Introduction to AWS resource-based policies.
An AWS IAM resource-based policy is a JSON document attached to a service/resource (e.g. S3, EC2, Lambda, ...) that specifies who (the Principal) is allowed to perform specific actions (Action) on that resource. Resource-based policies are inline policies.
For example, below is the JSON configuration of the resource-based policy set on the AWS Lambda function DemoFunction.
DemoFunction resource-based policy
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "demo-func-john-001-invoke",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::400371196721:user/john-001"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:ap-northeast-2:400371196721:function:DemoFunction"
    }
  ]
}
The policy above allows the Principal, IAM user john-001 (arn:aws:iam::400371196721:user/john-001), to perform the lambda:InvokeFunction operation on the AWS Lambda resource arn:aws:lambda:ap-northeast-2:400371196721:function:DemoFunction.
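Because a resource-based policy is where a resource can be opened to principals outside the account (or to everyone), a common defender's check is to walk every Allow statement and see who the Principal really is. The Python below is an added example, not code from the post; it embeds the DemoFunction policy above plus one constructed statement with a "*" principal, and the helper names (review_policy, principals_of) are its own.

```python
import json

# Sample input: the DemoFunction policy from the post, plus one constructed
# statement with a wildcard principal so the check has something to flag.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {"Sid": "demo-func-john-001-invoke", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::400371196721:user/john-001"},
     "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:ap-northeast-2:400371196721:function:DemoFunction"},
    {"Sid": "constructed-public-invoke", "Effect": "Allow",
     "Principal": "*",
     "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:ap-northeast-2:400371196721:function:DemoFunction"}
  ]
}"""


def _as_list(value):
    """Policy fields may hold one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principals_of(statement):
    """Flatten the Principal element ("*" or {"AWS": ..., "Service": ...})."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    found = []
    for ids in principal.values():
        found.extend(_as_list(ids))
    return found


def review_policy(policy_text, account_id):
    """Return findings for Allow statements whose principal is not an identity
    in account_id. Conditions are not evaluated here; a "*" principal that
    carries a Condition is reported for manual review instead."""
    findings = []
    for st in _as_list(json.loads(policy_text)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        sid, actions = st.get("Sid", "<no Sid>"), ",".join(_as_list(st["Action"]))
        for p in principals_of(st):
            if p == "*" and "Condition" not in st:
                findings.append(f"{sid}: PUBLIC - anyone may call {actions}")
            elif p == "*":
                findings.append(f"{sid}: wildcard principal limited only by Condition")
            elif p.startswith("arn:aws:iam::") and p.split(":")[4] != account_id:
                findings.append(f"{sid}: cross-account principal {p}")
    return findings
```

Running review_policy(POLICY_JSON, "400371196721") reports only the constructed public statement; the john-001 statement is in-account and passes.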