This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.
Appendix: Example profile and role policies
Example policies for application 1
The example policy for profile 1 allows certain actions on bucket 1 in Amazon Simple Storage Service (Amazon S3):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1",
                "arn:aws:s3:::amzn-s3-demo-bucket1/*"
            ]
        }
    ]
}
The example policy for role 1 allows the DescribeInstances action on Amazon Elastic Compute Cloud (Amazon EC2) instances, and allows certain actions on bucket 1 and bucket 2 in Amazon S3:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:instance/i-01234567890abcdef"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectLegalHold",
                "s3:PutObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1",
                "arn:aws:s3:::amzn-s3-demo-bucket1/*",
                "arn:aws:s3:::amzn-s3-demo-bucket2",
                "arn:aws:s3:::amzn-s3-demo-bucket2/*"
            ]
        }
    ]
}
The profile 1 policy restricts the permissions granted by the role 1 policy. It is applied to the role session when the role is assumed through IAM Roles Anywhere. An application that assumes role 1 can therefore access only bucket 1. It cannot access bucket 2 or perform any Amazon EC2 action, because the profile 1 policy does not grant those permissions.
Example policies for application 2
The example policy for profile 2 allows certain actions on bucket 2 in Amazon S3:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket2",
                "arn:aws:s3:::amzn-s3-demo-bucket2/*"
            ]
        }
    ]
}
The example policy for role 2 allows the DescribeInstances action on Amazon EC2 instances, and allows certain actions on bucket 1 and bucket 2 in Amazon S3:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:567890123456:instance/i-05678901234ghijk"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectLegalHold",
                "s3:PutObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1",
                "arn:aws:s3:::amzn-s3-demo-bucket1/*",
                "arn:aws:s3:::amzn-s3-demo-bucket2",
                "arn:aws:s3:::amzn-s3-demo-bucket2/*"
            ]
        }
    ]
}
The profile 2 policy restricts the permissions granted by the role 2 policy. It is applied to the role session when the role is assumed through IAM Roles Anywhere. An application that assumes role 2 can therefore access only bucket 2. It cannot access bucket 1 or perform any Amazon EC2 action, because the profile 2 policy does not grant those permissions.
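The two sections above describe the same mechanism: the profile policy is attached to the role session as a session policy, so the session can only do what both the role policy and the profile policy allow. The following script is an added example, not code from the AWS documentation. It reconstructs the four appendix policies as Python dicts and models that intersection for a list of constructed requests, going slightly beyond the text by also handling explicit Deny statements and IAM-style wildcards. It is deliberately a reduced model: Condition, NotAction, NotResource, resource-based policies, SCPs and permissions boundaries are not evaluated.

```python
"""Model of how an IAM Roles Anywhere profile policy narrows the assumed role.

Added example, not from the AWS documentation. Only the subset of IAM
evaluation needed for the appendix policies is modelled: Allow/Deny
statements with Action and Resource lists and '*'/'?' wildcards.
Conditions, NotAction, NotResource, resource-based policies, SCPs and
permissions boundaries are out of scope, so this is not a general simulator.
"""
import fnmatch

# Policies reconstructed from the appendix (same actions and resources).
S3_READ = ["s3:ListBucket", "s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion"]
S3_READ_WRITE = ["s3:ListAllMyBuckets"] + S3_READ + [
    "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectLegalHold", "s3:PutObjectTagging"]
BUCKET1 = ["arn:aws:s3:::amzn-s3-demo-bucket1", "arn:aws:s3:::amzn-s3-demo-bucket1/*"]
BUCKET2 = ["arn:aws:s3:::amzn-s3-demo-bucket2", "arn:aws:s3:::amzn-s3-demo-bucket2/*"]


def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


def allow(actions, resources):
    return {"Effect": "Allow", "Action": actions, "Resource": resources}


PROFILE_1_POLICY = policy(allow(S3_READ, BUCKET1))
PROFILE_2_POLICY = policy(allow(S3_READ, BUCKET2))
ROLE_1_POLICY = policy(
    allow(["ec2:DescribeInstances"],
          ["arn:aws:ec2:us-east-1:123456789012:instance/i-01234567890abcdef"]),
    allow(S3_READ_WRITE, BUCKET1 + BUCKET2))
ROLE_2_POLICY = policy(
    allow(["ec2:DescribeInstances"],
          ["arn:aws:ec2:us-east-1:567890123456:instance/i-05678901234ghijk"]),
    allow(S3_READ_WRITE, BUCKET1 + BUCKET2))


def _as_list(value):
    # Action/Resource may be a single string or a list in real policies.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    """IAM-style match: '*' matches any sequence, '?' exactly one character."""
    if case_insensitive:  # action names are case-insensitive, ARNs are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def policy_decision(pol, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' (no statement matched) for one policy."""
    decision = "Implicit"
    for stmt in _as_list(pol["Statement"]):
        if not any(_matches(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides every allow
        decision = "Allow"
    return decision


def session_allows(role_policy, profile_policy, action, resource):
    """A Roles Anywhere session carries the profile policy as a session policy:
    a request needs an Allow from BOTH the role policy and the profile policy."""
    return (policy_decision(role_policy, action, resource) == "Allow"
            and policy_decision(profile_policy, action, resource) == "Allow")


def effective_permissions(role_policy, profile_policy, requests):
    """Keep only the (action, resource) requests the session can actually make."""
    return [(a, r) for a, r in requests if session_allows(role_policy, profile_policy, a, r)]


# Constructed sample requests an application might attempt (not from the page).
REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::amzn-s3-demo-bucket1/reports/q1.csv"),
    ("s3:GetObject", "arn:aws:s3:::amzn-s3-demo-bucket2/reports/q1.csv"),
    ("s3:PutObject", "arn:aws:s3:::amzn-s3-demo-bucket1/reports/q1.csv"),
    ("s3:ListBucket", "arn:aws:s3:::amzn-s3-demo-bucket1"),
    ("s3:ListAllMyBuckets", "*"),
    ("ec2:DescribeInstances",
     "arn:aws:ec2:us-east-1:123456789012:instance/i-01234567890abcdef"),
]

if __name__ == "__main__":
    for name, role, profile in (("application 1", ROLE_1_POLICY, PROFILE_1_POLICY),
                                ("application 2", ROLE_2_POLICY, PROFILE_2_POLICY)):
        print(f"{name} session may call:")
        for action, resource in effective_permissions(role, profile, REQUESTS):
            print(f"  {action:24} {resource}")
```

Running it shows application 1 left with s3:GetObject and s3:ListBucket on bucket 1 only, and application 2 with s3:GetObject on bucket 2 only; every PutObject, cross-bucket and EC2 request drops out because the profile policy never allows it, even though the role policy does. Two further things the model makes visible: the request for s3:ListAllMyBuckets with resource "*" is not matched by either policy, because the role policy lists bucket ARNs rather than "*", and in real IAM that action (like ec2:DescribeInstances) only accepts Resource "*", so check the Service Authorization Reference before copying these statements into a production role.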