Policy summary examples - AWS Identity and Access Management

Policy summary examples

The following examples each include a JSON policy together with its associated policy summary, service summary, and action summary, to help you understand the permissions a policy grants.

Policy 1: DenyCustomerBucket

This policy demonstrates an Allow and a Deny for the same service.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FullAccess",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "DenyCustomerBucket",
      "Action": ["s3:*"],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::customer",
        "arn:aws:s3:::customer/*"
      ]
    }
  ]
}

DenyCustomerBucket policy summary:

[Image: "Policy summary" dialog]

DenyCustomerBucket S3 (Explicit deny) service summary:

[Image: "Service summary" dialog]

GetObject (Read) action summary:

[Image: "Action summary" dialog]

Policy 2: DynamoDbRowCognitoID

This policy provides row-level access to Amazon DynamoDB based on the user's Amazon Cognito ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-west-1:123456789012:table/myDynamoTable"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${cognito-identity.amazonaws.com:sub}"
          ]
        }
      }
    }
  ]
}

DynamoDbRowCognitoID policy summary:

[Image: "Policy summary" dialog]

DynamoDbRowCognitoID DynamoDB (Allow) service summary:

[Image: "Service summary" dialog]

GetItem (List) action summary:

[Image: "Action summary" dialog]
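Policies 1 and 2 above show the two evaluation rules that the console summaries reflect: an explicit Deny on the same service overrides the broad Allow (the "Explicit deny" label in the S3 service summary), and a Condition restricts the Allow to rows whose partition key equals the caller's Cognito identity. The following Python evaluator is an added example, not code from the page or from AWS; it embeds both policies and models only the pieces they use (wildcard Action/Resource matching, StringEquals and ForAllValues:StringEquals, and ${...} policy-variable substitution). NotAction, NotResource, Principal and other condition operators are deliberately not modelled, and the request-context values are constructed sample data.

```python
import json
import re

# Policies 1 and 2 from the page, embedded so the example runs offline.
DENY_CUSTOMER_BUCKET = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "FullAccess", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"] },
  { "Sid": "DenyCustomerBucket", "Action": ["s3:*"], "Effect": "Deny",
    "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"] } ] }
""")

DYNAMODB_ROW_COGNITO_ID = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow",
    "Action": ["dynamodb:DeleteItem", "dynamodb:GetItem",
               "dynamodb:PutItem", "dynamodb:UpdateItem"],
    "Resource": ["arn:aws:dynamodb:us-west-1:123456789012:table/myDynamoTable"],
    "Condition": { "ForAllValues:StringEquals": {
      "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"] } } } ] }
""")


def _as_list(value):
    # IAM lets Action/Resource/condition values be a string or a list.
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    # IAM treats '*' (any run) and '?' (one character) as the only metacharacters;
    # everything else is literal. Action names match case-insensitively.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags=flags) is not None


def _substitute(value, context):
    # Expand policy variables such as ${cognito-identity.amazonaws.com:sub} from the
    # request context (string values); unknown variables are left untouched.
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), value)


def _condition_holds(condition, context):
    # Only the operators needed for the page's policies are modelled (assumption).
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [_substitute(v, context) for v in _as_list(expected)]
            actual = _as_list(context.get(key, []))
            if operator == "StringEquals":
                if len(actual) != 1 or actual[0] not in expected:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Every value the request carries for the key must be in the allowed set;
                # vacuously true when the key is absent from the request.
                if any(a not in expected for a in actual):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request against one identity policy.

    Follows the IAM rule that an explicit Deny in any matching statement wins over every
    Allow, and that a request matching no statement is implicitly denied.
    """
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(p, action, True) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wildcard_match(p, resource, False) for p in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny: no later Allow can override it
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed sample request context: the caller's Cognito subject and the
    # partition-key values of the items the DynamoDB request touches.
    me = "us-west-1:11111111-2222-3333-4444-555555555555"
    ctx = {"cognito-identity.amazonaws.com:sub": me, "dynamodb:LeadingKeys": [me]}
    table = "arn:aws:dynamodb:us-west-1:123456789012:table/myDynamoTable"
    print(evaluate(DENY_CUSTOMER_BUCKET, "s3:GetObject", "arn:aws:s3:::customer/report.csv"))
    print(evaluate(DENY_CUSTOMER_BUCKET, "s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"))
    print(evaluate(DYNAMODB_ROW_COGNITO_ID, "dynamodb:GetItem", table, ctx))
```

Running the script prints Deny, Allow and Allow in that order: the customer bucket is reachable through the s3:* Allow but the explicit Deny wins, any other bucket is allowed, and a GetItem whose partition key equals the caller's own Cognito subject passes the condition. Changing the LeadingKeys value to another user's subject turns the last result into ImplicitDeny, which is exactly the row-level isolation Policy 2 is meant to enforce.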

Policy 3: MultipleResourceCondition

This policy includes multiple resources and conditions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": ["arn:aws:s3:::Apple_bucket/*"],
      "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": ["arn:aws:s3:::Orange_bucket/*"],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": ["custom"],
          "s3:x-amz-grant-full-control": ["1234"]
        }
      }
    }
  ]
}

MultipleResourceCondition policy summary:

[Image: "Policy summary" dialog]

MultipleResourceCondition S3 (Allow) service summary:

[Image: "Service summary" dialog]

PutObject (Write) action summary:

[Image: "Action summary" dialog]

Policy 4: EC2_troubleshoot

The following policy allows users to get a screenshot of a running Amazon EC2 instance, which can help with EC2 troubleshooting. The policy also allows viewing information about the items in an Amazon S3 developer bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:GetConsoleScreenshot"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::developer"
      ]
    }
  ]
}

EC2_Troubleshoot policy summary:

[Image: "Policy summary" dialog]

EC2_Troubleshoot S3 (Allow) service summary:

[Image: "Service summary" dialog]

ListBucket (List) action summary:

[Image: "Action summary" dialog]

Policy 5: CodeBuild_CodeCommit_CodeDeploy

This policy provides access to specific CodeBuild, CodeCommit, and CodeDeploy resources. Because these resources are specific to each service, they appear only with the matching service. If you include a resource that does not match any of the services in the Action element, that resource appears in every action summary.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1487980617000",
      "Effect": "Allow",
      "Action": [
        "codebuild:*",
        "codecommit:*",
        "codedeploy:*"
      ],
      "Resource": [
        "arn:aws:codebuild:us-east-2:123456789012:project/my-demo-project",
        "arn:aws:codecommit:us-east-2:123456789012:MyDemoRepo",
        "arn:aws:codedeploy:us-east-2:123456789012:application:WordPress_App",
        "arn:aws:codedeploy:us-east-2:123456789012:instance/AssetTag*"
      ]
    }
  ]
}

CodeBuild_CodeCommit_CodeDeploy policy summary:

[Image: "Policy summary" dialog]

CodeBuild_CodeCommit_CodeDeploy CodeBuild (Allow) service summary:

[Image: "Service summary" dialog]

CodeBuild_CodeCommit_CodeDeploy StartBuild (Write) action summary:

[Image: "Action summary" dialog]
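The point made for Policy 5 (a resource is listed under the service its ARN names when that service appears in the statement's actions; otherwise it is listed under every service) is easy to check offline by building the same per-service view the console shows. The following Python summarizer is an added example, not the page's or AWS's own code; it embeds Policy 5, derives the service from the action prefix and from the third ARN field, and labels a service "Explicit deny" when any Deny statement names it, mirroring the service-summary label seen for Policy 1. The second policy in the block, with an S3 resource attached to CodeBuild and CodeCommit actions, is a constructed mismatch case that illustrates the page's "appears in every action summary" rule.

```python
import json
from collections import defaultdict

# Policy 5 from the page, embedded so the example runs offline.
CODE_SERVICES_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "Stmt1487980617000", "Effect": "Allow",
    "Action": ["codebuild:*", "codecommit:*", "codedeploy:*"],
    "Resource": [
      "arn:aws:codebuild:us-east-2:123456789012:project/my-demo-project",
      "arn:aws:codecommit:us-east-2:123456789012:MyDemoRepo",
      "arn:aws:codedeploy:us-east-2:123456789012:application:WordPress_App",
      "arn:aws:codedeploy:us-east-2:123456789012:instance/AssetTag*" ] } ] }
""")

# Constructed example (not from the page): an S3 ARN that matches none of the
# statement's action services, so it should be attached to every service.
MISMATCHED_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["codebuild:StartBuild", "codecommit:GitPull"],
            "Resource": ["arn:aws:s3:::example-artifacts/*"],
        }
    ],
}


def _as_list(value):
    # IAM lets Action and Resource be a single string or a list.
    return value if isinstance(value, list) else [value]


def service_of_action(action):
    """'codebuild:StartBuild' -> 'codebuild'; a bare '*' action spans every service."""
    return "*" if action.strip() == "*" else action.split(":", 1)[0].lower()


def service_of_resource(arn):
    """The third ARN field names the service: arn:aws:codedeploy:... -> 'codedeploy'.
    Returns None for '*' or anything that is not an ARN."""
    parts = arn.split(":")
    if not arn.startswith("arn:") or len(parts) < 3:
        return None
    return parts[2].lower()


def summarize(policy):
    """Build a service-summary-like view: service -> label, allowed/denied actions, resources."""
    summary = defaultdict(lambda: {"allow": set(), "deny": set(), "resources": set()})
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        effect_key = "allow" if stmt.get("Effect") == "Allow" else "deny"
        services = {service_of_action(a) for a in actions}
        for action in actions:
            summary[service_of_action(action)][effect_key].add(action)
        for resource in _as_list(stmt.get("Resource", [])):
            owner = service_of_resource(resource)
            # A resource lands only under its own service when that service is among the
            # statement's actions; otherwise (including '*') it lands under all of them.
            targets = [owner] if owner in services else services
            for svc in targets:
                summary[svc]["resources"].add(resource)
    return {
        svc: {
            "label": "Explicit deny" if cols["deny"] else "Allow",
            "allow": sorted(cols["allow"]),
            "deny": sorted(cols["deny"]),
            "resources": sorted(cols["resources"]),
        }
        for svc, cols in summary.items()
    }


if __name__ == "__main__":
    for name, policy in (("Policy 5", CODE_SERVICES_POLICY),
                         ("mismatch", MISMATCHED_RESOURCE_POLICY)):
        print(name)
        for svc, cols in sorted(summarize(policy).items()):
            print(f"  {svc} ({cols['label']}): resources={cols['resources']}")
```

For Policy 5 the output lists one resource under codebuild, one under codecommit and two under codedeploy, matching the page's description; for the constructed mismatch policy the single S3 ARN is printed under both codebuild and codecommit. Reviewing a policy this way before attaching it surfaces the common mistake the page warns about, a resource that silently applies to every action because its service does not match any of them.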