本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon 托管策略
Amazon 私有 CA 包括一组适用于 Amazon 管理 Amazon 私有 CA 员、用户和审计员的预定义托管策略。了解这些策略可以帮助您实施 客户托管策略。
选择下面列出的任何策略,以查看详细信息和示例策略代码。
授予不受限制的管理控制。
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "acm-pca:*" ], "Resource":"*" } ] }
授予限于只读 API 操作的访问权限。
{ "Version":"2012-10-17", "Statement":{ "Effect":"Allow", "Action":[ "acm-pca:DescribeCertificateAuthority", "acm-pca:DescribeCertificateAuthorityAuditReport", "acm-pca:ListCertificateAuthorities", "acm-pca:GetCertificateAuthorityCsr", "acm-pca:GetCertificateAuthorityCertificate", "acm-pca:GetCertificate", "acm-pca:GetPolicy", "acm-pca:ListPermissions", "acm-pca:ListTags" ], "Resource":"*" } }
授予颁发和吊销 CA 证书的功能。此策略没有其他管理功能,不能颁发终端实体证书。权限与User 策略相互排斥。
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "acm-pca:IssueCertificate" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", "Condition":{ "ArnLike":{ "acm-pca:TemplateArn":[ "arn:aws:acm-pca:*:*:template/*CACertificate*/V*" ] } } }, { "Effect":"Deny", "Action":[ "acm-pca:IssueCertificate" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", "Condition":{ "ArnNotLike":{ "acm-pca:TemplateArn":[ "arn:aws:acm-pca:*:*:template/*CACertificate*/V*" ] } } }, { "Effect":"Allow", "Action":[ "acm-pca:RevokeCertificate", "acm-pca:GetCertificate", "acm-pca:ListPermissions" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*" }, { "Effect":"Allow", "Action":[ "acm-pca:ListCertificateAuthorities" ], "Resource":"*" } ] }
授予颁发和吊销终端实体证书的功能。此策略没有管理功能,不能颁发 CA 证书。权限与PrivilegedUser策略相互排斥。
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "acm-pca:IssueCertificate" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", "Condition":{ "ArnLike":{ "acm-pca:TemplateArn":[ "arn:aws:acm-pca:*:*:template/EndEntityCertificate/V*" ] } } }, { "Effect":"Deny", "Action":[ "acm-pca:IssueCertificate" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", "Condition":{ "ArnNotLike":{ "acm-pca:TemplateArn":[ "arn:aws:acm-pca:*:*:template/EndEntityCertificate/V*" ] } } }, { "Effect":"Allow", "Action":[ "acm-pca:RevokeCertificate", "acm-pca:GetCertificate", "acm-pca:ListPermissions" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*" }, { "Effect":"Allow", "Action":[ "acm-pca:ListCertificateAuthorities" ], "Resource":"*" } ] }
授予对只读 API 操作的访问权限和生成 CA 审计报告的权限。
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "acm-pca:CreateCertificateAuthorityAuditReport", "acm-pca:DescribeCertificateAuthority", "acm-pca:DescribeCertificateAuthorityAuditReport", "acm-pca:GetCertificateAuthorityCsr", "acm-pca:GetCertificateAuthorityCertificate", "acm-pca:GetCertificate", "acm-pca:GetPolicy", "acm-pca:ListPermissions", "acm-pca:ListTags" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*" }, { "Effect":"Allow", "Action":[ "acm-pca:ListCertificateAuthorities" ], "Resource":"*" } ] }
为 Kubernetes Amazon Private CA 连接器授予基本权限。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "acm-pca:DescribeCertificateAuthority", "acm-pca:GetCertificate", "acm-pca:IssueCertificate" ], "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*" } ] }
的托 Amazon 管策略更新 Amazon 私有 CA
在下表中,查看自服务开始跟踪这些更改以 Amazon 私有 CA 来的 Amazon 托管策略更新的详细信息。要获得有关所有更改的自动提醒 Amazon 私有 CA,请订阅文档历史记录页面上的 RSS feed。
| 更改 | 描述 | 日期 |
|---|---|---|
|
新政策: AWSPrivateCAConnectorForKubernetesPolicy |
引入了新的托管策略,用于适用于 Kubernetes 的 Amazon Private CA 连接器。 |
2025 年 5 月 19 日 |
|
AWSPrivateCAPrivileged用户和 AWSPrivate CAUser -更新了政策 |
更新了模板 arn 以包含通配符 |
2025 年 1 月 22 日 |
|
新策略名称:
|
策略名称前缀已从 功能保持不变。 |
2023 年 2 月 13 日 |