使用基于资源的策略创建集群 - Amazon Aurora DSQL

使用基于资源的策略创建集群

您可以在创建新集群时附加基于资源的策略,以确保从一开始就实施访问控制。每个集群都可以有一个直接附加到该集群的内联策略。

在创建集群期间添加基于资源的策略

  1. 登录 AWS 管理控制台并打开 Aurora DSQL 控制台,网址为 https://console.aws.amazon.com/dsql/

  2. 选择创建集群

  3. 根据需要配置集群名称、标签和多区域设置。

  4. 集群设置部分,找到基于资源的策略选项。

  5. 开启添加基于资源的策略

  6. 在 JSON 编辑器中输入您的策略文档。例如,要屏蔽公共互联网访问,请执行以下操作:

    {
  "Version": "2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Action": [
        "dsql:DbConnect",
        "dsql:DbConnectAdmin"
      ],
      "Condition": {
        "Null": {
          "aws:SourceVpc": "true"
        }
      }
    }
  ]
}

  7. 您可以使用编辑语句添加新语句来构建您的策略。

  8. 完成剩余的集群配置,然后选择创建集群

创建集群时使用 --policy 参数来附加内联策略:

aws dsql create-cluster --policy '{
    "Version": "2012-10-17",		 	 	 
    "Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Resource": "*",
        "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"],
        "Condition": { 
            "StringNotEquals": { "aws:SourceVpc": "vpc-123456" } 
        }
    }]
}'
Python
import boto3
import json

client = boto3.client('dsql')

policy = {
    "Version": "2012-10-17",		 	 	 
    "Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Resource": "*",
        "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"],
        "Condition": { 
            "StringNotEquals": { "aws:SourceVpc": "vpc-123456" } 
        }
    }]
}

response = client.create_cluster(
    policy=json.dumps(policy)
)

print(f"Cluster created: {response['identifier']}")
Java
import software.amazon.awssdk.services.dsql.DsqlClient;
import software.amazon.awssdk.services.dsql.model.CreateClusterRequest;
import software.amazon.awssdk.services.dsql.model.CreateClusterResponse;

DsqlClient client = DsqlClient.create();

String policy = """
{
  "Version": "2012-10-17",		 	 	 
  "Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": "*"},
    "Resource": "*",
    "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"],
    "Condition": { 
      "StringNotEquals": { "aws:SourceVpc": "vpc-123456" } 
    }
  }]
}
""";

CreateClusterRequest request = CreateClusterRequest.builder()
    .policy(policy)
    .build();

CreateClusterResponse response = client.createCluster(request);
System.out.println("Cluster created: " + response.identifier());