单值上下文键策略示例 - AWS Identity and Access Management
示例:具有单值上下文键的多个条件块示例:具有多个单值上下文键和值的一个条件块

单值上下文键策略示例

以下一组策略示例演示了如何使用单值上下文键创建策略条件。

示例:具有单值上下文键的多个条件块

条件块有多个条件时,每个条件都有一个上下文键,所有上下文键必须解析为 true 才能调用所需的 Allow 或 Deny 效果。使用否定匹配条件运算符时,条件值的评估逻辑是相反的。

以下示例允许用户创建 EC2 卷并在创建卷期间将标签应用到卷。请求上下文必须包含上下文键 aws:RequestTag/project 的值,以及上下文键 aws:ResourceTag/environment 的值可以是除生产之外的任何内容。

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVolume",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/project": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:*/*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/environment": "production"
        }
      }
    }
  ]
}

请求上下文必须包含项目标签值,并且不能为生产资源创建以调用 Allow 效果。以下 EC2 卷已成功创建,因为项目名称为 Feature3,资源标签为 QA

aws ec2 create-volume \
    --availability-zone us-east-1a \
    --volume-type gp2 \
    --size 80 \
    --tag-specifications 'ResourceType=volume,Tags=[{Key=project,Value=Feature3},{Key=environment,Value=QA}]'

示例:具有多个单值上下文键和值的一个条件块

条件块包含多个上下文键并且每个上下文键具有多个值时,每个上下文键必须解析为 true,以便至少有一个键值能够调用所需的 Allow 或 Deny 效果。使用否定匹配条件运算符时,上下文键值的评估逻辑是相反的。

以下示例允许用户在 Amazon Elastic Container Service 集群上启动和运行任务。

  • 对于 aws:RequestTag/environment 上下文键 AND,请求上下文必须包含 production prod-backup

  • ecs:cluster 上下文键可确保在 default1 default2 ARN ECS 集群上运行任务。

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:RunTask",
        "ecs:StartTask"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/environment": [
            "production",
            "prod-backup"
          ]
        },
        "ArnEquals": {
          "ecs:cluster": [
            "arn:aws:ecs:us-east-1:111122223333:cluster/default1",
            "arn:aws:ecs:us-east-1:111122223333:cluster/default2"
          ]
        }
      }
    }
  ]
}

下表显示了 AWS 如何根据请求中的条件键值来评估此策略。

策略条件 请求上下文 结果 
"StringEquals": {
  "aws:RequestTag/environment": [
    "production",
    "prod-backup"
  ]
},
"ArnEquals": {
  "ecs:cluster": [
    "arn:aws:ecs:us-east-1:111122223333:cluster/default1",
    "arn:aws:ecs:us-east-1:111122223333:cluster/default2"
  ]
}
 
aws:RequestTag: environment:production
ecs:cluster:
  arn:aws:ecs:us-east-1:111122223333:cluster/default1

匹配

 
"StringEquals": {
  "aws:RequestTag/environment": [
    "production",
    "prod-backup"
  ]
},
"ArnEquals": {
  "ecs:cluster": [
    "arn:aws:ecs:us-east-1:111122223333:cluster/default1",
    "arn:aws:ecs:us-east-1:111122223333:cluster/default2"
  ]
}
 
aws:RequestTag: environment:prod-backup
ecs:cluster:
  arn:aws:ecs:us-east-1:111122223333:cluster/default2

匹配

 
"StringEquals": {
  "aws:RequestTag/environment": [
    "production",
    "prod-backup"
  ]
},
"ArnEquals": {
  "ecs:cluster": [
    "arn:aws:ecs:us-east-1:111122223333:cluster/default1",
    "arn:aws:ecs:us-east-1:111122223333:cluster/default2"
  ]
}
 
aws:RequestTag: webserver:production
ecs:cluster:
  arn:aws:ecs:us-east-1:111122223333:cluster/default2

不匹配

 
"StringEquals": {
  "aws:RequestTag/environment": [
    "production",
    "prod-backup"
  ]
},
"ArnEquals": {
  "ecs:cluster": [
    "arn:aws:ecs:us-east-1:111122223333:cluster/default1",
    "arn:aws:ecs:us-east-1:111122223333:cluster/default2"
  ]
}

请求上下文中没有 aws:RequestTag

ecs:cluster
  arn:aws:ecs:us-east-1:111122223333:cluster/default2

不匹配