Resource-based policy examples for S3 Vectors
Note
Amazon S3 Vectors for Amazon Simple Storage Service is in preview release and is subject to change.
A resource-based policy is attached to a resource. You can create resource-based policies for vector buckets. Resource-based policies for S3 Vectors use the standard AWS policy format (JSON), and you attach them directly to a vector bucket to control access to the bucket and its contents.
Unlike identity-based policies, which are attached to users, groups, or roles, resource-based policies are attached to the resource itself (the vector bucket) and can grant permissions to principals in other AWS accounts. This makes them well suited to scenarios where vector data must be shared across organizational boundaries, or where fine-grained access control is needed based on the specific resource being accessed.
Resource-based policies are evaluated together with identity-based policies, and the effective permissions are determined by the union of all applicable policies. This means that the permission a principal needs to perform an action should come from both an identity-based policy (attached to its user or role) and a resource-based policy (attached to the bucket), unless the resource-based policy explicitly grants the permission.
Example 1: Cross-account access policy
This policy shows how to grant specific permissions to a user from a different AWS account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossAccountBucketAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/Admin"
      },
      "Action": [
        "s3vectors:CreateIndex",
        "s3vectors:ListIndexes",
        "s3vectors:QueryVectors",
        "s3vectors:PutVectors",
        "s3vectors:DeleteIndex"
      ],
      "Resource": [
        "arn:aws:s3vectors:aws-region:111122223333:bucket/amzn-s3-demo-vector-bucket/*",
        "arn:aws:s3vectors:aws-region:111122223333:bucket/amzn-s3-demo-vector-bucket"
      ]
    }
  ]
}
Example 2: Deny vector-index-level actions
This policy shows how to deny an IAM role specific vector-index-level actions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIndexLevelActions",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/External-Role-Name"
      },
      "Action": [
        "s3vectors:QueryVectors",
        "s3vectors:PutVectors",
        "s3vectors:DeleteIndex",
        "s3vectors:GetVectors",
        "s3vectors:GetIndex",
        "s3vectors:DeleteVectors",
        "s3vectors:CreateIndex",
        "s3vectors:ListVectors"
      ],
      "Resource": "arn:aws:s3vectors:aws-region:111122223333:bucket/amzn-s3-demo-vector-bucket/*"
    }
  ]
}
Example 3: Deny modification actions at both the vector index and bucket levels
This policy shows how to deny modification requests at both the vector index level and the bucket level by specifying multiple resources:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyModificationActionsAtBucketandIndexLevels",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/External-Role-Name"
      },
      "Action": [
        "s3vectors:CreateVectorBucket",
        "s3vectors:DeleteVectorBucket",
        "s3vectors:PutVectorBucketPolicy",
        "s3vectors:DeleteVectorBucketPolicy",
        "s3vectors:CreateIndex",
        "s3vectors:DeleteIndex",
        "s3vectors:PutVectors",
        "s3vectors:DeleteVectors"
      ],
      "Resource": [
        "arn:aws:s3vectors:aws-region:111122223333:bucket/amzn-s3-demo-vector-bucket/*",
        "arn:aws:s3vectors:aws-region:111122223333:bucket/amzn-s3-demo-vector-bucket"
      ]
    }
  ]
}
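The following added example (not part of the AWS documentation or any AWS SDK) models how the combined evaluation described above plays out for Example 2: an explicit Deny in the vector bucket policy overrides an Allow that the role's own identity-based policy would otherwise provide, while bucket-level actions outside the Deny still succeed. The identity-based policy, the `bucket/<name>/index/<index-name>` form of the index ARN, and the wildcard matching via `fnmatch` are assumptions made for the illustration.

```python
import fnmatch
import json

# Example 2 from this page, assembled here as a constructed sample: an explicit
# Deny on index-level actions for one external role (action list shortened).
DENY_INDEX_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyIndexLevelActions",
    "Effect": "Deny",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/External-Role-Name"},
    "Action": ["s3vectors:QueryVectors", "s3vectors:PutVectors", "s3vectors:DeleteIndex"],
    "Resource": "arn:aws:s3vectors:aws-region:111122223333:bucket/amzn-s3-demo-vector-bucket/*"
  }]
}""")

# Constructed identity-based policy attached to that role (an assumption): on its
# own it would allow every s3vectors action on the bucket and everything under it.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3vectors:*",
        "Resource": "arn:aws:s3vectors:aws-region:111122223333:bucket/amzn-s3-demo-vector-bucket*",
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, principal, action, resource):
    # Identity-based statements carry no Principal; resource-based ones must name the caller.
    spec = statement.get("Principal")
    if spec is not None and principal not in _as_list(spec.get("AWS", [])):
        return False
    return any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])) and any(
        fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"]))

def evaluate(policies, principal, action, resource):
    """Simplified IAM decision: an explicit Deny anywhere wins; otherwise an Allow from
    the union of identity-based and resource-based statements grants; else implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if _matches(statement, principal, action, resource):
                if statement["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision
```

Running `evaluate([IDENTITY_POLICY, DENY_INDEX_POLICY], role_arn, "s3vectors:QueryVectors", index_arn)` returns `"ExplicitDeny"`, whereas the same call for `s3vectors:ListIndexes` on the bucket ARN returns `"Allow"`, because the Deny resource `…/*` does not cover the bucket itself.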