
Key Management Service: Custom permission policy samples

Updated: Jul 06, 2024

This topic provides sample custom permission policies for KMS.

Note

If a sample contains ${region} and ${account}, replace them with your actual region and Alibaba Cloud account ID. You can also narrow the resource scope to fit your needs.

Allow access to all KMS resources

Important

For data security, we do not recommend a permission policy that allows access to all KMS resources.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Allow access to all KMS resources only from specified IP addresses or CIDR blocks

The following code uses 192.168.0.0/16 and 172.16.215.218 as examples.

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "kms:*"
    ],
    "Resource": [
      "*"
    ],
    "Condition": {
      "IpAddress": {
        "acs:SourceIp": [
          "192.168.0.0/16",
          "172.16.215.218"
        ]
      }
    }
  }]
}

Manage keys in KMS

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:Create*",
        "kms:Enable*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Set*",
        "kms:Update*",
        "kms:Delete*",
        "kms:Cancel*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:TagResources",
        "kms:UntagResources",
        "kms:ImportKeyMaterial",
        "kms:ScheduleKeyDeletion"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key",
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}

List keys and view key attributes (metadata)

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key",
        "acs:kms:${region}:${account}:key/*"
      ]
    }
  ]
}

Use keys to encrypt, decrypt, and generate data keys

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}

Note

If you use a key alias to identify a key in cryptographic operations, you must include the corresponding alias resource in the Resource element.

Allow envelope encryption, decryption, and data key generation only with keys that carry a specified tag

The following code uses the tag key Project and the tag value Apollo as an example.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt", 
                "kms:Decrypt", 
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "acs:kms:${region}:${account}:key/*"
            ],
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:tag/Project": [
                        "Apollo"
                    ]
                }
            }
        }
    ]
}
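The source-IP and tag conditions above, and the unscoped kms:* policy the page advises against, can be checked offline before a policy is attached. The following Python is an added example, not Alibaba Cloud's code or its policy engine: a minimal evaluator that applies the Action/Resource wildcard, IpAddress and StringEqualsIgnoreCase semantics to a constructed request context. The region cn-hangzhou and account 123456789012 are made-up values, and explicit Deny statements are not modelled.

```python
import ipaddress
import re

# Constructed samples modelled on this page's policies; region/account are made up.
IP_SCOPED = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["kms:*"],
    "Resource": ["*"], "Condition": {"IpAddress": {"acs:SourceIp": ["192.168.0.0/16", "172.16.215.218"]}}}]}
TAG_SCOPED = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": ["acs:kms:cn-hangzhou:123456789012:key/*"],
    "Condition": {"StringEqualsIgnoreCase": {"kms:tag/Project": ["Apollo"]}}}]}
FULL_ACCESS = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["kms:*"], "Resource": ["*"]}]}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def _wildcard_match(patterns, value):
    # Only '*' is a wildcard in Action and Resource; everything else is literal.
    return any(re.fullmatch(".*".join(map(re.escape, p.split("*"))), value) for p in _as_list(patterns))

def _conditions_hold(condition, ctx):
    # Every operator/key pair must hold; a key absent from the request context fails.
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            actual, wanted = ctx.get(key), _as_list(wanted)
            if actual is None:
                return False
            if op == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(w, strict=False) for w in wanted)
            elif op == "StringEqualsIgnoreCase":
                ok = actual.lower() in (w.lower() for w in wanted)
            else:
                raise ValueError(f"operator not modelled here: {op}")
            if not ok:
                return False
    return True

def is_allowed(policy, action, resource, ctx=None):
    """True if an Allow statement covers the request and its Condition holds.
    Explicit Deny statements are not modelled (simplification); no match means denied."""
    return any(st["Effect"] == "Allow"
               and _wildcard_match(st["Action"], action)
               and _wildcard_match(st["Resource"], resource)
               and _conditions_hold(st.get("Condition", {}), ctx or {})
               for st in policy["Statement"])

def unscoped_statements(policy):
    """Statements matching the pattern this page warns against: kms:* on * with no Condition."""
    return [st for st in policy["Statement"] if st["Effect"] == "Allow"
            and "kms:*" in _as_list(st["Action"]) and "*" in _as_list(st["Resource"])
            and not st.get("Condition")]
```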

Use asymmetric keys to encrypt and decrypt

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:AsymmetricEncrypt",
        "kms:AsymmetricDecrypt"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}

Note

If you use a key alias to identify a key in cryptographic operations, you must include the corresponding alias resource in the Resource element.

Use asymmetric keys to sign and verify signatures

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:AsymmetricSign",
        "kms:AsymmetricVerify"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}

Note

If you use a key alias to identify a key in cryptographic operations, you must include the corresponding alias resource in the Resource element.

Manage secrets in KMS

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:List*",
                "kms:Describe*",
                "kms:PutSecretValue",
                "kms:Update*",
                "kms:DeleteSecret",
                "kms:RestoreSecret",
                "kms:RotateSecret",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:TagResources",
                "kms:UntagResources"
            ],
            "Resource": [
                "acs:kms:${region}:${account}:secret",
                "acs:kms:${region}:${account}:secret/*",
                "acs:kms:${region}:${account}:alias",
                "acs:kms:${region}:${account}:alias/*"
            ]
        }
    ]
}

List secrets and read secret attributes (metadata)

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:List*",
                "kms:Describe*"
            ],
            "Resource": [
                "acs:kms:${region}:${account}:secret",
                "acs:kms:${region}:${account}:secret/*",
                "acs:kms:${region}:${account}:alias",
                "acs:kms:${region}:${account}:alias/*"
            ]
        }
    ]
}

Retrieve the value of a secret by name

The following code uses a secret named example-secret that is encrypted with the key whose ID is keyId-example. Note that reading the secret value also requires kms:Decrypt on that key, which is why the policy carries two statements.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:GetSecretValue",
            "Resource": "acs:kms:${region}:${account}:secret/example-secret"
        },
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "acs:kms:${region}:${account}:key/keyId-example"
        }
    ]
}