使用条件键 - 亚马逊 ElastiCache (Redis OSS)
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

使用条件键

您可以指定决定 IAM policy 如何生效的条件。在中 ElastiCache,您可以使用 JSON 策略的Condition元素将请求上下文中的密钥与您在策略中指定的密钥值进行比较。有关更多信息,请参阅 IAM JSON 策略元素:条件

要查看 ElastiCache 条件密钥列表,请参阅《服务授权参考》 ElastiCache中的 Amazon 条件密钥

有关全局条件键的列表,请参阅 Amazon 全局条件上下文键

指定条件:使用条件键

要实现精细控制,您需要编写 IAM 权限策略,用于指定控制某些请求上单独参数集的条件。然后,将该策略应用于您使用 IAM 控制台创建的 IAM 用户、组或角色。

要应用条件,请将条件信息添加到 IAM policy 语句。在以下示例中,您指定了条件,为创建的所有自行设计缓存群集使用节点类型 cache.r5.large

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:CacheNodeType": [ "cache.r5.large" ] } } } ] }

有关更多信息,请参阅基于标签的访问控制策略示例

有关使用策略条件运算符的更多信息,请参阅 ElastiCache API 权限:操作、资源和条件参考

策略示例:使用条件实现精细参数控制

本节显示了对前面列出的 ElastiCache 参数实施细粒度访问控制的策略示例。

  1. elasticacheMaximumDataStorage:: 指定无服务器缓存的最大数据存储空间。使用提供的条件,客户不能创建存储超过特定数量数据的缓存。

    { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "NumericLessThanEquals": { "elasticache:MaximumDataStorage": "30" }, "StringEquals": { "elasticache:DataStorageUnit": "GB" } } } ] }
  2. ElastiCache: maximumeCPU PerSecond:指定无服务器缓存每秒的最大 ECPU 值。使用提供的条件,客户不能创建每秒执行的 ECPU 数超过特定数量的缓存。

    { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "NumericLessThanEquals": { "elasticache:MaximumECPUPerSecond": "100000" } } } ] }
  3. elasticacheCacheNodeType:: 指定用户可以创建哪 NodeType些。使用提供的条件,客户可以为节点类型指定单个值或范围值。

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:CacheNodeType": [ "cache.t2.micro", "cache.t2.medium" ] } } } ] }
  4. elasticacheNumNodeGroups:: 创建节点组少于 20 个的复制组。

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "NumericLessThanEquals": { "elasticache:NumNodeGroups": "20" } } } ] }
  5. elasticacheReplicasPerNodeGroup:: 指定每个节点的副本数在 5 到 10 之间。

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "NumericGreaterThanEquals": { "elasticache:ReplicasPerNodeGroup": "5" }, "NumericLessThanEquals": { "elasticache:ReplicasPerNodeGroup": "10" } } } ] }
  6. elasticache:EngineVersion: 指定引擎版本 5.0.6 的用法。

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:EngineVersion": "5.0.6" } } } ] }
  7. elasticache:EngineType: 仅使用 Redis OSS 引擎进行指定。

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:EngineType": "redis" } } } ] }
  8. elasticacheAtRestEncryptionEnabled:: 指定只有在启用加密的情况下才能创建复制组。

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:AtRestEncryptionEnabled": "true" } } } ] }
  9. 弹性疼痛:TransitEncryptionEnabled

    1. CreateReplicationGroup操作的elasticache:TransitEncryptionEnabled条件键设置为,以指定只有在不使用 TLS 时才能创建复制组:false

      { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:TransitEncryptionEnabled": "false" } } } ] }

      CreateReplicationGroup操作策略false中将elasticache:TransitEncryptionEnabled条件键设置为时,只有在未使用 TLS 的情况下(也就是说,请求中不包含设置为的TransitEncryptionEnabled参数true或设置为的TransitEncryptionMode参数),才允许请求requiredCreateReplicationGroup

