本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
使用條件索引鍵
您可以指定條件,以決定 IAM 政策的生效方式。在中 ElastiCache,您可以使用 JSON 政策的Condition元素,將要求內容中的索引鍵與您在原則中指定的索引鍵值進行比較。如需詳細資訊,請參閱 IAM JSON 政策元素:Condition。
若要查看 ElastiCache 條件金鑰清單,請參閱服務授權參考 ElastiCache中的 Amazon 條件金鑰。
如需全域條件索引鍵的清單,請參閱 AWS 全域條件內容索引鍵。
指定條件:使用條件金鑰
若要實作精細的控制機制,您可以撰寫 IAM 許可政策,指定條件來控制特定請求上的一組個別參數。您接著將政策套用至使用 IAM 主控台所建立的 IAM 使用者、群組或角色。
若要套用條件,請將條件資訊新增至 IAM 政策陳述式。在下列範例中,您會指定建立的任何自行設計快取叢集都將屬於節點類型 cache.r5.large 的條件。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:CacheNodeType": [ "cache.r5.large" ] } } } ] }
如需詳細資訊,請參閱標籤型存取控制政策範例。
如需使用政策條件運算子的詳細資訊,請參閱「ElastiCache API 權限:動作、資源和條件參考」。
範例政策:使用條件進行精細參數控制
本節顯示在先前列出的 ElastiCache 參數上實作精細存取控制的範例原則。
彈性:MaximumDataStorage: 指定無伺服器快取的最大資料儲存空間。使用提供的條件,客戶就無法建立可儲存超過特定資料量的快取。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "NumericLessThanEquals": { "elasticache:MaximumDataStorage": "30" }, "StringEquals": { "elasticache:DataStorageUnit": "GB" } } } ] }彈性:最大 CPU PerSecond:指定無伺服器快取的每秒最大 ECPU 值。使用提供的條件,客戶就無法建立可執行超過每秒特定 ECPU 數量的快取。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "NumericLessThanEquals": { "elasticache:MaximumECPUPerSecond": "100000" } } } ] }彈性疼痛:CacheNodeType: 指定使用者可以建立哪些 NodeType項目。使用提供的條件,客戶可以指定節點類型的單一值或範圍值。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:CacheNodeType": [ "cache.t2.micro", "cache.t2.medium" ] } } } ] }彈性NumNodeGroups:建立節點群組少於 20 個的複製群組。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "NumericLessThanEquals": { "elasticache:NumNodeGroups": "20" } } } ] }彈性疼痛ReplicasPerNodeGroup:指定 5 到 10 之間每個節點的複本。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "NumericGreaterThanEquals": { "elasticache:ReplicasPerNodeGroup": "5" }, "NumericLessThanEquals": { "elasticache:ReplicasPerNodeGroup": "10" } } } ] }彈性疼痛:EngineVersion: 指定引擎版本 5.0.6 的用法。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:EngineVersion": "5.0.6" } } } ] }彈性疼痛:EngineType: 僅使用 Redis OSS 引擎來指定。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:EngineType": "redis" } } } ] }彈性:AtRestEncryptionEnabled:指定僅在啟用加密的情況下建立複製群組。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:AtRestEncryptionEnabled": "true" } } } ] }-
彈性痛:TransitEncryptionEnabled
-
將CreateReplicationGroup動作的
elasticache:TransitEncryptionEnabled條件索引鍵設定false為,以指定只有在未使用 TLS 時才能建立複寫群組:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:TransitEncryptionEnabled": "false" } } } ] }在CreateReplicationGroup動作的原則
false中將elasticache:TransitEncryptionEnabled條件CreateReplicationGroup索引鍵設定為時,只有在未使用 TLS 時才允許要求 (也就是說,如果要求未包含設定為的TransitEncryptionEnabled參數true或TransitEncryptionMode參數設定為required。 -
將
elasticache:TransitEncryptionEnabledconditon 金鑰設定true為,以指CreateReplicationGroup定只有在使用 TLS 時才能建立複寫群組:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:TransitEncryptionEnabled": "true" } } } ] }當CreateReplicationGroup動作的原則
true中將elasticache:TransitEncryptionEnabled條件索引鍵設定為時,只有在CreateReplicationGroup要求包含設定為的參數true且TransitEncryptionEnabled參數設定為時,才允許要求required。TransitEncryptionMode -
