Using condition keys
You can specify conditions that determine how an IAM policy takes effect. In ElastiCache, you can use the Condition element of a JSON policy to compare keys in the request context with key values that you specify in the policy. For more information, see IAM JSON policy elements: Condition. For a list of global condition keys, see Amazon global condition context keys.
Specifying conditions: using condition keys
To implement fine-grained control, you write an IAM permissions policy that specifies conditions controlling an individual set of parameters on certain requests. You then apply that policy to the IAM users, groups, or roles that you create using the IAM console.
To apply a condition, add the condition information to the IAM policy statement. In the following example, the specified condition is that any cache cluster created must be of the cache.r5.large node type.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:cluster:*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticache:CacheNodeType": [
            "cache.r5.large"
          ]
        }
      }
    }
  ]
}
```
The following table shows the service-specific condition keys that apply to ElastiCache and the actions that use them.

| Key name | Description | Data type | Used by | Affected resource types (* if marked with an asterisk, this resource is affected only if it appears in the request) |
|---|---|---|---|---|
| elasticache:CacheNodeType | Filters access by the cacheNodeType parameter present in the request. This key can be used to restrict the cache node types that can be used in cluster creation or scaling operations. | String | | |
| elasticache:NumNodeGroups | Filters access by the NumNodeGroups or NodeGroupCount parameter specified in the request. This key can be used to restrict the number of node groups (shards) a cluster can have after a create or scale operation. | Number | | |
| elasticache:ReplicasPerNodeGroup | Filters access by the number of replicas per node group (shard) specified in a create or scale request. | Number | | |
| elasticache:EngineVersion | Filters access by what is present in creation or cluster modification requests. | String | | |
| elasticache:EngineType | Filters access by the engine type present in creation requests. For replication group creation, if the parameter is not present, the default engine "redis" is used as the key. | String | | |
| elasticache:AutomaticFailoverEnabled | Filters access by what is present in the request. | Bool | | |
| elasticache:AtRestEncryptionEnabled | Filters access by what is present in the request. | Bool | | |
| elasticache:TransitEncryptionEnabled | Filters access by what is present in the request. | Bool | | |
| elasticache:MultiAZEnabled | Filters access by | Bool | | |
| elasticache:ClusterModeEnabled | Filters access by what is present in the request. | Bool | | |
| elasticache:AuthTokenEnabled | Filters access by whether the request contains a non-empty | Bool | | |
| elasticache:SnapshotRetentionLimit | Filters access by what is in the request. | Number | | |
| elasticache:KmsKeyId | Filters access by what is in the request. | String | | |
| elasticache:CacheParameterGroupName | Filters access by what is in the request. | String | | |
For more information, see Example policies for tag-based access control.
For more information on using policy condition operators, see ElastiCache API permissions: actions, resources, and conditions reference.
Policy examples: using conditions for fine-grained parameter control
This section shows example policies that implement fine-grained access control for the ElastiCache parameters listed above.
elasticache:CacheNodeType: specify which NodeType a user can create. With the condition provided, a customer can specify a single value or a range of values for the node type.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:cluster:*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticache:CacheNodeType": [
            "cache.t2.micro",
            "cache.t2.medium"
          ]
        }
      }
    }
  ]
}
```
elasticache:NumNodeGroups: create replication groups with fewer than 20 node groups.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "NumericLessThanEquals": {
          "elasticache:NumNodeGroups": "20"
        }
      }
    }
  ]
}
```
elasticache:ReplicasPerNodeGroup: specify that the number of replicas per node group must be between 5 and 10.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "NumericGreaterThanEquals": {
          "elasticache:ReplicasPerNodeGroup": "5"
        },
        "NumericLessThanEquals": {
          "elasticache:ReplicasPerNodeGroup": "10"
        }
      }
    }
  ]
}
```
elasticache:EngineVersion: specify use of engine version 5.0.6.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:cluster:*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticache:EngineVersion": "5.0.6"
        }
      }
    }
  ]
}
```
elasticache:EngineType: specify that only the Redis engine may be used.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:cluster:*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticache:EngineType": "redis"
        }
      }
    }
  ]
}
```
elasticache:AtRestEncryptionEnabled: specify that replication groups may be created only with encryption enabled.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "Bool": {
          "elasticache:AtRestEncryptionEnabled": "true"
        }
      }
    }
  ]
}
```
elasticache:TransitEncryptionEnabled: specify that replication groups may be created only with this value set to false.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "Bool": {
          "elasticache:TransitEncryptionEnabled": "false"
        }
      }
    }
  ]
}
```
elasticache:AutomaticFailoverEnabled: specify that replication groups may be created only with automatic failover enabled.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "Bool": {
          "elasticache:AutomaticFailoverEnabled": "true"
        }
      }
    }
  ]
}
```
elasticache:MultiAZEnabled: specify that replication groups cannot be created with Multi-AZ disabled.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "Bool": {
          "elasticache:MultiAZEnabled": "false"
        }
      }
    }
  ]
}
```
elasticache:ClusterModeEnabled: specify that replication groups may be created only with cluster mode enabled.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "Bool": {
          "elasticache:ClusterModeEnabled": "true"
        }
      }
    }
  ]
}
```
elasticache:AuthTokenEnabled: specify that replication groups may be created only with an AUTH token enabled.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "Bool": {
          "elasticache:AuthTokenEnabled": "true"
        }
      }
    }
  ]
}
```
elasticache:SnapshotRetentionLimit: specify the number of days (or the minimum/maximum number of days) that snapshots are retained. The following policy enforces that backups are kept for at least 30 days.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "NumericGreaterThanEquals": {
          "elasticache:SnapshotRetentionLimit": "30"
        }
      }
    }
  ]
}
```
elasticache:KmsKeyId: specify use of a customer managed Amazon KMS key. This key supplements the at-rest encryption key.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticache:KmsKeyId": "my-key"
        }
      }
    }
  ]
}
```
elasticache:CacheParameterGroupName: specify a non-default parameter group that carries an organization's specific parameters on the cluster. You can also specify a naming pattern for parameter groups, or block deletion of specific parameter group names. The following example restricts use to only "my-org-param-group".
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:cluster:*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticache:CacheParameterGroupName": "my-org-param-group"
        }
      }
    }
  ]
}
```
elasticache:createcachecluster: allow CreateCacheCluster with a cacheNodeType of cache.r5.large or cache.r6g.4xlarge and the tag Project=XYZ.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:cluster:*"
      ],
      "Condition": {
        "StringEqualsIfExists": {
          "elasticache:CacheNodeType": [
            "cache.r5.large",
            "cache.r6g.4xlarge"
          ]
        },
        "StringEquals": {
          "aws:RequestTag/Project": "XYZ"
        }
      }
    }
  ]
}
```
When you create a policy that enforces tags together with other condition keys, the condition key elements may need the IfExists variant of the condition, because a create request made with the --tags parameter carries an additional elasticache:AddTagsToResource policy requirement.
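As an added illustration (not AWS's code or its policy engine), the following Python models the condition operators used on this page and shows why the CacheNodeType condition in the last example needs StringEqualsIfExists once the create request carries tags: the AddTagsToResource authorization has no elasticache:CacheNodeType in its request context. It assumes a statement that also allows elasticache:AddTagsToResource, and it does not model resource ARNs or any other operators.

```python
# Added illustration (not AWS's policy engine): a small evaluator for the condition
# operators used on this page, to show why a tagged create needs StringEqualsIfExists.
def _values(v):
    return v if isinstance(v, list) else [v]

def condition_matches(op, key, expected, ctx):
    """One condition entry against the request context."""
    if op.endswith("IfExists"):  # ...IfExists passes when the key is absent
        if key not in ctx:
            return True
        op = op[:-len("IfExists")]
    elif key not in ctx:  # plain operators fail on a missing key
        return False
    actual, expected = ctx[key], _values(expected)
    if op == "StringEquals":
        return actual in expected
    if op == "Bool":
        return str(actual).lower() == str(expected[0]).lower()
    if op == "NumericLessThanEquals":
        return float(actual) <= float(expected[0])
    if op == "NumericGreaterThanEquals":
        return float(actual) >= float(expected[0])
    raise ValueError(f"operator not modelled: {op}")

def statement_applies(stmt, action, ctx):
    """Action listed and every condition entry matches (resource ARNs not modelled)."""
    return action in _values(stmt["Action"]) and all(
        condition_matches(op, k, v, ctx)
        for op, pairs in stmt.get("Condition", {}).items() for k, v in pairs.items())

def evaluate(policy, action, ctx):
    """Explicit Deny wins, then a matching Allow, otherwise implicit Deny."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, action, ctx)}
    return "Deny" if "Deny" in effects or "Allow" not in effects else "Allow"

def node_type_policy(operator):
    """The page's last example, plus (assumption) AddTagsToResource in the same statement."""
    cond = {"StringEquals": {"aws:RequestTag/Project": "XYZ"}}
    cond.setdefault(operator, {})["elasticache:CacheNodeType"] = ["cache.r5.large", "cache.r6g.4xlarge"]
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*", "Condition": cond,
            "Action": ["elasticache:CreateCacheCluster", "elasticache:AddTagsToResource"]}]}

def tagged_create_allowed(policy, node_type, tags):
    """A create with --tags is authorized twice: as CreateCacheCluster (context carries
    elasticache:CacheNodeType) and as AddTagsToResource (its context does not)."""
    tag_ctx = {f"aws:RequestTag/{k}": v for k, v in tags.items()}
    create_ctx = {"elasticache:CacheNodeType": node_type, **tag_ctx}
    return (evaluate(policy, "elasticache:CreateCacheCluster", create_ctx) == "Allow"
            and evaluate(policy, "elasticache:AddTagsToResource", tag_ctx) == "Allow")
```

With plain StringEquals the tagged create is refused even for an allowed node type, because the AddTagsToResource check cannot see the key; with StringEqualsIfExists it passes, while a wrong node type or a wrong tag value is still refused.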