

This is a machine-translated version. In the event of any discrepancy between this translation and the English original, the English original prevails.

# Appendix: Sample profile and role policies
<a name="appendix-sample-policies"></a>

## Sample policies for Application 1
<a name="appendix-sample-policies-app-1"></a>

The sample policy for **Profile 1** allows certain actions on **Bucket 1** in Amazon Simple Storage Service (Amazon S3):

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1",
                "arn:aws:s3:::amzn-s3-demo-bucket1/*"
            ]
        }
    ]
}
```

The sample policy for **Role 1** allows the `DescribeInstances` action on Amazon Elastic Compute Cloud (Amazon EC2) instances, and allows certain actions on **Bucket 1** and **Bucket 2** in Amazon S3:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:instance/i-01234567890abcdef"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectLegalHold",
                "s3:PutObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1",
                "arn:aws:s3:::amzn-s3-demo-bucket1/*",
                "arn:aws:s3:::amzn-s3-demo-bucket2",
                "arn:aws:s3:::amzn-s3-demo-bucket2/*"
            ]
        }
    ]
}
```

The **Profile 1** policy limits the permissions granted by the **Role 1** policy. It is applied to the role session when the role is assumed through IAM Roles Anywhere. An application that assumes **Role 1** can only access **Bucket 1**. It cannot access **Bucket 2** or perform any Amazon EC2 actions, because the **Profile 1** policy does not grant those permissions.

## Sample policies for Application 2
<a name="appendix-sample-policies-app-2"></a>

The sample policy for **Profile 2** allows certain actions on **Bucket 2** in Amazon S3:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket2",
                "arn:aws:s3:::amzn-s3-demo-bucket2/*"
            ]
        }
    ]
}
```

The sample policy for **Role 2** allows the `DescribeInstances` action on Amazon EC2 instances, and allows certain actions on **Bucket 1** and **Bucket 2** in Amazon S3:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:567890123456:instance/i-05678901234ghijk"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectLegalHold",
                "s3:PutObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1",
                "arn:aws:s3:::amzn-s3-demo-bucket1/*",
                "arn:aws:s3:::amzn-s3-demo-bucket2",
                "arn:aws:s3:::amzn-s3-demo-bucket2/*"
            ]
        }
    ]
}
```

The **Profile 2** policy limits the permissions granted by **Role 2**. It is applied to the role session when the role is assumed through IAM Roles Anywhere. An application that assumes **Role 2** can only access **Bucket 2**. It cannot access **Bucket 1** or perform Amazon EC2 actions, because the **Profile 2** policy does not grant those permissions.