Amazon 托管策略 - Amazon Private Certificate Authority
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

Amazon 托管策略

Amazon 私有 CA 包括一组适用于 Amazon 管理 Amazon 私有 CA 员、用户和审计员的预定义托管策略。了解这些策略可以帮助您实施 客户托管策略

选择下面列出的任何策略,以查看详细信息和示例策略代码。

授予不受限制的管理控制。

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "acm-pca:*" ], "Resource":"*" } ] }

授予仅限于只读API操作的访问权限。

{ "Version":"2012-10-17", "Statement":{ "Effect":"Allow", "Action":[ "acm-pca:DescribeCertificateAuthority", "acm-pca:DescribeCertificateAuthorityAuditReport", "acm-pca:ListCertificateAuthorities", "acm-pca:GetCertificateAuthorityCsr", "acm-pca:GetCertificateAuthorityCertificate", "acm-pca:GetCertificate", "acm-pca:GetPolicy", "acm-pca:ListPermissions", "acm-pca:ListTags" ], "Resource":"*" } }

授予颁发和吊销 CA 证书的功能。此策略没有其他管理功能,不能颁发终端实体证书。权限与User 策略相互排斥。

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "acm-pca:IssueCertificate" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", "Condition":{ "StringLike":{ "acm-pca:TemplateArn":[ "arn:aws:acm-pca:::template/*CACertificate*/V*" ] } } }, { "Effect":"Deny", "Action":[ "acm-pca:IssueCertificate" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", "Condition":{ "StringNotLike":{ "acm-pca:TemplateArn":[ "arn:aws:acm-pca:::template/*CACertificate*/V*" ] } } }, { "Effect":"Allow", "Action":[ "acm-pca:RevokeCertificate", "acm-pca:GetCertificate", "acm-pca:ListPermissions" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*" }, { "Effect":"Allow", "Action":[ "acm-pca:ListCertificateAuthorities" ], "Resource":"*" } ] }

授予颁发和吊销终端实体证书的功能。此策略没有管理功能,不能颁发 CA 证书。权限与PrivilegedUser策略相互排斥。

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "acm-pca:IssueCertificate" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", "Condition":{ "StringLike":{ "acm-pca:TemplateArn":[ "arn:aws:acm-pca:::template/EndEntityCertificate/V*" ] } } }, { "Effect":"Deny", "Action":[ "acm-pca:IssueCertificate" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", "Condition":{ "StringNotLike":{ "acm-pca:TemplateArn":[ "arn:aws:acm-pca:::template/EndEntityCertificate/V*" ] } } }, { "Effect":"Allow", "Action":[ "acm-pca:RevokeCertificate", "acm-pca:GetCertificate", "acm-pca:ListPermissions" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*" }, { "Effect":"Allow", "Action":[ "acm-pca:ListCertificateAuthorities" ], "Resource":"*" } ] }

授予对只读API操作的访问权限和生成 CA 审计报告的权限。

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "acm-pca:CreateCertificateAuthorityAuditReport", "acm-pca:DescribeCertificateAuthority", "acm-pca:DescribeCertificateAuthorityAuditReport", "acm-pca:GetCertificateAuthorityCsr", "acm-pca:GetCertificateAuthorityCertificate", "acm-pca:GetCertificate", "acm-pca:GetPolicy", "acm-pca:ListPermissions", "acm-pca:ListTags" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*" }, { "Effect":"Allow", "Action":[ "acm-pca:ListCertificateAuthorities" ], "Resource":"*" } ] }

的托 Amazon 管策略更新 Amazon 私有 CA

在下表中,查看自服务开始跟踪这些更改以 Amazon 私有 CA 来的 Amazon 托管策略更新的详细信息。要获得有关所有更改的自动提醒 Amazon 私有 CA,请订阅文档历史记录页面上的订阅RSS源。

托管式策略更改
更改 描述 日期

新策略名称:

  • AWSPrivateCAFullAccess

  • AWSPrivateCAReadOnly

  • AWSPrivateCAPrivilegedUser

  • AWSPrivateCAAuditor

  • AWSPrivateCAUser

策略名称前缀已从 AWSCertificateManagerPrivateCA 更改为 AWSPrivateCA

功能保持不变。

2023 年 2 月 13 日