Data Encryption Workshop
The Organizations service provides Service Control Policies (SCPs) to set access control policies.
SCPs do not actually grant any permissions to an entity. They only set the permission boundary for the entity. When SCPs are attached to an organizational unit (OU) or a member account, the SCPs do not directly grant permissions to the OU or member account. Instead, the SCPs only determine what permissions are available for the member account or the member accounts under the OU.
This section describes the elements used by Organizations SCPs, which include actions, resources, and conditions.
For details about how to use these elements to create a custom SCP, see Creating an SCP.
Action
Actions are specific operations that are allowed in a policy.
- The Access Level column describes how the action is classified (List, Read, or Write). This helps you understand the level of access that an action grants when you use it in a policy.
- The Resource Type column indicates whether the action supports resource-level permissions.
- You can use a wildcard (*) to indicate all resource types. If this column does not contain any value (-), you must specify all resources (*) in your SCP statements.
- If resource types are specified for this column, specify the resource URN in the statement that contains the action.
- Required resources are marked with asterisks (*) in the table.
For details about resource types defined by DEW, see Resources.
- The Condition Key column contains keys that you can specify in the Condition element of an SCP statement.
- If the Resource Type column has values for an action, the condition key only takes effect only for the listed resource types.
- If the Resource Type column is empty (-) for an action, the condition key takes effect for all resource types that action supports.
- If the Condition Key column is empty (-) for an action, the action does not support any condition keys.
For details about condition keys defined by DEW, see Conditions.
The following table describes the actions that you can define in SCP statements for DEW.
Action |
Description |
Access Level |
Resource Type (* required) |
Condition Key |
|---|---|---|---|---|
kms:cmk:create |
Grant the permission to create KMS keys. |
write |
cmk * |
|
- |
g:EnterpriseProjectId |
|||
kms:cmk:list |
Grant the permission to view all KMS keys of a user. |
list |
cmk * |
- |
- |
g:EnterpriseProjectId |
|||
kms:cmk:enable |
Grant the permission to enable KMS keys. |
write |
cmk * |
|
kms:cmk:disable |
Grant the permission to disable KMS keys. |
write |
cmk * |
|
kms:cmk:get |
Grant the permission to view details about KMS keys. |
read |
cmk * |
|
kms:cmk:createDataKey |
Grant the permission to use KMS keys to generate data keys. |
write |
cmk * |
|
- |
kms:RecipientAttestation |
|||
kms:cmk:createDataKeyWithoutPlaintext |
Grant the permission to use KMS keys to generate data keys that do not contain plaintext versions. |
write |
cmk * |
|
kms:cmk:encryptDataKey |
Grant the permission to encrypt data keys. |
write |
cmk * |
|
kms:cmk:decryptDataKey |
Grant the permission to decrypt data keys. |
write |
cmk * |
|
- |
kms:RecipientAttestation |
|||
kms:cmk:encryptData |
Grant the permission to use a specified KMS key to encrypt small volumes of data. |
write |
cmk * |
|
- |
kms:EncryptionAlgorithm |
|||
kms:cmk:decryptData |
Grant the permission to use a specified KMS key to decrypt data. |
write |
cmk * |
|
- |
|
|||
kms::generateRandom |
Grant the permission to generate secure random strings. |
write |
- |
kms:RecipientAttestation |
kms:cmk:sign |
Grant the permission to generate digital signatures. |
write |
cmk * |
|
- |
|
|||
kms:cmk:verify |
Grant the permission to use a specified KMS key to verify digital signatures. |
write |
cmk * |
|
- |
|
|||
kms:cmk:generateMac |
Grant the permission to generate message verification codes. |
write |
cmk * |
|
- |
kms:MacAlgorithm |
|||
kms:cmk:verifyMac |
Grant the permission to use a specified KMS key to verify message verification codes. |
write |
cmk * |
|
- |
kms:MacAlgorithm |
|||
kms:cmk:getPublicKey |
