的示例 SCP Amazon Resource Access Manager - Amazon Organizations
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

的示例 SCP Amazon Resource Access Manager

阻止外部共享

以下示例 SCP 阻止用户创建允许与不属于组织的 IAM 用户和角色共享的资源共享。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "ram:CreateResourceShare", "ram:UpdateResourceShare" ], "Resource": "*", "Condition": { "Bool": { "ram:RequestedAllowsExternalPrincipals": "true" } } } ] }

允许特定账户仅共享指定的资源类型

以下 SCP 允许账户 111111111111222222222222 创建共享前缀列表的资源共享,并将前缀列表与现有资源共享相关联。

{ "Version": "2012-10-17", "Statement": [ { "Sid": "OnlyNamedAccountsCanSharePrefixLists", "Effect": "Allow", "Action": [ "ram:AssociateResourceShare", "ram:CreateResourceShare" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:PrincipalAccount": [ "111111111111", "222222222222" ] }, "StringEquals": { "ram:RequestedResourceType": "ec2:PrefixList" } } } ] }

阻止与组织或组织部门(OU)共享

以下 SCP 禁止用户创建与一个或多个 Amazon 组织单位共享资源的资源共享。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "ram:CreateResourceShare", "ram:AssociateResourceShare" ], "Resource": "*", "Condition": { "ForAnyValue:StringLike": { "ram:Principal": [ "arn:aws:organizations::*:organization/*", "arn:aws:organizations::*:ou/*" ] } } } ] }

仅允许与指定的 IAM 用户和角色共享

以下示例 SCP 允许用户与组织 o-12345abcdef、组织部门 ou-98765fedcba 和账户 111111111111 共享资源。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ram:AssociateResourceShare", "ram:CreateResourceShare" ], "Resource": "*", "Condition": { "ForAnyValue:StringNotEquals": { "ram:Principal": [ "arn:aws:organizations::123456789012:organization/o-12345abcdef", "arn:aws:organizations::123456789012:ou/o-12345abcdef/ou-98765fedcba", "111111111111" ] } } } ] }