This page is a machine translation of the English version; where the content is ambiguous or inconsistent, the English version prevails.
Identity policy examples in Amazon SES
Identity authorization lets you specify fine-grained conditions under which API actions are allowed or denied for an identity.
The following examples show how to write policies that control different aspects of API actions:
Specifying the principal
The principal is the entity to which you grant permissions. It can be an AWS account, an AWS Identity and Access Management (IAM) user, or an AWS service that belongs to the same account.
The following example shows a simple policy that allows AWS account ID 123456789012 to control the verified identity example.com, which is also owned by AWS account 123456789012.
{
  "Id":"SampleAuthorizationPolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AuthorizeMarketer",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:123456789012:identity/example.com",
      "Principal":{
        "AWS":[
          "123456789012"
        ]
      },
      "Action":[
        "ses:DeleteEmailIdentity",
        "ses:PutEmailIdentityDkimSigningAttributes"
      ]
    }
  ]
}
The following example policy grants two users permission to control the verified identity example.com. The users are specified by their Amazon Resource Names (ARNs).
{
  "Id":"ExampleAuthorizationPolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AuthorizeIAMUser",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:123456789012:identity/example.com",
      "Principal":{
        "AWS":[
          "arn:aws:iam::123456789012:user/John",
          "arn:aws:iam::123456789012:user/Jane"
        ]
      },
      "Action":[
        "ses:DeleteEmailIdentity",
        "ses:PutEmailIdentityDkimSigningAttributes"
      ]
    }
  ]
}
Restricting the action
Depending on the level of control you want to authorize, several actions can be specified in an identity authorization policy:
"BatchGetMetricData",
"ListRecommendations",
"CreateDeliverabilityTestReport",
"CreateEmailIdentityPolicy",
"DeleteEmailIdentity",
"DeleteEmailIdentityPolicy",
"GetDomainStatisticsReport",
"GetEmailIdentity",
"GetEmailIdentityPolicies",
"PutEmailIdentityConfigurationSetAttributes",
"PutEmailIdentityDkimAttributes",
"PutEmailIdentityDkimSigningAttributes",
"PutEmailIdentityFeedbackAttributes",
"PutEmailIdentityMailFromAttributes",
"TagResource",
"UntagResource",
"UpdateEmailIdentityPolicy"
An identity authorization policy can also restrict the principal to just one of these actions.
{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ControlAction",
      "Effect": "Allow",
      "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
      "Principal": {
        "AWS": [
          "123456789012"
        ]
      },
      "Action": [
        "ses:PutEmailIdentityMailFromAttributes"
      ]
    }
  ]
}
Using multiple statements
Your identity authorization policy can contain multiple statements. The following example policy has two statements. The first statement denies two users access to GetEmailIdentity for sender@example.com within the same account, 123456789012. The second statement denies the principal Jack, within the same account 123456789012, access to UpdateEmailIdentityPolicy.
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"DenyGet",
      "Effect":"Deny",
      "Resource":"arn:aws:ses:us-east-1:123456789012:identity/sender@example.com",
      "Principal":{
        "AWS":[
          "arn:aws:iam::123456789012:user/John",
          "arn:aws:iam::123456789012:user/Jane"
        ]
      },
      "Action":[
        "ses:GetEmailIdentity"
      ]
    },
    {
      "Sid":"DenyUpdate",
      "Effect":"Deny",
      "Resource":"arn:aws:ses:us-east-1:123456789012:identity/sender@example.com",
      "Principal":{
        "AWS":"arn:aws:iam::123456789012:user/Jack"
      },
      "Action":[
        "ses:UpdateEmailIdentityPolicy"
      ]
    }
  ]
}
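To check how a multi-statement policy like the one above resolves for a given caller before attaching it to an identity, here is an added example (not AWS code) that flags actions outside the supported list and applies the simplified IAM rule that an explicit Deny overrides any Allow; the policy, the action list and the user ARNs are constructed from the examples on this page, and conditions, wildcards and NotAction are not modelled.

```python
# Actions SES accepts in an identity authorization policy (the list above).
SUPPORTED_ACTIONS = {
    "BatchGetMetricData", "ListRecommendations", "CreateDeliverabilityTestReport",
    "CreateEmailIdentityPolicy", "DeleteEmailIdentity", "DeleteEmailIdentityPolicy",
    "GetDomainStatisticsReport", "GetEmailIdentity", "GetEmailIdentityPolicies",
    "PutEmailIdentityConfigurationSetAttributes", "PutEmailIdentityDkimAttributes",
    "PutEmailIdentityDkimSigningAttributes", "PutEmailIdentityFeedbackAttributes",
    "PutEmailIdentityMailFromAttributes", "TagResource", "UntagResource",
    "UpdateEmailIdentityPolicy",
}
IDENTITY = "arn:aws:ses:us-east-1:123456789012:identity/sender@example.com"
# Constructed policy mirroring the two-statement example above.
DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyGet", "Effect": "Deny", "Resource": IDENTITY,
     "Principal": {"AWS": ["arn:aws:iam::123456789012:user/John",
                           "arn:aws:iam::123456789012:user/Jane"]},
     "Action": ["ses:GetEmailIdentity"]},
    {"Sid": "DenyUpdate", "Effect": "Deny", "Resource": IDENTITY,
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/Jack"},
     "Action": ["ses:UpdateEmailIdentityPolicy"]},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def unsupported_actions(policy):
    """Return the ses: actions that SES does not accept in an identity policy."""
    return [a for s in policy["Statement"] for a in _as_list(s["Action"])
            if a.partition(":")[2] not in SUPPORTED_ACTIONS]

def _principal_matches(stmt, principal_arn):
    # A bare account ID in "Principal" covers every principal in that account
    # (first example above); an IAM user ARN matches only that user.
    account = principal_arn.split(":")[4]
    return any(p in (principal_arn, account) for p in _as_list(stmt["Principal"]["AWS"]))

def evaluate(policy, principal_arn, action, resource_arn):
    """Simplified IAM logic: explicit Deny beats any Allow; no matching statement
    is an implicit deny. Conditions, wildcards and NotAction are not modelled."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if stmt["Resource"] != resource_arn or action not in _as_list(stmt["Action"]):
            continue
        if not _principal_matches(stmt, principal_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Because the page's two-statement policy contains only Deny statements, any caller it does not name still ends up with an implicit deny; the Allow has to come from another statement or policy.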