Updated on 2024-05-15 GMT+08:00

Creating a Custom DEW Policy

Custom policies can be created as a supplement to the system policies of DEW. For details about the actions supported by custom policies, see Permissions Policies and Supported Actions.

You can create custom policies in either of the following ways:

  • Visual editor: You can select policy configurations without the need to know policy syntax.
    Custom KMS policy parameters:
    • Select service: Select Key Management Service.
    • Select action: Set it as required.
    • (Optional) Select resource: Set Resources to Specific and KeyId to Specify resource path. In the dialog box that is displayed, set Path to the ID generated when the key was created. For details about how to obtain the ID, see "Viewing a CMK".
  • JSON: Edit JSON policies from scratch or based on an existing policy. For details about how to create custom policies, see Creating a Custom Policy. This section describes typical DEW custom policies.

Example Custom Policies of DEW

  • Example: authorizing users to create and import keys
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:cmk:create",
                    "kms:cmk:getMaterial",
                    "kms:cmkTag:create",
                    "kms:cmkTag:batch",
                    "kms:cmk:importMaterial"
                ]
            }
        ]
    }
  • Example: denying deletion of key tags

    A deny policy must be used in conjunction with other policies to take effect. If the permissions assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.

    The following method can be used if you need to assign the permissions of the KMS Administrator policy to a user but also forbid that user from deleting key tags (kms:cmkTag:delete). Create a custom policy containing the key-tag deletion action, set its Effect to Deny, and assign both this custom policy and the KMS Administrator policy to the group the user belongs to. The user can then perform all operations except deleting key tags. The following is a policy that denies deletion of key tags.

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "kms:cmkTag:delete"
                ]
            }
        ]
    }
  • Example: authorizing users to use keys
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:dek:crypto",
                    "kms:cmk:get",
                    "kms:cmk:crypto",
                    "kms:cmk:generate",
                    "kms:cmk:list"
                ]
            }
        ]
    }
  • Example: multi-action policy

    A custom policy can contain actions of multiple services, provided the services are all global-level or all project-level. The following is a policy with multiple statements:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds:task:list"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kms:dek:crypto",
                    "kms:cmk:get",
                    "kms:cmk:crypto",
                    "kms:cmk:generate",
                    "kms:cmk:list"
                ]
            }
        ]
    }
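As an added illustration that is not part of the DEW documentation or of any Huawei Cloud tooling, the following Python script models the evaluation rule stated under "Example: denying deletion of key tags": an explicit Deny overrides any Allow, and an action that no statement allows is denied by default. The KMS_ADMIN_POLICY below uses the wildcard action "kms:*:*" as a constructed stand-in for the real KMS Administrator policy, whose action list is not shown on this page; the deny policy is the one from the page.

```python
import fnmatch
from typing import Dict, Iterable, List

# Constructed stand-in for the KMS Administrator policy (assumption: a single
# wildcard action covering every KMS action). Not the real system policy.
KMS_ADMIN_POLICY = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["kms:*:*"]}],
}

# The custom policy from the page: forbid deleting key tags.
DENY_TAG_DELETE_POLICY = {
    "Version": "1.1",
    "Statement": [{"Effect": "Deny", "Action": ["kms:cmkTag:delete"]}],
}


def action_matches(pattern: str, action: str) -> bool:
    """Match a requested action against a policy action, honouring '*' wildcards."""
    return fnmatch.fnmatchcase(action, pattern)


def is_allowed(action: str, policies: Iterable[dict]) -> bool:
    """Evaluate one action against every policy attached to the user's group.

    Deny takes precedence over Allow regardless of policy order, and an action
    matched by no Allow statement is denied (default deny).
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            actions = stmt.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            if not any(action_matches(p, action) for p in actions):
                continue
            if stmt.get("Effect") == "Deny":
                return False  # explicit Deny wins immediately
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def evaluate(actions: List[str], policies: Iterable[dict]) -> Dict[str, bool]:
    """Return an action -> allowed map for a set of requested actions."""
    return {a: is_allowed(a, list(policies)) for a in actions}


if __name__ == "__main__":
    group = [KMS_ADMIN_POLICY, DENY_TAG_DELETE_POLICY]
    for act, ok in evaluate(["kms:cmkTag:create", "kms:cmkTag:delete", "rds:task:list"], group).items():
        print(f"{act}: {'allowed' if ok else 'denied'}")
```

Running the script shows that the group member keeps every KMS action except kms:cmkTag:delete, and that the deny policy on its own grants nothing, which is why the page says it must be combined with an Allow policy.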