Amazon managed policies - Amazon Private Certificate Authority


Amazon managed policies

Amazon Private CA includes a set of predefined managed policies for Amazon Private CA administrators, users, and auditors. Understanding these policies can help you implement customer managed policies.

Select any policy listed below to view its details and sample policy code.

Grants unrestricted administrative control.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:*"
      ],
      "Resource": "*"
    }
  ]
}

Grants access limited to read-only API operations.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "acm-pca:DescribeCertificateAuthority",
      "acm-pca:DescribeCertificateAuthorityAuditReport",
      "acm-pca:ListCertificateAuthorities",
      "acm-pca:GetCertificateAuthorityCsr",
      "acm-pca:GetCertificateAuthorityCertificate",
      "acm-pca:GetCertificate",
      "acm-pca:GetPolicy",
      "acm-pca:ListPermissions",
      "acm-pca:ListTags"
    ],
    "Resource": "*"
  }
}

Grants the ability to issue and revoke CA certificates. This policy has no other administrative capabilities and cannot issue end-entity certificates. Its permissions are mutually exclusive with the User policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:IssueCertificate"
      ],
      "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*",
      "Condition": {
        "ArnLike": {
          "acm-pca:TemplateArn": [
            "arn:aws:acm-pca:*:*:template/*CACertificate*/V*"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "acm-pca:IssueCertificate"
      ],
      "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*",
      "Condition": {
        "ArnNotLike": {
          "acm-pca:TemplateArn": [
            "arn:aws:acm-pca:*:*:template/*CACertificate*/V*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:RevokeCertificate",
        "acm-pca:GetCertificate",
        "acm-pca:ListPermissions"
      ],
      "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:ListCertificateAuthorities"
      ],
      "Resource": "*"
    }
  ]
}

Grants the ability to issue and revoke end-entity certificates. This policy has no administrative capabilities and cannot issue CA certificates. Its permissions are mutually exclusive with the PrivilegedUser policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:IssueCertificate"
      ],
      "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*",
      "Condition": {
        "ArnLike": {
          "acm-pca:TemplateArn": [
            "arn:aws:acm-pca:*:*:template/EndEntityCertificate/V*"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "acm-pca:IssueCertificate"
      ],
      "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*",
      "Condition": {
        "ArnNotLike": {
          "acm-pca:TemplateArn": [
            "arn:aws:acm-pca:*:*:template/EndEntityCertificate/V*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:RevokeCertificate",
        "acm-pca:GetCertificate",
        "acm-pca:ListPermissions"
      ],
      "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:ListCertificateAuthorities"
      ],
      "Resource": "*"
    }
  ]
}

Grants access to read-only API operations and permission to generate CA audit reports.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:CreateCertificateAuthorityAuditReport",
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:DescribeCertificateAuthorityAuditReport",
        "acm-pca:GetCertificateAuthorityCsr",
        "acm-pca:GetCertificateAuthorityCertificate",
        "acm-pca:GetCertificate",
        "acm-pca:GetPolicy",
        "acm-pca:ListPermissions",
        "acm-pca:ListTags"
      ],
      "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:ListCertificateAuthorities"
      ],
      "Resource": "*"
    }
  ]
}

Grants basic permissions for the Amazon Private CA Connector for Kubernetes.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificate",
        "acm-pca:IssueCertificate"
      ],
      "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*"
    }
  ]
}
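As an added worked example (not code from this page or from AWS), the following Python models how IAM evaluates the paired Allow/Deny IssueCertificate statements of the PrivilegedUser and User policies above, including segment-wise ArnLike matching of the wildcard template ARN patterns that the January 2025 update introduced. The arn_like and evaluate_issue_certificate helpers are this example's own approximation of IAM, and the sample template ARNs are constructed in the form the service uses (empty region and account fields).

```python
import fnmatch

def arn_like(pattern: str, value: str) -> bool:
    """Approximates IAM ArnLike: the six colon-delimited ARN fields are compared
    one by one, with '*' and '?' as wildcards inside each field."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(v, p) for p, v in zip(p_parts, v_parts))

def issue_policy(template_pattern: str) -> dict:
    """The paired Allow/Deny IssueCertificate statements from the PrivilegedUser
    and User policies above, parameterised by the template ARN pattern."""
    ca_resource = "arn:aws:acm-pca:*:*:certificate-authority/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["acm-pca:IssueCertificate"], "Resource": ca_resource,
         "Condition": {"ArnLike": {"acm-pca:TemplateArn": [template_pattern]}}},
        {"Effect": "Deny", "Action": ["acm-pca:IssueCertificate"], "Resource": ca_resource,
         "Condition": {"ArnNotLike": {"acm-pca:TemplateArn": [template_pattern]}}},
    ]}

PRIVILEGED_USER = issue_policy("arn:aws:acm-pca:*:*:template/*CACertificate*/V*")
USER = issue_policy("arn:aws:acm-pca:*:*:template/EndEntityCertificate/V*")

def evaluate_issue_certificate(policy: dict, template_arn: str) -> str:
    """Decide an IssueCertificate call under one policy with IAM's rule that an
    explicit Deny beats any Allow. Only the TemplateArn condition (ArnLike and
    ArnNotLike, the operators used in these policies) is modelled; the request
    is assumed to target a CA ARN covered by the Resource element."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "acm-pca:IssueCertificate" not in actions:
            continue
        matched = True
        for operator, keys in stmt.get("Condition", {}).items():
            hit = any(arn_like(p, template_arn) for p in keys["acm-pca:TemplateArn"])
            matched = matched and (hit if operator == "ArnLike" else not hit)
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"

if __name__ == "__main__":
    # Constructed template ARNs: empty region and account fields, matched by '*'.
    for name, pol in (("PrivilegedUser", PRIVILEGED_USER), ("User", USER)):
        for tpl in ("arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1",
                    "arn:aws:acm-pca:::template/EndEntityCertificate/V1"):
            print(name, tpl.split("/")[1], evaluate_issue_certificate(pol, tpl))
```

Because each policy carries an explicit Deny for every template its ArnLike pattern does not match, a principal holding both policies is still denied IssueCertificate for every template: the two policies cannot be combined to widen issuance rights.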

Amazon managed policy updates for Amazon Private CA

The following table lists details about updates to the Amazon managed policies for Amazon Private CA since the service began tracking these changes. For automatic alerts about all changes to Amazon Private CA, subscribe to the RSS feed on the document history page.

Managed policy changes

Change: New policy: AWSPrivateCAConnectorForKubernetesPolicy
Description: Introduced a new managed policy for the Amazon Private CA Connector for Kubernetes.
Date: May 19, 2025

Change: AWSPrivateCAPrivilegedUser and AWSPrivateCAUser - updated policies
Description:

  • Replaced StringLike with ArnLike and StringNotLike with ArnNotLike.

  • Updated the template ARN to include wildcards: arn:aws:acm-pca:::template became arn:aws:acm-pca:*:*:template.

Date: January 22, 2025

Change: New policy names:

  • AWSPrivateCAFullAccess

  • AWSPrivateCAReadOnly

  • AWSPrivateCAPrivilegedUser

  • AWSPrivateCAAuditor

  • AWSPrivateCAUser

Description: The policy name prefix changed from AWSCertificateManagerPrivateCA to AWSPrivateCA. Functionality is unchanged.
Date: February 13, 2023