tencent cloud

PrevNext

피드백

키워드를 검색하세요

Recent Pages

문서
Cloud Access Management
    문서
    Download PDF

    Policy Analyzer

    마지막 업데이트 시간:2024-08-26 16:47:48
    PDF 다운로드
      Policy Analyzer is used to analyze the JSON statements of your created policies, and perform validation checks on the policies, including errors, warnings, and recommendations. It helps you write policies that align better with the Security Practice Tutorial.

      version

      1. Errors - Missing Version

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Errors - Missing version. The version describes the policy syntax version (version), and this element is mandatory.
      Resolve the error: Version describes the policy syntax version. This element is mandatory. Currently, only the values "2.0" or "3.0" (Version 3.0 User Guide) are allowed. To use all available policy features, the following Version element must be included before the Statement element in all policies. Only one version element is allowed for each policy.
      Related Document References: Element Reference Overview.

      2. Errors - Invalid Version

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Errors - Invalid version. The version describes the policy syntax version (version), and this element is mandatory. Currently, only the values "2.0" or "3.0" are allowed.
      Resolve the error: Version describes the policy syntax version. This element is mandatory. Currently, only the values "2.0" or "3.0" (Version 3.0 User Guide) are allowed. To use all available policy features, the following Version element must be included before the Statement element in all policies. Only one version element is allowed for each policy.
      Related Document References: Element Reference Overview.

      3. Error - Redundant Version

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Redundant version. The version describes the policy syntax version (version), and this element is mandatory. Only one version value is allowed for each policy.
      Resolve the error: Version describes the policy syntax version. This element is mandatory. Currently, only the values "2.0" or "3.0" (Version 3.0 User Guide) are allowed. To use all available policy features, the following Version element must be included before the Statement element in all policies. Only one version element is allowed for each policy.
      Related Document References: Element Reference Overview.

      statement

      4. Error - Missing Statement

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Missing statement. The statement describes the details of one or more permissions.
      Resolve the error: The statement describes the details of one or more permissions. This element includes permissions or a permission set defined by other elements such as principal, action, resource, condition, and effect. One policy has only one statement element.
      Related Document References: Element Reference Overview.

      5. Error - Invalid Statement

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Invalid statement. The statement includes permissions or a permission set defined by other elements such as principal, action, resource, condition, and effect.
      Resolve the error: The statement describes the details of one or more permissions. This element includes permissions or a permission set defined by other elements such as principal, action, resource, condition, and effect. One policy has only one statement element.
      Related Document References: Element Reference Overview.

      6. Error - Redundant Statement

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Redundant statement. The statement describes the details of one or more permissions, and one policy has only one statement element.
      Resolve the error: The statement describes the details of one or more permissions. This element includes permissions or a permission set defined by other elements such as principal, action, resource, condition, and effect. One policy has only one statement element.
      Related Document References: Element Reference Overview.

      effect

      7. Error - Missing Effect

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Missing effect. The effect describes whether the result produced by the statement is "allow" or "deny".
      Resolve the error: The effect describes whether the result produced by the statement is "allow" or "deny". Including allow (allow) and deny (deny). This element is mandatory.
      Related Document References: Element Reference Overview.

      8. Error - Invalid Effect

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Invalid effect. This element is mandatory. The effect only includes allow (allow) and deny (deny).
      Resolve the error: The effect describes whether the result produced by the statement is "allow" or "deny". Including allow (allow) and deny (deny). This element is mandatory.
      Related Document References: Element Reference Overview.

      principal

      9. Error - Missing Principal

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Missing principal. The principal describes the entity authorized by the policy. Resource-based policies must include the principal element.
      Resolve the error: The principal describes the entity authorized by the policy. Including users (main account, sub account, roles, federated users, and other entities). Resource-based policies must include the principal element.
      Related Document References: Element Reference Overview.

      10. Error - Invalid Principal

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Invalid principal. The principal describes the entity authorized by the policy.
      Resolve the error: The principal describes the entity authorized by the policy. Including users (root account, sub-account, roles, federated users, and other entities). This element is only supported in resource-based policies.
      Example: 
      "principal": {
      "qcs": [
      "qcs::cam::uin/100000000001:uin/100000000002"
      ]
      }
      Related Document References: Element Reference Overview.

