Advanced Anti-DDoS (AAD)
Cloud services preset commonly used authorization items in IAM, known as system-defined identity policies. If the IAM system-defined identity policies do not meet your authorization requirements, an administrator can create IAM custom identity policies, based on the authorization items each service supports, for fine-grained access control. Custom identity policies extend and supplement system-defined identity policies.
Besides IAM, service control policies (SCPs) in the Organizations service can also use these authorization elements to define access control policies.
An SCP does not grant permissions directly; it only draws a permission boundary. Attaching an SCP to an organizational unit (OU) or a member account does not grant that OU or member account any operation permissions; it defines the scope of permissions that the member account, or the member accounts within the OU, can be granted. Permissions granted by IAM identity policies are limited by the SCP: only permissions within the scope the SCP allows take effect.
IAM and Organizations differ in some respects when these elements are used for access control. For details, see: Differences Between IAM and Organizations in Permission-Based Access Control.
This section describes the elements used in custom identity policies for IAM identity-policy authorization and in SCPs of the Organizations service. These elements are actions (Action), resources (Resource), and conditions (Condition).
Action
An action (Action) is an authorization item supported in identity policies.
- The Access Level column describes how an action is classified (List, Read, Write, etc.). This classification helps you understand the access level of each action in an identity policy.
- The Resource Type column indicates whether each action supports resource-level permissions.
  - A resource type supports the wildcard * to mean all resources. If this column has no value (-), all resource types ("*") must be specified in the Resource element of the identity policy statement.
  - If this column contains a resource type, the URN of that resource must be specified in statements that use the action.
  - Required resources in the Resource Type column are marked with an asterisk (*), meaning that the resource type must be specified whenever the action is used.
  For details about the resource types defined by AAD, see Resource.
- The Condition Key column lists the keys that can be specified in the Condition element of an identity policy statement.
  - If the Resource Type column of the action has a value, the condition key takes effect only for the listed resource types.
  - If the Resource Type column of the action has no value (-), the condition key takes effect for the entire action.
  - If the Condition Key column has no value (-), the action does not support condition keys.
  For details about the condition keys defined by AAD, see Condition.
- The Alias column lists the policy authorization items that can be configured in identity policies. With these authorization items you can control access to APIs that support policy-based authorization. For details, see Identity Policy Compatibility.
You can specify the following AAD actions in the Action element of an identity policy statement.
| Action | Description | Access Level | Resource Type (* means required) | Condition Key | Alias |
|---|---|---|---|---|---|
| aad:alarmConfig:create | Grants permission to create alarm settings. | Write | alarmConfig * | - | - |
| aad:alarmConfig:put | Grants permission to modify alarm settings. | Write | alarmConfig * | - | - |
| aad:alarmConfig:get | Grants permission to query alarm settings. | Read | alarmConfig * | - | - |
| aad:alarmConfig:delete | Grants permission to delete alarm settings. | Write | alarmConfig * | - | - |
| aad:certificate:delete | Grants permission to delete a certificate. | Write | certificate * | - | - |
| aad:certificate:list | Grants permission to query the certificate list. | List | certificate * | - | - |
| aad:certificate:set | Grants permission to modify the certificate associated with a domain name. | Write | certificate *, domain * | - | - |
| aad:dashboard:delete | Grants permission to delete report and log configurations. | Write | - | - | - |
| aad:dashboard:get | Grants permission to obtain report data and log configurations. | Read | - | - | - |
| aad:dashboard:set | Grants permission to modify report and log configurations. | Write | - | - | - |
| aad:domain:create | Grants permission to add a protected domain name. | Write | domain * | - | - |
| aad:domain:delete | Grants permission to delete a protected domain name. | Write | domain * | - | - |
| aad:domain:get | Grants permission to query the details of a protected domain name. | Read | domain * | - | - |
| aad:domain:list | Grants permission to query the domain name list. | List | domain * | - | - |
| aad:domain:put | Grants permission to modify the protection attributes of a domain name. | Write | domain * | - | - |
| aad:forwardingRule:create | Grants permission to add a forwarding rule. | Write | forwardingRule * | - | - |
| aad:forwardingRule:delete | Grants permission to delete a forwarding rule. | Write | forwardingRule * | - | - |
| aad:forwardingRule:get | Grants permission to query forwarding rules. | Read | forwardingRule * | - | - |
| aad:forwardingRule:list | Grants permission to export forwarding rules. | List | forwardingRule * | - | - |
| aad:forwardingRule:put | Grants permission to modify the origin server IP address in a forwarding rule. | Write | forwardingRule * | - | - |
| aad:instance:create | Grants permission to create an instance. | Write | instance * | - | - |
| aad:instance:get | Grants permission to query instance attributes. | Read | instance * | - | - |
| aad:instance:list | Grants permission to query the instance list. | List | instance * | - | - |
| aad:instance:put | Grants permission to modify instance attributes. | Write | instance * | - | - |
| aad:policy:create | Grants permission to add a protection rule. | Write | policy * | - | - |
| aad:policy:delete | Grants permission to delete a protection rule. | Write | policy * | - | - |
| aad:policy:get | Grants permission to query the details of a protection rule. | Read | policy * | - | - |
| aad:policy:list | Grants permission to query the protection rule list. | List | policy * | - | - |
| aad:policy:put | Grants permission to modify a protection rule. | Write | policy * | - | - |
| aad:quotas:get | Grants permission to query protection specifications. | Read | - | - | - |
| aad:whiteBlackIpRule:create | Grants permission to add a protection blacklist/whitelist entry. | Write | whiteBlackIpRule * | - | - |
| aad:whiteBlackIpRule:delete | Grants permission to delete a protection blacklist/whitelist entry. | Write | whiteBlackIpRule * | - | - |
| aad:whiteBlackIpRule:list | Grants permission to query the protection blacklist/whitelist. | List | whiteBlackIpRule * | - | - |
| aad:protectedIp:put | Grants permission to modify the tags of protected objects. | Write | - | - | - |
| aad:protectedIp:list | Grants permission to query the protected object list. | List | - | - | - |
| aad:package:put | Grants permission to modify a protection package. | Write | package * | - | - |
| aad:package:list | Grants permission to query the protection package list. | List | package * | - | - |
| aad:block:put | Grants permission to unblock an IP address. | Write | - | - | - |
| aad:block:list | Grants permission to query the blocked IP address list. | List | - | - | - |
| aad:block:get | Grants permission to query blocking and unblocking information. | Read | - | - | - |
An AAD API usually corresponds to one or more actions. Table 2 shows the mapping between APIs and actions, as well as the actions each API depends on.
| API | Action | Dependent Action |
|---|---|---|
POST /v1/{project_id}/cad/alart/config | aad:alarmConfig:create | - |
POST /v1/cnad/alarm-config | aad:alarmConfig:put | - |
DELETE /v1/cnad/alarm-config | aad:alarmConfig:delete | - |
GET /v1/{project_id}/cad/alart/list | aad:alarmConfig:get | - |
GET /v1/cnad/alarm-config | aad:alarmConfig:get | - |
DELETE /v1/aad/certificate/del | aad:certificate:delete | - |
GET /v1/{project_id}/cad/domains/certificatelist | aad:certificate:list | - |
GET /v1/aad/certificate-details | aad:certificate:list | - |
POST /v1/{project_id}/cad/domains/certificate | aad:certificate:set | - |
POST /v1/aad/configs/lts/delete | aad:dashboard:delete | - |
GET /v1/{project_id}/cad/ddosinfo/events_type | aad:dashboard:get | - |
GET /v1/aad/configs/lts_region | aad:dashboard:get | - |
GET /v1/aad/configs/lts | aad:dashboard:get | - |
GET /v1/{project_id}/waf/event/timeline | aad:dashboard:get | - |
GET /v1/{project_id}/waf/event/request/peak | aad:dashboard:get | - |
GET /v1/{project_id}/waf/event/attack/type | aad:dashboard:get | - |
GET /v1/{project_id}/waf/event/attack/source/num | aad:dashboard:get | - |
GET /v1/{project_id}/waf/event/attack/source | aad:dashboard:get | - |
GET /v1/{project_id}/cad/instances/flow_pps | aad:dashboard:get | - |
GET /v1/{project_id}/cad/instances/flow_bps | aad:dashboard:get | - |
GET /v1/{project_id}/cad/instances/events | aad:dashboard:get | - |
GET /v1/{project_id}/cad/ddosinfo/peak | aad:dashboard:get | - |
POST /v1/aad/configs/lts | aad:dashboard:set | - |
POST /v1/{project_id}/aad/domains | aad:domain:create | - |
POST /v1/{project_id}/cad/domains/del | aad:domain:delete | - |
GET /v1/{project_id}/aad/domains/{domain_id}/service-config | aad:domain:get | - |
GET /v1/{project_id}/cad/domains/ports | aad:domain:list | - |
GET /v1/{project_id}/cad/domains/name | aad:domain:get | - |
GET /v1/{project_id}/cad/domains/line/{enterprise_project_id} | aad:domain:list | - |
GET /v1/{project_id}/cad/domains/instances | aad:domain:get | - |
GET /v1/{project_id}/cad/domains/brief | aad:domain:get | - |
GET /v1/{project_id}/aad/domains/waf-list | aad:domain:list | - |
GET /v1/{project_id}/cad/domains | aad:domain:list | - |
POST /v1/{project_id}/aad/domains/{domain_id}/service-config | aad:domain:put | - |
POST /v1/{project_id}/cad/domains/switch | aad:domain:put | - |
POST /v1/{project_id}/cad/domains/cnameDispatchSwitch | aad:domain:put | - |
POST /v1/{project_id}/cad/domains/cname/switch | aad:domain:put | - |
POST /v1/{project_id}/cad/instances/protocol_rule | aad:forwardingRule:create | - |
POST /v1/{project_id}/cad/instances/protocol_rule/import | aad:forwardingRule:create | - |
DELETE /v1/{project_id}/cad/instances/protocol_rule/{rule_id} | aad:forwardingRule:delete | - |
POST /v1/{project_id}/cad/instances/protocol_rule/batchdel | aad:forwardingRule:delete | - |
GET /v1/{project_id}/cad/instances/rules | aad:forwardingRule:get | - |
GET /v1/{project_id}/cad/instances/protocol_rule/export | aad:forwardingRule:list | - |
PUT /v1/{project_id}/cad/instances/protocol_rule/{rule_id} | aad:forwardingRule:put | - |
POST /v1/{project_id}/cad/instances/cad_open | aad:instance:create | - |
GET /v1/{project_id}/cad/products | aad:instance:create | - |
GET /v1/{project_id}/{resource_type}/{resource_id}/tags | aad:instance:get | - |
GET /v1/{project_id}/cad/upgradeproducts/{instance_id} | aad:instance:get | - |
GET /v1/{project_id}/cad/instances/detail/{instance_id} | aad:instance:get | - |
GET /v1/{project_id}/aad/instances/brief-list | aad:instance:list | - |
GET /v1/{project_id}/cad/sourceip | aad:instance:list | - |
GET /v1/{project_id}/cad/instances | aad:instance:list | - |
POST /v1/{project_id}/{resource_type}/{resource_id}/tags/action | aad:instance:put | - |
POST /v1/{project_id}/cad/instances/cad_spec_upgrade | aad:instance:put | - |
PUT /v1/{project_id}/cad/instances/{instance_id}/name | aad:instance:put | - |
PUT /v1/{project_id}/cad/instances/{instance_id}/elastic/{ip_id} | aad:instance:put | - |
POST /v1/{project_id}/aad/policies/waf/cc | aad:policy:create | - |
POST /v1/cnad/policies | aad:policy:create | - |
DELETE /v1/{project_id}/aad/policies/waf/cc/{rule_id} | aad:policy:delete | - |
DELETE /v1/cnad/policies/{policy_id} | aad:policy:delete | - |
GET /v1/{project_id}/cad/flowblock | aad:policy:get | - |
GET /v1/cnad/policies/{policy_id} | aad:policy:get | - |
GET /v1/{project_id}/aad/policies/waf/cc | aad:policy:list | - |
GET /v1/cnad/policies | aad:policy:list | - |
PUT /v1/{project_id}/aad/policies/waf/cc/{rule_id} | aad:policy:put | - |
POST /v1/{project_id}/cad/flowblock/udp | aad:policy:put | - |
POST /v1/{project_id}/cad/flowblock/foreign | aad:policy:put | - |
POST /v1/cnad/policies/{policy_id}/ip-list/add | aad:policy:put | - |
POST /v1/cnad/policies/{policy_id}/bind | aad:policy:put | - |
POST /v1/cnad/policies/{policy_id}/ip-list/delete | aad:policy:put | - |
POST /v1/cnad/policies/{policy_id}/unbind | aad:policy:put | - |
PUT /v1/cnad/policies/{policy_id} | aad:policy:put | - |
GET /v1/{project_id}/aad/quotas/domain-port | aad:quotas:get | - |
GET /v1/{project_id}/scc/waf/quota | aad:quotas:get | - |
GET /v1/{project_id}/cad/quotas | aad:quotas:get | - |
GET /v1/{project_id}/cad/ip/quotas | aad:quotas:get | - |
GET /v1/{project_id}/cad/bwlist/quota | aad:quotas:get | - |
GET /v1/{project_id}/aad/user-configs | aad:quotas:get | - |
POST /v1/{project_id}/cad/bwlist | aad:whiteBlackIpRule:create | - |
POST /v1/{project_id}/cad/bwlist/delete | aad:whiteBlackIpRule:delete | - |
GET /v1/{project_id}/cad/bwlist | aad:whiteBlackIpRule:list | - |
PUT /v1/cnad/protected-ips/tags | aad:protectedIp:put | - |
GET /v1/cnad/protected-ips | aad:protectedIp:list | - |
POST /v1/cnad/packages/{package_id}/protected-ips | aad:package:put | - |
PUT /v1/cnad/packages/{package_id}/name | aad:package:put | - |
GET /v1/cnad/packages | aad:package:list | - |
GET /v1/cnad/packages/{package_id}/unbound-protected-ips | aad:package:list | - |
POST /v1/unblockservice/{domain_id}/unblock | aad:block:put | - |
GET /v1/unblockservice/{domain_id}/block-list | aad:block:list | - |
GET /v1/unblockservice/{domain_id}/unblock-quota-statistics | aad:block:get | - |
GET /v1/unblockservice/{domain_id}/block-statistics | aad:block:get | - |
GET /v1/unblockservice/{domain_id}/unblock-record | aad:block:get | - |
GET /v1/{project_id}/cad/instances/{instance_id}/elastic_count/{ip_id} | aad:instance:get | - |
GET /v1/{project_id}/cad/instances/{data_center}/elastic/{line}/{ip_id} | aad:instance:get | - |
GET /v1/aad/remain-vip-number | aad:quotas:get | - |
GET /v1/aad/instance/connection-num | aad:dashboard:get | - |
PUT /v1/{project_id}/cad/instances/{instance_id}/pp-switch | aad:instance:put | - |
GET /v1/aad-service/ces/{domain_id}/dims-info | aad:instance:list | - |
GET /v1/aad-service/ces/v2/{domain_id}/instances | aad:instance:list | - |
GET /v1/{project_id}/cad/instances/security-statistics | aad:instance:list | - |
GET /v1/aad/domain/instances/rules | aad:domain:list | - |
POST /v1/aad/policy/modify | aad:policy:put | - |
POST /v1/aad/geoip | aad:policy:put | - |
GET /v1/aad/geoip | aad:policy:get | - |
DELETE /v1/aad/geoip/{ruleId} | aad:policy:delete | - |
PUT /v1/aad/geoip/{ruleId} | aad:policy:put | - |
POST /v1/aad/whiteip | aad:policy:put | - |
GET /v1/aad/whiteip | aad:policy:get | - |
DELETE /v1/aad/whiteip | aad:policy:delete | - |
POST /v1/aad/custom | aad:policy:put | - |
GET /v1/aad/custom | aad:policy:get | - |
PUT /v1/aad/custom/{ruleId} | aad:policy:put | - |
DELETE /v1/aad/custom/{ruleId} | aad:policy:delete | - |
GET /v1/aad/policy/details | aad:policy:get | - |
POST /v1/aad/cc/intelligent/modify | aad:policy:put | - |
GET /v1/aad/geoip/map | aad:policy:get | - |
Resource
A resource type (Resource) is the resource an identity policy acts on. If an action in Table 3 specifies a resource type, the URN of that resource must be specified in identity policy statements that use the action, and the policy then applies only to that resource; if no resource is specified, Resource defaults to "*" and the policy applies to all resources. You can also set conditions in the identity policy to narrow the resource type.
AAD defines the following resource types, which can be used in the Resource element of custom identity policies.
| Resource Type | URN |
|---|---|
forwardingRule | aad::<account-id>:forwardingRule:<forwarding-rule-id> |
package | aad::<account-id>:package:<package-id> |
policy | aad::<account-id>:policy:<policy-id> |
alarmConfig | aad::<account-id>:alarmConfig:<alarm-config-id> |
domain | aad::<account-id>:domain:<domain-id> |
certificate | aad::<account-id>:certificate:<certificate-id> |
instance | aad::<account-id>:instance:<instance-id> |
whiteBlackIpRule | aad::<account-id>:whiteBlackIpRule:<white-black-ip-rule-id> |
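As an added example, not code from the service or this documentation, the following Python checks a custom identity policy statement against the resource-type rule of the action table (actions with no resource type must use "*"; otherwise the URN must be of the listed type, following the `aad::<account-id>:<type>:<id>` layout above) and evaluates a request under the SCP-as-boundary semantics described earlier. The `Effect` field with Allow/Deny values, glob-style wildcard matching, the policy dictionary shape and the account id are assumptions made for the example.

```python
import fnmatch

# Subset of the action table above (constructed for this example):
# action -> resource type it requires; "-" means Resource must be "*".
ACTION_RESOURCE_TYPE = {
    "aad:domain:get": "domain",
    "aad:domain:put": "domain",
    "aad:dashboard:get": "-",
    "aad:block:put": "-",
}

def validate_statement(stmt):
    """Return violations of the Resource element rules from the action table."""
    errors = []
    for action in stmt["Action"]:
        rtype = ACTION_RESOURCE_TYPE[action]
        for res in stmt["Resource"]:
            if res == "*":
                continue  # "*" is acceptable for every action
            # URN layout from the resource table: aad::<account-id>:<type>:<id>
            if rtype == "-":
                errors.append(f"{action}: no resource type, Resource must be '*'")
            elif res.split(":")[3] != rtype:
                errors.append(f"{action}: URN {res} is not a {rtype} resource")
    return errors

def _matches(stmt, action, resource):
    return (any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"])
            and any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]))

def allowed_by(policy, action, resource):
    """Assumed evaluation: some Allow statement matches and no Deny matches."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource)}
    return "Allow" in effects and "Deny" not in effects

def is_permitted(identity_policy, scp, action, resource):
    """The SCP only draws the boundary; an identity-policy grant counts inside it."""
    return allowed_by(scp, action, resource) and allowed_by(identity_policy, action, resource)

ACCOUNT = "0123456789abcdef"  # constructed account id, not a real one
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["aad:domain:get", "aad:domain:put"],
     "Resource": [f"aad::{ACCOUNT}:domain:*"]},
    {"Effect": "Allow", "Action": ["aad:block:put"], "Resource": ["*"]},
]}
# SCP attached to the member account: only domain operations lie inside the boundary,
# so the aad:block:put grant above never takes effect.
SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["aad:domain:*"], "Resource": ["*"]},
]}
```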

