VPCE和组织内资源
允许组织内的主体访问组织内的资源,则条件设置为:
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "<my-org-id>",
"aws:ResourceOrgID": "<my-org-id>"
}
}
允许AWS服务主体发起请求,则条件设置为:
"Condition": {
"Bool": {
"aws:PrincipalIsAWSService": "true"
}
}
允许组织主体访问任何资源,则条件设置为:
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "<my-org-id>",
"aws:PrincipalTag/resource-perimeter-exception": "true"
}
}
完整策略如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "<my-org-id>",
"aws:ResourceOrgID": "<my-org-id>"
}
}
},
{
"Sid": "AllowRequestsByAWSServicePrincipals",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "*",
"Resource": "*",
"Condition": {
"Bool": {
"aws:PrincipalIsAWSService": "true"
}
}
},
{
"Sid": "AllowRequestsByOrgsIdentitiesToAnyResources",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "<my-org-id>",
"aws:PrincipalTag/resource-perimeter-exception": "true"
}
}
}
]
}
最后更新于