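AliyunServiceRolePolicyForSasCspm 是专用于服务关联角色的授权策略,会在创建服务关联角色 AliyunServiceRoleForSasCspm 时自动授权,以允许服务关联角色代您访问其他云服务。本策略由对应的阿里云服务按需更新,请勿将本策略授权给服务关联角色之外的 RAM 身份使用:除 Describe*、List*、Get* 等只读操作外,本策略还包含对全部资源("Resource": "*")生效的写操作(例如 ecs:AuthorizeSecurityGroup、rds:CreateAccount、rds:DeleteBackup、ess:DeleteScalingGroup),授予其他身份会使该身份获得跨多个云服务的修改与删除权限,且权限范围会随策略版本更新而变化。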
策略详情
类型:系统策略
创建时间:2022-11-02 02:46:42
更新时间:2024-11-05 08:56:12
当前版本:v52
策略内容
{
"Version": "1",
"Statement": [
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "cspm.sas.aliyuncs.com"
}
}
},
{
"Action": [
"actiontrail:DescribeTrails",
"actiontrail:GetTrailStatus",
"actiontrail:CreateServiceTrail",
"actiontrail:DeleteServiceTrail"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cdn:Describe*",
"cdn:BatchSetCdnDomainConfig",
"cdn:CreateRepoTagScanTask"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cms:Describe*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cr:Get*",
"cr:List*",
"cr:UpdateRepository",
"cr:CreateRepoTagScanTask",
"cr:CreateInstanceEndpointAclPolicy",
"cr:DeleteInstanceEndpointAclPolicy",
"cr:PutScan"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cs:GetClusters",
"cs:Describe*",
"cs:ModifyCluster",
"cs:UpgradeCluster"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dds:Describe*",
"dds:ModifyInstanceVpcAuthMode",
"dds:ModifySecurityIps",
"dds:ModifyDBInstanceSSL",
"dds:ModifyBackupPolicy",
"dds:ReleasePublicNetworkAddress",
"dds:ModifyDBInstanceTDE",
"dds:ModifyAuditPolicy"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:Describe*",
"ecs:RevokeSecurityGroup",
"ecs:ModifySecurityGroupRule",
"ecs:AuthorizeSecurityGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"gpdb:Describe*",
"gpdb:ModifyBackupPolicy",
"gpdb:ModifySecurityIps"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"kvstore:Describe*",
"kvstore:ModifyInstanceVpcAuthMode",
"kvstore:ModifyBackupPolicy",
"kvstore:ModifyInstanceSSL",
"kvstore:ModifyInstanceTDE",
"kvstore:ModifyInstanceConfig",
"kvstore:ModifyAuditLogConfig",
"kvstore:ModifySecurityIps",
"kvstore:ReleaseInstancePublicConnection"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"oss:GetBucket*",
"oss:ListBucketInventory",
"oss:ListBuckets",
"oss:PutBucketEncryption",
"oss:PutBucketLogging",
"oss:PutBucketReferer",
"oss:PutBucketVersioning"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"polardb:Describe*",
"polardb:ModifyDBClusterAuditLogCollector",
"polardb:ModifyDBClusterSSL",
"polardb:ModifyDBClusterTDE",
"polardb:ModifyBackupPolicy",
"polardb:ModifyDBClusterAccessWhitelist"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ram:ListUsers",
"ram:GetUser",
"ram:GetLoginProfile",
"ram:ListPolicies",
"ram:GetPolicy",
"ram:ListGroupsForUser",
"ram:ListEntitiesForPolicy",
"ram:ListGroups",
"ram:ListRoles",
"ram:GetAccountAlias",
"ram:ListAccessKeys",
"ram:GetUserSsoSettings",
"ram:GetUserMFAInfo",
"ram:GetSecurityPreference",
"ram:GetPasswordPolicy",
"ram:GetAccountSecurityPracticeReport",
"ram:GetAccessKeyLastUsed",
"ram:ListPoliciesForUser",
"ram:ListPoliciesForRole",
"ram:GetRole",
"ram:ListPoliciesForGroup",
"ims:GetAccountMFAInfo"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"rds:Describe*",
"rds:ModifyBackupPolicy",
"rds:ModifyDBInstanceConnectionString",
"rds:ModifyDBInstanceDeletionProtection",
"rds:ModifyDBInstanceSSL",
"rds:ModifyDBInstanceTDE",
"rds:ModifyInstanceCrossBackupPolicyz",
"rds:ModifyParameter",
"rds:ModifySQLCollectorPolicy",
"rds:ModifySecurityIps",
"rds:ReleaseInstancePublicConnection",
"rds:CreateAccount",
"rds:CreateBackup",
"rds:DeleteAccount",
"rds:DeleteBackup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"resourcemanager:GetResourceDirectory",
"resourcemanager:ListAccounts",
"resourcemanager:GetAccount",
"resourcemanager:ListPolicyAttachments"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"slb:Describe*",
"slb:StopListener",
"slb:StartListener",
"slb:StopLoadBalancerListener",
"slb:StartLoadBalancerListener",
"slb:AddEntriesToAcl",
"slb:AddAccessControlListEntry",
"slb:RemoveEntriesFromAcl",
"slb:RemoveAccessControlListEntry",
"alb:List*",
"alb:Get*",
"alb:StopListener",
"alb:StartListener"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-high:DescribeBackSourceCidr",
"yundun-ddoscoo:Describe*",
"yundun-ddoscoo:ModifyWebAIProtectMode",
"yundun-ddoscoo:ModifyWebAIProtectSwitch",
"yundun-ddoscoo:EnableWebCC",
"yundun-ddoscoo:DisableWebCC"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-aegis:Describe*",
"yundun-sas:Describe*",
"yundun-sas:List*",
"yundun-sas:Get*",
"yundun-sas:OperateSuspiciousOverallConfig",
"yundun-sas:OperateCommonOverallConfig",
"yundun-sas:CreateServiceLinkedRole"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-waf:Describe*",
"yundun-waf:ModifyProtectionModuleStatus",
"yundun-waf:ModifyLogServiceStatus",
"yundun-waf:ModifyProtectionModuleMode",
"yundun-waf:SetDomainRuleGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:Describe*",
"vpc:DeleteForwardEntry",
"vpc:CreateNetworkAcl",
"vpc:CreateNetworkAcl",
"vpc:ReleaseEipAddress",
"vpc:DeleteNetworkAcl"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-sddp:DescribeUserStatus",
"yundun-sddp:DescribeOssObjects",
"yundun-sddp:DescribeOssObjectDetail",
"yundun-sddp:DescribeInstances",
"yundun-sddp:DescribeInstanceSources"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"mse:List*",
"mse:Query*",
"mse:Get*",
"mse:UpdateConfig",
"mse:UpdateBlackWhiteList",
"mse:AddBlackWhiteList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"nas:Describe*",
"nas:CreateLogAnalysis",
"nas:DeleteLogAnalysis",
"hbr:Describe*",
"hbr:CreateBackupPlan",
"hbr:DeleteBackupPlan"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"eipanycast:ListAnycastEipAddresses",
"eipanycast:DescribeAnycastEipAddress"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"apigateway:Describe*",
"apigateway:ModifyInstanceAttribute"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"eiam:ListRegions",
"eiam:ListInstances",
"eiam:GetForgetPasswordConfiguration",
"eiam:GetPasswordComplexityConfiguration",
"eiam:GetSecondFactorAuthentication",
"eiam:GetLoginConfiguration",
"eiam:GetPasswordExpirationConfiguration",
"eiam:ListAuthenticationSources",
"eiam:GetPasswordHistoryConfiguration",
"eiam:SetPasswordComplexityConfiguration",
"eiam:SetLoginConfiguration",
"eiam:SetPasswordExpirationConfiguration",
"eiam:SetPasswordHistoryConfiguration",
"eiam:SetForgetPasswordConfiguration"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"elasticsearch:List*",
"elasticsearch:Describe*",
"elasticsearch:ModifyWhiteIps",
"elasticsearch:UpdatePublicWhiteIps",
"elasticsearch:UpdatePrivateNetworkWhiteIps",
"elasticsearch:CloseHttps",
"elasticsearch:OpenHttps",
"elasticsearch:UpdateSnapshotSetting",
"elasticsearch:TriggerNetwork"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"polardbx:Describe*",
"polardbx:CreateAccount",
"polardbx:UpdateDBInstanceTDE",
"polardbx:UpdateDBInstanceSSL",
"polardbx:UpdateBackupPolicy",
"polardbx:ModifySecurityIps",
"polardbx:ReleaseInstancePublicConnection",
"polardbx:DeleteAccount"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"rdc:ListOrganizationSecurityScores",
"rdc:ListOrganizations"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-cert:DescribeUserCertificateList",
"yundun-cert:DescribeUserCertificateDetail",
"yundun-cert:ListUserCertificateOrder"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"log:ListProject",
"log:GetProject",
"log:ListLogStores",
"log:GetLogStore"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"adb:Describe*",
"adb:ReleaseClusterPublicConnection",
"adb:ModifyAuditLogConfig",
"adb:ModifyBackupPolicy",
"adb:ModifyDBClusterAccessWhiteList",
"adb:RevokeOperatorPermission",
"adb:GrantOperatorPermission"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"hbr:DescribeBackupPlans"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dataworks:ListProjects",
"dataworks:GetProject",
"dataworks:GetProjectDetail"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"odps:ListProjects",
"odps:GetProject",
"odps:UpdateProjectIpWhiteList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dms:List*",
"dms:Get*",
"dms:ModifyInstance",
"dms:AddDesensitizationRule",
"dms:CreateProxy",
"dms:CreateStandardGroup",
"dms:DeleteStandardGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-bastionhost:DescribeInstances",
"yundun-bastionhost:GetInstanceTwoFactor",
"yundun-bastionhost:DescribeInstanceAttribute",
"yundun-bastionhost:DescribeInstanceBastionhost",
"yundun-bastionhost:ConfigInstanceWhiteList",
"yundun-bastionhost:ModifyInstanceTwoFactor"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"oceanbase:Describe*",
"oceanbase:DeleteTenantUsers",
"oceanbase:ModifyDatabaseUserRoles",
"oceanbase:ModifySecurityIps"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-cloudfirewall:Describe*",
"yundun-cloudfirewall:PutEnableFwSwitch",
"yundun-cloudfirewall:PutDisableFwSwitch"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"kms:ListKeys",
"kms:ListSecrets",
"kms:DescribeSecret",
"kms:DescribeKey",
"kms:ListKmsInstances",
"kms:GetKmsInstance",
"kms:UpdateRotationPolicy"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecd:Describe*",
"ecd:SetOfficeSiteSsoStatus",
"ecd:ModifyOfficeSiteMfaEnabled",
"ecd:ModifyOfficeSiteAttribute",
"ecd:ModifyPolicyGroup",
"ecd:UpdateFotaTask"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ess:Describe*",
"ess:ModifyScalingConfiguration",
"ess:ModifyEciScalingConfiguration",
"ess:ModifyScalingGroup",
"ess:SetGroupDeletionProtection",
"ess:EnableScalingGroup",
"ess:DisableScalingGroup",
"ess:AttachLoadBalancers",
"ess:DetachLoadBalancers",
"ess:DeleteScalingGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"fc:GetService",
"fc:List*",
"fc:UpdateService",
"fc:UpdateTrigger",
"fc:UpdateCustomDomain"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ga:GetAcl",
"ga:GetHealthStatus",
"ga:ListAccelerators",
"ga:ListDomains",
"ga:ListIpSets",
"ga:ListListenerCertificates",
"ga:ListListeners",
"ga:DescribeListener",
"ga:DescribeRegions"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"hbase:DescribeInstances",
"hbase:DescribeRegions",
"hbase:ModifyClusterDeletionProtection"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"lindorm:Get*",
"lindorm:UpdateInstanceIpWhiteList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"clickhouse:Describe*",
"clickhouse:CheckMonitorAlert",
"clickhouse:UpgradeMinorVersion",
"clickhouse:ModifyDBClusterAccessWhiteList",
"clickhouse:ReleaseClusterPublicConnection",
"clickhouse:AllocateClusterPublicConnection",
"clickhouse:CreateBackupPolicy",
"clickhouse:CreateSQLAccount",
"clickhouse:DeleteAccount",
"clickhouse:CreateOSSStorage"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"selectdb:Describe*",
"selectdb:UpgradeDBInstanceEngineVersion",
"selectdb:ModifySecurityIPList",
"selectdb:ReleaseInstancePublicConnection",
"selectdb:AllocateInstancePublicConnection"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"hologram:ListInstances",
"hologram:GetInstance",
"hologram:EnableHiveAccess",
"hologram:DisableHiveAccess",
"hologram:UpdateInstanceNetworkType"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"alikafka:ListInstance",
"alikafka:UpdateAllowedIp",
"alikafka:UpdateInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"domain:QueryCommonInfo",
"domain:QueryDomainList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"alidns:Describe*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"arms:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cen:Describe*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cloudsso:List*",
"cloudsso:Get*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dbs:Describe*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dcdn:Describe*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dfs:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"eci:Describe*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"gdb:Describe*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"mq:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"oos:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"opensearch:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ots:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"privatelink:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"pvtz:Describe*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ros:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"paiworkspace:List*",
"paidataset:List*",
"paimodel:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"live:Describe*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"fnf:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"swas-open:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"eventbridge:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dhs:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dts:Describe*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dysms:Query*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ebs:Describe*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"edas:ReadCluster"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"eflo:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"mns:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vod:Describe*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"stream:Describe*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"emr:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "r-kvstore.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "elasticsearch.aliyuncs.com"
}
}
},
{
"Effect": "Allow",
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"logdelivery.nas.aliyuncs.com"
]
}
}
}
]
}