AWS Identity and Access Management
User Guide
The AWS services or features described in the AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon AWS.

Policy summary examples

The following examples include JSON policies with their associated policy summaries, service summaries, and action summaries to help you understand the permissions given through a policy.

Policy 1: DenyCustomerBucket

This policy demonstrates allow and deny for the same service.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FullAccess",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "DenyCustomerBucket",
      "Action": ["s3:*"],
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]
    }
  ]
}

DenyCustomerBucket policy summary:

[Image: "Policy summary" dialog box]

DenyCustomerBucket S3 (Explicit deny) service summary:

[Image: "Service summary" dialog box]

GetObject (Read) action summary:

[Image: "Action summary" dialog box]

Policy 2: DynamoDbRowCognitoID

This policy provides row-level access to Amazon DynamoDB based on the user's Amazon Cognito ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-west-1:123456789012:table/myDynamoTable"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${cognito-identity.amazonaws.com:sub}"
          ]
        }
      }
    }
  ]
}
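
The row-level restriction above rests entirely on the Condition element: the `${cognito-identity.amazonaws.com:sub}` variable is resolved from the request context, and `ForAllValues:StringEquals` then requires every partition-key value the request touches to equal the caller's own Cognito identity. The following script is an added example (not part of the AWS documentation and not IAM's evaluator) that models those two steps so the behaviour can be exercised offline. The request contexts in it are constructed sample data and the identity values are placeholders.

```python
"""Evaluates Policy 2's Condition block against a request context.

Added example for this page; it models IAM's documented ForAllValues
semantics in a simplified way and is not IAM's evaluator.  The request
contexts below are constructed sample data, and the Cognito identity
values in them are placeholders.
"""
import re

POLICY_VARIABLE = re.compile(r"\$\{([^}]+)\}")

# The Condition element of Policy 2, as it appears on the page.
ROW_LEVEL_CONDITION = {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
    }
}


def resolve_variables(values, request_context):
    """Substitute ${key} policy variables from the request context.

    Returns None when a referenced key is absent from the context: IAM does
    not match a statement whose variable cannot be resolved, so an Allow
    statement grants nothing to a caller that did not come through Cognito.
    """
    resolved = []
    for value in values:
        missing = [k for k in POLICY_VARIABLE.findall(value) if k not in request_context]
        if missing:
            return None
        resolved.append(POLICY_VARIABLE.sub(lambda m: request_context[m.group(1)], value))
    return resolved


def for_all_values_string_equals(policy_values, request_values):
    """ForAllValues:StringEquals: every value of the key in the request must
    equal one of the policy values.  An empty request set also evaluates to
    true (IAM's documented behaviour), which is the caveat to keep in mind
    whenever ForAllValues sits in an Allow statement."""
    return all(v in policy_values for v in request_values)


def row_access_allowed(request_context, condition=ROW_LEVEL_CONDITION):
    """Decide whether Policy 2's Condition matches a request context that
    carries the caller's Cognito identity and the partition-key values
    (dynamodb:LeadingKeys) that the DynamoDB request touches."""
    key = "dynamodb:LeadingKeys"
    policy_values = resolve_variables(
        condition["ForAllValues:StringEquals"][key], request_context)
    if policy_values is None:
        return False
    return for_all_values_string_equals(set(policy_values), request_context.get(key, []))


# Constructed request contexts; the identity values are placeholders.
OWN_ROW = {
    "cognito-identity.amazonaws.com:sub": "us-east-1:PLACEHOLDER-ALICE",
    "dynamodb:LeadingKeys": ["us-east-1:PLACEHOLDER-ALICE"],
}
OTHER_ROW_TOO = {  # e.g. a BatchGetItem that also touches another user's item
    "cognito-identity.amazonaws.com:sub": "us-east-1:PLACEHOLDER-ALICE",
    "dynamodb:LeadingKeys": ["us-east-1:PLACEHOLDER-ALICE", "us-east-1:PLACEHOLDER-BOB"],
}
NO_COGNITO = {"dynamodb:LeadingKeys": ["us-east-1:PLACEHOLDER-ALICE"]}

if __name__ == "__main__":
    for label, ctx in [("own row", OWN_ROW), ("own + other row", OTHER_ROW_TOO),
                       ("no Cognito identity", NO_COGNITO)]:
        print(f"{label}: {row_access_allowed(ctx)}")
```

Run stand-alone, the script reports that a request confined to the caller's own partition key matches, a request that also touches another identity's item does not, and a caller without a Cognito identity in the context gets no match at all. The `for_all_values_string_equals` helper also shows why AWS documents caution with `ForAllValues` in Allow statements: a request context with no `dynamodb:LeadingKeys` values at all evaluates to true.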

DynamoDbRowCognitoID policy summary:

[Image: "Policy summary" dialog box]

DynamoDbRowCognitoID DynamoDB (Allow) service summary:

[Image: "Service summary" dialog box]

GetItem (List) action summary:

[Image: "Action summary" dialog box]

Policy 3: MultipleResourceCondition

This policy includes multiple resources and conditions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": ["arn:aws:s3:::Apple_bucket/*"],
      "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": ["arn:aws:s3:::Orange_bucket/*"],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": ["custom"],
          "s3:x-amz-grant-full-control": ["1234"]
        }
      }
    }
  ]
}

MultipleResourceCondition policy summary:

[Image: "Policy summary" dialog box]

MultipleResourceCondition S3 (Allow) service summary:

[Image: "Service summary" dialog box]

PutObject (Write) action summary:

[Image: "Action summary" dialog box]

Policy 4: EC2_Troubleshoot

The following policy allows users to get a screenshot of a running Amazon EC2 instance, which can help with EC2 troubleshooting. This policy also permits viewing information about the items in the Amazon S3 developer bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:GetConsoleScreenshot"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::developer"
      ]
    }
  ]
}

EC2_Troubleshoot policy summary:

[Image: "Policy summary" dialog box]

EC2_Troubleshoot S3 (Allow) service summary:

[Image: "Service summary" dialog box]

ListBucket (List) action summary:

[Image: "Action summary" dialog box]

Policy 5: Unrecognized_Service_Action

The following policy is intended to provide full access to DynamoDB, but access fails because dynamodb is misspelled as dynamobd. The policy is intended to allow access to some Amazon EC2 actions in the us-west-2 Region but to deny them in the ap-northeast-2 Region. However, because of the unrecognized extra o in the ap-northeast-2 action RebootInstances, access to reboot instances in that Region is not explicitly denied. This example shows how you can use a policy summary to locate errors in your policy. To learn how to edit the policy based on the information in the policy summary, see Editing policies to correct warnings.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamobd:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:ReboootInstances"
      ],
      "Resource": "*",
      "Effect": "Deny",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "ap-northeast-2"
        }
      }
    },
    {
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "us-east-2"
        }
      }
    }
  ]
}

Unrecognized_Service_Action policy summary:

[Image: "Policy summary" dialog box]

Unrecognized_Service_Action EC2 (Explicit deny) service summary:

[Image: "Service summary" dialog box]

Unrecognized_Service_Action StartInstances (Write) action summary:

[Image: "Action summary" dialog box]

Policy 6: CodeBuild_CodeCommit_CodeDeploy

This policy provides access to specific CodeBuild, CodeCommit, and CodeDeploy resources. Because those resources are specific to each service, they appear only with the matching service. If you include a resource that does not match any of the services in the Action element, that resource appears in all action summaries.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1487980617000",
      "Effect": "Allow",
      "Action": [
        "codebuild:*",
        "codecommit:*",
        "codedeploy:*"
      ],
      "Resource": [
        "arn:aws:codebuild:us-west-2:123456789012:project/my-demo-project",
        "arn:aws:codecommit:us-west-2:123456789012:MyDemoRepo",
        "arn:aws:codedeploy:us-west-2:123456789012:application:WordPress_App",
        "arn:aws:codedeploy:us-west-2:123456789012:instance/AssetTag*"
      ]
    }
  ]
}
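
Three of the behaviours the summaries above surface can be reproduced in a few dozen lines: the "Explicit deny" label that Policy 1 earns because a Deny statement targets the same service as the Allow, the unrecognized service and action names (dynamobd, ReboootInstances) that Policy 5 relies on to show where a typo silently removes a deny, and the rule from Policy 6 that a resource ARN attaches only to its own service unless it matches none of the statement's services. The script below is an added example written for this page; it is not AWS's policy-summary implementation. Its `KNOWN_ACTIONS` table is a constructed, deliberately partial stand-in for the per-service action lists IAM checks against, and its `is_allowed()` evaluator deliberately ignores Condition elements.

```python
"""Simplified policy-summary builder and Allow/Deny evaluator.

Added example for this page; it is not AWS's implementation of policy
summaries.  KNOWN_ACTIONS is a constructed, deliberately partial stand-in
for the per-service action lists IAM checks against, and is_allowed()
ignores Condition elements (an assumption, stated again below).
"""
import json
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed partial table: service prefix -> recognized action names.
KNOWN_ACTIONS = {
    "s3": {"GetObject", "PutObject", "PutObjectAcl", "ListBucket"},
    "ec2": {"RunInstances", "StartInstances", "StopInstances",
            "RebootInstances", "GetConsoleScreenshot"},
    "dynamodb": {"GetItem", "PutItem", "DeleteItem", "UpdateItem"},
    "codebuild": {"StartBuild"},
    "codecommit": {"GitPull"},
    "codedeploy": {"CreateDeployment"},
}


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _arn_service(arn):
    """Service field of arn:partition:service:region:account:resource, or None for '*'."""
    parts = arn.split(":")
    return parts[2] if len(parts) > 2 else None


def summarize(policy_json):
    """Return (per-service summary, list of unrecognized actions).

    A service is labelled 'Explicit deny' as soon as any statement denies
    one of its actions.  Resource ARNs attach to the service they belong
    to; an ARN that belongs to none of the statement's services attaches
    to every service in that statement, as the page describes for Policy 6.
    """
    policy = json.loads(policy_json)
    summary = defaultdict(lambda: {"Allow": set(), "Deny": set(), "Resources": set()})
    unrecognized = []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt.get("Resource", "*"))
        stmt_services = {a.partition(":")[0] for a in actions}
        for action in actions:
            service, _, name = action.partition(":")
            known = KNOWN_ACTIONS.get(service)
            if known is None or (name != "*" and name not in known):
                unrecognized.append(action)  # misspelt service or action
                continue
            summary[service][stmt["Effect"]] |= known if name == "*" else {name}
            for arn in resources:
                arn_service = _arn_service(arn)
                if arn_service in (None, service) or arn_service not in stmt_services:
                    summary[service]["Resources"].add(arn)
    for entry in summary.values():
        entry["Label"] = "Explicit deny" if entry["Deny"] else "Allow"
    return dict(summary), unrecognized


def is_allowed(policy_json, action, resource):
    """Evaluate one action/resource pair: a matching explicit Deny wins over
    every Allow, and with no matching Allow the result is an implicit deny.
    Condition elements are deliberately not evaluated here."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        action_hit = any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, p)
                           for p in _as_list(stmt.get("Resource", "*")))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Policy 1 and Policy 5 from the page, reproduced as test inputs.
DENY_CUSTOMER_BUCKET = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "FullAccess", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
  {"Sid": "DenyCustomerBucket", "Action": ["s3:*"], "Effect": "Deny",
   "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]}]}"""

UNRECOGNIZED_SERVICE_ACTION = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["dynamobd:*"], "Resource": ["*"]},
  {"Action": ["ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances",
              "ec2:ReboootInstances"], "Resource": "*", "Effect": "Deny",
   "Condition": {"StringEquals": {"ec2:Region": "ap-northeast-2"}}},
  {"Action": ["ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances",
              "ec2:RebootInstances"], "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ec2:Region": "us-east-2"}}}]}"""

if __name__ == "__main__":
    for name, policy in [("DenyCustomerBucket", DENY_CUSTOMER_BUCKET),
                         ("Unrecognized_Service_Action", UNRECOGNIZED_SERVICE_ACTION)]:
        services, bad = summarize(policy)
        print(name, {s: e["Label"] for s, e in services.items()}, "unrecognized:", bad)
    print(is_allowed(DENY_CUSTOMER_BUCKET, "s3:GetObject", "arn:aws:s3:::customer/a.csv"))
```

For Policy 5 the summarizer reports `dynamobd:*` and `ec2:ReboootInstances` as unrecognized and leaves `RebootInstances` in the EC2 Allow set with nothing in the Deny set to counter it, which is exactly the gap the page's policy summary is meant to expose. For Policy 1 the evaluator shows the Deny statement overriding the broad `s3:*` Allow for keys under the customer bucket while other buckets stay reachable.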

CodeBuild_CodeCommit_CodeDeploy policy summary:

[Image: "Policy summary" dialog box]

CodeBuild_CodeCommit_CodeDeploy CodeBuild (Allow) service summary:

[Image: "Service summary" dialog box]

CodeBuild_CodeCommit_CodeDeploy StartBuild (Write) action summary:

[Image: "Action summary" dialog box]