Grant the permission to query the public key of KMS keys. |
read |
cmk * |
|
kms::getVersions |
Grant the permission to query the service version. |
read |
- |
- |
kms::getVersion |
Grant the permission to query the API version of a service key. |
read |
- |
- |
kms::getInstance |
Grant the permission to query the number of key instances of a user. |
read |
- |
- |
kms::getQuota |
Grant the permission to query user quotas. |
read |
- |
- |
kms:cmk:scheduleKeyDeletion |
Grant the permission to periodically delete KMS keys. |
write |
cmk * |
|
kms:cmk:cancelKeyDeletion |
Grant the permission to cancel the scheduled deletion of KMS keys. |
write |
cmk * |
|
kms:cmk:updateKeyAlias |
Grant the permission to change the alias of a key. |
write |
cmk * |
|
kms:cmk:updateKeyDescription |
Grant the permission to change the key description. |
write |
cmk * |
|
kms:cmk:createGrant |
Grant the permission to create grants for a specified key. |
permission_management |
cmk * |
|
- |
|
|||
kms:cmk:listGrants |
Grant the permission to query the grant list of a specified key. |
list |
cmk * |
|
kms::listRetirableGrants |
Grant the permission to query the retirable grant list of CMKs. |
list |
- |
- |
kms:cmk:retireGrant |
Permission granted to retire a grant for a specified CMK. |
permission_management |
cmk * |
g:ResourceTag/<tag-key> |
kms:cmk:revokeGrant |
Grant the permission to cancel the grants of a specified key. |
permission_management |
cmk * |
|
kms:cmk:getMaterial |
Grant the permission to obtain key import parameters. |
read |
cmk * |
|
- |
kms:WrappingAlgorithm |
|||
kms:cmk:importMaterial |
Grant the permission to import key materials. |
write |
cmk * |
|
- |
kms:ExpirationTime |
|||
kms:cmk:deleteMaterial |
Grant the permission to delete key materials. |
write |
cmk * |
|
kms:cmk:enableRotation |
Grant the permission to enable rotation for a specified key. |
write |
cmk * |
|
kms:cmk:updateRotation |
Grant the permission to change the rotation period of a specified key. |
write |
cmk * |
|
kms:cmk:disableRotation |
Grant the permission to disable rotation for a key. |
write |
cmk * |
|
kms:cmk:getRotation |
Grant the permission to query the rotation status of a specified key. |
read |
cmk * |
|
kms:cmk:createTag |
Grant the permission to add tags to a specified key. |
tagging |
cmk * |
|
- |
|
|||
kms:cmk:createTags |
Grant the permission to add or delete tags of a specified key in batches. |
tagging |
cmk * |
|
- |
|
|||
kms:cmk:listKeysByTag |
Grant the permission to query a specified key instance. |
list |
cmk * |
- |
kms:cmk:deleteTag |
Grant the permission to delete a specified key tag. |
tagging |
cmk * |
|
- |
g:TagKeys |
|||
kms:cmk:getTags |
Grant the permission to query a specified key tag. |
read |
cmk * |
|
kms::listAllTags |
Grant the permission to query the tags of a specified key project. |
list |
- |
- |
Action |
Description |
Access Level |
Resource Type (* required) |
Condition Key |
|---|---|---|---|---|
csms:secret:create |
Grant the permission to create and restore secrets. |
write |
secret * |
csms:Type |
- |
g:EnterpriseProjectId |
|||
csms:secret:delete |
Grant the permission to delete secrets immediately. |
write |
secret * |
|
csms:secret:update |
Grant the permission to update secret metadata information. |
write |
secret * |
|
csms:secret:get |
Grant the permission to query and download secret information. |
read |
secret * |
|
csms:secret:list |
Grant the permission to query all secrets created by the current user in the current project. |
list |
secret * |
g:EnterpriseProjectId |
csms:secret:createVersion |
Grants the permission to create a new secret version in a specified secret. |
write |
secret * |
|
csms:secret:getVersion |
Grants permission to query the version information about a specified secret and its plaintext secret values. |
read |
secret * |
|
csms:secret:listVersion |
Grants the permission to query the version list of a specified secret. |
list |
secret * |
|
csms:secret:createStage |
Grant the permission to create secret version status. |
write |
secret * |
|
csms:secret:getStage |
