


# Identity policy examples in Amazon SES
<a name="identity-authorization-policy-examples"></a>

Identity authorization lets you specify fine-grained conditions under which you allow or deny API actions for an identity.

**Topics**
+ [Specifying the principal](#identity-authorization-policy-example-delegate-user)
+ [Restricting the action](#sending-authorization-policy-example-restricting-action)
+ [Using multiple statements](#identity-authorization-policy-example-multiple-statements)

## Specifying the principal
<a name="identity-authorization-policy-example-delegate-user"></a>

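The *principal* is the entity to which you are granting permission. It can be an AWS account, an AWS Identity and Access Management (IAM) user, or an AWS service belonging to the same account.

The following example shows a simple policy that allows AWS ID *123456789012* to control the verified identity *example.com*, which is also owned by AWS account *123456789012*.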

```
{
  "Id":"SampleAuthorizationPolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AuthorizeMarketer",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:123456789012:identity/example.com",
      "Principal":{
        "AWS":[
          "123456789012"
        ]
      },
      "Action":[
        "ses:DeleteEmailIdentity",
        "ses:PutEmailIdentityDkimSigningAttributes"
      ]
    }
  ]
}
```

The following example policy grants two users permission to control the verified identity *example.com*. The users are specified by their Amazon Resource Name (ARN).

```
{
  "Id":"ExampleAuthorizationPolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AuthorizeIAMUser",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:123456789012:identity/example.com",
      "Principal":{
        "AWS":[
          "arn:aws:iam::123456789012:user/John",
          "arn:aws:iam::123456789012:user/Jane"
        ]
      },
      "Action":[
        "ses:DeleteEmailIdentity",
        "ses:PutEmailIdentityDkimSigningAttributes"
      ]
    }
  ]
}
```

## Restricting the action
<a name="sending-authorization-policy-example-restricting-action"></a>

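Depending on the level of control you want to authorize, there are multiple actions that can be specified in an identity authorization policy: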

```
"BatchGetMetricData",
"ListRecommendations",
"CreateDeliverabilityTestReport",
"CreateEmailIdentityPolicy",
"DeleteEmailIdentity",
"DeleteEmailIdentityPolicy",
"GetDomainStatisticsReport",
"GetEmailIdentity",
"GetEmailIdentityPolicies",
"PutEmailIdentityConfigurationSetAttributes",
"PutEmailIdentityDkimAttributes",
"PutEmailIdentityDkimSigningAttributes",
"PutEmailIdentityFeedbackAttributes",
"PutEmailIdentityMailFromAttributes",
"TagResource",
"UntagResource",
"UpdateEmailIdentityPolicy"
```

An identity authorization policy also lets you restrict a principal to just one of these actions.

```
{
    "Id": "ExamplePolicy",
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "ControlAction",
            "Effect": "Allow",
            "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
            "Principal": {
                "AWS": [
                    "123456789012"
                ]
            },
            "Action": [
                "ses:PutEmailIdentityMailFromAttributes"
            ]
        }
    ]
}
```
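
The two constraints described so far, principals that belong to the same account as the identity and actions drawn from the list above, can be checked before a policy is attached. The following Python example is added here and is not part of the AWS documentation; `lint_identity_policy`, its helpers and the sample policy are hypothetical, and it assumes the same-account wording above is enforced strictly for `AWS` principals.

```python
import json

# Action names exactly as listed on this page, with the "ses:" prefix its policies use.
ALLOWED_ACTIONS = {"ses:" + name for name in (
    "BatchGetMetricData", "ListRecommendations", "CreateDeliverabilityTestReport",
    "CreateEmailIdentityPolicy", "DeleteEmailIdentity", "DeleteEmailIdentityPolicy",
    "GetDomainStatisticsReport", "GetEmailIdentity", "GetEmailIdentityPolicies",
    "PutEmailIdentityConfigurationSetAttributes", "PutEmailIdentityDkimAttributes",
    "PutEmailIdentityDkimSigningAttributes", "PutEmailIdentityFeedbackAttributes",
    "PutEmailIdentityMailFromAttributes", "TagResource", "UntagResource",
    "UpdateEmailIdentityPolicy")}

def as_list(value):  # policy fields may hold one string or a list of strings
    return value if isinstance(value, list) else [value]

def principal_account(principal):
    """Account ID from a bare 12-digit ID or an IAM ARN; None for anything else."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[:3] == ["arn", "aws", "iam"] else None

def lint_identity_policy(policy_json):
    """Hypothetical helper: findings for actions and AWS principals; [] means none."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        for action in as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:  # also catches wildcards such as ses:*
                findings.append(f"{sid}: action {action} is not in the listed set")
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for resource in as_list(stmt.get("Resource", [])):
            owner = resource.split(":")[4] if resource.count(":") >= 5 else None
            for p in aws:
                acct = principal_account(p)
                if acct is None or acct != owner:
                    findings.append(f"{sid}: principal {p} is not in account {owner}")
    return findings

# Constructed sample: a wildcard action and a principal from another account.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow",
    "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
    "Principal": {"AWS": ["arn:aws:iam::111122223333:user/Alex", "123456789012"]},
    "Action": ["ses:*", "ses:GetEmailIdentity"]}]})

if __name__ == "__main__":
    print("\n".join(lint_identity_policy(SAMPLE)))
```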

## Using multiple statements
<a name="identity-authorization-policy-example-multiple-statements"></a>

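Your identity authorization policy can include multiple statements. The following example policy has two statements. The first statement denies two users within the same account `123456789012` access to `GetEmailIdentity` on *sender@example.com*. The second statement denies `UpdateEmailIdentityPolicy` for the principal *Jack*, within the same account `123456789012`.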

```
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"DenyGet",
      "Effect":"Deny",
      "Resource":"arn:aws:ses:us-east-1:123456789012:identity/sender@example.com",
      "Principal":{
        "AWS":[
          "arn:aws:iam::123456789012:user/John", 
          "arn:aws:iam::123456789012:user/Jane"
        ]
      },
      "Action":[
        "ses:GetEmailIdentity"
      ]
    },
    {
      "Sid":"DenyUpdate",
      "Effect":"Deny",
      "Resource":"arn:aws:ses:us-east-1:123456789012:identity/sender@example.com",
      "Principal":{
        "AWS":"arn:aws:iam::123456789012:user/Jack"
      },
      "Action":[
        "ses:UpdateEmailIdentityPolicy"
      ]
    }
  ]
}
```
