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-cert:DescribeUserCertificateList",
        "yundun-cert:DescribeUserCertificateDetail",
        "yundun-cert:ListUserCertificateOrder"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:ListProject",
        "log:GetProject",
        "log:ListLogStores",
        "log:GetLogStore"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "adb:Describe*",
        "adb:ReleaseClusterPublicConnection",
        "adb:ModifyAuditLogConfig",
        "adb:ModifyBackupPolicy",
        "adb:ModifyDBClusterAccessWhiteList",
        "adb:RevokeOperatorPermission",
        "adb:GrantOperatorPermission"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "hbr:DescribeBackupPlans"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dataworks:ListProjects",
        "dataworks:GetProject",
        "dataworks:GetProjectDetail"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "odps:ListProjects",
        "odps:GetProject",
        "odps:UpdateProjectIpWhiteList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dms:List*",
        "dms:Get*",
        "dms:ModifyInstance",
        "dms:AddDesensitizationRule",
        "dms:CreateProxy",
        "dms:CreateStandardGroup",
        "dms:DeleteStandardGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-bastionhost:DescribeInstances",
        "yundun-bastionhost:GetInstanceTwoFactor",
        "yundun-bastionhost:DescribeInstanceAttribute",
        "yundun-bastionhost:DescribeInstanceBastionhost",
        "yundun-bastionhost:ConfigInstanceWhiteList",
        "yundun-bastionhost:ModifyInstanceTwoFactor"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oceanbase:Describe*",
        "oceanbase:DeleteTenantUsers",
        "oceanbase:ModifyDatabaseUserRoles",
        "oceanbase:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-cloudfirewall:Describe*",
        "yundun-cloudfirewall:PutEnableFwSwitch",
        "yundun-cloudfirewall:PutDisableFwSwitch"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:ListKeys",
        "kms:ListSecrets",
        "kms:DescribeSecret",
        "kms:DescribeKey",
        "kms:ListKmsInstances",
        "kms:GetKmsInstance",
        "kms:UpdateRotationPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecd:Describe*",
        "ecd:SetOfficeSiteSsoStatus",
        "ecd:ModifyOfficeSiteMfaEnabled",
        "ecd:ModifyOfficeSiteAttribute",
        "ecd:ModifyPolicyGroup",
        "ecd:UpdateFotaTask"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ess:Describe*",
        "ess:ModifyScalingConfiguration",
        "ess:ModifyEciScalingConfiguration",
        "ess:ModifyScalingGroup",
        "ess:SetGroupDeletionProtection",
        "ess:EnableScalingGroup",
        "ess:DisableScalingGroup",
        "ess:AttachLoadBalancers",
        "ess:DetachLoadBalancers",
        "ess:DeleteScalingGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "fc:GetService",
        "fc:List*",
        "fc:UpdateService",
        "fc:UpdateTrigger",
        "fc:UpdateCustomDomain"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ga:GetAcl",
        "ga:GetHealthStatus",
        "ga:ListAccelerators",
        "ga:ListDomains",
        "ga:ListIpSets",
        "ga:ListListenerCertificates",
        "ga:ListListeners",
        "ga:DescribeListener",
        "ga:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "hbase:DescribeInstances",
        "hbase:DescribeRegions",
        "hbase:ModifyClusterDeletionProtection"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "lindorm:Get*",
        "lindorm:UpdateInstanceIpWhiteList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "clickhouse:Describe*",
        "clickhouse:CheckMonitorAlert",
        "clickhouse:UpgradeMinorVersion",
        "clickhouse:ModifyDBClusterAccessWhiteList",
        "clickhouse:ReleaseClusterPublicConnection",
        "clickhouse:AllocateClusterPublicConnection",
        "clickhouse:CreateBackupPolicy",
        "clickhouse:CreateSQLAccount",
        "clickhouse:DeleteAccount",
        "clickhouse:CreateOSSStorage"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "selectdb:Describe*",
        "selectdb:UpgradeDBInstanceEngineVersion",
        "selectdb:ModifySecurityIPList",
        "selectdb:ReleaseInstancePublicConnection",
        "selectdb:AllocateInstancePublicConnection"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "hologram:ListInstances",
        "hologram:GetInstance",
        "hologram:EnableHiveAccess",
        "hologram:DisableHiveAccess",
        "hologram:UpdateInstanceNetworkType"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "alikafka:ListInstance",
        "alikafka:UpdateAllowedIp",
        "alikafka:UpdateInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "domain:QueryCommonInfo",
        "domain:QueryDomainList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "alidns:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "arms:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cen:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudsso:List*",
        "cloudsso:Get*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dbs:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dcdn:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dfs:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "eci:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "gdb:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "mq:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oos:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "opensearch:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ots:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ros:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "paiworkspace:List*",
        "paidataset:List*",
        "paimodel:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "live:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "fnf:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "swas-open:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "eventbridge:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dhs:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dts:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dysms:Query*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ebs:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "edas:ReadCluster"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "eflo:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "mns:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vod:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "stream:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "emr:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "r-kvstore.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "elasticsearch.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "logdelivery.nas.aliyuncs.com"
          ]
        }
      }
    }
  ]
}

相关文档