

# Common resource-based policy examples
<a name="rbp-examples"></a>

These examples show common patterns for controlling access to your Aurora DSQL clusters. You can combine and modify these patterns to meet your specific access requirements.

## Block public internet access
<a name="rbp-example-block-public"></a>

This policy blocks connections to your Aurora DSQL cluster from the public internet (that is, from outside a VPC). It does not specify which VPCs clients may connect from, only that they must connect from a VPC. To restrict access to specific VPCs, use `aws:SourceVpc` with the `StringEquals` condition operator.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Action": [
        "dsql:DbConnect",
        "dsql:DbConnectAdmin"
      ],
      "Condition": {
        "Null": {
          "aws:SourceVpc": "true"
        }
      }
    }
  ]
}
```

**Note**  
This example uses only `aws:SourceVpc` to check for a VPC connection. The `aws:VpcSourceIp` and `aws:SourceVpce` condition keys provide finer granularity, but they are not required for basic VPC-only access control.

To provide an exception for specific roles, use the following policy instead:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessFromOutsideVPC",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Action": [
        "dsql:DbConnect",
        "dsql:DbConnectAdmin"
      ],
      "Condition": {
        "Null": {
          "aws:SourceVpc": "true"
        },
        "StringNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::123456789012:role/ExceptionRole",
            "arn:aws:iam::123456789012:role/AnotherExceptionRole"
          ]
        }
      }
    }
  ]
}
```

## Restrict access to an AWS organization
<a name="rbp-example-org-access"></a>

This policy restricts access to principals inside an AWS organization:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "dsql:DbConnect",
        "dsql:DbConnectAdmin"
      ],
      "Resource": "arn:aws:dsql:us-east-1:123456789012:cluster/mydsqlclusterid0123456789a",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalOrgID": "o-exampleorgid"
        }
      }
    }
  ]
}
```

## Restrict access to an organizational unit
<a name="rbp-example-ou-access"></a>

This policy restricts access to principals inside a specific organizational unit (OU) of an AWS organization, giving finer-grained control than organization-wide access:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "dsql:DbConnect"
      ],
      "Resource": "arn:aws:dsql:us-east-1:123456789012:cluster/mydsqlclusterid0123456789a",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalOrgPaths": "o-exampleorgid/r-examplerootid/ou-exampleouid/*"
        }
      }
    }
  ]
}
```
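To see how the VPC-exception and OU policies above decide a request, the following added example (not part of the AWS documentation) implements the condition operators those policies use, `Null`, `StringEquals`, `StringNotEquals` and `StringNotLike`, with deny-overrides statement matching; the request contexts you pass in are constructed, and the role and cluster ARNs repeat the placeholders from the page.

```python
import fnmatch

# Added example, not from the AWS documentation: a minimal evaluator for the
# operators the policies above use (Null, StringEquals, StringNotEquals,
# StringNotLike) with deny-overrides matching. Principal checks are skipped ("AWS": "*").

def condition_matches(operator, key, expected, ctx):
    """Evaluate one condition key/value pair against a request context."""
    values = expected if isinstance(expected, list) else [expected]
    actual = ctx.get(key)
    if operator == "Null":
        # "true" requires the key to be absent, "false" requires it to be present
        return (actual is None) == (values[0] == "true")
    if actual is None:
        # Missing key: positive operators never match, negated operators always do
        return operator.startswith("StringNot")
    if operator == "StringEquals":
        return actual in values
    if operator == "StringNotEquals":
        return actual not in values
    if operator == "StringNotLike":
        return not any(fnmatch.fnmatchcase(actual, v) for v in values)
    raise ValueError(f"unsupported operator: {operator}")

def statement_matches(stmt, action, resource, ctx):
    """Action, resource and every condition pair must all match."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions or stmt["Resource"] not in ("*", resource):
        return False
    return all(condition_matches(op, key, val, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, val in pairs.items())

def evaluate(policy, action, resource, ctx):
    """'Deny' on an explicit deny, 'Allow' on a matching Allow, else 'ImplicitDeny'."""
    effects = {s["Effect"] for s in policy["Statement"]
               if statement_matches(s, action, resource, ctx)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else "ImplicitDeny")

# The exception-role policy from this page, reduced to the fields the evaluator reads
EXCEPTION_POLICY = {"Statement": [{
    "Effect": "Deny", "Resource": "*",
    "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"],
    "Condition": {"Null": {"aws:SourceVpc": "true"},
                  "StringNotEquals": {"aws:PrincipalArn": [
                      "arn:aws:iam::123456789012:role/ExceptionRole",
                      "arn:aws:iam::123456789012:role/AnotherExceptionRole"]}}}]}

CLUSTER = "arn:aws:dsql:us-east-1:123456789012:cluster/mydsqlclusterid0123456789a"
```

Call `evaluate(EXCEPTION_POLICY, "dsql:DbConnect", CLUSTER, ctx)` with a context that lacks `aws:SourceVpc` to see the explicit `Deny`, and with one that carries it (or names an exception role) to see the deny fall away; `ImplicitDeny` only means this resource policy does not grant access on its own.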

## Multi-Region cluster policies
<a name="rbp-example-multi-region"></a>

For multi-Region clusters, each regional cluster maintains its own resource policy, which allows Region-specific controls. The following example uses a different policy in each Region:

*us-east-1 policy:*

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Action": [
        "dsql:DbConnect"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-east1-id"
        },
        "Null": {
          "aws:SourceVpc": "true"
        }
      }
    }
  ]
}
```

*us-east-2 policy:*

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Action": [
        "dsql:DbConnect"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-east2-id"
        }
      }
    }
  ]
}
```

**Note**  
Condition context key values (for example, VPC IDs) can differ between AWS Regions.