針對
ModifyReplicationGroup動作設定elasticache:TransitEncryptionEnabled為true,以指定只有在使用 TLS 時,才能修改複寫群組:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:ModifyReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "BoolIfExists": { "elasticache:TransitEncryptionEnabled": "true" } } } ] }當ModifyReplicationGroup動作的原則
true中將elasticache:TransitEncryptionEnabled條件索引鍵設定為時,只有在ModifyReplicationGroup要求包含設定為的TransitEncryptionMode參數時,才允許要求required。設為true的TransitEncryptionEnabled參數也可以選擇性包含在內,但在這種情況下啟用 TLS 不需要。
-
-
彈性:AutomaticFailoverEnabled:指定僅在啟用自動容錯移轉的情況下建立複製群組。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:AutomaticFailoverEnabled": "true" } } } ] } elasticache:MultiAZEnabled:指定在停用異地同步備份的情況下無法建立複寫群組。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Deny", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:MultiAZEnabled": "false" } } } ] }彈性ClusterModeEnabled:指定複製群組只能在啟用叢集模式的情況下建立。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:ClusterModeEnabled": "true" } } } ] }彈性:AuthTokenEnabled: 指定只能在啟用 AUTH 權杖的情況下建立複寫群組。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "Bool": { "elasticache:AuthTokenEnabled": "true" } } } ] }彈性疼痛:SnapshotRetentionLimit: 指定保留快照的天數 (或最小/最大)。以下政策強制存放備份至少 30 天。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup", "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*", "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "NumericGreaterThanEquals": { "elasticache:SnapshotRetentionLimit": "30" } } } ] }彈性:KmsKeyId: 指定客戶管理的 AWS KMS 金鑰的使用方式。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "StringEquals": { "elasticache:KmsKeyId": "my-key" } } } ] }elasticache:CacheParameterGroupName: 使用叢集上組織的特定參數來指定非預設參數群組。您也可以為參數群組指定命名模式,或阻止刪除特定參數群組名稱。以下是限制使用「my-org-param-group」的範例。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*", "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "StringEquals": { "elasticache:CacheParameterGroupName": "my-org-param-group" } } } ] }-
彈性疼痛CreateCacheCluster:如果請求標記
Project丟失或不等於或,則拒絕CreateCacheCluster操作Dev。QAProd{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*", "arn:aws:elasticache:*:*:securitygroup:*", "arn:aws:elasticache:*:*:replicationgroup:*" ] }, { "Effect": "Deny", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "Null": { "aws:RequestTag/Project": "true" } } }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:AddTagsToResource" ], "Resource": "arn:aws:elasticache:*:*:cluster:*", "Condition": { "StringEquals": { "aws:RequestTag/Project": [ "Dev", "Prod", "QA" ] } } } ] } 彈性疼痛:CacheNodeType: 允許使
CreateCacheCluster用cacheNodeType緩存 .r5. 大或緩存 .r6g.4XL 和標籤。Project=XYZ{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:CreateReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "StringEqualsIfExists": { "elasticache:CacheNodeType": [ "cache.r5.large", "cache.r6g.4xlarge" ] }, "StringEquals": { "aws:RequestTag/Project": "XYZ" } } } ] }
注意
建立同時強制執行標籤和其他條件索引鍵的政策時,因為具有 --tags 參數的建立請求需要額外的 elasticache:AddTagsToResource 政策,IfExists 條件可能需要條件索引鍵元素。
