本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。

# 在 IAM 策略中使用接入点
<a name="access-points-iam-policy"></a>

您可以使用 IAM 策略强制规定：由其 IAM 角色标识的特定 NFS 客户端只能访问特定访问点。为此，您可以使用 `elasticfilesystem:AccessPointArn` IAM 条件键。`AccessPointArn` 是挂载文件系统的访问点的 Amazon 资源名称 (ARN)。

以下是一个文件系统策略示例，该策略允许 IAM 角色 `app1` 使用访问点 `fsap-01234567` 来访问文件系统。该策略还允许 `app2` 通过访问点使用文件系统 `fsap-89abcdef`。

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Id": "MyFileSystemPolicy",
    "Statement": [
        {
            "Sid": "App1Access",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::111122223333:role/app1" },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/*",
            "Condition": {
                "StringEquals": {
                    "elasticfilesystem:AccessPointArn" : "arn:aws:elasticfilesystem:us-east-1:222233334444:access-point/fsap-01234567"
                }
            }
        },
        {
            "Sid": "App2Access",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::111122223333:role/app2" },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/*",
            "Condition": {
                "StringEquals": {
                    "elasticfilesystem:AccessPointArn" : "arn:aws:elasticfilesystem:us-east-1:222233334444:access-point/fsap-89abcdef"
                }
            }
        }
    ]
}
```

------