本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用条件键
您可以指定决定 IAM policy 如何生效的条件。在中 ElastiCache,您可以使用 JSON 策略的Condition元素将请求上下文中的密钥与您在策略中指定的密钥值进行比较。有关更多信息,请参阅 IAM JSON 策略元素:条件。
要查看 ElastiCache 条件密钥列表,请参阅《服务授权参考》 ElastiCache中的 Amazon 条件密钥。
有关全局条件键的列表,请参阅 Amazon 全局条件上下文键。
指定条件:使用条件键
要实现精细控制,您需要编写 IAM 权限策略,用于指定控制某些请求上单独参数集的条件。然后,将该策略应用于您使用 IAM 控制台创建的 IAM 用户、组或角色。
要应用条件,请将条件信息添加到 IAM policy 语句。在以下示例中,您指定了条件,为创建的所有自行设计缓存群集使用节点类型 cache.r5.large。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:CacheNodeType": [ "cache.r5.large" ] } } } ] }
有关更多信息,请参阅基于标签的访问控制策略示例。
有关使用策略条件运算符的更多信息,请参阅 ElastiCache API 权限:操作、资源和条件参考。
策略示例:使用条件实现精细参数控制
本节显示了对前面列出的 ElastiCache 参数实施细粒度访问控制的策略示例。
elasticacheMaximumDataStorage:: 指定无服务器缓存的最大数据存储空间。使用提供的条件,客户不能创建存储超过特定数量数据的缓存。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "NumericLessThanEquals": { "elasticache:MaximumDataStorage": "30" }, "StringEquals": { "elasticache:DataStorageUnit": "GB" } } } ] }ElastiCache: maximumeCPU PerSecond:指定无服务器缓存每秒的最大 ECPU 值。使用提供的条件,客户不能创建每秒执行的 ECPU 数超过特定数量的缓存。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "NumericLessThanEquals": { "elasticache:MaximumECPUPerSecond": "100000" } } } ] }elasticacheCacheNodeType:: 指定用户可以创建哪 NodeType些。使用提供的条件,客户可以为节点类型指定单个值或范围值。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:CacheNodeType": [ "cache.t2.micro", "cache.t2.medium" ] } } } ] }elasticacheNumNodeGroups:: 创建节点组少于 20 个的复制组。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "NumericLessThanEquals": { "elasticache:NumNodeGroups": "20" } } } ] }elasticacheReplicasPerNodeGroup:: 指定每个节点的副本数在 5 到 10 之间。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "NumericGreaterThanEquals": { "elasticache:ReplicasPerNodeGroup": "5" }, "NumericLessThanEquals": { "elasticache:ReplicasPerNodeGroup": "10" } } } ] }elasticache:EngineVersion: 指定引擎版本 5.0.6 的用法。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:EngineVersion": "5.0.6" } } } ] }elasticache:EngineType: 仅使用 Redis OSS 引擎进行指定。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:EngineType": "redis" } } } ] }elasticacheAtRestEncryptionEnabled:: 指定只有在启用加密的情况下才能创建复制组。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:AtRestEncryptionEnabled": "true" } } } ] }-
弹性疼痛:TransitEncryptionEnabled
-
将CreateReplicationGroup操作的
elasticache:TransitEncryptionEnabled条件键设置为,以指定只有在不使用 TLS 时才能创建复制组:false{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:TransitEncryptionEnabled": "false" } } } ] }在CreateReplicationGroup操作策略
false中将elasticache:TransitEncryptionEnabled条件键设置为时,只有在未使用 TLS 的情况下(也就是说,请求中不包含设置为的TransitEncryptionEnabled参数true或设置为的TransitEncryptionMode参数),才允许请求required。CreateReplicationGroup -
将CreateReplicationGroup操作
elasticache:TransitEncryptionEnabled的条件键设置为,以指定只有在使用 TLS 时才能创建复制组:true{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:TransitEncryptionEnabled": "true" } } } ] }在CreateReplicationGroup操作策略
true中将elasticache:TransitEncryptionEnabled条件键设置为时,只有在CreateReplicationGroup请求中包含设置为的参数true和设置为的TransitEncryptionEnabled参数时,TransitEncryptionMode才允许请求required。 -
针对
ModifyReplicationGroup操作将elasticache:TransitEncryptionEnabled设置为true,以指定只有在使用 TLS 时才能修改复制组:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:ModifyReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "BoolIfExists": { "elasticache:TransitEncryptionEnabled": "true" } } } ] }在ModifyReplicationGroup操作策略
true中将elasticache:TransitEncryptionEnabled条件键设置为时,只有当ModifyReplicationGroup请求包含设置为的TransitEncryptionMode参数时,才允许请求required。也可以选择包含设置为true的TransitEncryptionEnabled参数,但在这种情况下,该设置并不是启用 TLS 所必需的。
-
-
elasticacheAutomaticFailoverEnabled:: 指定只有在启用自动故障转移的情况下才能创建复制组。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:AutomaticFailoverEnabled": "true" } } } ] } elasticache:MultiAZEnabled:指定不能在已禁用多可用区的情况下创建复制组。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Deny", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:MultiAZEnabled": "false" } } } ] }elasticacheClusterModeEnabled:: 指定只有在启用集群模式的情况下才能创建复制组。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:ClusterModeEnabled": "true" } } } ] }elasticacheAuthTokenEnabled:: 指定只有在启用身份验证令牌的情况下才能创建复制组。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:AuthTokenEnabled": "true" } } } ] }elasticacheSnapshotRetentionLimit:: 指定保存快照的天数(或最小/最大)。以下策略强制将备份存储至少 30 天。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup", "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*", "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "NumericGreaterThanEquals": { "elasticache:SnapshotRetentionLimit": "30" } } } ] }elasticache:KmsKeyId: 指定客户托管的 Amazon KMS 密钥的使用情况。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "StringEquals": { "elasticache:KmsKeyId": "my-key" } } } ] }elasticacheCacheParameterGroupName:: 指定一个非默认参数组,其中包含来自集群上某个组织的特定参数。您还可以为参数组指定命名模式,或阻止删除特定参数组名称。以下是限制仅使用 “my-org-param-group” 的示例。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:CacheParameterGroupName": "my-org-param-group" } } } ] }-
elasticacheCreateCacheCluster:: 如果请求标签
Project缺失或不等于Dev、QA或,则拒绝CreateCacheCluster执行操作。Prod{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*", "arn:aws:elasticache:*:*:securitygroup:*", "arn:aws:elasticache:*:*:replicationgroup:*" ] }, { "Effect": "Deny", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "Null": { "aws:RequestTag/Project": "true" } } }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:AddTagsToResource" ], "Resource": "arn:aws:elasticache:*:*:cluster:*", "Condition": { "StringEquals": { "aws:RequestTag/Project": [ "Dev", "Prod", "QA" ] } } } ] } elasticache:CacheNodeType: 允许
CreateCacheCluster使用 cache .r5.large 或cacheNodeTypecache.r6g.4xlarge 和 tag。Project=XYZ{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "StringEqualsIfExists": { "elasticache:CacheNodeType": [ "cache.r5.large", "cache.r6g.4xlarge" ] }, "StringEquals": { "aws:RequestTag/Project": "XYZ" } } } ] }
注意
在创建策略以将标签和其他条件键一起强制执行时,由于使用 --tags 参数创建请求的额外 elasticache:AddTagsToResource 策略要求,条件键元素可能需要条件 IfExists。