This topic provides sample custom permission policies.

Note
If a sample contains ${region} and ${account}, replace them with your actual region and Alibaba Cloud account ID. You can also narrow the resource scope as needed.

Allow access to all KMS resources

Important
To protect your data, we recommend that you do not configure a policy that allows access to all KMS resources.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Allow access to all KMS resources only from specified IP address ranges or IP addresses

The following example uses 192.168.0.0/16 and 172.16.215.218.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "192.168.0.0/16",
            "172.16.215.218"
          ]
        }
      }
    }
  ]
}

Manage keys in KMS

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:Create*",
        "kms:Enable*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Set*",
        "kms:Update*",
        "kms:Delete*",
        "kms:Cancel*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:TagResources",
        "kms:UntagResources",
        "kms:ImportKeyMaterial",
        "kms:ScheduleKeyDeletion"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key",
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}

List keys and view key properties (metadata)

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key",
        "acs:kms:${region}:${account}:key/*"
      ]
    }
  ]
}

Use keys to encrypt, decrypt, and generate data keys

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}

Note
If you use a key alias to identify a key in operations such as cryptographic operations, you must configure the corresponding alias resource in the Resource element.

Allow keys with a specified tag to be used for envelope encryption, decryption, and data key generation

The following example uses the tag key Project and the tag value Apollo.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*"
      ],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/Project": [
            "Apollo"
          ]
        }
      }
    }
  ]
}

Use asymmetric keys to encrypt and decrypt

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:AsymmetricEncrypt",
        "kms:AsymmetricDecrypt"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}

Note
If you use a key alias to identify a key in operations such as cryptographic operations, you must configure the corresponding alias resource in the Resource element.

Use asymmetric keys to sign and verify signatures

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:AsymmetricSign",
        "kms:AsymmetricVerify"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}

Note
If you use a key alias to identify a key in operations such as cryptographic operations, you must configure the corresponding alias resource in the Resource element.

Manage secrets in KMS

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:PutSecretValue",
        "kms:Update*",
        "kms:DeleteSecret",
        "kms:RestoreSecret",
        "kms:RotateSecret",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:TagResources",
        "kms:UntagResources"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:secret",
        "acs:kms:${region}:${account}:secret/*",
        "acs:kms:${region}:${account}:alias",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}

List secrets and read secret properties (metadata)

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:secret",
        "acs:kms:${region}:${account}:secret/*",
        "acs:kms:${region}:${account}:alias",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}

Retrieve the value of a secret with a specified name

The following example uses a secret named example-secret that is encrypted with the key whose ID is keyId-example.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:GetSecretValue",
      "Resource": "acs:kms:${region}:${account}:secret/example-secret"
    },
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "acs:kms:${region}:${account}:key/keyId-example"
    }
  ]
}

Allow KMS instances to be created only in specified regions

The following example allows KMS instances to be created only in Singapore and Malaysia (Kuala Lumpur). This policy applies only to RAM users, RAM user groups, and RAM roles that have the AliyunKMSFullAccess permission. For how to grant permissions, see Grant permissions to a RAM user, Grant permissions to a RAM user group, and Grant permissions to a RAM role.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "bss:CreateInstance",
        "bss:ModifyInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "bssapi:ProductCode": [
            "kms"
          ]
        },
        "StringNotLike": {
          "Resource": [
            "acs:kms:ap-southeast-1:*:*",
            "acs:kms:ap-southeast-3:*:*"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "kms:CreateInstance",
      "Resource": "*"
    }
  ]
}
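To see how the IP-restricted and tag-restricted samples above behave before you attach them, the following added example (not Alibaba Cloud's own policy engine) evaluates a policy document against a request the way RAM resolves it: Deny overrides Allow, wildcards in Action and Resource are matched, and only the condition operators used on this page are supported. It assumes cn-hangzhou and 123456789012 as constructed stand-ins for ${region} and ${account}, and that a request whose context lacks a condition key is refused.

```python
import fnmatch
import ipaddress
# Added example (not Alibaba Cloud's evaluator): Deny beats Allow; a request passes only if an Allow matches and no Deny does.

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match_any(patterns, value):
    # '*' in Action / Resource matches any run of characters, including ':' and '/'
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(cond, ctx):
    # Every operator and key must hold; a key missing from the request context fails closed.
    for op, keys in cond.items():
        for key, expected in keys.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if actual is None:
                return False
            if op == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(e, strict=False) for e in expected)
            elif op == "StringEquals":
                ok = actual in expected
            elif op == "StringEqualsIgnoreCase":
                ok = actual.lower() in [e.lower() for e in expected]
            elif op == "StringNotLike":
                ok = not _match_any(expected, actual)
            else:
                raise ValueError(f"unsupported condition operator: {op}")
            if not ok:
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    allowed = False
    for st in policy["Statement"]:
        if not (_match_any(st["Action"], action) and _match_any(st["Resource"], resource)):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed copies of the IP- and tag-restricted samples; cn-hangzhou/123456789012 stand in for ${region}/${account}.
IP_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["kms:*"], "Resource": ["*"],
    "Condition": {"IpAddress": {"acs:SourceIp": ["192.168.0.0/16", "172.16.215.218"]}}}]}
TAG_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow", "Resource": ["acs:kms:cn-hangzhou:123456789012:key/*"],
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
    "Condition": {"StringEqualsIgnoreCase": {"kms:tag/Project": ["Apollo"]}}}]}
```

The tag check shows why the sample uses StringEqualsIgnoreCase: a request on a key tagged Project=apollo is allowed, while a key without the tag, or a management action such as kms:ScheduleKeyDeletion, is refused even from the same caller.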