The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Example policy summaries
The following examples include JSON policies together with their policy summaries, service summaries, and action summaries, to help you understand the permissions a policy grants.
Policy 1: DenyCustomerBucket
This policy shows an Allow and a Deny for the same service. The first statement grants every S3 action on every resource; the second explicitly denies every S3 action on the customer bucket and the objects in it. Because an explicit Deny always overrides an Allow, the principal can use S3 everywhere except that bucket, no matter how broad the Allow statement is.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullAccess",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["*"]
        },
        {
            "Sid": "DenyCustomerBucket",
            "Action": ["s3:*"],
            "Effect": "Deny",
            "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]
        }
    ]
}
[Screenshot: DenyCustomerBucket policy summary]
[Screenshot: DenyCustomerBucket S3 (Explicit deny) service summary]
[Screenshot: GetObject (Read) action summary]
Policy 2: DynamoDbRowCognitoID
This policy provides row-level access to Amazon DynamoDB based on the user's Amazon Cognito ID. The condition compares dynamodb:LeadingKeys, the partition key value of each item a request touches, with the caller's Cognito identity ID, which IAM substitutes for the ${cognito-identity.amazonaws.com:sub} policy variable at evaluation time. Each identity can therefore read and write only items whose partition key is its own ID. ForAllValues requires every partition key in the request to match, which matters for operations that touch several items at once.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-west-1:123456789012:table/myDynamoTable"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}
[Screenshot: DynamoDbRowCognitoID policy summary]
[Screenshot: DynamoDbRowCognitoID DynamoDB (Allow) service summary]
[Screenshot: GetItem (Read) action summary]
Policy 3: MultipleResourceCondition
This policy includes multiple resources and conditions. Each statement's condition applies only to that statement's own resource: uploads to Apple_bucket are allowed only when the request sets the public-read canned ACL, and uploads to Orange_bucket only when both condition keys match, because every key in a single Condition block must be satisfied.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": ["arn:aws:s3:::Apple_bucket/*"],
            "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": ["arn:aws:s3:::Orange_bucket/*"],
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": ["custom"],
                "s3:x-amz-grant-full-control": ["1234"]
            }}
        }
    ]
}
[Screenshot: MultipleResourceCondition policy summary]
[Screenshot: MultipleResourceCondition S3 (Allow) service summary]
[Screenshot: PutObject (Write) action summary]
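To see how IAM combines the statements of Policies 1 to 3 above, here is a small evaluator, added as an example for this page; it is not AWS code and not the IAM engine. It models only what these three policies need: wildcard Action/Resource matching, an explicit Deny overriding an Allow, ${...} policy-variable substitution, and the StringEquals and ForAllValues:StringEquals operators. The request-context dictionary, the 'explicit-deny' / 'allow' / 'implicit-deny' result strings, and treating an unresolvable policy variable as a non-match are this example's own assumptions; SCPs, resource policies, permissions boundaries and session policies are not modelled.

```python
import re
from typing import Any, Dict, List, Optional, Union

Policy = Dict[str, Any]
TABLE = "arn:aws:dynamodb:us-west-1:123456789012:table/myDynamoTable"

# Policies 1 to 3 from this page, copied verbatim.
DENY_CUSTOMER_BUCKET: Policy = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FullAccess", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
    {"Sid": "DenyCustomerBucket", "Action": ["s3:*"], "Effect": "Deny",
     "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]}]}

DYNAMODB_ROW_COGNITO: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["dynamodb:DeleteItem", "dynamodb:GetItem",
                "dynamodb:PutItem", "dynamodb:UpdateItem"],
     "Resource": [TABLE],
     "Condition": {"ForAllValues:StringEquals": {
         "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]}}}]}

MULTI_RESOURCE_CONDITION: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": ["arn:aws:s3:::Apple_bucket/*"],
     "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": ["arn:aws:s3:::Orange_bucket/*"],
     "Condition": {"StringEquals": {"s3:x-amz-acl": ["custom"],
                                    "s3:x-amz-grant-full-control": ["1234"]}}}]}


def _as_list(v: Union[str, List[str]]) -> List[str]:
    return v if isinstance(v, list) else [v]


def _glob(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style match: '*' is any run of characters, '?' exactly one."""
    rx = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(rx, value, re.IGNORECASE if ignore_case else 0) is not None


def _substitute(text: str, ctx: Dict[str, Any]) -> Optional[str]:
    """Expand ${key} policy variables from the request context.
    Assumption of this model: an unresolvable variable makes the value
    unmatchable, so the statement simply does not apply."""
    missing = False

    def repl(m):
        nonlocal missing
        val = ctx.get(m.group(1))
        if not isinstance(val, str):
            missing = True
            return ""
        return val

    out = re.sub(r"\$\{([^}]+)\}", repl, text)
    return None if missing else out


def _condition_ok(block: Dict[str, Any], ctx: Dict[str, Any]) -> bool:
    for operator, pairs in block.items():
        set_op, _, op = operator.rpartition(":")
        if op != "StringEquals" or set_op not in ("", "ForAllValues"):
            raise NotImplementedError(f"{operator} is outside this example")
        for key, wanted in pairs.items():
            allowed = [_substitute(w, ctx) for w in _as_list(wanted)]
            present = _as_list(ctx[key]) if key in ctx else []
            if set_op == "ForAllValues":
                # Every value in the request must be allowed.  A request with
                # no value for the key passes vacuously, which is why AWS
                # warns against ForAllValues on its own in an Allow statement.
                if not all(v in allowed for v in present):
                    return False
            elif len(present) != 1 or present[0] not in allowed:
                return False  # single-valued: key must exist and match once
    return True


def evaluate(policy: Policy, action: str, resource: str,
             ctx: Optional[Dict[str, Any]] = None) -> str:
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request
    against a single identity-based policy."""
    ctx = ctx or {}
    effects = set()
    for st in policy["Statement"]:
        if not any(_glob(a, action, True) for a in _as_list(st["Action"])):
            continue
        arns = [_substitute(r, ctx) for r in _as_list(st["Resource"])]
        if not any(r is not None and _glob(r, resource, False) for r in arns):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        effects.add(st["Effect"])
    if "Deny" in effects:  # an explicit Deny always wins over any Allow
        return "explicit-deny"
    return "allow" if "Allow" in effects else "implicit-deny"
```

With Policy 1, `evaluate(DENY_CUSTOMER_BUCKET, "s3:GetObject", "arn:aws:s3:::customer/a.txt")` returns 'explicit-deny' even though the FullAccess statement matches too, while an object in a bucket merely named customer-archive is allowed, because the Deny patterns match the exact bucket ARN and its object prefix only. With Policy 2, a request whose LeadingKeys set contains any partition key other than the caller's own sub is not allowed; a request context that carries no dynamodb:LeadingKeys value at all still passes the ForAllValues check, which is the vacuous-truth caveat to keep in mind whenever ForAllValues appears in an Allow statement.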
Policy 4: EC2_Troubleshoot
The following policy allows users to get a screenshot of a running Amazon EC2 instance, which can help when troubleshooting EC2. The policy also allows listing the contents of the Amazon S3 developer bucket. Note that s3:ListBucket on the bucket ARN lets the user enumerate object keys but grants no access to the objects themselves; reading them would additionally require s3:GetObject on arn:aws:s3:::developer/*.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:GetConsoleScreenshot"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::developer"
            ]
        }
    ]
}
[Screenshot: EC2_Troubleshoot policy summary]
[Screenshot: EC2_Troubleshoot S3 (Allow) service summary]
[Screenshot: ListBucket (List) action summary]
Policy 5: CodeBuild_CodeCommit_CodeDeploy
This policy provides access to specific CodeBuild, CodeCommit, and CodeDeploy resources. Because each of these resources belongs to one service, it appears only with the matching service in the summary. If you include a resource that does not match any of the services in the Action element, that resource appears in every action summary.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1487980617000",
            "Effect": "Allow",
            "Action": [
                "codebuild:*",
                "codecommit:*",
                "codedeploy:*"
            ],
            "Resource": [
                "arn:aws:codebuild:us-east-2:123456789012:project/my-demo-project",
                "arn:aws:codecommit:us-east-2:123456789012:MyDemoRepo",
                "arn:aws:codedeploy:us-east-2:123456789012:application:WordPress_App",
                "arn:aws:codedeploy:us-east-2:123456789012:instance/AssetTag*"
            ]
        }
    ]
}
[Screenshot: CodeBuild_CodeCommit_CodeDeploy policy summary]
[Screenshot: CodeBuild_CodeCommit_CodeDeploy CodeBuild (Allow) service summary]
[Screenshot: CodeBuild_CodeCommit_CodeDeploy StartBuild (Write) action summary]
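The resource-grouping rule described for Policy 5 is easy to check mechanically. The script below is an added example, not AWS code and not the console's summary generator: it groups a policy by service, matches each resource ARN to the services named in the statement's Action element, and lists an unmatched resource (a bare "*" or an ARN for a service the statement has no action for) under every service, as the page says the console does. The summary dictionary layout, the full_access flag, the with_extra_resource helper and the constructed arn:aws:s3:::build-logs/* ARN used to demonstrate the unmatched case are this example's own.

```python
import copy
from typing import Any, Dict, List, Union

# Policy 5 from this page, copied verbatim.
CODEBUILD_CODECOMMIT_CODEDEPLOY: Dict[str, Any] = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Stmt1487980617000", "Effect": "Allow",
     "Action": ["codebuild:*", "codecommit:*", "codedeploy:*"],
     "Resource": [
         "arn:aws:codebuild:us-east-2:123456789012:project/my-demo-project",
         "arn:aws:codecommit:us-east-2:123456789012:MyDemoRepo",
         "arn:aws:codedeploy:us-east-2:123456789012:application:WordPress_App",
         "arn:aws:codedeploy:us-east-2:123456789012:instance/AssetTag*"]}]}


def _as_list(v: Union[str, List[str]]) -> List[str]:
    return v if isinstance(v, list) else [v]


def service_of_action(action: str) -> str:
    """'codebuild:StartBuild' -> 'codebuild'; a bare '*' stays '*'."""
    return action.split(":", 1)[0].lower()


def service_of_arn(arn: str) -> str:
    """arn:partition:service:region:account:resource -> service; '*' stays '*'."""
    parts = arn.split(":", 5)
    return parts[2].lower() if len(parts) > 2 else arn


def summarize(policy: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Group a policy by service the way the console's policy summary does.

    Rule from this page: a resource whose ARN belongs to one of the services
    named in the statement's Action element is listed only under that
    service; a resource that matches none of them is listed under every one.
    """
    summary: Dict[str, Dict[str, Any]] = {}
    for st in policy["Statement"]:
        actions = _as_list(st["Action"])
        services = sorted({service_of_action(a) for a in actions})
        for svc in services:
            entry = summary.setdefault(svc, {"effects": set(), "actions": [],
                                             "full_access": False, "resources": []})
            entry["effects"].add(st["Effect"])
            for a in actions:
                if service_of_action(a) == svc:
                    entry["actions"].append(a)
                    if a.endswith(":*"):  # 'svc:*' is what the console calls Full access
                        entry["full_access"] = True
            for arn in _as_list(st["Resource"]):
                owner = service_of_arn(arn)
                if (owner == svc or owner not in services) and arn not in entry["resources"]:
                    entry["resources"].append(arn)
    return summary


def with_extra_resource(policy: Dict[str, Any], arn: str) -> Dict[str, Any]:
    """Copy of the policy with one more resource on its first statement."""
    p = copy.deepcopy(policy)
    p["Statement"][0]["Resource"] = _as_list(p["Statement"][0]["Resource"]) + [arn]
    return p


def render(summary: Dict[str, Dict[str, Any]]) -> str:
    """One line per service, then its resources, roughly like the console view."""
    lines = []
    for svc, e in sorted(summary.items()):
        access = "Full access" if e["full_access"] else ", ".join(e["actions"])
        lines.append(f"{svc} ({'/'.join(sorted(e['effects']))}): {access}")
        lines.extend(f"    {r}" for r in e["resources"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(CODEBUILD_CODECOMMIT_CODEDEPLOY)))
    print()
    # Constructed foreign ARN: no s3 action in the statement, so it shows under all three services.
    print(render(summarize(with_extra_resource(CODEBUILD_CODECOMMIT_CODEDEPLOY, "arn:aws:s3:::build-logs/*"))))
```

Running the script prints each service with Full access (the `codebuild:*`-style wildcards) and only its own ARNs; after the constructed S3 ARN is added to the same statement it is repeated under codebuild, codecommit and codedeploy, which is a reminder that a stray resource in a multi-service statement does not narrow anything and is simply carried along.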