    2. CreateReplicationGroup操作elasticache:TransitEncryptionEnabled的条件键设置为,以指定只有在使用 TLS 时才能创建复制组:true

      { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:TransitEncryptionEnabled": "true" } } } ] }

      CreateReplicationGroup操作策略true中将elasticache:TransitEncryptionEnabled条件键设置为时,只有在CreateReplicationGroup请求中包含设置为的参数true和设置为的TransitEncryptionEnabled参数时,TransitEncryptionMode才允许请求required

    3. 针对 ModifyReplicationGroup 操作将 elasticache:TransitEncryptionEnabled 设置为 true,以指定只有在使用 TLS 时才能修改复制组:

      { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:ModifyReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "BoolIfExists": { "elasticache:TransitEncryptionEnabled": "true" } } } ] }

      ModifyReplicationGroup操作策略true中将elasticache:TransitEncryptionEnabled条件键设置为时,只有当ModifyReplicationGroup请求包含设置为的TransitEncryptionMode参数时,才允许请求required。也可以选择包含设置为 trueTransitEncryptionEnabled 参数,但在这种情况下,该设置并不是启用 TLS 所必需的。

  10. elasticacheAutomaticFailoverEnabled:: 指定只有在启用自动故障转移的情况下才能创建复制组。

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:AutomaticFailoverEnabled": "true" } } } ] }
  11. elasticache:MultiAZEnabled:指定不能在已禁用多可用区的情况下创建复制组。

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Deny", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:MultiAZEnabled": "false" } } } ] }
  12. elasticacheClusterModeEnabled:: 指定只有在启用集群模式的情况下才能创建复制组。

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:ClusterModeEnabled": "true" } } } ] }
  13. elasticacheAuthTokenEnabled:: 指定只有在启用身份验证令牌的情况下才能创建复制组。

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:AuthTokenEnabled": "true" } } } ] }
  14. elasticacheSnapshotRetentionLimit:: 指定保存快照的天数(或最小/最大)。以下策略强制将备份存储至少 30 天。

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup", "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*", "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "NumericGreaterThanEquals": { "elasticache:SnapshotRetentionLimit": "30" } } } ] }
  15. elasticache:KmsKeyId: 指定客户托管的 Amazon KMS 密钥的使用情况。

    { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "StringEquals": { "elasticache:KmsKeyId": "my-key" } } } ] }
  16. elasticacheCacheParameterGroupName:: 指定一个非默认参数组,其中包含来自集群上某个组织的特定参数。您还可以为参数组指定命名模式,或阻止删除特定参数组名称。以下是限制仅使用 “my-org-param-group” 的示例。

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:CacheParameterGroupName": "my-org-param-group" } } } ] }
  17. elasticacheCreateCacheCluster:: 如果请求标签Project缺失或不等于DevQA或,则拒绝CreateCacheCluster执行操作。Prod

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*", "arn:aws:elasticache:*:*:securitygroup:*", "arn:aws:elasticache:*:*:replicationgroup:*" ] }, { "Effect": "Deny", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "Null": { "aws:RequestTag/Project": "true" } } }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:AddTagsToResource" ], "Resource": "arn:aws:elasticache:*:*:cluster:*", "Condition": { "StringEquals": { "aws:RequestTag/Project": [ "Dev", "Prod", "QA" ] } } } ] }
  18. elasticache:CacheNodeType: 允许CreateCacheCluster使用 cache .r5.large 或 cacheNodeType cache.r6g.4xlarge 和 tag。Project=XYZ

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "StringEqualsIfExists": { "elasticache:CacheNodeType": [ "cache.r5.large", "cache.r6g.4xlarge" ] }, "StringEquals": { "aws:RequestTag/Project": "XYZ" } } } ] }
注意

在创建策略以将标签和其他条件键一起强制执行时,由于使用 --tags 参数创建请求的额外 elasticache:AddTagsToResource 策略要求,条件键元素可能需要条件 IfExists