VPCE和组织内资源

允许组织内的主体(aws:PrincipalOrgID)访问组织内的资源(aws:ResourceOrgID),则条件设置为如下(两个键须同时匹配才会放行):

          "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "<my-org-id>",
                    "aws:ResourceOrgID": "<my-org-id>"
                }
            }

允许AWS服务主体发起请求(即AWS服务代表你的账户发起的服务到服务调用),则条件设置为如下。注意该条件只判断调用方是否为AWS服务,并不限制触发该调用的源账户;在服务支持的前提下,可额外加入 aws:SourceAccount 或 aws:SourceOrgID 以防范混淆代理(confused deputy)问题:

            "Condition": {
                "Bool": {
                    "aws:PrincipalIsAWSService": "true"
                }
            }

允许带有例外标签的组织内主体访问任意资源(不再受 aws:ResourceOrgID 限制),则条件设置为如下。该例外完全依赖主体上的 resource-perimeter-exception 标签,任何能为IAM主体设置该标签的人都可以借此绕过资源边界,因此必须通过SCP或标签策略严格限制该标签的设置权限:

            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "<my-org-id>",
                    "aws:PrincipalTag/resource-perimeter-exception": "true"
                }
            }

完整的VPC终端节点策略如下(三条Allow语句各自独立评估,请求只要匹配其中任意一条即被放行):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "*",          
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "<my-org-id>",
                    "aws:ResourceOrgID": "<my-org-id>"
                }
            }
        },
        {
            "Sid": "AllowRequestsByAWSServicePrincipals",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:PrincipalIsAWSService": "true"
                }
            }
        },
        {
            "Sid": "AllowRequestsByOrgsIdentitiesToAnyResources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "<my-org-id>",
                    "aws:PrincipalTag/resource-perimeter-exception": "true"
                }
            }
        }
    ]
}
