This page is a machine-translated version. If this translation differs from the English original, the English original prevails.
Default context for Verified Access trust data
Regardless of which trust provider you configure, AWS Verified Access includes some elements about the current request in every Cedar evaluation by default. If you choose, you can write policies that evaluate against this data.
The following are examples of the data included in the evaluation.
HTTP request
When evaluating policies, Verified Access includes data about the current HTTP request in the Cedar context under the context.http_request key.
{
    "title": "HTTP Request data included by Verified Access",
    "type": "object",
    "properties": {
        "user_agent": {
            "type": "string",
            "description": "The value of the User-Agent request header"
        },
        "x_forwarded_for": {
            "type": "string",
            "description": "The value of the X-Forwarded-For request header"
        },
        "http_method": {
            "type": "string",
            "description": "The HTTP method (for example, GET or POST)"
        },
        "hostname": {
            "type": "string",
            "description": "The value of the Host request header"
        },
        "port": {
            "type": "integer",
            "description": "The endpoint port"
        },
        "client_ip": {
            "type": "string",
            "description": "The IP address connecting to the endpoint"
        }
    }
}
Policy example
The following is an example Cedar policy that uses HTTP request data.
forbid(principal, action, resource) when {
    context.http_request.http_method == "POST"
    && !(context.identity.roles.contains("Administrator"))
};
TCP flow
When evaluating policies, Verified Access includes data about the current TCP flow in the Cedar context under the context.tcp_flow key.
{
    "title": "TCP flow data included by Verified Access",
    "type": "object",
    "properties": {
        "destination_ip": {
            "type": "string",
            "description": "The IP address of the target"
        },
        "destination_port": {
            "type": "string",
            "description": "The target port"
        },
        "client_ip": {
            "type": "string",
            "description": "The IP address connecting to the endpoint"
        }
    }
}
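The following Python is an added example, not code from the AWS documentation or the Verified Access service. It serves both the HTTP request and the TCP flow sections above: it builds a context object shaped like the two schemas, checks that each declared property has the JSON type the schema gives it (and that the IP-typed fields parse as IP addresses), and then mirrors the page's sample forbid policy so you can see how it resolves for different contexts. The sample values, the identity.roles list and the assumption that a blanket permit policy exists are constructed for the demo; the property names and types are copied from the schemas above.

```python
"""Added example: validate a Verified Access style Cedar context against the
two schemas on this page and mirror the page's sample forbid policy.
Sample values, the identity.roles shape and the blanket-permit assumption
are constructed for this demo, not taken from the AWS documentation."""
import copy
import ipaddress

# Property names and JSON types copied from the schemas on this page.
HTTP_REQUEST_SCHEMA = {
    "user_agent": str,
    "x_forwarded_for": str,
    "http_method": str,
    "hostname": str,
    "port": int,
    "client_ip": str,
}
TCP_FLOW_SCHEMA = {
    "destination_ip": str,
    "destination_port": str,  # the schema above declares this as a string
    "client_ip": str,
}
# Fields whose description says they hold an IP address; x_forwarded_for is
# deliberately not here because that header may carry a comma-separated list.
IP_PROPERTIES = ("client_ip", "destination_ip")

# Constructed sample context (values are not from the page).
SAMPLE_CONTEXT = {
    "http_request": {
        "user_agent": "Mozilla/5.0 (constructed sample)",
        "x_forwarded_for": "203.0.113.10",
        "http_method": "POST",
        "hostname": "app.example.com",
        "port": 443,
        "client_ip": "203.0.113.10",
    },
    "tcp_flow": {
        "destination_ip": "10.0.1.25",
        "destination_port": "443",
        "client_ip": "203.0.113.10",
    },
    # Assumed shape of the identity data the sample policy reads.
    "identity": {"roles": ["Developer"]},
}


def validate_context(context):
    """Return a list of problems; an empty list means the context matches
    the declared properties and types of both schemas."""
    problems = []
    for key, schema in (("http_request", HTTP_REQUEST_SCHEMA),
                        ("tcp_flow", TCP_FLOW_SCHEMA)):
        section = context.get(key)
        if not isinstance(section, dict):
            problems.append(f"{key}: missing")
            continue
        for prop, expected in schema.items():
            value = section.get(prop)
            if value is None:
                problems.append(f"{key}.{prop}: missing")
            # bool is a subclass of int in Python, so reject it explicitly.
            elif isinstance(value, bool) or not isinstance(value, expected):
                problems.append(f"{key}.{prop}: expected {expected.__name__}")
            elif prop in IP_PROPERTIES:
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    problems.append(f"{key}.{prop}: not an IP address")
    return problems


def sample_forbid_applies(context):
    """Mirror of the page's policy: forbid when http_method == "POST" and
    identity.roles does not contain "Administrator". Cedar treats a policy
    whose condition errors (for example an attribute that is absent) as not
    satisfied, so a missing http_method or roles means this forbid does not fire."""
    http = context.get("http_request", {})
    roles = context.get("identity", {}).get("roles")
    if "http_method" not in http or roles is None:
        return False
    return http["http_method"] == "POST" and "Administrator" not in roles


def authorize(context):
    """Assumes one blanket permit policy exists (demo assumption). Cedar is
    default-deny and any satisfied forbid overrides every permit."""
    return "deny" if sample_forbid_applies(context) else "allow"


def with_changes(context, section, **changes):
    """Return a deep copy of context with the given section's fields updated."""
    ctx = copy.deepcopy(context)
    ctx.setdefault(section, {}).update(changes)
    return ctx


if __name__ == "__main__":
    print(validate_context(SAMPLE_CONTEXT), authorize(SAMPLE_CONTEXT))
```

Two points worth keeping in mind when writing policies against this data: port is the only integer in the HTTP request schema, so a comparison such as context.http_request.port == 443 works while the TCP flow's destination_port is a string and must be compared as "443"; and x_forwarded_for is, as the schema says, the value of a request header, so its contents depend on whatever the client and any intermediate proxies sent, whereas client_ip is the address that actually connected to the endpoint.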