這是 AWS CDK v2 開發人員指南。較舊的 CDK v1 已於 2022 年 6 月 1 日進入維護,並於 2023 年 6 月 1 日結束支援。
本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 許可和 AWS CDK
AWS 建構程式庫使用一些常見、廣泛實作的慣用語來管理存取和許可。IAM 模組為您提供使用這些慣用詞所需的工具。
AWS CDK 使用 AWS CloudFormation 部署變更。每個部署都涉及開始 a AWS CloudFormation 部署的演員 (開發人員或自動化系統)。在此過程中,演員將擔任一或多個 IAM 身分 (使用者或角色),並選擇性地將角色傳遞至 AWS CloudFormation。
如果您使用 AWS IAM Identity Center 來驗證使用者身分,則單一登入提供者會提供短期工作階段登入資料,授權您擔任預先定義的 IAM 角色。若要了解 AWS CDK 如何從 IAM Identity Center 身分驗證取得 AWS 憑證,請參閱 * AWS SDKs和工具參考指南*中的[了解 IAM Identity Center 身分驗證](https://docs.aws.amazon.com/sdkref/latest/guide/understanding-sso.html)。
## 主體
IAM 主體是經過驗證的 AWS 實體,代表可呼叫 AWS APIs的使用者、服務或應用程式。 AWS Construct Library 支援以數種彈性方式指定委託人,以授予委託人存取您的 AWS 資源。
在安全環境中,「主體」一詞特別是指已驗證的實體,例如使用者。群組和角色之類的物件不*代表*使用者 (和其他已驗證的實體),而是為了授予許可而間接*識別*它們。
例如,如果您建立 IAM 群組,您可以授予群組 (及其成員) 對 Amazon RDS 資料表的寫入存取權。不過,群組本身不是委託人,因為它不代表單一實體 (您也無法登入群組)。
在 CDK 的 IAM 程式庫中,直接或間接識別委託人的類別會實作[https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.IPrincipal.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.IPrincipal.html)界面,允許這些物件在存取政策中可互換使用。不過,並非所有這些都是安全意識的委託人。這些物件包括:
1. IAM 資源,例如 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)、 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.User.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.User.html)和 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Group.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Group.html)
1. 服務主體 (`new iam.[ServicePrincipal](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.ServicePrincipal.html)('service.amazonaws.com')`)
1. 聯合主體 (`new iam.[FederatedPrincipal](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.FederatedPrincipal.html)('cognito-identity.amazonaws.com')`)
1. 帳戶主體 (`new iam.[AccountPrincipal](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.AccountPrincipal.html)('0123456789012')`)
1. 正式使用者主體 (`new iam.[CanonicalUserPrincipal](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.CanonicalUserPrincipal.html)('79a59d[…]7ef2be')`)
1. AWS Organizations 主體 (`new iam.[OrganizationPrincipal](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.OrganizationPrincipal.html)('org-id')`)
1. 任意 ARN 主體 (`new iam.[ArnPrincipal](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.ArnPrincipal.html)(res.arn)`)
1. `iam.[CompositePrincipal](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.CompositePrincipal.html)(principal1, principal2, …)` 信任多個委託人的
## 授權
許多建構代表可以存取的資源,例如 Amazon S3 儲存貯體或 Amazon DynamoDB 資料表。對於這些實體,您可以將存取權授予另一個實體。有兩種方法可以執行此操作,具體取決於特定的建構:使用其對應的授予類別 (例如,`BucketGrants`Amazon S3 儲存貯體),或使用建構本身中具有名稱開頭為**授予**的方法。前者是偏好的,因為它們可以用相同的方式授予 L1 和 L2 資源的存取權。若要建立授與類別的執行個體,請使用其原廠方法:
**Example**
```
BucketGrants.fromBucket(bucket); // bucket can be either a Bucket (L2) or a CfnBucket (L1)
```
```
BucketGrants.fromBucket(bucket); // bucket can be either a Bucket (L2) or a CfnBucket (L1)
```
```
BucketGrants.from_bucket(bucket) # bucket can be either a Bucket (L2) or a CfnBucket (L1)
```
```
BucketGrants.fromBucket(bucket); // bucket can be either a Bucket (L2) or a CfnBucket (L1)
```
```
BucketGrants.FromBucket(bucket); // bucket can be either a Bucket (L2) or a CfnBucket (L1)
```
授予類別提供方法來授予存取其資源的特定許可。例如, `BucketGrants`具有方法 `read`和 `readWrite`(Python:、`read``read_write`),分別啟用從實體到儲存貯體的讀取和讀取/寫入存取權。實體不必確切知道執行這些操作需要哪些 Amazon S3 IAM 許可。
