Common resource-based policy examples
These examples show common patterns for controlling access to Aurora DSQL clusters. You can combine and modify these patterns to fit your specific access requirements.
Block public internet access
This policy blocks connections to an Aurora DSQL cluster from the public internet (non-VPC sources). The policy doesn't specify which VPCs clients may connect from, only that they must connect from a VPC. To restrict access to specific VPCs, use aws:SourceVpc with the StringEquals condition operator.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": { "AWS": "*" },
            "Resource": "*",
            "Action": [
                "dsql:DbConnect",
                "dsql:DbConnectAdmin"
            ],
            "Condition": {
                "Null": { "aws:SourceVpc": "true" }
            }
        }
    ]
}
Note
This example uses only aws:SourceVpc to check for a VPC connection. The aws:VpcSourceIp and aws:SourceVpce condition keys provide additional granularity, but they aren't required for basic VPC-only access control.
To grant exceptions for specific roles, use this policy instead:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAccessFromOutsideVPC",
            "Effect": "Deny",
            "Principal": { "AWS": "*" },
            "Resource": "*",
            "Action": [
                "dsql:DbConnect",
                "dsql:DbConnectAdmin"
            ],
            "Condition": {
                "Null": { "aws:SourceVpc": "true" },
                "StringNotEquals": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::123456789012:role/ExceptionRole",
                        "arn:aws:iam::123456789012:role/AnotherExceptionRole"
                    ]
                }
            }
        }
    ]
}
Restrict access to an AWS Organization
This policy restricts access to principals within an AWS organization:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": { "AWS": "*" },
            "Action": [
                "dsql:DbConnect",
                "dsql:DbConnectAdmin"
            ],
            "Resource": "arn:aws:dsql:us-east-1:123456789012:cluster:mycluster",
            "Condition": {
                "StringNotEquals": { "aws:PrincipalOrgID": "o-exampleorgid" }
            }
        }
    ]
}
Restrict access to a specific organizational unit
This policy restricts access to principals within a specific organizational unit (OU) of your AWS organization, giving finer-grained control than the whole organization:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": { "AWS": "*" },
            "Action": [
                "dsql:DbConnect"
            ],
            "Resource": "arn:aws:dsql:us-east-1:123456789012:cluster:mycluster",
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalOrgPaths": "o-exampleorgid/r-examplerootid/ou-exampleouid/*"
                }
            }
        }
    ]
}
Multi-Region cluster policies
For multi-Region clusters, each regional cluster maintains its own resource policy, which allows Region-specific controls. The following example uses a different policy in each Region:
us-east-1 policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": { "AWS": "*" },
            "Resource": "*",
            "Action": [
                "dsql:DbConnect"
            ],
            "Condition": {
                "StringNotEquals": { "aws:SourceVpc": "vpc-east1-id" },
                "Null": { "aws:SourceVpc": "true" }
            }
        }
    ]
}
us-east-2 policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": { "AWS": "*" },
            "Resource": "*",
            "Action": [
                "dsql:DbConnect"
            ],
            "Condition": {
                "StringEquals": { "aws:SourceVpc": "vpc-east2-id" }
            }
        }
    ]
}
Note
Condition context key values (for example, VPC IDs) can differ between AWS Regions.
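The Deny statements on this page rely on three pieces of IAM condition behaviour: operators inside one Condition block are ANDed, Null with "true" holds when the key is absent from the request context, and negated operators such as StringNotEquals and StringNotLike also hold when the key is absent. The following added example (not AWS code) is a deliberately small model of those rules, written so that the VPC-with-exceptions, organizational-unit and us-east-1 policies above can be checked against constructed request contexts before they are attached to a cluster. It assumes the rules listed in the docstring, does not model Principal or Resource matching (every example uses Principal "*"), and treats aws:PrincipalOrgPaths as a single string; the role names and VPC IDs in the request contexts are made up.

```python
"""Offline check of the Aurora DSQL resource-policy examples above.

Added example, not AWS's own code: a small model of IAM condition evaluation.
Modelled rules (assumptions, matching documented IAM behaviour):
  - operators inside one Condition block are ANDed; values listed for a key are ORed
  - Null {key: "true"} holds when the key is absent from the request context
  - StringEquals / StringLike are false for an absent key
  - StringNotEquals / StringNotLike are TRUE for an absent key
Simplifications: Principal and Resource matching are not modelled (every example
uses Principal "*"), and aws:PrincipalOrgPaths is treated as a single string.
"""
import fnmatch


def _match(operator, policy_values, ctx_value):
    values = policy_values if isinstance(policy_values, list) else [policy_values]
    if operator == "Null":
        return (ctx_value is None) == (values[0] == "true")
    negated = "Not" in operator
    if ctx_value is None:
        return negated  # absent key: negated operators hold, positive ones do not
    if operator.endswith("Like"):
        hit = any(fnmatch.fnmatchcase(ctx_value, v) for v in values)
    else:
        hit = ctx_value in values
    return (not hit) if negated else hit


def condition_holds(condition, ctx):
    """Every operator/key pair in the Condition block must hold (AND)."""
    return all(_match(op, vals, ctx.get(key))
               for op, keys in condition.items()
               for key, vals in keys.items())


def evaluate(policy, action, ctx):
    """Return 'Deny', 'Allow' or 'NoMatch' for one action under a request context.

    An explicit Deny wins. A resource policy made only of Deny statements grants
    nothing by itself; the grant still has to come from the caller's identity policy.
    """
    result = "NoMatch"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


# The page's "deny outside VPC, except two roles" policy.
VPC_WITH_EXCEPTIONS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAccessFromOutsideVPC", "Effect": "Deny", "Principal": {"AWS": "*"},
    "Resource": "*", "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"],
    "Condition": {
        "Null": {"aws:SourceVpc": "true"},
        "StringNotEquals": {"aws:PrincipalArn": [
            "arn:aws:iam::123456789012:role/ExceptionRole",
            "arn:aws:iam::123456789012:role/AnotherExceptionRole"]}}}]}

# The page's organizational-unit policy.
OU_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": ["dsql:DbConnect"],
    "Resource": "arn:aws:dsql:us-east-1:123456789012:cluster:mycluster",
    "Condition": {"StringNotLike": {
        "aws:PrincipalOrgPaths": "o-exampleorgid/r-examplerootid/ou-exampleouid/*"}}}]}

# The page's us-east-1 policy from the multi-Region section.
US_EAST_1 = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": {"AWS": "*"}, "Resource": "*",
    "Action": ["dsql:DbConnect"],
    "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-east1-id"},
                  "Null": {"aws:SourceVpc": "true"}}}]}

if __name__ == "__main__":
    # Constructed request contexts; the role name and VPC ID below are made up.
    app_from_internet = {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/AppRole"}
    app_from_vpc = {**app_from_internet, "aws:SourceVpc": "vpc-0123456789abcdef0"}
    exception_from_internet = {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/ExceptionRole"}
    for name, ctx in [("app / internet", app_from_internet),
                      ("app / vpc", app_from_vpc),
                      ("exception role / internet", exception_from_internet)]:
        print(f"{name:28} -> {evaluate(VPC_WITH_EXCEPTIONS, 'dsql:DbConnect', ctx)}")
    for path in ["o-exampleorgid/r-examplerootid/ou-exampleouid/", "o-exampleorgid/r-examplerootid/ou-other/"]:
        print(f"OU path {path:48} -> {evaluate(OU_ONLY, 'dsql:DbConnect', {'aws:PrincipalOrgPaths': path})}")
```

Two results are worth noticing. The organizational-unit policy denies a principal that carries no aws:PrincipalOrgPaths at all (a principal outside any organization), because StringNotLike holds for an absent key; that is the behaviour you want from a Deny. In the us-east-1 policy the two operators are ANDed, so under these rules the statement matches only when aws:SourceVpc is absent; a connection from a VPC other than vpc-east1-id is not matched by it. If the intent is to deny other VPCs as well, the StringNotEquals condition on its own already covers the no-VPC case, so the Null condition can be dropped. Whichever form you choose, run it through a check like this one, or the IAM policy simulator, before deploying.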