Updated on 2024-03-27 GMT+08:00

Creating a Custom DEW Policy

Custom policies can be created as a supplement to the system policies of DEW. For details about the actions supported by custom policies, see "Permissions Policies" in Data Encryption Workshop API Reference.

You can create custom policies in either of the following ways:

  • Visual editor: You can select policy configurations without the need to know policy syntax.
    Custom KMS policy parameters:
    • Select service: Select Key Management Service.
    • Select action: Set it as required.
    • (Optional) Select resource: Set Resources to Specific and KeyId to Specify resource path. In the dialog box that is displayed, set Path to the ID generated when the key was created. For details about how to obtain the ID, see "Viewing a CMK".
  • JSON: Edit JSON policies from scratch or based on an existing policy. For details about how to create custom policies, see . This section describes typical DEW custom policies.

Example Custom Policies of DEW

  • Example: authorizing users to create and import keys
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:cmk:create",
                    "kms:cmk:getMaterial",
                    "kms:cmkTag:create",
                    "kms:cmkTag:batch",
                    "kms:cmk:importMaterial"
                ]
            }
        ]
    }
  • Example: authorizing users to use keys
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:dek:crypto",
                    "kms:cmk:get",
                    "kms:cmk:crypto",
                    "kms:cmk:generate",
                    "kms:cmk:list"
                ]
            }
        ]
    }
  • Example: multi-action policy

    A custom policy can contain actions of multiple services that are all of the global or project-level type. The following is a policy with multiple statements:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds:task:list"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kms:dek:crypto",
                    "kms:cmk:get",
                    "kms:cmk:crypto",
                    "kms:cmk:generate",
                    "kms:cmk:list"
                ]
            }
        ]
    }
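The example policies above name no specific key, while the visual editor's optional resource setting limits a policy to one key. The following Python check is an added example, not part of the original page: it flags Allow statements whose KMS actions are not limited to a key and policies that combine the key creation/import actions with the key use actions. It assumes the JSON form of the resource setting is a "Resource" element and uses a placeholder resource path.

```python
import json

# Action groups copied from the two KMS example policies on this page.
KEY_ADMIN = {"kms:cmk:create", "kms:cmk:getMaterial", "kms:cmkTag:create",
             "kms:cmkTag:batch", "kms:cmk:importMaterial"}
KEY_USE = {"kms:dek:crypto", "kms:cmk:get", "kms:cmk:crypto",
           "kms:cmk:generate", "kms:cmk:list"}

def audit_policy(policy_json):
    """Return sorted least-privilege findings for one custom policy."""
    allowed, findings = set(), set()
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        kms = {a for a in actions if a.startswith("kms:")}
        allowed |= kms
        # Assumption: a statement scopes keys through a "Resource" element.
        if kms and not stmt.get("Resource"):
            findings.add(f"statement {idx}: KMS actions apply to all keys")
    if allowed & KEY_ADMIN and allowed & KEY_USE:
        findings.add("policy mixes key creation/import with key use")
    return sorted(findings)

# The page's multi-action policy, reproduced as sample input.
MULTI_ACTION = json.dumps({"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["rds:task:list"]},
    {"Effect": "Allow", "Action": sorted(KEY_USE)}]})

# Constructed sample: scoped to one key (placeholder path) but mixing duties.
MIXED = json.dumps({"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["kms:cmk:create", "kms:cmk:crypto"],
     "Resource": ["<key-resource-path-placeholder>"]}]})

if __name__ == "__main__":
    for name, doc in (("multi-action", MULTI_ACTION), ("mixed", MIXED)):
        print(name, audit_policy(doc))
```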