授予類別中方法的第一個引數 (或資源本身的**授予**方法) 一律為類型 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.IGrantable.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.IGrantable.html)。此界面代表可授予許可的實體。也就是說,它代表具有 角色的資源,例如 IAM 物件 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)、 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.User.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.User.html)和 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Group.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Group.html)。
也可以授予其他實體許可。例如,本主題稍後會示範如何授予 CodeBuild 專案對 Amazon S3 儲存貯體的存取權。一般而言,關聯角色是透過被授予存取權之實體的 `role` 屬性取得。
使用執行角色的資源,例如 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html),也會實作 `IGrantable`,因此您可以直接授予他們存取權,而不是授予他們角色的存取權。例如,如果 `bucket` 是 Amazon S3 儲存貯體,而 `function` 是 Lambda 函數,則下列程式碼會授予函數對儲存貯體的讀取存取權。
為了方便起見,L2 建構也提供 `grants` 屬性,傳回對應 Grants 類別的執行個體。
**Example**
```
bucket.grants.read(function);
```
```
bucket.grants.read(function);
```
```
bucket.grants.read(function)
```
```
bucket.getGrants().read(function);
```
```
bucket.Grants.Read(function);
```
有時必須在部署堆疊時套用許可。其中一種情況是,當您將 An AWS CloudFormation 自訂資源存取權授予其他一些資源時。自訂資源將在部署期間調用,因此在部署時必須具有指定的許可。
另一個情況是,當服務驗證您傳遞給該服務的角色是否套用了正確的政策。(許多 AWS 服務會執行此操作,以確保您不會忘記設定政策。) 在這些情況下,如果套用許可太晚,部署可能會失敗。
若要強制在建立另一個資源之前套用授予的許可,您可以在授予本身上新增相依性,如下所示。雖然授予方法的傳回值通常被捨棄,但每個授予方法實際上都會傳回`iam.Grant`物件。
**Example**
```
const grant = bucket.grants.read(lambda);
const custom = new CustomResource(...);
custom.node.addDependency(grant);
```
```
const grant = bucket.grants.read(lambda);
const custom = new CustomResource(...);
custom.node.addDependency(grant);
```
```
grant = bucket.grants.read(function)
custom = CustomResource(...)
custom.node.add_dependency(grant)
```
```
Grant grant = bucket.getGrants().read(function);
CustomResource custom = new CustomResource(...);
custom.node.addDependency(grant);
```
```
var grant = bucket.Grants.Read(function);
var custom = new CustomResource(...);
custom.node.AddDependency(grant);
```
## 角色
IAM 套件包含代表 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html) IAM 角色的建構。下列程式碼會建立新的角色,信任 Amazon EC2 服務。
**Example**
```
import * as iam from 'aws-cdk-lib/aws-iam';
const role = new iam.Role(this, 'Role', {
assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'), // required
});
```
```
const iam = require('aws-cdk-lib/aws-iam');
const role = new iam.Role(this, 'Role', {
assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com') // required
});
```
```
import aws_cdk.aws_iam as iam
role = iam.Role(self, "Role",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) # required
```
```
import software.amazon.awscdk.services.iam.Role;
import software.amazon.awscdk.services.iam.ServicePrincipal;
Role role = Role.Builder.create(this, "Role")
.assumedBy(new ServicePrincipal("ec2.amazonaws.com")).build();
```
```
using Amazon.CDK.AWS.IAM;
var role = new Role(this, "Role", new RoleProps
{
AssumedBy = new ServicePrincipal("ec2.amazonaws.com"), // required
});
```
您可以透過呼叫角色的 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html#addwbrtowbrpolicystatement](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html#addwbrtowbrpolicystatement)方法 (Python:`add_to_policy`),將許可新增至角色,傳入定義要新增之規則[https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.PolicyStatement.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.PolicyStatement.html)的 。陳述式會新增至角色的預設政策;如果沒有,則會建立一個。
