本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
Amazon SES 中的身分政策範例
身分授權可讓您針對身分指定允許或拒絕 API 動作的細微條件。
指定委託人
委託人 (也就是您授予許可的實體) 可以是屬於同一帳戶的 AWS 帳戶、AWS Identity and Access Management (IAM) 使用者或 AWS 服務。
以下範例示範一個簡單的政策,允許 AWS ID 123456789012 從已驗證身分 example.com 傳送電子郵件 (該身分亦為 AWS 帳戶 123456789012 所擁有)。
{ "Id":"SampleAuthorizationPolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeMarketer", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:123456789012:identity/example.com", "Principal":{ "AWS":[ "123456789012" ] }, "Action":[ "ses:DeleteEmailIdentity", "ses:PutEmailIdentityDkimSigningAttributes" ] } ] }
以下範例政策將許可授予兩個使用者,以控制已驗證身分 example.com。使用者由他們的 Amazon Resource Name (ARN) 指定。
{ "Id":"ExampleAuthorizationPolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeIAMUser", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:123456789012:identity/example.com", "Principal":{ "AWS":[ "arn:aws:iam::123456789012:user/John", "arn:aws:iam::123456789012:user/Jane" ] }, "Action":[ "ses:DeleteEmailIdentity", "ses:PutEmailIdentityDkimSigningAttributes" ] } ] }
限制動作
根據您要授權的控制層級,有多個動作可以在身分授權政策中指定:
"BatchGetMetricData", "ListRecommendations", "CreateDeliverabilityTestReport", "CreateEmailIdentityPolicy", "DeleteEmailIdentity", "DeleteEmailIdentityPolicy", "GetDomainStatisticsReport", "GetEmailIdentity", "GetEmailIdentityPolicies", "PutEmailIdentityConfigurationSetAttributes", "PutEmailIdentityDkimAttributes", "PutEmailIdentityDkimSigningAttributes", "PutEmailIdentityFeedbackAttributes", "PutEmailIdentityMailFromAttributes", "TagResource", "UntagResource", "UpdateEmailIdentityPolicy"
身分授權政策也可以讓您將委託人限制為這些動作其中之一。
{ "Id":"ExamplePolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"ControlAction", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:123456789012:identity/example.com", "Principal":{ "AWS":[ "123456789012" ] }, "Action":[ "ses:PutEmailIdentityMailFromAttributes ] } ] }
使用多個陳述式
您的身分授權政策可以包含多個陳述式。以下範例政策有兩個陳述式。第一個陳述式拒絕兩個使用者在同一個帳戶 123456789012
內從 sender@example.com 存取 getemailidentity
。第二個聲明以 UpdateEmailIdentityPolicy
為由拒絕了同一帳戶 123456789012
內的委託人 Jack。
{ "Version":"2012-10-17", "Statement":[ { "Sid":"DenyGet", "Effect":"Deny", "Resource":"arn:aws:ses:us-east-1:123456789012:identity/sender@example.com", "Principal":{ "AWS":[ "arn:aws:iam::123456789012:user/John", "arn:aws:iam::123456789012:user/Jane" ] }, "Action":[ "ses:GetEmailIdentity" ] }, { "Sid":"DenyUpdate", "Effect":"Deny", "Resource":"arn:aws:ses:us-east-1:123456789012:identity/sender@example.com", "Principal":{ "AWS":"arn:aws:iam::123456789012:user/Jack" }, "Action":[ "ses:UpdateEmailIdentityPolicy" ] } ] }