限制跨 AWS 区域的数据传输
除了指定的两个 AWS IAM 角色之外,此服务控制策略 (SCP) 拒绝对 eu-west-1 和 eu-central-1 以外的 AWS 区域发出的 API 调用。此 SCP 有助于防止在未经批准的区域创建 AWS 存储资源或处理数据。此策略使用 NotAction 参数,因为它需要考虑全局 AWS 服务(如 IAM)以及与全局服务集成的服务,如 AWS Key Management Service (AWS KMS) 和 Amazon CloudFront;列在 NotAction 中的操作不受此 Deny 语句的区域限制。在参数值中,您可以将这些全局服务和其他不适用的服务指定为例外。有关此策略如何帮助保护组织中的隐私和个人数据的详细信息,请参阅本指南中的 AWS 组织 部分。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllOutsideEU",
"Effect": "Deny",
"NotAction": [
"a4b:*",
"acm:*",
"aws-marketplace-management:*",
"aws-marketplace:*",
"aws-portal:*",
"budgets:*",
"ce:*",
"chime:*",
"cloudfront:*",
"config:*",
"cur:*",
"directconnect:*",
"ec2:DescribeRegions",
"ec2:DescribeTransitGateways",
"ec2:DescribeVpnGateways",
"fms:*",
"globalaccelerator:*",
"health:*",
"iam:*",
"importexport:*",
"kms:*",
"mobileanalytics:*",
"networkmanager:*",
"organizations:*",
"pricing:*",
"route53:*",
"route53domains:*",
"route53-recovery-cluster:*",
"route53-recovery-control-config:*",
"route53-recovery-readiness:*",
"s3:GetAccountPublic*",
"s3:ListAllMyBuckets",
"s3:ListMultiRegionAccessPoints",
"s3:PutAccountPublic*",
"shield:*",
"sts:*",
"support:*",
"trustedadvisor:*",
"waf-regional:*",
"waf:*",
"wafv2:*",
"wellarchitected:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"eu-central-1",
"eu-west-1"
]
},
"ArnNotLike": {
"aws:PrincipalARN": [
"arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
"arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
]
}
}
}
]
}