      11. Error - SCP Does Not Support Principal

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Organizations Service Control Policy (SCP) does not support Principal.
      Resolve the error: Organizations Service Control Policy (SCP) does not support the Principal element. Please remove the Principal element.
      Reference Documentation: Element Reference Overview,Service Control Policy.

      12. Recommendation - Principal Is Empty

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Recommendation - Principal not specified.
      Resolve the error: The Principal element needs to be used in the role's Trust Policy and Resource-based Policy. A resource-based policy is directly embedded in the resource. When the Principal element of the statement is empty, it does not affect the policy, but Tencent recommends specifying the principal.
      Related Document References: Element Reference Overview.

      resource

      13. Error - Missing Resource

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Missing resource. The resource is specific data that describes the authorization.
      Resolve the error: The resource is specific data that describes the authorization. The resource is described in a six-segment method. This element is mandatory. Detailed resource definitions vary by product.
      Related Document References: Element Reference Overview,Resource Description Method.

      14. Error - Resource Is Empty

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Resource is empty. The resource is specific data that describes the authorization. This element is mandatory.
      Resolve the error: The resource is specific data that describes the authorization. The resource is described in a six-segment method. This element is mandatory. Detailed resource definitions vary by product.
      Related Document References: Element Reference Overview,Resource Description Method.

      15. Error - First Segment Error of Six-Segment Resource Description

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - First segment error of six-segment resource description. The prefix of the six-segment resource description is fixed as qcs.
      Resolve the error: The prefix of the six-segment resource description is fixed as qcs, which stands for qcloud service, indicating that it is a Tencent Cloud resource. Six-segment resource description: qcs:project_id:service_type:region:account:resource.
      Related Document References: Element Reference Overview,Resource Description Method.

      16. Error - Second Segment Error of Six-Segment Resource Description

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Second segment error of six-segment resource description.
      Resolve the error: Second segment error of six-segment resource description. The second segment of the six-segment resource description describes project information, which is only compatible with legacy CAM logic. It cannot be entered in the current policy syntax and can be left empty.
      Related Document References: Element Reference Overview,Resource Description Method.

      17. Error - Third Segment Invalid Service of Six-Segment Resource Description

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Third segment invalid service of six-segment resource description.
      Resolve the error: The third segment of the six-segment resource description describes the product abbreviation. For more details, see "Abbreviation in CAM" under Products that support CAM.
      Related Document References: Element Reference Overview,Resource Description Method,Products that support CAM.

      18. Error - Fourth Segment Invalid Region of Six-Segment Resource Description

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Fourth segment invalid region of six-segment resource description.
      Resolve the error: The fourth segment of the six-segment resource description describes region information. If this value is empty, it indicates all regions.
      Related Document References: Element Reference Overview,Resource Description Method.

      19. Error - Fifth Segment Invalid uin of Six-Segment Resource Description

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Fifth segment invalid uin of six-segment resource description.
      Resolve the error: The fifth segment of six-segment resource description describes the main account information of the resource owner. Currently, two methods are supported: uin and uid. The uin method, which is the account ID of the main account, is represented as uin/${uin}. The uid method, which is the APPID of the main account, is represented as uid/${appid} and is used only for COS and CAS service resource owners. If this value is empty, it indicates the main account of the CAM user who created the policy.
      Related Document References: Element Reference Overview,Resource Description Method.

      20. Error - Fifth Segment Invalid uid of Six-Segment Resource Description

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Fifth segment invalid uid of six-segment resource description.
      Resolve the error: The fifth segment of six-segment resource description describes the main account information of the resource owner. Currently, two methods are supported: uin and uid. The uin method, which is the account ID of the main account, is represented as uin/${uin}. The uid method, which is the APPID of the main account, is represented as uid/${appid} and is used only for COS and CAS service resource owners. If the value is empty, it indicates the main account of the CAM user who created the policy.
      Related Document References: Element Reference Overview,Resource Description Method.

      21. Error - Fifth Segment Invalid Account Format of Six-Segment Resource Description

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Fifth segment invalid account format of six-segment resource description.
      Resolve the error: The fifth segment of six-segment resource description describes the main account information of the resource owner. Currently, two methods are supported: uin and uid. The uin method, which is the account ID of the main account, is represented as uin/${uin}. The uid method, which is the APPID of the main account, is represented as uid/${appid} and is used only for COS and CAS service resource owners. If the value is empty, it indicates the main account of the CAM user who created the policy.
      Related Document References: Element Reference Overview,Resource Description Method.

