Updated on 2022-02-22 GMT+08:00

Creating a Custom Policy

Custom policies can be created as a supplement to the system policies of KMS. For the actions that can be added to custom policies, see "Permissions Policies and Supported Actions".

You can create custom policies in either of the following two ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions without the need to know policy syntax.
    Custom KMS policy parameters:
    • Select service: Select Key Management Service.
    • Select action: Set it as required.
    • (Optional) Select resource: Set Resources to Specific and KeyId to Specify resource path. In the dialog box that is displayed, set Path to the ID generated when the key was created. For details about how to obtain the ID, see "Viewing a CMK".
  • JSON: Edit JSON policies from scratch or based on an existing policy.

For details, see Creating a Custom Policy. The following section contains examples of common DEW custom policies.

Example Custom Policies

  • Example 1: authorizing users to create and import keys
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:serverKMS:create"
                ]
            }
        ]
    }
  • Example 2: forbidding users from deleting account key pairs

    A deny policy must be used in conjunction with other policies to take effect. If the permissions assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.

    The following method can be used if you need to assign permissions of the KMS Administrator policy to a user but also forbid the user from deleting key pairs (ecs:serverKeypairs:delete). Create a custom policy with the action to delete key pairs, set its Effect to Deny, and assign both this and the KMS Administrator policies to the group the user belongs to. Then the user can perform all operations on key pairs except deleting them. The following is a policy for denying key pair deletion.

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "ecs:serverKeypairs:delete"
                ]
            }
        ]
    }
  • Multi-action policy

    A custom policy can contain actions of multiple services that are all of the global or project-level type. The following is a policy with multiple statements:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:serverKeypairs:create"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kms:cmk:*",
                    "kms:dek:*",
                    "kms:grant:*",
                    "kms:tag:*"
                ]
            }
        ]
    }
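The following added example (not code from this documentation or from the cloud platform's own IAM engine) checks a hand-written policy for the syntax and shape errors that are easy to make when editing JSON from scratch, and then applies the Deny-over-Allow rule from Example 2 across all policies attached to a group. It assumes fnmatch-style wildcard matching for actions such as "kms:cmk:*", and it uses a constructed stand-in for the KMS Administrator policy because that system policy's contents are not on this page.

```python
import fnmatch
import json


def parse_policy(text: str) -> dict:
    """Parse a policy in the page's JSON format and check its shape.
    json.loads raises JSONDecodeError (a ValueError) on syntax slips such as
    a trailing comma; structural mistakes raise ValueError before any upload."""
    policy = json.loads(text)
    if policy.get("Version") != "1.1":
        raise ValueError('Version must be "1.1"')
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError("Effect must be Allow or Deny")
        if not isinstance(stmt.get("Action"), list) or not stmt["Action"]:
            raise ValueError("Action must be a non-empty list")
    return policy


def is_permitted(policies, action: str) -> bool:
    """Decide one action across every policy attached to a group.
    An explicit Deny anywhere wins, an Allow is required for a yes, and an
    action matched by no statement is refused. Assumption: '*' in a pattern
    matches the rest of the action string, so "kms:cmk:*" covers "kms:cmk:create"."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return False  # Deny takes precedence over Allow
                allowed = True
    return allowed


# Constructed sample: the page's deny policy (Example 2) plus a stand-in for the
# KMS Administrator policy (assumed contents, not the real system policy).
DENY_KEYPAIR_DELETE = parse_policy("""
{"Version": "1.1",
 "Statement": [{"Effect": "Deny", "Action": ["ecs:serverKeypairs:delete"]}]}
""")
ASSUMED_ADMIN_ALLOW = parse_policy("""
{"Version": "1.1",
 "Statement": [{"Effect": "Allow", "Action": ["ecs:serverKeypairs:*", "kms:cmk:*",
                "kms:dek:*", "kms:grant:*", "kms:tag:*"]}]}
""")
GROUP_POLICIES = [ASSUMED_ADMIN_ALLOW, DENY_KEYPAIR_DELETE]

if __name__ == "__main__":
    for act in ("ecs:serverKeypairs:create", "ecs:serverKeypairs:delete", "kms:cmk:create"):
        print(act, "->", "allowed" if is_permitted(GROUP_POLICIES, act) else "denied")
```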