在IAM策略中使用接入点 - Amazon Elastic File System

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

在IAM策略中使用接入点

您可以使用IAM策略强制规定由其IAM角色标识的特定NFS客户端只能访问特定的接入点。为此,您可以使用elasticfilesystem:AccessPointArnIAM条件键。AccessPointArn是挂载文件系统的接入点的 Amazon 资源名称 (ARN)。

以下是允许IAM角色使用访问点app1访问文件系统的文件系统策略示例fsap-01234567。该策略还允许 app2 通过访问点使用文件系统 fsap-89abcdef

{
    "Version": "2012-10-17",
    "Id": "MyFileSystemPolicy",
    "Statement": [
        {
            "Sid": "App1Access",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::111122223333:role/app1" },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Condition": {
                "StringEquals": {
                    "elasticfilesystem:AccessPointArn" : "arn:aws:elasticfilesystem:us-east-1:222233334444:access-point/fsap-01234567"
                }
            }
        },
        {
            "Sid": "App2Access",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::111122223333:role/app2" },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Condition": {
                "StringEquals": {
                    "elasticfilesystem:AccessPointArn" : "arn:aws:elasticfilesystem:us-east-1:222233334444:access-point/fsap-89abcdef"
                }
            }
        }
    ]
}