Amazon Data Pipeline:拒绝用户访问他人创建的 DataPipeline 管道
此示例说明如何创建基于身份的策略以拒绝对用户未创建的管道的访问。如果 PipelineCreator
字段的值与 IAM 用户名匹配,则指定的操作不会被拒绝。此策略授予有计划地通过 Amazon API 或 Amazon CLI 完成此操作的必要权限。
重要
该策略不允许进行任何操作。可将此策略与允许特定操作的其他策略结合使用。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ExplicitDenyIfNotTheOwner", "Effect": "Deny", "Action": [ "datapipeline:ActivatePipeline", "datapipeline:AddTags", "datapipeline:DeactivatePipeline", "datapipeline:DeletePipeline", "datapipeline:DescribeObjects", "datapipeline:EvaluateExpression", "datapipeline:GetPipelineDefinition", "datapipeline:PollForTask", "datapipeline:PutPipelineDefinition", "datapipeline:QueryObjects", "datapipeline:RemoveTags", "datapipeline:ReportTaskProgress", "datapipeline:ReportTaskRunnerHeartbeat", "datapipeline:SetStatus", "datapipeline:SetTaskStatus", "datapipeline:ValidatePipelineDefinition" ], "Resource": ["*"], "Condition": { "StringNotEquals": {"datapipeline:PipelineCreator": "${aws:userid}"} } } ] }