策略示例

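允许用户对任何 Amazon DocumentDB 资源执行任何 Describe 操作。Amazon DocumentDB 使用 rds: 操作前缀，且此处 Resource 为 "*"，因此该策略同样允许对账户中的 Amazon RDS 和 Amazon Neptune 资源执行 Describe 操作。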

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"AllowRDSDescribe",
         "Effect":"Allow",
         "Action":"rds:Describe*",
         "Resource":"*"
      }
   ]
}

防止用户删除特定实例

以下策略仅拒绝删除 Resource 中指定的实例（us-east-1 区域中的 my-db-instance），其他实例不受影响。显式 Deny 优先于任何 Allow 语句。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"DenyDelete1",
         "Effect":"Deny",
         "Action":"rds:DeleteDBInstance",
         "Resource":"arn:aws:rds:us-east-1:123456789012:db:my-db-instance"
      }
   ]
}

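使用 IAM 条件

以下策略在 rds:DatabaseEngine 条件键的值与指定引擎名称不匹配时，拒绝创建实例和集群。应用前请核对两点：Version 元素的有效写法是带连字符的 "2012-10-17"（与本页其他示例一致），而下面示例写作 "20121017"；条件值必须与实际引擎名称一致（Amazon DocumentDB API 中的引擎名称为 docdb，请核对示例中的 "chimera" 是否适用），否则该 Deny 语句也会拒绝创建 DocumentDB 资源。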

{
    "Version": "20121017",
    "Statement": [
        {
            "Action": [
                "rds:CreateDBInstance",
                "rds:CreateDBCluster"
            ],
            "Condition": {
                "StringNotLike": {
                    "rds:DatabaseEngine": "chimera"
                }
            },
            "Effect": "Deny",
            "Resource": "*",
            "Sid": "DenyUsageOfRDSEnginesExceptDocumentDB"
        }
    ]
}
