This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version takes precedence.
Using access points in IAM policies
You can use an IAM policy to enforce that a specific NFS client, identified by its IAM role, can access the file system only through a specific access point. To do this, use the elasticfilesystem:AccessPointArn IAM condition key. AccessPointArn is the Amazon Resource Name (ARN) of the access point used to mount the file system.
The following example file system policy allows the IAM role app1 to access the file system through access point fsap-01234567. The policy also allows app2 to use the file system through access point fsap-89abcdef.
{
    "Version": "2012-10-17",
    "Id": "MyFileSystemPolicy",
    "Statement": [
        {
            "Sid": "App1Access",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::111122223333:role/app1" },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/*",
            "Condition": {
                "StringEquals": {
                    "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:222233334444:access-point/fsap-01234567"
                }
            }
        },
        {
            "Sid": "App2Access",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::111122223333:role/app2" },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/*",
            "Condition": {
                "StringEquals": {
                    "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:222233334444:access-point/fsap-89abcdef"
                }
            }
        }
    ]
}
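To show what the condition key actually enforces, here is an added example (not AWS code, and not a full IAM evaluator) that rebuilds the policy above in Python and evaluates mount requests against it with a simplified model: StringEquals only, explicit Deny over Allow, and implicit Deny otherwise. It makes the defender-relevant edge case visible: a request whose context carries no elasticfilesystem:AccessPointArn (a mount that bypasses access points) never satisfies the condition and is denied.

```python
import fnmatch

# Constructed from the policy on this page: the two access-point ARNs and a
# helper that builds each statement (same actions, resource and condition shape).
AP_APP1 = "arn:aws:elasticfilesystem:us-east-1:222233334444:access-point/fsap-01234567"
AP_APP2 = "arn:aws:elasticfilesystem:us-east-1:222233334444:access-point/fsap-89abcdef"

def statement(sid, role, access_point_arn):
    return {
        "Sid": sid, "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::111122223333:role/{role}"},
        "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
        "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/*",
        "Condition": {"StringEquals": {"elasticfilesystem:AccessPointArn": access_point_arn}},
    }

POLICY = {"Version": "2012-10-17", "Id": "MyFileSystemPolicy",
          "Statement": [statement("App1Access", "app1", AP_APP1),
                        statement("App2Access", "app2", AP_APP2)]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches_any(needle, patterns):
    # IAM-style wildcards '*' and '?'; fnmatchcase is case-sensitive, like ARNs.
    return any(fnmatch.fnmatchcase(needle, p) for p in _as_list(patterns))

def _condition_ok(condition, context):
    # Only StringEquals is modelled. A key absent from the request context (e.g.
    # AccessPointArn on a mount that does not use an access point) never matches.
    for key, expected in condition.get("StringEquals", {}).items():
        if key not in context or context[key] not in _as_list(expected):
            return False
    return True

def evaluate(policy, principal_arn, action, resource_arn, context):
    """Simplified IAM evaluation: explicit Deny wins, then any Allow, else implicit Deny."""
    effects = set()
    for st in policy["Statement"]:
        principal = st.get("Principal", {})
        allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" not in allowed and principal_arn not in allowed:
            continue
        if not _matches_any(action, st["Action"]) or not _matches_any(resource_arn, st["Resource"]):
            continue
        if not _condition_ok(st.get("Condition", {}), context):
            continue
        effects.add(st["Effect"])
    return "Deny" if "Deny" in effects or "Allow" not in effects else "Allow"
```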