S3 Vectors identity-based policy examples
IAM identity-based policies are JSON documents attached to IAM users, groups, or roles that define which actions those identities can perform on S3 Vectors resources. The policies are evaluated in the context of the identity making the request and give you a centralized way to manage permissions across your Amazon environment. Identity-based policies provide a clear audit trail of who holds which permissions, and they are easy to modify as access requirements evolve.
When designing identity-based policies for S3 Vectors, consider the different kinds of users and applications that will interact with vector data. Common patterns include data scientists who need to query vectors, data engineers who need to load and manage vector data, administrators who need full control over bucket configuration, and applications that need specific read or write permissions on particular vector indexes.
Policy examples
Administrative access policy
This policy grants full administrative access to S3 Vectors resources and is suitable for platform administrators or DevOps teams:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAdministrativeAccess",
      "Effect": "Allow",
      "Action": [
        "s3vectors:CreateVectorBucket",
        "s3vectors:PutVectorBucketPolicy",
        "s3vectors:DeleteVectorBucket",
        "s3vectors:DeleteVectorBucketPolicy",
        "s3vectors:GetVectorBucket",
        "s3vectors:GetVectorBucketPolicy",
        "s3vectors:ListVectorBuckets",
        "s3vectors:CreateIndex",
        "s3vectors:DeleteIndex",
        "s3vectors:GetIndex",
        "s3vectors:ListIndexes",
        "s3vectors:DeleteVectors",
        "s3vectors:GetVectors",
        "s3vectors:ListVectors",
        "s3vectors:PutVectors",
        "s3vectors:QueryVectors"
      ],
      "Resource": "*"
    }
  ]
}
```
Application-specific access policy
This policy is designed for applications that need to perform specific operations on designated vector indexes:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowApplicationVectorAccess",
      "Effect": "Allow",
      "Action": [
        "s3vectors:QueryVectors",
        "s3vectors:GetVectors",
        "s3vectors:PutVectors",
        "s3vectors:ListVectors"
      ],
      "Resource": [
        "arn:aws:s3vectors:aws-region:123456789012:bucket/amzn-s3-demo-vector-bucket/index/product-recommendations",
        "arn:aws:s3vectors:aws-region:123456789012:bucket/amzn-s3-demo-vector-bucket/index/content-similarity"
      ]
    },
    {
      "Sid": "AllowGetIndex",
      "Effect": "Allow",
      "Action": "s3vectors:GetIndex",
      "Resource": "arn:aws:s3vectors:aws-region:123456789012:bucket/amzn-s3-demo-vector-bucket/index/*"
    },
    {
      "Sid": "AllowIndexInspection",
      "Effect": "Allow",
      "Action": "s3vectors:ListIndexes",
      "Resource": "arn:aws:s3vectors:aws-region:123456789012:bucket/amzn-s3-demo-vector-bucket"
    }
  ]
}
```
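As an added example (not code from this page or from AWS), the following Python simulates how the application-specific policy above is evaluated for a few requests and flags statements that grant mutating S3 Vectors actions on every resource. The names `is_allowed` and `unscoped_write_sids`, the placeholder region `aws-region` and the account ID `123456789012` are assumptions; the evaluator only handles Effect, Action and Resource with `*` wildcards and ignores Condition, NotAction, NotResource, resource policies and SCPs.

```python
import fnmatch

# Constructed sample: the application-scoped policy from this page, using a
# placeholder region and account ID (assumed ARN layout:
# arn:aws:s3vectors:<region>:<account-id>:bucket/<bucket>[/index/<index>]).
BUCKET_ARN = "arn:aws:s3vectors:aws-region:123456789012:bucket/amzn-s3-demo-vector-bucket"
APP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowApplicationVectorAccess", "Effect": "Allow",
         "Action": ["s3vectors:QueryVectors", "s3vectors:GetVectors",
                    "s3vectors:PutVectors", "s3vectors:ListVectors"],
         "Resource": [BUCKET_ARN + "/index/product-recommendations",
                      BUCKET_ARN + "/index/content-similarity"]},
        {"Sid": "AllowGetIndex", "Effect": "Allow",
         "Action": "s3vectors:GetIndex", "Resource": BUCKET_ARN + "/index/*"},
        {"Sid": "AllowIndexInspection", "Effect": "Allow",
         "Action": "s3vectors:ListIndexes", "Resource": BUCKET_ARN},
    ],
}

# S3 Vectors actions that create, change or delete something (from the admin
# policy on this page); an Allow on "*" for any of these deserves review.
WRITE_ACTIONS = {
    "s3vectors:CreateVectorBucket", "s3vectors:PutVectorBucketPolicy",
    "s3vectors:DeleteVectorBucket", "s3vectors:DeleteVectorBucketPolicy",
    "s3vectors:CreateIndex", "s3vectors:DeleteIndex",
    "s3vectors:DeleteVectors", "s3vectors:PutVectors",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: explicit Deny wins, any matching
    Allow grants access, otherwise the request is implicitly denied."""
    decision = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision

def unscoped_write_sids(policy):
    """Return the Sids of Allow statements granting a mutating action on '*'."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(w, p) for p in patterns for w in WRITE_ACTIONS):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged
```

Running `unscoped_write_sids` over the administrative policy above flags `AllowAdministrativeAccess`, while the application policy is clean and, for example, denies `s3vectors:DeleteIndex` on the indexes it can query.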