This page is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.
Appendix: Example profile and role policies
Example policies for application 1
The example policy for profile 1 allows some actions on bucket 1 in Amazon Simple Storage Service (Amazon S3):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1",
                "arn:aws:s3:::amzn-s3-demo-bucket1/*"
            ]
        }
    ]
}
The example policy for role 1 allows the DescribeInstances action on an Amazon Elastic Compute Cloud (Amazon EC2) instance, and allows some actions on bucket 1 and bucket 2 in Amazon S3:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:instance/i-01234567890abcdef"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectLegalHold",
                "s3:PutObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1",
                "arn:aws:s3:::amzn-s3-demo-bucket1/*",
                "arn:aws:s3:::amzn-s3-demo-bucket2",
                "arn:aws:s3:::amzn-s3-demo-bucket2/*"
            ]
        }
    ]
}
The profile 1 policy restricts the permissions granted by the role 1 policy. It is applied to the role session when the role is assumed through IAM Roles Anywhere. An application that assumes role 1 can access only bucket 1. It cannot access bucket 2 or perform any Amazon EC2 actions, because the profile 1 policy does not grant those permissions.
Example policies for application 2
The example policy for profile 2 allows some actions on bucket 2 in Amazon S3:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket2",
                "arn:aws:s3:::amzn-s3-demo-bucket2/*"
            ]
        }
    ]
}
The example policy for role 2 allows the DescribeInstances action on an Amazon EC2 instance, and allows some actions on bucket 1 and bucket 2 in Amazon S3:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:567890123456:instance/i-05678901234ghijk"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectLegalHold",
                "s3:PutObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1",
                "arn:aws:s3:::amzn-s3-demo-bucket1/*",
                "arn:aws:s3:::amzn-s3-demo-bucket2",
                "arn:aws:s3:::amzn-s3-demo-bucket2/*"
            ]
        }
    ]
}
The profile 2 policy restricts the permissions granted by the role 2 policy. It is applied to the role session when the role is assumed through IAM Roles Anywhere. An application that assumes role 2 can access only bucket 2. It cannot access bucket 1 or perform any Amazon EC2 actions, because the profile 2 policy does not grant those permissions.
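The two explanations above (profile 1 narrowing role 1, and profile 2 narrowing role 2) both rest on one rule: a session policy attached to an IAM Roles Anywhere profile never adds permissions, so a request succeeds only when the role policy and the profile policy both allow it. The following Python is an added example, not code from AWS or from this guide, that models that intersection with a deliberately simplified evaluator: it handles `Allow` and explicit `Deny` statements with `*`/`?` wildcards in actions and resources, and assumes no `Condition`, `NotAction`, `NotResource` or resource-based policies are in play. The policies are rebuilt from the appendix's own JSON; the object keys used as sample requests (`report.csv`) are constructed.

```python
import fnmatch

# Policies from the appendix, rebuilt by two small helpers because the
# profile policies differ only in bucket and the role policies only in
# the EC2 instance ARN.
S3_READ = ["s3:ListBucket", "s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion"]
S3_READ_WRITE = ["s3:ListAllMyBuckets"] + S3_READ + [
    "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectLegalHold", "s3:PutObjectTagging"]
BOTH_BUCKETS = ["arn:aws:s3:::amzn-s3-demo-bucket1", "arn:aws:s3:::amzn-s3-demo-bucket1/*",
                "arn:aws:s3:::amzn-s3-demo-bucket2", "arn:aws:s3:::amzn-s3-demo-bucket2/*"]


def profile_policy(bucket):
    """Profile (session) policy shape from the appendix: read-only on one bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": S3_READ,
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}


def role_policy(instance_arn):
    """Role policy shape from the appendix: DescribeInstances plus read/write on both buckets."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": [instance_arn]},
        {"Effect": "Allow", "Action": S3_READ_WRITE, "Resource": BOTH_BUCKETS}]}


PROFILE_1 = profile_policy("amzn-s3-demo-bucket1")
ROLE_1 = role_policy("arn:aws:ec2:us-east-1:123456789012:instance/i-01234567890abcdef")
PROFILE_2 = profile_policy("amzn-s3-demo-bucket2")
ROLE_2 = role_policy("arn:aws:ec2:us-east-1:567890123456:instance/i-05678901234ghijk")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource both cover the request.
    IAM action names are case-insensitive; ARNs are compared case-sensitively."""
    action_hit = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                     for pat in _as_list(stmt.get("Action", [])))
    resource_hit = any(fnmatch.fnmatchcase(resource, pat)
                       for pat in _as_list(stmt.get("Resource", [])))
    return action_hit and resource_hit


def policy_allows(policy, action, resource):
    """Simplified single-policy decision: explicit Deny wins, then any Allow,
    otherwise implicit deny. Conditions and Not* elements are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def session_allows(role_policy_doc, profile_policy_doc, action, resource):
    """Effective permission of a Roles Anywhere session: the intersection of
    what the role's identity policy allows and what the profile's session
    policy allows. The profile can only narrow the role, never widen it."""
    return (policy_allows(role_policy_doc, action, resource)
            and policy_allows(profile_policy_doc, action, resource))


if __name__ == "__main__":
    obj1 = "arn:aws:s3:::amzn-s3-demo-bucket1/report.csv"   # constructed sample key
    obj2 = "arn:aws:s3:::amzn-s3-demo-bucket2/report.csv"
    for action, resource in [("s3:GetObject", obj1), ("s3:GetObject", obj2),
                             ("s3:PutObject", obj1),
                             ("ec2:DescribeInstances", ROLE_1["Statement"][0]["Resource"][0])]:
        print(f"app 1: {action:22} {resource.split(':::')[-1] if ':::' in resource else 'ec2'}"
              f" -> role={policy_allows(ROLE_1, action, resource)}"
              f" session={session_allows(ROLE_1, PROFILE_1, action, resource)}")
```

Running the block prints, for application 1, that the role alone would permit all four requests while the session permits only the read of bucket 1. The write to bucket 1 is worth noting: the text says the application "can access only bucket 1", and this shows that even on bucket 1 the session is limited to the read actions the profile lists, so a bucket that should stay read-only for an application can be enforced at the profile without touching the shared role.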