Restrict data transfer across AWS Regions - AWS Prescriptive Guidance


Restrict data transfer across AWS Regions


Except for two AWS Identity and Access Management (IAM) roles, this service control policy (SCP) denies API calls to Regional AWS services in any AWS Region other than eu-west-1 and eu-central-1. The SCP helps prevent AWS storage and processing services from being created in unapproved Regions, so that AWS services in those Regions never process personal data at all. The policy uses the NotAction parameter because it must accommodate global AWS services (such as IAM) and services that integrate with global services, such as AWS Key Management Service (AWS KMS) and Amazon CloudFront. You specify these global services, and any other services the restriction should not apply to, as exceptions in the parameter value. For more information about how this policy helps protect privacy and personal data in your organization, see AWS Organizations in this guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideEU",
      "Effect": "Deny",
      "NotAction": [
        "a4b:*",
        "acm:*",
        "aws-marketplace-management:*",
        "aws-marketplace:*",
        "aws-portal:*",
        "budgets:*",
        "ce:*",
        "chime:*",
        "cloudfront:*",
        "config:*",
        "cur:*",
        "directconnect:*",
        "ec2:DescribeRegions",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeVpnGateways",
        "fms:*",
        "globalaccelerator:*",
        "health:*",
        "iam:*",
        "importexport:*",
        "kms:*",
        "mobileanalytics:*",
        "networkmanager:*",
        "organizations:*",
        "pricing:*",
        "route53:*",
        "route53domains:*",
        "route53-recovery-cluster:*",
        "route53-recovery-control-config:*",
        "route53-recovery-readiness:*",
        "s3:GetAccountPublic*",
        "s3:ListAllMyBuckets",
        "s3:ListMultiRegionAccessPoints",
        "s3:PutAccountPublic*",
        "shield:*",
        "sts:*",
        "support:*",
        "trustedadvisor:*",
        "waf-regional:*",
        "waf:*",
        "wafv2:*",
        "wellarchitected:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1",
            "eu-west-1"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
            "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
          ]
        }
      }
    }
  ]
}
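To check how the three constructs in this SCP (NotAction, StringNotEquals on aws:RequestedRegion, ArnNotLike on aws:PrincipalARN) combine for a given request before deploying it, the following offline evaluator is added here as an example; it is not AWS code. It embeds a trimmed copy of the statement (the NotAction list is shortened), uses the placeholder account ID 111122223333, and models only what this SCP needs, remembering that an SCP can only deny and never grants access by itself.

```python
import fnmatch

# Constructed, trimmed copy of the SCP statement above (NotAction list shortened
# to a few entries); in real use load the full JSON document instead.
STATEMENT = {
    "Effect": "Deny",
    "NotAction": ["cloudfront:*", "ec2:DescribeRegions", "iam:*", "kms:*",
                  "route53:*", "s3:ListAllMyBuckets", "sts:*"],
    "Condition": {
        "StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]},
        "ArnNotLike": {"aws:PrincipalARN": [
            "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
            "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"]},
    },
}

def _matches_any(value, patterns):
    # IAM patterns use '*' (any run) and '?' (one char); fnmatchcase keeps the
    # comparison case-sensitive, which is right for ARNs. Callers lower-case
    # actions first because action names are matched case-insensitively.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def scp_denies(action, region, principal_arn):
    """Return True when this Deny statement applies to the request context.
    region=None models a call carrying no aws:RequestedRegion key. A negated
    operator such as StringNotEquals evaluates to true when its key is absent,
    which is why global services must be excluded through NotAction.
    """
    # NotAction: the Deny applies to every action that is NOT in the list.
    if _matches_any(action.lower(), [p.lower() for p in STATEMENT["NotAction"]]):
        return False
    cond = STATEMENT["Condition"]
    # StringNotEquals: the request must target a Region outside the approved list.
    if region is not None and region in cond["StringNotEquals"]["aws:RequestedRegion"]:
        return False
    # ArnNotLike: the calling principal must match none of the bypass roles.
    if _matches_any(principal_arn, cond["ArnNotLike"]["aws:PrincipalARN"]):
        return False
    return True

if __name__ == "__main__":
    # Constructed sample requests; 111122223333 is a placeholder account ID.
    dev = "arn:aws:iam::111122223333:role/Developer"
    bypass = "arn:aws:iam::111122223333:role/Role1AllowedToBypassThisSCP"
    for req in [("s3:CreateBucket", "us-east-1", dev), ("s3:CreateBucket", "eu-west-1", dev),
                ("ec2:RunInstances", "us-east-1", bypass), ("iam:CreateUser", None, dev)]:
        print(req, "DENIED" if scp_denies(*req) else "not denied by SCP")
```

A request the evaluator reports as "not denied by SCP" still needs an explicit IAM Allow to succeed.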