Example: Preventing the cross-service confused deputy problem for AppStream 2.0 service roles - Amazon AppStream 2.0

Example: Preventing the cross-service confused deputy problem for AppStream 2.0 service roles

AppStream 2.0 assumes its service role on behalf of many different resource ARNs, so scoping the trust policy to individual resources would produce complex condition statements. We recommend using a wildcard for the resource type so that no AppStream 2.0 resource fails unexpectedly. The two trust policies below each limit the appstream.amazonaws.com service principal so that it can only assume the role when the request originates from your account (aws:SourceAccount) or from your AppStream 2.0 resources (aws:SourceArn).

aws:SourceAccount condition:
JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "appstream.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "your AWS account ID"
        }
      }
    }
  ]
}

aws:SourceArn condition:
JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "appstream.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:appstream:us-east-1:111122223333:*"
        }
      }
    }
  ]
}
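To make the effect of the two conditions concrete, the following is an added example (not code from the AppStream 2.0 documentation or any AWS SDK) that models the small subset of IAM trust-policy evaluation needed here: `StringEquals` on `aws:SourceAccount` and `ArnLike` on `aws:SourceArn`, with `ArnLike` matching each of the six colon-delimited ARN fields separately. It also includes a small checker that flags service-principal `sts:AssumeRole` statements carrying neither key, which is the confused-deputy gap the page's policies close. The account ID 111122223333, the fleet ARN and the unguarded policy are constructed sample values, and the evaluator deliberately ignores everything outside this subset (Deny statements, other operators, non-service principals).

```python
"""Minimal model of confused-deputy guards in a service role trust policy.

Added example, not AWS code. Only StringEquals / ArnLike and service
principals are modelled; real IAM evaluation covers far more than this.
"""
import fnmatch

# Constructed samples: the two guarded policies from the page (with the
# account placeholder filled in as 111122223333) and one unguarded policy.
GUARDED_BY_ACCOUNT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["appstream.amazonaws.com"]},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}},
    }],
}
GUARDED_BY_ARN = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["appstream.amazonaws.com"]},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {
            "aws:SourceArn": "arn:aws:appstream:us-east-1:111122223333:*"}},
    }],
}
UNGUARDED = {  # trusts the service principal with no source condition at all
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "appstream.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

GUARD_KEYS = {"aws:SourceAccount", "aws:SourceArn"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def arn_like(pattern: str, arn: str) -> bool:
    """ArnLike: case-sensitive; each of the six colon-separated ARN fields is
    matched on its own with * and ? wildcards (modelled with fnmatchcase)."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


OPERATORS = {
    "StringEquals": lambda expected, actual: expected == actual,
    "ArnLike": arn_like,
}


def _condition_holds(condition: dict, context: dict) -> bool:
    # Every operator/key block must hold. A key missing from the request
    # context makes the block false (these are not ...IfExists operators).
    for operator, keys in condition.items():
        match = OPERATORS.get(operator)
        if match is None:
            raise ValueError(f"unsupported operator: {operator}")
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None or not any(match(e, actual) for e in _as_list(expected)):
                return False
    return True


def service_can_assume(policy: dict, context: dict) -> bool:
    """True if some Allow statement lets context['service'] call sts:AssumeRole
    under the given request context (aws:SourceAccount / aws:SourceArn)."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if context["service"] not in _as_list(principal.get("Service", [])):
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def unguarded_statements(policy: dict) -> list:
    """Indices of Allow/sts:AssumeRole statements for a service principal that
    carry neither aws:SourceAccount nor aws:SourceArn."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "Service" not in principal:
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        if not keys & GUARD_KEYS:
            findings.append(i)
    return findings


if __name__ == "__main__":
    own = {"service": "appstream.amazonaws.com",
           "aws:SourceArn": "arn:aws:appstream:us-east-1:111122223333:fleet/example"}
    other = dict(own, **{"aws:SourceArn": "arn:aws:appstream:us-east-1:999988887777:fleet/x"})
    print("own resource:", service_can_assume(GUARDED_BY_ARN, own))
    print("other account:", service_can_assume(GUARDED_BY_ARN, other))
    print("unguarded statements:", unguarded_statements(UNGUARDED))
```

With the `aws:SourceArn` policy, a request on behalf of a fleet in account 111122223333 in us-east-1 is allowed, while the same request for a resource in another account or another Region is refused; the unguarded policy lets any caller who can make AppStream 2.0 act on their behalf assume the role, which is exactly what the checker reports.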