

This page is a machine translation of the English version. If the content is ambiguous or inconsistent in any way, the English version prevails.

# Appendix: Sample profile and role policies
<a name="appendix-sample-policies"></a>

## Sample policies for application 1
<a name="appendix-sample-policies-app-1"></a>

The sample policy for **Profile 1** allows a few read-only actions on **bucket 1** in Amazon Simple Storage Service (Amazon S3):

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1",
                "arn:aws:s3:::amzn-s3-demo-bucket1/*"
            ]
        }
    ]
}
```

The sample policy for **Role 1** allows the `DescribeInstances` action on an Amazon Elastic Compute Cloud (Amazon EC2) instance, and a broader set of read and write actions on **bucket 1** and **bucket 2** in Amazon S3. Note that `ec2:DescribeInstances` does not support resource-level permissions, so a policy you deploy must use `"Resource": "*"` for that statement; the instance ARN in the sample is illustrative only:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:instance/i-01234567890abcdef"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectLegalHold",
                "s3:PutObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1",
                "arn:aws:s3:::amzn-s3-demo-bucket1/*",
                "arn:aws:s3:::amzn-s3-demo-bucket2",
                "arn:aws:s3:::amzn-s3-demo-bucket2/*"
            ]
        }
    ]
}
```

The **Profile 1** policy restricts the permissions granted by the **Role 1** policy. It is applied to the role session as a session policy when the role is assumed through IAM Roles Anywhere, so the session's effective permissions are the intersection of the two: a request must be allowed by both the role policy and the profile policy, and the profile policy can never add a permission the role does not already have. An application that assumes **Role 1** can therefore only read from **bucket 1**. It cannot access **bucket 2**, write to **bucket 1**, or perform any Amazon EC2 action, because the **Profile 1** policy does not grant those permissions.

## Sample policies for application 2
<a name="appendix-sample-policies-app-2"></a>

The sample policy for **Profile 2** allows a few read-only actions on **bucket 2** in Amazon S3:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket2",
                "arn:aws:s3:::amzn-s3-demo-bucket2/*"
            ]
        }
    ]
}
```

The sample policy for **Role 2** allows the `DescribeInstances` action on an Amazon EC2 instance, and a broader set of read and write actions on **bucket 1** and **bucket 2** in Amazon S3 (the same caveat about resource-level permissions for `ec2:DescribeInstances` applies here):

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:567890123456:instance/i-05678901234ghijk"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectLegalHold",
                "s3:PutObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1",
                "arn:aws:s3:::amzn-s3-demo-bucket1/*",
                "arn:aws:s3:::amzn-s3-demo-bucket2",
                "arn:aws:s3:::amzn-s3-demo-bucket2/*"
            ]
        }
    ]
}
```

The **Profile 2** policy restricts the permissions granted by the **Role 2** policy. It is applied to the role session as a session policy when the role is assumed through IAM Roles Anywhere, so only requests allowed by both policies succeed. An application that assumes **Role 2** can therefore only read from **bucket 2**. It cannot access **bucket 1**, write to **bucket 2**, or perform any Amazon EC2 action, because the **Profile 2** policy does not grant those permissions.
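The "role policy AND profile policy" intersection described for both application 1 and application 2 above can be checked offline with a small evaluator. The following is an added example and is not code from this page or from AWS; it models only `Allow` statements with IAM-style `*`/`?` wildcards (explicit `Deny`, `Condition` keys, resource policies, permissions boundaries and SCPs are out of scope), and the embedded `ROLE_1` and `PROFILE_1` dictionaries are copies of the page's Role 1 and Profile 1 policies. The request list under `__main__` is constructed for illustration.

```python
# Added example (not from the AWS page): a toy evaluator for the
# "role policy AND profile session policy" intersection that IAM Roles Anywhere
# applies to a session. Only Allow statements and IAM-style wildcards are
# modelled; explicit Deny, Condition, resource policies, permissions boundaries
# and SCPs are out of scope. The two policies below copy the page's Role 1 and
# Profile 1 (bucket names and instance ID are AWS's documentation placeholders).
import fnmatch

ROLE_1 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances"],
         "Resource": ["arn:aws:ec2:us-east-1:123456789012:instance/i-01234567890abcdef"]},
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject",
                    "s3:GetObjectTagging", "s3:GetObjectVersion", "s3:PutObject",
                    "s3:PutObjectAcl", "s3:PutObjectLegalHold", "s3:PutObjectTagging"],
         "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket1", "arn:aws:s3:::amzn-s3-demo-bucket1/*",
                      "arn:aws:s3:::amzn-s3-demo-bucket2", "arn:aws:s3:::amzn-s3-demo-bucket2/*"]},
    ],
}

PROFILE_1 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion"],
         "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket1", "arn:aws:s3:::amzn-s3-demo-bucket1/*"]},
    ],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # fnmatch uses the same two but also '[...]' classes, so escape '[' to
    # keep any bracket in an ARN literal.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def policy_allows(policy, action, resource):
    """True if some Allow statement matches both the action and the resource.
    Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_ok = any(_glob(r, resource) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def session_allows(role_policy, profile_policy, action, resource):
    """Effective permission of a Roles Anywhere session: the request must be
    allowed by the role's identity policy AND by the profile's session policy.
    The profile policy can narrow the role but never adds a permission to it."""
    return policy_allows(role_policy, action, resource) and policy_allows(
        profile_policy, action, resource)


def evaluate(role_policy, profile_policy, requests):
    """Map each (action, resource) request to 'allow' or 'deny'."""
    return {(a, r): ("allow" if session_allows(role_policy, profile_policy, a, r) else "deny")
            for a, r in requests}


if __name__ == "__main__":
    # Constructed requests covering the cases the page describes for application 1.
    requests = [
        ("s3:GetObject", "arn:aws:s3:::amzn-s3-demo-bucket1/reports/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::amzn-s3-demo-bucket2/reports/q1.csv"),
        ("s3:PutObject", "arn:aws:s3:::amzn-s3-demo-bucket1/reports/q1.csv"),
        ("ec2:DescribeInstances",
         "arn:aws:ec2:us-east-1:123456789012:instance/i-01234567890abcdef"),
    ]
    for (action, resource), verdict in evaluate(ROLE_1, PROFILE_1, requests).items():
        print(f"{verdict:5}  {action:22}  {resource}")
```

Swapping in the page's Role 2 and Profile 2 dictionaries gives the mirror-image result for application 2: reads on bucket 2 are allowed, everything else the role policy grants is cut off by the profile. The useful property to verify before deploying a profile is the one the last assertion style below captures: a profile policy that is broader than the role still cannot grant anything the role itself lacks.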