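Amazon Route 53 API permissions: Actions, resources, and conditions reference
When you set up access control and write permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following lists as a reference. The lists include each Amazon Route 53 API action, the actions that you must grant access to, and the Amazon resources that you must grant access to. You specify the actions in the policy's Action field and the resource values in the policy's Resource field.
You can use Amazon-wide condition keys in your Route 53 policies to express conditions. For a complete list of Amazon-wide keys, see Available keys in the IAM User Guide.
When you grant access, the hosted zone and the Amazon VPC must belong to the same partition. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.
The following are the supported partitions:
- aws - Amazon Web Services Regions
- aws-cn - China Regions
- aws-us-gov - Amazon GovCloud (US) Region
For more information, see Access management in the Amazon General Reference.
To specify an action, put the applicable prefix (route53, route53domains, or route53resolver) before the API action name, for example:
- route53:CreateHostedZone
- route53domains:RegisterDomain
- route53resolver:CreateResolverEndpoint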
Required permissions for actions on public hosted zones
- CreateHostedZone
  Required permissions (API action): route53:CreateHostedZone
  Resources: *
- DeleteHostedZone
  Required permissions (API action): route53:DeleteHostedZone
  Resources: *
- GetHostedZone
  Required permissions (API action): route53:GetHostedZone
  Resources: *
- GetHostedZoneCount
  Required permissions (API action): route53:GetHostedZoneCount
  Resources: *
- ListHostedZones
  Required permissions (API action): route53:ListHostedZones
  Resources: *
- ListHostedZonesByName
  Required permissions (API action): route53:ListHostedZonesByName
  Resources: *
- UpdateHostedZoneComment
  Required permissions (API action): route53:UpdateHostedZoneComment
  Resources: *
Required permissions for actions on private hosted zones
- CreateHostedZone
  Required permissions (API action): route53:CreateHostedZone, ec2:DescribeVpcs, ec2:DescribeRegions
  Resources: *, arn:aws:ec2::optional account id:*
- DeleteHostedZone
  Required permissions (API action): route53:DeleteHostedZone
  Resources: *
- AssociateVPCWithHostedZone
  Required permissions (API action): route53:AssociateVPCWithHostedZone, ec2:DescribeVpcs
  Resources: *, arn:aws:ec2::optional account id:*
- CreateVPCAssociationAuthorization
  Required permissions (API action): route53:CreateVPCAssociationAuthorization
  Resources: *
- DeleteVPCAssociationAuthorization
  Required permissions (API action): route53:DeleteVPCAssociationAuthorization
  Resources: *
- DisassociateVPCFromHostedZone
  Required permissions (API action): route53:DisassociateVPCFromHostedZone, ec2:DescribeVpcs
  Resources: *, arn:aws:ec2::optional account id:*
- GetHostedZone
  Required permissions (API action): route53:GetHostedZone
  Resources: *
- GetHostedZoneCount
  Required permissions (API action): route53:GetHostedZoneCount
  Resources: *
- ListHostedZones
  Required permissions (API action): route53:ListHostedZones
  Resources: *
- ListHostedZonesByName
  Required permissions (API action): route53:ListHostedZonesByName
  Resources: *
- UpdateHostedZoneComment
  Required permissions (API action): route53:UpdateHostedZoneComment
  Resources: *
Required permissions for actions on reusable delegation sets
- CreateReusableDelegationSet
  Required permissions (API action): route53:CreateReusableDelegationSet
  Resources: *
- DeleteReusableDelegationSet
  Required permissions (API action): route53:DeleteReusableDelegationSet
  Resources: *
- GetReusableDelegationSet
  Required permissions (API action): route53:GetReusableDelegationSet
  Resources: *
- ListReusableDelegationSets
  Required permissions (API action): route53:ListReusableDelegationSets
  Resources: *
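Required permissions for actions on records
- ChangeResourceRecordSets
  Required permissions (API action): route53:ChangeResourceRecordSets
  Resources: arn:aws:route53:::hostedzone/hosted zone ID
- GetChange
  Required permissions (API action): route53:GetChange
  Resources: *
- GetGeoLocation
  Required permissions (API action): None
  Resources: None
  Route 53 doesn't perform authorization for this API because it retrieves information that is already available to the public.
- ListGeoLocations
  Required permissions (API action): None
  Resources: None
  Route 53 doesn't perform authorization for this API because it retrieves information that is already available to the public.
- ListResourceRecordSets
  Required permissions (API action): route53:ListResourceRecordSets
  Resources: arn:aws:route53:::hostedzone/hosted zone ID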
Required permissions for actions on traffic policies
- CreateTrafficPolicy
  Required permissions (API action): route53:CreateTrafficPolicy
  Resources: *
- CreateTrafficPolicyVersion
  Required permissions (API action): route53:CreateTrafficPolicyVersion
  Resources: *
- DeleteTrafficPolicy
  Required permissions (API action): route53:DeleteTrafficPolicy
  Resources: *
- GetTrafficPolicy
  Required permissions (API action): route53:GetTrafficPolicy
  Resources: *
- ListTrafficPolicies
  Required permissions (API action): route53:ListTrafficPolicies
  Resources: *
- ListTrafficPolicyVersions
  Required permissions (API action): route53:ListTrafficPolicyVersions
  Resources: *
- UpdateTrafficPolicyComment
  Required permissions (API action): route53:UpdateTrafficPolicyComment
  Resources: *
Required permissions for actions on traffic policy instances
- CreateTrafficPolicyInstance
  Required permissions (API action): route53:CreateTrafficPolicyInstance
  Resources: *
- DeleteTrafficPolicyInstance
  Required permissions (API action): route53:DeleteTrafficPolicyInstance
  Resources: *
- GetTrafficPolicyInstance
  Required permissions (API action): route53:GetTrafficPolicyInstance
  Resources: *
- GetTrafficPolicyInstanceCount
  Required permissions (API action): route53:GetTrafficPolicyInstanceCount
  Resources: *
- ListTrafficPolicyInstances
  Required permissions (API action): route53:ListTrafficPolicyInstances
  Resources: *
- ListTrafficPolicyInstancesByHostedZone
  Required permissions (API action): route53:ListTrafficPolicyInstancesByHostedZone
  Resources: *
- ListTrafficPolicyInstancesByPolicy
  Required permissions (API action): route53:ListTrafficPolicyInstancesByPolicy
  Resources: *
- UpdateTrafficPolicyInstance
  Required permissions (API action): route53:UpdateTrafficPolicyInstance
  Resources: *
Required permissions for actions on health checks
- CreateHealthCheck
  Required permissions (API action): route53:CreateHealthCheck
  Resources: *
- DeleteHealthCheck
  Required permissions (API action): route53:DeleteHealthCheck
  Resources: *, arn:aws:route53:::healthcheck/health check ID
- GetCheckerIpRanges
  Required permissions (API action): None
  Resources: *
  Route 53 doesn't perform authorization for this API because it retrieves information that is already available to the public.
- GetHealthCheck
  Required permissions (API action): route53:GetHealthCheck
  Resources: *, arn:aws:route53:::healthcheck/health check ID
- GetHealthCheckCount
  Required permissions (API action): route53:GetHealthCheckCount
  Resources: *
- GetHealthCheckLastFailureReason
  Required permissions (API action): route53:GetHealthCheckLastFailureReason
  Resources: *, arn:aws:route53:::healthcheck/health check ID
- GetHealthCheckStatus
  Required permissions (API action): route53:GetHealthCheckStatus
  Resources: *, arn:aws:route53:::healthcheck/health check ID
- ListHealthChecks
  Required permissions (API action): route53:ListHealthChecks
  Resources: *
- UpdateHealthCheck
  Required permissions (API action): route53:UpdateHealthCheck
  Resources: *, arn:aws:route53:::healthcheck/health check ID
Required permissions for actions on domain registrations
- AcceptDomainTransferFromAnotherAwsAccount
  Required permissions (API action): route53domains:AcceptDomainTransferFromAnotherAwsAccount
  Resources: *
- AddDnssec (console only)
  Required permissions (API action): route53domains:AddDnssec
  Resources: *
- CancelDomainTransferToAnotherAwsAccount
  Required permissions (API action): route53domains:CancelDomainTransferToAnotherAwsAccount
  Resources: *
- CheckDomainAvailability
  Required permissions (API action): route53domains:CheckDomainAvailability
  Resources: *
- DeleteDomain (console only)
  Required permissions (API action): route53domains:DeleteDomain
  Resources: *
- DisableDomainAutoRenew
  Required permissions (API action): route53domains:ChangeAutoRenew
  Resources: *
- DisableDomainTransferLock
  Required permissions (API action): route53domains:DisableDomainTransferLock
  Resources: *
- EnableDomainAutoRenew
  Required permissions (API action): route53domains:ChangeAutoRenew
  Resources: *
- EnableDomainTransferLock
  Required permissions (API action): route53domains:EnableDomainTransferLock
  Resources: *
- GetContactReachabilityStatus
  Required permissions (API action): route53domains:ListDomains
  Resources: *
- GetDomainDetail
  Required permissions (API action): route53domains:GetDomainDetail
  Resources: *
- GetDomainSuggestions
  Required permissions (API action): route53domains:ListDomains
  Resources: *
- GetOperationDetail
  Required permissions (API action): route53domains:GetOperationDetail
  Resources: *
- ListDnssec (console only)
  Required permissions (API action): route53domains:ListDnssec
  Resources: *
- ListDomains
  Required permissions (API action): route53domains:ListDomains
  Resources: *
- ListOperations
  Required permissions (API action): route53domains:ListOperations
  Resources: *
- RegisterDomain
  Required permissions (API action): route53domains:RegisterDomain
  Resources: *
- RejectDomainTransferFromAnotherAwsAccount
  Required permissions (API action): route53domains:RejectDomainTransferFromAnotherAwsAccount
  Resources: *
- RemoveDnssec (console only)
  Required permissions (API action): route53domains:RemoveDnssec
  Resources: *
- RenewDomain
  Required permissions (API action): route53domains:RegisterDomain
  Resources: *
- ResendContactReachabilityEmail
  Required permissions (API action): route53domains:ListDomains
  Resources: *
- RetrieveDomainAuthCode
  Required permissions (API action): route53domains:RetrieveDomainAuthCode
  Resources: *
- TransferDomain
  Required permissions (API action): route53domains:TransferDomain
  Resources: *
- TransferDomainToAnotherAwsAccount
  Required permissions (API action): route53domains:TransferDomainToAnotherAwsAccount
  Resources: *
- UpdateDomainContact
  Required permissions (API action): route53domains:UpdateDomainContact
  Resources: *
- UpdateDomainContactPrivacy
  Required permissions (API action): route53domains:UpdateDomainContactPrivacy
  Resources: *
- UpdateDomainNameservers
  Required permissions (API action): route53domains:UpdateDomainNameservers
  Resources: *
- ViewBilling
  Required permissions (API action): route53domains:ViewBilling
  Resources: *
Required permissions for Route 53 Resolver actions
- AssociateResolverEndpointIpAddress
  Required permissions (API action): route53resolver:AssociateResolverEndpointIpAddress, ec2:CreateNetworkInterfacePermission, ec2:DescribeAvailabilityZones, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets
  Resources: *
- AssociateResolverQueryLogConfig
  Required permissions (API action): route53resolver:AssociateResolverQueryLogConfig, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries, logs:PutResourcePolicy, logs:UpdateLogDelivery
  Resources: *
- AssociateResolverRule
  Required permissions (API action): route53resolver:AssociateResolverRule, ec2:DescribeVpcs
  Resources: *
- CreateResolverEndpoint
  Required permissions (API action): route53resolver:CreateResolverEndpoint, ec2:DescribeSubnets, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:CreateNetworkInterfacePermission, ec2:DescribeSecurityGroups
  See also Example 4: Allow creation of inbound and outbound Route 53 Resolver endpoints.
  Resources: *
- CreateResolverQueryLogConfig
  Required permissions (API action): route53resolver:CreateResolverQueryLogConfig, ec2:DescribeVpcs, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:CreateLogDelivery, logs:DeleteLogDelivery, logs:GetLogDelivery, logs:ListLogDeliveries, logs:UpdateLogDelivery, iam:CreateServiceLinkedRole
  Resources: *
- CreateResolverRule
  Required permissions (API action): route53resolver:CreateResolverRule
  Resources: *
- DeleteResolverEndpoint
  Required permissions (API action): route53resolver:DeleteResolverEndpoint, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterface
  Resources: *
- DeleteResolverQueryLogConfig
  Required permissions (API action): route53resolver:DeleteResolverQueryLogConfig, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:DeleteLogDelivery, logs:GetLogDelivery, logs:ListLogDeliveries, logs:UpdateLogDelivery
  Resources: *
- DeleteResolverRule
  Required permissions (API action): route53resolver:DeleteResolverRule
  Resources: *
- DisassociateResolverEndpointIpAddress
  Required permissions (API action): route53resolver:DisassociateResolverEndpointIpAddress, ec2:DeleteNetworkInterface
  Resources: *
- DisassociateResolverQueryLogConfig
  Required permissions (API action): route53resolver:DisassociateResolverQueryLogConfig, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries, logs:PutResourcePolicy, logs:UpdateLogDelivery
  Resources: *
- DisassociateResolverRule
  Required permissions (API action): route53resolver:DisassociateResolverRule
  Resources: *
- GetResolverEndpoint
  Required permissions (API action): route53resolver:GetResolverEndpoint
  Resources: *
- GetResolverQueryLogConfig
  Required permissions (API action): route53resolver:GetResolverQueryLogConfig, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries
  Resources: *
- GetResolverQueryLogConfigAssociation
  Required permissions (API action): route53resolver:GetResolverQueryLogConfigAssociation, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries
  Resources: *
- GetResolverQueryLogConfigPolicy
  Required permissions (API action): route53resolver:GetResolverQueryLogConfigPolicy, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries
  Resources: *
- GetResolverRule
  Required permissions (API action): route53resolver:GetResolverRule
  Resources: *
- GetResolverRuleAssociation
  Required permissions (API action): route53resolver:GetResolverRuleAssociation, ec2:DescribeVpcs
  Resources: *
- GetResolverRulePolicy
  Required permissions (API action): route53resolver:GetResolverRulePolicy
  Resources: *
- ListResolverEndpointIpAddresses
  Required permissions (API action): route53resolver:ListResolverEndpointIpAddresses
  Resources: *
- ListResolverEndpoints
  Required permissions (API action): route53resolver:ListResolverEndpoints
  Resources: *
- ListResolverQueryLogConfigAssociations
  Required permissions (API action): route53resolver:ListResolverQueryLogConfigAssociations, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries
  Resources: *
- ListResolverQueryLogConfigs
  Required permissions (API action): route53resolver:ListResolverQueryLogConfigs, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries
  Resources: *
- ListResolverRuleAssociations
  Required permissions (API action): route53resolver:ListResolverRuleAssociations, ec2:DescribeVpcs
  Resources: *
- ListResolverRules
  Required permissions (API action): route53resolver:ListResolverRules
  Resources: *
- ListTagsForResource
  Required permissions (API action): route53resolver:ListTagsForResource
  Resources: arn:aws:route53resolver:::resolver-endpoint/*, arn:aws:route53resolver:::resolver-rule/
- PutResolverQueryLogConfigPolicy
  Required permissions (API action): route53resolver:PutResolverQueryLogConfigPolicy, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries, logs:PutResourcePolicy, logs:UpdateLogDelivery
  Resources: *
- PutResolverRulePolicy
  Required permissions (API action): route53resolver:PutResolverRulePolicy
  Resources: *
- TagResource
  Required permissions (API action): route53resolver:TagResource
  Resources: arn:aws:route53resolver:::resolver-endpoint/*, arn:aws:route53resolver:::resolver-rule/*
- UntagResource
  Required permissions (API action): route53resolver:UntagResource
  Resources: arn:aws:route53resolver:::resolver-endpoint/*, arn:aws:route53resolver:::resolver-rule/*
- UpdateResolverEndpoint
  Required permissions (API action): route53resolver:UpdateResolverEndpoint
  Resources: *
- UpdateResolverRule
  Required permissions (API action): route53resolver:UpdateResolverRule
  Resources: *
Required permissions for Route 53 Resolver DNS Firewall actions
- AssociateFirewallRuleGroup
  Required permissions (API action): route53resolver:AssociateFirewallRuleGroup, ec2:DescribeVpcs
  Optional permissions: route53resolver:TagResource (required if you supply tag parameters)
  Resources: *
- CreateFirewallDomainList
  Required permissions (API action): route53resolver:CreateFirewallDomainList
  Optional permissions: route53resolver:TagResource (required if you supply tag parameters)
  Resources: *
- CreateFirewallRule
  Required permissions (API action): route53resolver:CreateFirewallRule
  Resources: *
- CreateFirewallRuleGroup
  Required permissions (API action): route53resolver:CreateFirewallRuleGroup
  Optional permissions: route53resolver:TagResource (required if you supply tag parameters)
  Resources: *
- DeleteFirewallDomainList
  Required permissions (API action): route53resolver:DeleteFirewallDomainList
  Resources: *
- DeleteFirewallRule
  Required permissions (API action): route53resolver:DeleteFirewallRule
  Resources: *
- DeleteFirewallRuleGroup
  Required permissions (API action): route53resolver:DeleteFirewallRuleGroup
  Resources: *
- DisassociateFirewallRuleGroup
  Required permissions (API action): route53resolver:DisassociateFirewallRuleGroup
  Resources: *
- GetFirewallConfig
  Required permissions (API action): route53resolver:GetFirewallConfig, ec2:DescribeVpcs
  Resources: *
- GetFirewallDomainList
  Required permissions (API action): route53resolver:GetFirewallDomainList
  Resources: *
- GetFirewallRuleGroup
  Required permissions (API action): route53resolver:GetFirewallRuleGroup
  Resources: *
- GetFirewallRuleGroupAssociation
  Required permissions (API action): route53resolver:GetFirewallRuleGroupAssociation
  Resources: *
- GetFirewallRuleGroupPolicy
  Required permissions (API action): route53resolver:GetFirewallRuleGroupPolicy
  Resources: *
- ImportFirewallDomains
  Required permissions (API action): route53resolver:ImportFirewallRuleDomains
  Resources: *
- ListFirewallConfigs
  Required permissions (API action): route53resolver:ListFirewallConfigs, ec2:DescribeVpcs
  Resources: *
- ListFirewallDomainLists
  Required permissions (API action): route53resolver:ListFirewallDomainLists
  Resources: *
- ListFirewallDomains
  Required permissions (API action): route53resolver:ListFirewallDomains
  Resources: *
- ListFirewallRuleGroupAssociations
  Required permissions (API action): route53resolver:ListFirewallRuleGroupAssociations
  Resources: *
- ListFirewallRuleGroups
  Required permissions (API action): route53resolver:ListFirewallRuleGroups
  Resources: *
- ListFirewallRules
  Required permissions (API action): route53resolver:ListFirewallRules
  Resources: *
- PutFirewallRuleGroupPolicy
  Required permissions (API action): route53resolver:PutFirewallRuleGroupPolicy
  Resources: *
- UpdateFirewallConfig
  Required permissions (API action): route53resolver:UpdateFirewallConfig, ec2:DescribeVpcs
  Resources: *
- UpdateFirewallDomains
  Required permissions (API action): route53resolver:UpdateFirewallDomains
  Resources: *
- UpdateFirewallRule
  Required permissions (API action): route53resolver:UpdateFirewallRule
  Resources: *
- UpdateFirewallRuleGroupAssociation
  Required permissions (API action): route53resolver:UpdateFirewallRuleGroupAssociation
  Resources: *
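Required permissions for actions to get limits for accounts, hosted zones, and reusable delegation sets
- GetAccountLimit
  Required permissions (API action): route53:GetAccountLimit
  Resources: *
- GetHostedZoneLimit
  Required permissions (API action): route53:GetHostedZoneLimit
  Resources: *
- GetReusableDelegationSetLimit
  Required permissions (API action): route53:GetReusableDelegationSetLimit
  Resources: *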
Required permissions for actions on tags for hosted zones and health checks
- ChangeTagsForResource
  Required permissions (API action): route53:ChangeTagsForResource
  Resources: arn:aws:route53:::healthcheck/*, arn:aws:route53:::hostedzone/*
- ListTagsForResource
  Required permissions (API action): route53:ListTagsForResource
  Resources: arn:aws:route53:::healthcheck/*, arn:aws:route53:::hostedzone/*
- ListTagsForResources
  Required permissions (API action): route53:ListTagsForResources
  Resources: arn:aws:route53:::healthcheck/*, arn:aws:route53:::hostedzone/*
Required permissions for actions on tags for domains
- DeleteTagsForDomain
  Required permissions (API action): route53domains:DeleteTagsForDomain
  Resources: *
- ListTagsForDomain
  Required permissions (API action): route53domains:ListTagsForDomain
  Resources: *
- UpdateTagsForDomain
  Required permissions (API action): route53domains:UpdateTagsForDomain
  Resources: *
Required permissions for DNSSEC actions
- GetDNSSEC
  Required permissions (API action): route53domains:DeleteTagsForDomain
  Resources: *
- CreateKeySigningKey
  Required permissions (API action): route53:CreateKeySigningKey, kms:DescribeKey, kms:GetPublicKey, kms:Sign
  Resources: *
- DeleteKeySigningKey
  Required permissions (API action): route53:DeleteKeySigningKey, kms:DescribeKey, kms:GetPublicKey, kms:Sign
  Resources: *
- ActivateKeySigningKey
  Required permissions (API action): route53:ActivateKeySigningKey, kms:DescribeKey, kms:GetPublicKey, kms:Sign
  Resources: *
- DeactivateKeySigningKey
  Required permissions (API action): route53:DeactivateKeySigningKey, kms:DescribeKey, kms:GetPublicKey, kms:Sign
  Resources: *
- EnableHostedZoneDNSSEC
  Required permissions (API action): route53:EnableHostedZoneDNSSEC, kms:DescribeKey, kms:GetPublicKey, kms:Sign
  Resources: *
- DisableHostedZoneDNSSEC
  Required permissions (API action): route53:DisableHostedZoneDNSSEC, kms:DescribeKey, kms:GetPublicKey, kms:Sign
  Resources: *
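Several operations in this reference need permissions from other services (ec2, kms) in addition to the Route 53 action, and a policy that omits one of them fails only when the call is made. The following Python check is an added example, not part of the original page: it compares the Action patterns of a policy's Allow statements against the permissions this page lists for four operations. The sample policy, the operation labels and the function names are constructed for illustration, and Deny statements, Resource and Condition elements are not evaluated.

```python
import fnmatch

# Required permissions copied from this page's tables (a subset).
REQUIRED = {
    "CreateHostedZone (private)": [
        "route53:CreateHostedZone", "ec2:DescribeVpcs", "ec2:DescribeRegions"],
    "AssociateVPCWithHostedZone": [
        "route53:AssociateVPCWithHostedZone", "ec2:DescribeVpcs"],
    "CreateResolverEndpoint": [
        "route53resolver:CreateResolverEndpoint", "ec2:DescribeSubnets",
        "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterfacePermission", "ec2:DescribeSecurityGroups"],
    "EnableHostedZoneDNSSEC": [
        "route53:EnableHostedZoneDNSSEC", "kms:DescribeKey",
        "kms:GetPublicKey", "kms:Sign"],
}

# Constructed sample policy (not from the page).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["route53:*HostedZone", "ec2:DescribeVpcs"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["route53resolver:*", "ec2:DescribeS*",
                    "ec2:CreateNetworkInterface"]},
    ],
}

def as_list(value):
    """IAM lets Statement and Action be a single item or a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def allowed_patterns(policy):
    """Lower-cased Action patterns from Allow statements only."""
    return [a.lower()
            for st in as_list(policy.get("Statement"))
            if st.get("Effect") == "Allow"
            for a in as_list(st.get("Action"))]

def missing_permissions(policy, operation):
    """Permissions the page lists for `operation` that no Allow pattern covers."""
    patterns = allowed_patterns(policy)
    # Action names are case-insensitive; * and ? are the IAM wildcards.
    return [need for need in REQUIRED[operation]
            if not any(fnmatch.fnmatchcase(need.lower(), p) for p in patterns)]

if __name__ == "__main__":
    for op in REQUIRED:
        print(op, "->", missing_permissions(SAMPLE_POLICY, op) or "complete")
```

The wildcard ec2:DescribeS* in the sample covers DescribeSubnets and DescribeSecurityGroups but not DescribeNetworkInterfaces, which is the kind of gap this check surfaces before deployment.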