Grant the permission to use the secret version status to query version information. |
read |
secret * |
|
csms:secret:updateStage |
Grant the permission to update the secret version status. |
write |
secret * |
|
csms:secret:deleteStage |
Grant the permission to delete the state of a specified secret version. |
write |
secret * |
|
csms::getSecretQuota |
Grant the permission to query the secret quota of a specified project. |
read |
- |
- |
csms:secret:scheduleDeletion |
Grant the permission to create a scheduled secret deletion task. |
write |
secret * |
|
csms:secret:restoreSecret |
Grant the permission to cancel a scheduled secret deletion task. |
write |
secret * |
|
csms:secret:rotate |
Grant the permission to rotate a secret. |
write |
secret * |
|
csms:secret:getSecretsByTag |
Grant the permission to return the secret list through tag filtering. |
list |
secret * |
- |
csms:secret:batchCreateOrDeleteTags |
Grant the permission to add or delete secret tags in batches. |
tagging |
secret * |
|
- |
|
|||
csms:secret:createTag |
Grant the permission to add secret tags. |
tagging |
secret * |
|
- |
|
|||
csms:secret:deleteTag |
Grant the permission to delete secret tags. |
tagging |
secret * |
|
- |
g:TagKeys |
|||
csms:secret:listTags |
Grant the permission to query secret tags. |
list |
secret * |
|
csms::listProjectTags |
Grant the permission to query all secret tag sets of a user in a specified project. |
list |
- |
- |
csms:secret:updateVersion |
Grant the permission to update the validity period of a secret version. |
write |
secret * |
|
csms::createEvent |
Grant the permission to create secret events. |
write |
- |
- |
csms::listEvents |
Grant the permission to query all event notifications created by the current user in a project. |
list |
- |
- |
csms::getEvent |
Grant the permission to query specified event notification information. |
read |
- |
- |
csms::updateEvent |
Grant the permission to update the information of a specified event notification. |
write |
- |
- |
csms::deleteEvent |
Grant the permission to immediately delete a specified event notification. |
write |
- |
- |
csms::listNotificationRecords |
Grant the permission to query the triggered event notification records. |
list |
- |
- |
DEW APIs usually support one or more actions. Table 3 and Table 4 describe the actions and dependencies supported by APIs, as well as the actions on which the API depends.
API |
Action |
Dependent Permission |
|---|---|---|
POST /v1.0/{project_id}/kms/create-key |
kms:cmk:create |
- |
POST /v1.0/{project_id}/kms/list-keys |
kms:cmk:list |
- |
POST /v1.0/{project_id}/kms/enable-key |
kms:cmk:enable |
- |
POST /v1.0/{project_id}/kms/disable-key |
kms:cmk:disable |
- |
POST /v1.0/{project_id}/kms/describe-key |
kms:cmk:get |
- |
POST /v1.0/{project_id}/kms/create-datakey |
kms:cmk:createDataKey |
- |
POST /v1.0/{project_id}/kms/create-datakey-without-plaintext |
kms:cmk:createDataKeyWithoutPlaintext |
- |
POST /v1.0/{project_id}/kms/encrypt-datakey |
kms:cmk:encryptDataKey |
- |
POST /v1.0/{project_id}/kms/decrypt-datakey |
kms:cmk:decryptDataKey |
- |
POST /v1.0/{project_id}/kms/encrypt-data |
kms:cmk:encryptData |
- |
POST /v1.0/{project_id}/kms/decrypt-data |
kms:cmk:decryptData |
- |
POST /v1.0/{project_id}/kms/gen-random |
kms::generateRandom |
- |
POST /v1.0/{project_id}/kms/sign |
kms:cmk:sign |
- |
POST /v1.0/{project_id}/kms/verify |
kms:cmk:verify |
- |
POST /v1.0/{project_id}/kms/get-publickey |
kms:cmk:getPublicKey |
- |
GET / |
kms::getVersions |
- |
GET /{version_id} |
kms::getVersion |
- |
POST /v1.0/{project_id}/kms/schedule-key-deletion |
kms:cmk:scheduleKeyDeletion |
- |
POST /v1.0/{project_id}/kms/cancel-key-deletion |
kms:cmk:cancelKeyDeletion |
- |
GET /v1.0/{project_id}/kms/user-instances |
kms::getInstance |
- |
GET /v1.0/{project_id}/kms/user-quotas |
kms::getQuota |
- |
POST /v1.0/{project_id}/kms/update-key-alias |
kms:cmk:updateKeyAlias |
- |
POST /v1.0/{project_id}/kms/update-key-description |
kms:cmk:updateKeyDescription |
- |
POST /v1.0/{project_id}/kms/create-grant |
kms:cmk:createGrant |
- |
POST /v1.0/{project_id}/kms/list-grants |
