策略摘要示例 - Amazon Identity and Access Management
策略 1:DenyCustomerBucket策略2:DynamoDbRowCognitoID 策略 3:MultipleResourceCondition策略 4:EC2_troubleshoot策略 5:CodeBuild_CodeCommit_CodeDeploy
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

策略摘要示例

以下示例包括 JSON 策略及其关联的策略摘要服务摘要操作摘要,可帮助您了解通过策略授予的权限。

策略 1:DenyCustomerBucket

此策略展示对同一项服务的允许和拒绝。

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "FullAccess",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["*"]
        },
        {
            "Sid": "DenyCustomerBucket",
            "Action": ["s3:*"],
            "Effect": "Deny",
            "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*" ]
        }
    ]
}

DenyCustomerBucket 策略摘要:

“Policy summary (策略摘要)”对话框图像

DenyCustomerBucket S3 (Explicit deny) 服务摘要:

“Service summary (服务摘要)”对话框图像

GetObject (Read) 操作摘要:

“Action summary (操作摘要)”对话框图像

策略2:DynamoDbRowCognitoID

该策略基于用户的 Amazon Cognito ID 提供对 Amazon DynamoDB 的行级别访问权限。

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-west-1:123456789012:table/myDynamoTable"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

DynamoDbRowCognitoID 策略摘要:

“Policy summary (策略摘要)”对话框图像

DynamoDbRowCognitoID DynamoDB (允许) 服务摘要:

“Service summary (服务摘要)”对话框图像

GetItem (List) 操作摘要:

“Action summary (操作摘要)”对话框图像

策略 3:MultipleResourceCondition

此策略包括多个资源和条件。

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": ["arn:aws:s3:::Apple_bucket/*"],
            "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": ["arn:aws:s3:::Orange_bucket/*"],
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": ["custom"],
                "s3:x-amz-grant-full-control": ["1234"]
            }}
        }
    ]
}

MultipleResourceCondition 策略摘要:

“Policy summary (策略摘要)”对话框图像

MultipleResourceCondition S3 (允许) 服务摘要:

“Service summary (服务摘要)”对话框图像

PutObject (Write) 操作摘要:

“Action summary (操作摘要)”对话框图像

策略 4:EC2_troubleshoot

以下策略允许用户获取正在运行的 Amazon EC2 实例的截图,这可以帮助排查 EC2 故障。该策略还允许查看有关 Amazon S3 开发人员存储桶中的项目的信息。

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:GetConsoleScreenshot"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::developer"
            ]
        }
    ]
}

EC2_Troubleshoot 策略摘要:

“Policy summary (策略摘要)”对话框图像

EC2_Troubleshoot S3 (允许) 服务摘要:

“Service summary (服务摘要)”对话框图像

ListBucket (List) 操作摘要:

“Action summary (操作摘要)”对话框图像

策略 5:CodeBuild_CodeCommit_CodeDeploy

此策略提供对特定 CodeBuild、CodeCommit 和 CodeDeploy 资源的访问。由于这些资源特定于每个服务,因此它们只与匹配的服务一起出现。如果您包含的资源与 Action 元素中的任何服务均不匹配,则该资源将出现在所有操作摘要中。

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "Stmt1487980617000",
            "Effect": "Allow",
            "Action": [
                "codebuild:*",
                "codecommit:*",
                "codedeploy:*"
            ],
            "Resource": [
                "arn:aws:codebuild:us-east-2:123456789012:project/my-demo-project",
                "arn:aws:codecommit:us-east-2:123456789012:MyDemoRepo",
                "arn:aws:codedeploy:us-east-2:123456789012:application:WordPress_App",
                "arn:aws:codedeploy:us-east-2:123456789012:instance/AssetTag*"
            ]
        }
    ]
}

CodeBuild_CodeCommit_CodeDeploy 策略摘要:

“Policy summary (策略摘要)”对话框图像

CodeBuild_CodeCommit_CodeDeploy CodeBuild (Allow) 服务摘要:

“Service summary (服务摘要)”对话框图像

CodeBuild_CodeCommit_CodeDeploy StartBuild (Write) 操作摘要:

“Action summary (操作摘要)”对话框图像