This topic describes sample custom policies.
Replace ${region} and ${account} with your actual region and Alibaba Cloud account. You can also narrow the scope of resources based on your business requirements.
Policy that allows you to access all KMS resources
To ensure data security, we recommend that you do not configure policies that allow access to all Key Management Service (KMS) resources.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:*"
],
"Resource": [
"*"
]
}
]
}
Policy that allows specific CIDR blocks or IP addresses to access all KMS resources
In the following sample code, the CIDR block 192.168.0.0/16 and the IP address 172.16.215.218 can access all KMS resources.
{
"Version": "1",
"Statement": [{
"Effect": "Allow",
"Action": [
"kms:*"
],
"Resource": [
"*"
],
"Condition": {
"IpAddress": {
"acs:SourceIp": [
"192.168.0.0/16",
"172.16.215.218"
]
}
}
}]
}
Policy that allows you to manage keys in KMS
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:List*",
"kms:Describe*",
"kms:Create*",
"kms:Enable*",
"kms:Disable*",
"kms:Get*",
"kms:Set*",
"kms:Update*",
"kms:Delete*",
"kms:Cancel*",
"kms:TagResource",
"kms:UntagResource",
"kms:TagResources",
"kms:UntagResources",
"kms:ImportKeyMaterial",
"kms:ScheduleKeyDeletion"
],
"Resource": [
"acs:kms:${region}:${account}:key",
"acs:kms:${region}:${account}:key/*",
"acs:kms:${region}:${account}:alias",
"acs:kms:${region}:${account}:alias/*"
]
}
]
}
Policy that allows you to query a list of keys and the metadata of keys
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:List*",
"kms:Describe*"
],
"Resource": [
"acs:kms:${region}:${account}:key",
"acs:kms:${region}:${account}:key/*"
]
}
]
}
Policy that allows you to use keys to encrypt data, decrypt data, and generate data keys
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"acs:kms:${region}:${account}:key/*",
"acs:kms:${region}:${account}:alias/*"
]
}
]
}
If you use a key alias to identify a key in cryptographic operations, you must configure the alias in the resource element.
Policy that allows you to use keys with specific tags to implement envelope encryption, decryption, and data key generation
In the following sample code, a key whose tag key is Project and tag value is Apollo is used.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"acs:kms:${region}:${account}:key/*"
],
"Condition": {
"StringEqualsIgnoreCase": {
"kms:tag/Project": [
"Apollo"
]
}
}
}
]
}
Policy that allows you to use asymmetric keys for encryption and decryption
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:AsymmetricEncrypt",
"kms:AsymmetricDecrypt"
],
"Resource": [
"acs:kms:${region}:${account}:key/*",
"acs:kms:${region}:${account}:alias/*"
]
}
]
}
If you use a key alias to identify a key in cryptographic operations, you must configure the alias in the resource element.
Policy that allows you to use asymmetric keys for signing and verification
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:AsymmetricSign",
"kms:AsymmetricVerify"
],
"Resource": [
"acs:kms:${region}:${account}:key/*",
"acs:kms:${region}:${account}:alias/*"
]
}
]
}
If you use a key alias to identify a key in cryptographic operations, you must configure the alias in the resource element.
Policy that allows you to manage secrets in KMS
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:List*",
"kms:Describe*",
"kms:PutSecretValue",
"kms:Update*",
"kms:DeleteSecret",
"kms:RestoreSecret",
"kms:RotateSecret",
"kms:TagResource",
"kms:UntagResource",
"kms:TagResources",
"kms:UntagResources"
],
"Resource": [
"acs:kms:${region}:${account}:secret",
"acs:kms:${region}:${account}:secret/*",
"acs:kms:${region}:${account}:alias",
"acs:kms:${region}:${account}:alias/*"
]
}
]
}
Policy that allows you to query a list of secrets and the metadata of secrets
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:List*",
"kms:Describe*"
],
"Resource": [
"acs:kms:${region}:${account}:secret",
"acs:kms:${region}:${account}:secret/*",
"acs:kms:${region}:${account}:alias",
"acs:kms:${region}:${account}:alias/*"
]
}
]
}
Policy that allows you to retrieve the secret value
In the following sample code, the example-secret secret is used and the secret is encrypted by using a key whose key ID is keyId-example.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "kms:GetSecretValue",
"Resource": "acs:kms:${region}:${account}:secret/example-secret"
},
{
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "acs:kms:${region}:${account}:key/keyId-example"
}
]
}
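Before you attach a custom policy, you can check it against the recommendations in this topic. The following script is an added example and is not part of the original documentation or of any Alibaba Cloud tool. It reports malformed JSON such as a trailing comma, unreplaced ${region} and ${account} placeholders, kms:* granted on all resources, and cryptographic actions granted on keys without the matching alias resource. The function names and sample inputs are assumptions constructed for illustration.

```python
import json
import re

# Actions that take a key identifier; the page notes the identifier may be an alias.
CRYPTO_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
    "kms:AsymmetricEncrypt", "kms:AsymmetricDecrypt",
    "kms:AsymmetricSign", "kms:AsymmetricVerify",
}

def as_list(value):
    """Policy elements may be written as one string or as a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(text):
    """Return review findings for one policy document (hypothetical helper)."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    findings = []
    if re.search(r"\$\{(region|account)\}", text):
        findings.append("placeholder ${region}/${account} not replaced")
    for n, stmt in enumerate(policy.get("Statement", []), start=1):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        if "kms:*" in actions and "*" in resources:
            scope = "Condition only" if stmt.get("Condition") else "nothing"
            findings.append(f"statement {n}: kms:* on all resources, limited by {scope}")
        on_keys = any(":key/" in r for r in resources)
        on_alias = any(":alias/" in r for r in resources)
        if CRYPTO_ACTIONS & set(actions) and on_keys and not on_alias:
            findings.append(f"statement {n}: no alias resource, alias-based calls are not covered")
    return findings

# Constructed sample inputs modelled on the policies in this topic.
TRAILING_COMMA = '{"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["kms:AsymmetricEncrypt",], "Resource": ["*"]}]}'
ALLOW_ALL = '{"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["kms:*"], "Resource": ["*"]}]}'
KEY_ONLY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"],
    "Resource": ["acs:kms:${region}:${account}:key/*"]}]})

if __name__ == "__main__":
    for name, doc in [("trailing comma", TRAILING_COMMA), ("allow all", ALLOW_ALL), ("key only", KEY_ONLY)]:
        print(name, "->", lint_policy(doc))
```

The alias finding is informational: a policy that grants access to keys only is valid when callers always pass the key ID.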