kms:cmk:listGrants |
- |
POST /v1.0/{project_id}/kms/list-retirable-grants |
kms::listRetirableGrants |
- |
POST /v1.0/{project_id}/kms/retire-grant |
kms:cmk:retireGrant |
- |
POST /v1.0/{project_id}/kms/revoke-grant |
kms:cmk:revokeGrant |
- |
POST /v1.0/{project_id}/kms/get-parameters-for-import |
kms:cmk:getMaterial |
- |
POST /v1.0/{project_id}/kms/import-key-material |
kms:cmk:importMaterial |
- |
POST /v1.0/{project_id}/kms/delete-imported-key-material |
kms:cmk:deleteMaterial |
- |
POST /v1.0/{project_id}/kms/enable-key-rotation |
kms:cmk:enableRotation |
- |
POST /v1.0/{project_id}/kms/update-key-rotation-interval |
kms:cmk:updateRotation |
- |
POST /v1.0/{project_id}/kms/disable-key-rotation |
kms:cmk:disableRotation |
- |
POST /v1.0/{project_id}/kms/get-key-rotation-status |
kms:cmk:getRotation |
- |
POST /v1.0/{project_id}/kms/{key_id}/tags |
kms:cmk:createTag |
- |
POST /v1.0/{project_id}/kms/{key_id}/tags/action |
kms:cmk:createTags |
- |
POST /v1.0/{project_id}/kms/{resource_instances}/action |
kms:cmk:listKeysByTag |
- |
DELETE /v1.0/{project_id}/kms/{key_id}/tags/{key} |
kms:cmk:deleteTag |
- |
GET /v1.0/{project_id}/kms/{key_id}/tags |
kms:cmk:getTags |
- |
GET /v1.0/{project_id}/kms/tags |
kms::listAllTags |
- |
API |
Action |
Dependencies |
|---|---|---|
POST /v1/{project_id}/secrets |
csms:secret:create |
kms:cmk:createDataKey |
POST /v1/{project_id}/secrets/{secret_name}/backup |
csms:secret:get |
|
POST /v1/{project_id}/secrets/restore |
csms:secret:create |
kms:cmk:decryptDataKey |
DELETE /v1/{project_id}/secrets/{secret_name} |
csms:secret:delete |
- |
PUT /v1/{project_id}/secrets/{secret_name} |
csms:secret:update |
- |
GET /v1/{project_id}/secrets/{secret_name} |
csms:secret:get |
- |
GET /v1/{project_id}/secrets |
csms:secret:list |
- |
POST /v1/{project_id}/secrets/{secret_name}/versions |
csms:secret:createVersion |
kms:cmk:createDataKey |
GET /v1/{project_id}/secrets/{secret_name}/versions/{version_id} |
csms:secret:getVersion |
kms:cmk:decryptDataKey |
GET /v1/{project_id}/secrets/{secret_name}/versions |
csms:secret:listVersion |
- |
GET /v1/{project_id}/secrets/{secret_name}/stages/{stage_name} |
csms:secret:getStage |
- |
PUT /v1/{project_id}/secrets/{secret_name}/stages/{stage_name} |
csms:secret:updateStage |
- |
DELETE /v1/{project_id}/secrets/{secret_name}/stages/{stage_name} |
csms:secret:deleteStage |
- |
POST /v1/{project_id}/secrets/{secret_name}/scheduled-deleted-tasks/create |
csms:secret:scheduleDeletion |
- |
POST /v1/{project_id}/secrets/{secret_name}/scheduled-deleted-tasks/cancel |
csms:secret:restoreSecret |
- |
POST /v1/{project_id}/secrets/{secret_name}/rotate |
csms:secret:rotate |
|
POST /v1/{project_id}/csms/{resource_instances}/action |
csms:secret:getSecretsByTag |
- |
POST /v1/{project_id}/csms/{secret_id}/tags/action |
csms:secret:batchCreateOrDeleteTags |
- |
POST /v1/{project_id}/csms/{secret_id}/tags |
csms:secret:createTag |
- |
DELETE /v1/{project_id}/csms/{secret_id}/tags/{key} |
csms:secret:deleteTag |
- |
GET /v1/{project_id}/csms/{secret_id}/tags |
csms:secret:listTags |
- |
GET /v1/{project_id}/csms/tags |
csms::listProjectTags |
- |
PUT /v1/{project_id}/secrets/{secret_name}/versions/{version_id} |
csms:secret:updateVersion |
- |
POST /v1/{project_id}/csms/events |
csms::createEvent |
- |
GET /v1/{project_id}/csms/events |
csms::listEvents |
- |
GET /v1/{project_id}/csms/events/{event_name} |
csms::getEvent |
- |
PUT /v1/{project_id}/csms/events/{event_name} |
csms::updateEvent |
- |
DELETE /v1/{project_id}/csms/events/{event_name} |
csms::deleteEvent |
- |
GET /v1/{project_id}/csms/notification-records |
csms::listNotificationRecords |
- |
Resources
A resource type indicates the resources that an SCP policy applies to. Some actions describes in Table 5 can be restricted to specific resources. If you specify a resource URN in an SCP statement, the SCPs only applies to the specified resources. If no resource URN is specified, the value of Resource will be * by default, and the SCP will apply to all resources. You can also set conditions in an SCP to specify the resource type.
