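Using condition keys
You can specify conditions that determine how an IAM policy takes effect. In ElastiCache, you can use the Condition element of a JSON policy to compare keys in the request context with the key values that you specify in your policy. For more information, see IAM JSON policy elements: Condition.
To see a list of ElastiCache condition keys, see Condition keys for Amazon ElastiCache in the Service Authorization Reference.
For a list of global condition keys, see AWS global condition context keys.
Using ElastiCache with AWS global condition keys
When using AWS global condition keys that require a principal for ElastiCache, use an OR condition with both principals: elasticache.amazonaws.com and ec.amazonaws.com.
If you don't add both principals for ElastiCache, the intended "Allow" or "Deny" action will not be correctly enforced for any resource listed in the policy.
Example policy using the aws:CalledVia global condition key: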
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"aws:CalledVia": [
"ec.amazonaws.com",
"elasticache.amazonaws.com"
]
}
}
}
]
}
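Specifying conditions: Using condition keys
To implement fine-grained control, you write an IAM permissions policy that specifies conditions to control a set of individual parameters on certain requests. You then apply the policy to the IAM users, groups, or roles that you create using the IAM console.
To apply a condition, you add the condition information to the IAM policy statement. In the following example, you specify the condition that any self-designed cache cluster created will be of node type cache.r5.large.
To build a Condition element with a String-type condition key, use the case-insensitive condition operators StringEqualsIgnoreCase or StringNotEqualsIgnoreCase to compare the key to a string value.
ElastiCache handles the input arguments for CacheNodeType and CacheParameterGroupName in a case-insensitive manner. Because of this, the string condition operators StringEqualsIgnoreCase and StringNotEqualsIgnoreCase should be used in permission policies that refer to them.
The following shows an example of this permission policy when using Valkey or Redis OSS.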
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*",
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"StringEquals": {
"elasticache:CacheNodeType": [
"cache.r5.large"
]
}
}
}
]
}
The following shows an example of this permission policy when using Memcached.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*"
],
"Condition": {
"StringEquals": {
"elasticache:CacheNodeType": [
"cache.r5.large"
]
}
}
}
]
}
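For more information, see Tagging your ElastiCache resources.
For more information on using policy condition operators, see ElastiCache API permissions: Actions, resources, and conditions reference.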
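The two rules stated earlier on this page (list both ElastiCache service principals together, and use the case-insensitive string operators for elasticache:CacheNodeType and elasticache:CacheParameterGroupName) can be checked mechanically before a policy is attached. The following Python linter is an added example, not part of the original AWS documentation; lint_policy, its rule names, and the sample policy are hypothetical and constructed for illustration.

```python
import json

# Keys whose request values the page says ElastiCache handles case-insensitively.
CASE_INSENSITIVE_KEYS = {"elasticache:cachenodetype", "elasticache:cacheparametergroupname"}
RECOMMENDED_OPS = {"stringequalsignorecase", "stringnotequalsignorecase"}
# Both service principals the page says must be listed together.
PRINCIPALS = {"ec.amazonaws.com", "elasticache.amazonaws.com"}

def base_operator(op):
    """Drop a ForAnyValue:/ForAllValues: prefix and an IfExists suffix."""
    op = op.split(":")[-1].lower()
    return op[:-len("ifexists")] if op.endswith("ifexists") else op

def lint_policy(policy):
    """Return (statement_index, rule, detail) findings for one policy dict."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        for op, tests in stmt.get("Condition", {}).items():
            base = base_operator(op)
            for key, values in tests.items():
                values = values if isinstance(values, list) else [values]
                if (key.lower() in CASE_INSENSITIVE_KEYS
                        and base.startswith("string") and base not in RECOMMENDED_OPS):
                    findings.append((i, "case-sensitive-operator", f"{op} on {key}"))
                seen = PRINCIPALS & {str(v).lower() for v in values}
                if key.lower().startswith("aws:") and seen and seen != PRINCIPALS:
                    missing = ", ".join(sorted(PRINCIPALS - seen))
                    findings.append((i, "missing-principal", f"{key} lacks {missing}"))
    return findings

# Constructed sample (not from the page): statements 0 and 1 each break one rule, 2 is clean.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "elasticache:CreateCacheCluster",
   "Resource": "arn:aws:elasticache:*:*:cluster:*",
   "Condition": {"StringEquals": {"elasticache:CacheNodeType": ["cache.r5.large"]}}},
  {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
   "Condition": {"ForAnyValue:StringLike": {"aws:CalledVia": ["elasticache.amazonaws.com"]}}},
  {"Effect": "Allow", "Action": "elasticache:CreateCacheCluster",
   "Resource": "arn:aws:elasticache:*:*:cluster:*",
   "Condition": {"StringEqualsIgnoreCase": {"elasticache:CacheParameterGroupName": "my-org-param-group"}}}
]}
""")

if __name__ == "__main__":
    print(*lint_policy(SAMPLE_POLICY), sep="\n")
```

Numeric, Bool and Null operators are ignored by the first rule, so only string comparisons on the two case-insensitive keys are reported.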
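Example policies: Using conditions for fine-grained parameter control
This section shows example policies for implementing fine-grained access control on the previously listed ElastiCache parameters.
elasticache:MaximumDataStorage: Specify the maximum data storage of a serverless cache. Using the provided conditions, the customer cannot create caches that can store more than a specific amount of data.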
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowDependentResources",
"Effect": "Allow",
"Action": [
"elasticache:CreateServerlessCache"
],
"Resource": [
"arn:aws:elasticache:*:*:serverlesscachesnapshot:*",
"arn:aws:elasticache:*:*:snapshot:*",
"arn:aws:elasticache:*:*:usergroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateServerlessCache"
],
"Resource": [
"arn:aws:elasticache:*:*:serverlesscache:*"
],
"Condition": {
"NumericLessThanEquals": {
"elasticache:MaximumDataStorage": "30"
},
"StringEquals": {
"elasticache:DataStorageUnit": "GB"
}
}
}
]
}
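elasticache:MaximumECPUPerSecond: Specify the maximum ECPU per second value of a serverless cache. Using the provided conditions, the customer cannot create caches that can execute more than a specific number of ECPUs per second.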
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowDependentResources",
"Effect": "Allow",
"Action": [
"elasticache:CreateServerlessCache"
],
"Resource": [
"arn:aws:elasticache:*:*:serverlesscachesnapshot:*",
"arn:aws:elasticache:*:*:snapshot:*",
"arn:aws:elasticache:*:*:usergroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateServerlessCache"
],
"Resource": [
"arn:aws:elasticache:*:*:serverlesscache:*"
],
"Condition": {
"NumericLessThanEquals": {
"elasticache:MaximumECPUPerSecond": "100000"
}
}
}
]
}
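elasticache:CacheNodeType: Specify which node types a user can create. Using the provided conditions, the customer can specify a single value or a range of values for the node type.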
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*",
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"StringEquals": {
"elasticache:CacheNodeType": [
"cache.t2.micro",
"cache.t2.medium"
]
}
}
}
]
}
elasticache:CacheNodeType: Using Memcached, specify which NodeType(s) a user can create. Using the provided conditions, the customer can specify a single value or a range of values for the node type.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*"
],
"Condition": {
"StringEquals": {
"elasticache:CacheNodeType": [
"cache.t2.micro",
"cache.t2.medium"
]
}
}
}
]
}
elasticache:NumNodeGroups: Create a replication group with fewer than 20 node groups.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"NumericLessThanEquals": {
"elasticache:NumNodeGroups": "20"
}
}
}
]
}
elasticache:ReplicasPerNodeGroup: Specify the number of replicas per node (between 5 and 10).
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"NumericGreaterThanEquals": {
"elasticache:ReplicasPerNodeGroup": "5"
},
"NumericLessThanEquals": {
"elasticache:ReplicasPerNodeGroup": "10"
}
}
}
]
}
elasticache:EngineVersion: Specify usage of engine version 5.0.6.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*",
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"StringEquals": {
"elasticache:EngineVersion": "5.0.6"
}
}
}
]
}
elasticache:EngineVersion: Specify usage of Memcached engine version 1.6.6.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*"
],
"Condition": {
"StringEquals": {
"elasticache:EngineVersion": "1.6.6"
}
}
}
]
}
elasticache:EngineType: Specify using only the Valkey or Redis OSS engine.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*",
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"StringEquals": {
"elasticache:EngineType": "redis"
}
}
}
]
}
elasticache:AtRestEncryptionEnabled: Specify that replication groups are created only with encryption enabled.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"Bool": {
"elasticache:AtRestEncryptionEnabled": "true"
}
}
}
]
}
elasticache:TransitEncryptionEnabled
- Set the elasticache:TransitEncryptionEnabled condition key to false for the CreateReplicationGroup action to specify that replication groups can be created only when TLS is not being used:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"Bool": {
"elasticache:TransitEncryptionEnabled": "false"
}
}
}
]
}
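When the elasticache:TransitEncryptionEnabled condition key is set to false in a policy for the CreateReplicationGroup action, a CreateReplicationGroup request is allowed only if TLS is not being used (that is, if the request does not include a TransitEncryptionEnabled parameter set to true or a TransitEncryptionMode parameter set to required).
- Set the elasticache:TransitEncryptionEnabled condition key to true for the CreateReplicationGroup action to specify that replication groups can be created only when TLS is being used: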
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"Bool": {
"elasticache:TransitEncryptionEnabled": "true"
}
}
}
]
}
When the elasticache:TransitEncryptionEnabled condition key is set to true in a policy for the CreateReplicationGroup action, a CreateReplicationGroup request is allowed only if the request includes a TransitEncryptionEnabled parameter set to true and a TransitEncryptionMode parameter set to required.
- Set elasticache:TransitEncryptionEnabled to true for the ModifyReplicationGroup action to specify that replication groups can be modified only when TLS is being used:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:ModifyReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"BoolIfExists": {
"elasticache:TransitEncryptionEnabled": "true"
}
}
}
]
}
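When the elasticache:TransitEncryptionEnabled condition key is set to true in a policy for the ModifyReplicationGroup action, a ModifyReplicationGroup request is allowed only if the request includes a TransitEncryptionMode parameter set to required. A TransitEncryptionEnabled parameter set to true can optionally be included as well, but it is not required in this case to enable TLS.
elasticache:AutomaticFailoverEnabled: Specify that replication groups are created only with automatic failover enabled.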
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"Bool": {
"elasticache:AutomaticFailoverEnabled": "true"
}
}
}
]
}
elasticache:MultiAZEnabled: Specify that replication groups cannot be created with Multi-AZ disabled.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Deny",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*",
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"Bool": {
"elasticache:MultiAZEnabled": "false"
}
}
}
]
}
elasticache:ClusterModeEnabled: Specify that replication groups can be created only with cluster mode enabled.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"Bool": {
"elasticache:ClusterModeEnabled": "true"
}
}
}
]
}
elasticache:AuthTokenEnabled: Specify that replication groups can be created only with the AUTH token enabled.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*",
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"Bool": {
"elasticache:AuthTokenEnabled": "true"
}
}
}
]
}
elasticache:SnapshotRetentionLimit: Specify the number of days (or a minimum/maximum) to keep snapshots. The following policy enforces storing backups for at least 30 days.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup",
"elasticache:CreateServerlessCache"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*",
"arn:aws:elasticache:*:*:replicationgroup:*",
"arn:aws:elasticache:*:*:serverlesscache:*"
],
"Condition": {
"NumericGreaterThanEquals": {
"elasticache:SnapshotRetentionLimit": "30"
}
}
}
]
}
elasticache:KmsKeyId: Specify the usage of customer managed AWS KMS keys.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowDependentResources",
"Effect": "Allow",
"Action": [
"elasticache:CreateServerlessCache"
],
"Resource": [
"arn:aws:elasticache:*:*:serverlesscachesnapshot:*",
"arn:aws:elasticache:*:*:snapshot:*",
"arn:aws:elasticache:*:*:usergroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateServerlessCache"
],
"Resource": [
"arn:aws:elasticache:*:*:serverlesscache:*"
],
"Condition": {
"StringEquals": {
"elasticache:KmsKeyId": "my-key"
}
}
}
]
}
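elasticache:CacheParameterGroupName: Specify a non-default parameter group with your organization's specific parameters on your clusters. You can also specify a naming pattern for your parameter groups or block deletion of a specific parameter group name. The following is an example that restricts usage to only "my-org-param-group".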
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*",
"arn:aws:elasticache:*:*:replicationgroup:*"
],
"Condition": {
"StringEquals": {
"elasticache:CacheParameterGroupName": "my-org-param-group"
}
}
}
]
}
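elasticache:CacheParameterGroupName: Using Memcached, specify a non-default parameter group with your organization's specific parameters on your clusters. You can also specify a naming pattern for your parameter groups or block deletion of a specific parameter group name. The following is an example that restricts usage to only "my-org-param-group".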
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*"
],
"Condition": {
"StringEquals": {
"elasticache:CacheParameterGroupName": "my-org-param-group"
}
}
}
]
}
elasticache:CreateCacheCluster: Deny the CreateCacheCluster action if the request tag Project is missing or is not equal to Dev, QA or Prod.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*",
"arn:aws:elasticache:*:*:securitygroup:*",
"arn:aws:elasticache:*:*:replicationgroup:*"
]
},
{
"Effect": "Deny",
"Action": [
"elasticache:CreateCacheCluster"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*"
],
"Condition": {
"Null": {
"aws:RequestTag/Project": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:AddTagsToResource"
],
"Resource": "arn:aws:elasticache:*:*:cluster:*",
"Condition": {
"StringEquals": {
"aws:RequestTag/Project": [
"Dev",
"Prod",
"QA"
]
}
}
}
]
}
elasticache:CacheNodeType: Allow CreateCacheCluster with cacheNodeType cache.r5.large or cache.r6g.4xlarge and the tag Project=XYZ.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster",
"elasticache:CreateReplicationGroup"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*"
],
"Condition": {
"StringEqualsIfExists": {
"elasticache:CacheNodeType": [
"cache.r5.large",
"cache.r6g.4xlarge"
]
},
"StringEquals": {
"aws:RequestTag/Project": "XYZ"
}
}
}
]
}
elasticache:CacheNodeType: Allow CreateCacheCluster with cacheNodeType cache.r5.large or cache.r6g.4xlarge and the tag Project=XYZ.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster"
],
"Resource": [
"arn:aws:elasticache:*:*:parametergroup:*",
"arn:aws:elasticache:*:*:subnetgroup:*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticache:CreateCacheCluster"
],
"Resource": [
"arn:aws:elasticache:*:*:cluster:*"
],
"Condition": {
"StringEqualsIfExists": {
"elasticache:CacheNodeType": [
"cache.r5.large",
"cache.r6g.4xlarge"
]
},
"StringEquals": {
"aws:RequestTag/Project": "XYZ"
}
}
}
]
}
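When creating policies that enforce tags and other condition keys together, the IfExists conditional may be required on condition key elements, because creation requests with the --tags parameter require the additional elasticache:AddTagsToResource policy.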