      22. Error - Sixth Segment Invalid Resource Format of Six-Segment Resource Description

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Sixth segment invalid resource format of six-segment resource description.
      Resolve the error: The sixth segment of the six-segment resource description describes the specific resource details of each product. Currently, two methods are supported: resource_type/${resourceid} and <resource_type>/<resource_path>.
      resource_type/${resourceid}: resourcetype is the resource prefix, describing the resource type. For details, see the six-segment resource description of the products in Service Interfaces that Support CAM; ${resourceid} is the specific resource ID, which can be viewed in each product console. When the value is *, it represents all resources of that type.
      <resource_type>/<resource_path>: resourcetype is the resource prefix, describing the resource type; <resource_path> is the resource path. In this method, directory-level prefix matching is supported. For details, see the six-segment resource description of the products in Service Interfaces that Support CAM.
      Related Document References: Element Reference Overview,Resource Description Method,Service Interfaces that Support CAM.

      23. Error - Sixth Segment Wildcard Error of Six-Segment Resource Description

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Sixth segment wildcard error of six-segment resource description.
      Resolve the error: The sixth segment of six-segment resource description describes the specific resource details of each product and does not support the formats qcs::ckafka:bj:check:/ckafka-37zqnevtest or qcs::ckafka:bj:check:/*.
      Related Document References: Element Reference Overview,Resource Description Method.

      24. Error - If the Six Segment of Six-Segment Resource Description Has a Prefix, the Third Segment Service Cannot Be Empty

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - If the sixth segment of six-segment resource description has a prefix, the third segment service cannot be empty.
      Resolve the error: The sixth segment of six-segment resource description describes the specific resource details of each product. When the sixth segment of six-segment resource description has a prefix, the third segment must be filled with the corresponding service abbreviation.
      Related Document References: Element Reference Overview,Resource Description Method.

      25. Error - Format Error of Six-Segment Resource Description

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Format error of six-segment resource description.
      Resolve the error: The six-segment resource description must contain 6 fields and the following structure: qcs:project_id:service_type:region:account:resource.
      Related Document References: Element Reference Overview,Resource Description Method.

      26. Error - Six - Length Exceeding the Limit of Six-Segment Resource Description

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Length exceeding the limit of six-segment resource description.
      Resolve the error: The maximum length if six-segment resource description is 500 characters.
      Related Document References: Element Reference Overview,Resource Description Method.

      27. Suggestion - Resource Redundancy

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Suggestion - Resource redundancy.
      Resolve the error: The specified resource and resource wildcard "*" are redundant.
      Example:
      "Resource": [            
                    "qcs::cam::uin/111122223333:rolename/admin",            
                    "qcs::cam::uin/1111122223333:rolename/readonly",
                    "qcs::cam::uin/1111122223333:rolename/*"        
                  ]
      In the example, the third six-segment resource description has already described all rolename resources. Other roles like admin and readonly are included in the wildcard "*".
      Related Document References: Element Reference Overview,Resource Description Method.

      action

      28. Error - Missing Action

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Missing action. The action describes the allowed or denied operation.
      Resolve the error: The action describes the allowed or denied operation. An action can be an API (prefixed with name) or a feature set (a group of specific APIs prefixed with actionName). This element is mandatory.
      Example:
      {
        "version": "2.0",
        "statement": [
          {
            "effect": "allow",
            "action": [
              "ES:CreateServerlessSpace",
              "ES:CreateServerlessInstance",
              "ES:DescribeServerlessInstances",
              "ES:CreateServerlessInstanceUser",
              "ES:DescribeServerlessInstanceUsers",
              "ES:CreateServerlessDi",
              "ES:DescribeServerlessDi",
              "ES:DeleteServerlessInstanceUser",
              "ES:DeleteServerlessDi",
              "ES:DeleteServerlessInstance",
              "ES:DescribeServerlessSpaces",
              "ES:SearchServerlessData"
            ],
            "resource": [
              "*"
            ]
          }
        ]
      }
      Related Document References: Element Reference Overview.

      29. Error - Invalid Action

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Invalid action.
      Resolve the error: The action describes the allowed or denied operation. The input action is invalid, please check the action prefix and action name you entered.
      Related Document References: Service Interfaces that Support CAM.

      30. Error - Invalid Service Prefix in Action

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Invalid service prefix in action.
      Resolve the error: The action describes the allowed or denied operation. The service prefix in the action is invalid, please check the action prefix you entered.
      Related Document References: Service Interfaces that Support CAM.

