Creating a Custom DEW Policy

Custom policies can be created as a supplement to the system policies of DEW. For details about the actions supported by custom policies, see Permissions Policies and Supported Actions.

You can create custom policies in either of the following ways:

Visual editor: You can select policy configurations without the need to know policy syntax.
Custom KMS policy parameters:
- Select service: Select Key Management Service.
- Select action: Set it as required.
- (Optional) Select resource: Set Resources to Specific and KeyId to Specify resource path. In the dialog box that is displayed, set Path to the ID generated when the key was created. For details about how to obtain the ID, see "Viewing a CMK".
JSON: Edit JSON policies from scratch or based on an existing policy. For details about how to create custom policies, see Creating a Custom Policy. This section describes typical DEW custom policies.

Example Custom Policies of DEW

Example: authorizing users to create and import keys

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:cmk:create",
                "kms:cmk:getMaterial",
                "kms:cmkTag:create",
                "kms:cmkTag:batch",
                "kms:cmk:importMaterial"
            ]
        }
    ]
}

Example: denying deletion of key tags
A deny policy must be used in conjunction with other policies to take effect. If the permissions assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.

The following method can be used if you need to assign permissions of the KMS Administrator policy to a user but also forbid the user from deleting key tags (kms:cmkTag:delete). Create a custom policy with the action to delete key tags, set its Effect to Deny, and assign both this and the KMS Administrator policies to the group the user belongs to. Then the user can perform all operations except deleting key tags. The following is a policy for denying key pair tags.
```
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "kms:cmkTag:delete"
            ]
        }
    ]
}
```

Example: authorizing users to use keys

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:dek:crypto",
                "kms:cmk:get",
                "kms:cmk:crypto",
                "kms:cmk:generate",
                "kms:cmk:list"
            ]
        }
    ]
}

Example: multi-action policy

A custom policy can contain actions of multiple services that are all of the global or project-level type. The following is a policy with multiple statements:

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:task:list"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:dek:crypto",
                "kms:cmk:get",
                "kms:cmk:crypto",
                "kms:cmk:generate",
                "kms:cmk:list"
            ]
        }
    ]
}

Parent topic: Permission Control

Previous topic: Creating a User and Authorizing the User the Permission to Access DEW

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel