AWS resource-based policies 簡介

AWS resource-based policies（以資源為基礎的政策）簡介。

AWS IAM resource-based policies是一份附加在服務/資源(e.g. S3, EC2, Lambda, ...)上用以指定誰(Principal)允許對該資源執行特定操作(action)的JSON文件設定。resource-based policies屬於inline policies。

例如下面為在AWS Lambda DemoFunction資源設定的resource-based policies的JSON配置。

DemoFunction resource-based policies

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "demo-func-john-001-invoke",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::400371196721:user/john-001"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:ap-northeast-2:400371196721:function:DemoFunction"
    }
  ]
}

上面設定允許Principal 使用者john-001arn:aws:iam::400371196721:user/john-001對AWS Lambda資源arn:aws:lambda:ap-northeast-2:400371196721:function:DemoFunction進行InvokeFunction的操作。

• Policies and permissions in IAM
• Using resource-based policies for AWS Lambda