      31. Suggestion - Action Redundancy

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Suggestion - action redundancy.
      Resolve the error: The action has redundancy, the specified action and the wildcard "*" are redundant.
      Example:
      "Action": [
              "cam:Get*",        
              "cam:List*",        
              "cam:Getrole"    
              ],
      In the example, the wildcard "cam:Get*" already includes the Getrole permission.
      Related Document References: Element Reference Overview,Resource Description Method.

      condition

      32. Error - Data Type Msmatch

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Data type mismatch.
      Resolve the error: The input condition value does not match the data type required by the conditional operator and the conditional key.
      Related Document References: Conditional Keys and Conditional Operators.

      33. Error - Invalid Global Conditional Key

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Invalid conditional key.
      Resolve the error: Global conditional keys are conditional keys with the qcs: prefix. Currently, qcs:current_time, qcs:ip, qcs:resource_tag, and qcs:request_tag are supported as global conditional keys.
      Related Document References: Conditional Keys and Conditional Operators.

      34. Error - Invalid Service Conditional Key

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Invalid service conditional key.
      Resolve the error: Service conditional keys are prefixes with the service abbreviation, such as conditional keys with the vpc: prefix.
      Related Document References: Conditional Keys and Conditional Operators.

      35. Error - Multiple Boolean Values Are Not Supported

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Multiple Boolean values are not supported.
      Resolve the error: Boolean conditional operators support only one Boolean value.
      Related Document References: Conditional Keys and Conditional Operators.

      36. Error - Condition Length Exceeding the Limit

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Condition length exceeding the limit.
      Resolve the error: The maximum supported length for condition is 4095 characters.
      Related Document References: Conditional Keys and Conditional Operators.

      37. Error - Invalid Conditional Operator

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Invalid conditional operator.
      Resolve the error: The input conditional operator is invalid. See Conditional Keys and Conditional Operators.
      Related Document References: Conditional Keys and Conditional Operators.

      38. Recommendation - Conditional Keys and Conditional Operators Do Not Match

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Conditional keys and conditional operators do not match.
      Resolve the error: Conditional keys and conditional operators do not match. See Conditional Keys and Conditional Operators.
      Related Document References: Conditional Keys and Conditional Operators.

      Other

      39. Error - Invalid Policy Element

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Invalid policy element.
      Resolve the error: Policy statements support only the elements version, statement, principal, action, resource, condition, and effect.
      Related Document References: Element Reference Overview.

      40. Error - JSON Syntax Error

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - JSON syntax error.
      Resolve the error: Your policy contains syntax errors. Please check your JSON syntax.
      Related Document References: JSON Validator,Element Reference Overview.

      41. Error - Policy Length Exceeding the Limit

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Policy length exceeding the limit.
      Resolve the error: The policy length exceeds the limit. The maximum supported policy length is 6144.
      Related Document References: Element Reference Overview.

      42. Error - ACL Policy Length Exceeding the Limit

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - ACL policy length exceeding the limit.

      43. Error - Custom Policy Quantities Exceeding the Limit

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Error - Custom policy quantities exceeding the limit.
      Resolve the error: The maximum number of custom policies for a Tencent Cloud account is 1,500.
      Related Document References: Element Reference Overview.

      44. Warning - Invalid Date Value

      In the Tencent Cloud console, the error message from the Policy Analyzer indicates: Warning - Invalid date value.
      Resolve the warning: Unix Epoch time denotes the number of seconds that have elapsed since January 1, 1970, excluding leap seconds. Epoch time may not resolve to the precise moment you anticipate. Tencent Cloud recommends adhering to the W3C Date and Time Formats. For instance, you may specify a complete date such as YYYY-MMM-DD (1997-07-16), or append the time to the second, such as YYYY-MM-DDThh:mm:ssTZD (1997-07-16T19:20:30+01:00).
      Related Document References: W3C Date and Time Formats.
      
      문의하기

      고객의 업무에 전용 서비스를 제공해드립니다.

      문의하기
      기술 지원

      더 많은 도움이 필요하시면, 티켓을 통해 연락 바랍니다. 티켓 서비스는 연중무휴 24시간 제공됩니다.

      티켓 제출
      연중무휴 24시간 전화 지원
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      개인정보 처리방침서비스 약관쿠키 정책