The following table lists the resource types that you can define in SCP statements for DEW.
Conditions
A Condition element lets you specify the conditions for an SCP to take effect. It contains condition keys and operators.
- The condition key you specify can be a global condition key or a service-specific condition key.
- Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, IAM automatically obtains such information and authenticates users. For details, see Global Condition Keys.
- Service-specific condition keys (with the abbreviation of a service name plus a colon as the prefix, for example, DEW:) apply only to operations of the corresponding service. For details, see Table 6.
- The number of values associated with a condition key in the request context of an API call makes the condition key single-valued or multivalued. Single-valued condition keys have at most one value in the request context of an API call. Multivalued condition keys can have multiple values in the request context of an API call. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is a single-valued condition key. You can tag resources and include multiple tag key-value pairs in a request, so g:TagKeys is a multivalued condition key.
- A condition operator, condition key, and a condition value together constitute a complete condition statement. An SCP can be applied only when its request conditions are met. For supported condition operators, see Operators.
The following table lists the condition keys that you can define in SCPs for DEW. You can use the condition keys to set conditions for detailed SCP statements.
KPS does not support service-level condition keys in identity policies.
Service-specific Condition Key |
Type |
Single-valued/Multivalued |
Description |
|---|---|---|---|
kms:EncryptionAlgorithm |
string |
Single-valued |
Search for the encryption and decryption operations based on the value of encryption and decryption algorithms in the request. |
kms:GranteePrincipalType |
string |
Single-valued |
Search for the CreateGrant operations based on the authorization subject type in the request. |
kms:GrantOperations |
string |
Multivalued |
Search for the CreateGrant operations based on the operations that need to be authorized. |
kms:GranteePrincipal |
string |
Single-valued |
Search for the CreateGrant operations based on the authorized subjects in the authorization. |
kms:KeyOrigin |
string |
Single-valued |
Search for the API operations based on the origin attribute of the created or used KMS key. |
kms:KeySpec |
string |
Single-valued |
Search for the API operations based on the key_spec attribute of the created or used KMS key. |
kms:KeyUsage |
string |
Single-valued |
Search for the API operations based on the key_usage attribute of the created or used KMS key. |
kms:MessageType |
string |
Single-valued |
Search for the signing and signature verification operations based on the value of message_type in the request. |
kms:RetiringPrincipal |
string |
Single-valued |
Search for the CreateGrant operations based on value of retiring_principal in the grant. |
kms:SigningAlgorithm |
string |
Single-valued |
Search for the signing and verification operations based on the value of signing_algorithm in the request. |
kms:ExpirationTime |
date |
Single-valued |
Search for the ImportKeyMaterial operations based on the value of expiration_time in the request. |
kms:WrappingAlgorithm |
string |
Single-valued |
Search for the CreateParametersForImport operations based on the value of wrapping_algorithm in the request. |
kms:RecipientAttestation |
string |
Single-valued |
Search for the CreateDatakey, DecryptData, DecryptDatakey, and CreateRandom operations based on the value of platform configuration register (PCR) of the proof document in the request. |
kms:MacAlgorithm |
string |
Single-valued |
Search for the message authentication code generation or verification operations based on the value of mac_algorithm in the request. |
csms:Type |
string |
Single-valued |
Search for access permissions by secret type. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