下列範例會將`Deny`政策陳述式新增至 動作的 角色,`ec2:SomeAction`以及資源 `bucket` 和 `otherRole`(Python:`other_role`) `s3:AnotherAction`上的 ,條件為授權的服務 is AWS CodeBuild。
**Example**
```
role.addToPolicy(new iam.PolicyStatement({
effect: iam.Effect.DENY,
resources: [bucket.bucketArn, otherRole.roleArn],
actions: ['ec2:SomeAction', 's3:AnotherAction'],
conditions: {StringEquals: {
'ec2:AuthorizedService': 'codebuild.amazonaws.com',
}}}));
```
```
role.addToPolicy(new iam.PolicyStatement({
effect: iam.Effect.DENY,
resources: [bucket.bucketArn, otherRole.roleArn],
actions: ['ec2:SomeAction', 's3:AnotherAction'],
conditions: {StringEquals: {
'ec2:AuthorizedService': 'codebuild.amazonaws.com'
}}}));
```
```
role.add_to_policy(iam.PolicyStatement(
effect=iam.Effect.DENY,
resources=[bucket.bucket_arn, other_role.role_arn],
actions=["ec2:SomeAction", "s3:AnotherAction"],
conditions={"StringEquals": {
"ec2:AuthorizedService": "codebuild.amazonaws.com"}}
))
```
```
role.addToPolicy(PolicyStatement.Builder.create()
.effect(Effect.DENY)
.resources(Arrays.asList(bucket.getBucketArn(), otherRole.getRoleArn()))
.actions(Arrays.asList("ec2:SomeAction", "s3:AnotherAction"))
.conditions(java.util.Map.of( // Map.of requires Java 9 or later
"StringEquals", java.util.Map.of(
"ec2:AuthorizedService", "codebuild.amazonaws.com")))
.build());
```
```
role.AddToPolicy(new PolicyStatement(new PolicyStatementProps
{
Effect = Effect.DENY,
Resources = new string[] { bucket.BucketArn, otherRole.RoleArn },
Actions = new string[] { "ec2:SomeAction", "s3:AnotherAction" },
Conditions = new Dictionary
{
["StringEquals"] = new Dictionary
{
["ec2:AuthorizedService"] = "codebuild.amazonaws.com"
}
}
}));
```
在上述範例中,我們已使用 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html#addwbrtowbrpolicystatement](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html#addwbrtowbrpolicystatement)(Python:`add_to_policy`) 呼叫建立新的[https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.PolicyStatement.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.PolicyStatement.html)內嵌。您也可以傳入現有的政策陳述式或您已修改的政策陳述式。[https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.PolicyStatement.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.PolicyStatement.html) 物件有許多新增主體、資源、條件和動作[的方法](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.PolicyStatement.html#methods)。
如果您使用的建構需要角色才能正常運作,您可以執行下列其中一項操作:
+ 在執行個體化建構物件時傳遞現有角色。
+ 讓建構為您建立新的角色,信任適當的服務主體。下列範例使用這類建構:CodeBuild 專案。
**Example**
```
import * as codebuild from 'aws-cdk-lib/aws-codebuild';
// imagine roleOrUndefined is a function that might return a Role object
// under some conditions, and undefined under other conditions
const someRole: iam.IRole | undefined = roleOrUndefined();
const project = new codebuild.Project(this, 'Project', {
// if someRole is undefined, the Project creates a new default role,
// trusting the codebuild.amazonaws.com service principal
role: someRole,
});
```
```
const codebuild = require('aws-cdk-lib/aws-codebuild');
// imagine roleOrUndefined is a function that might return a Role object
// under some conditions, and undefined under other conditions
const someRole = roleOrUndefined();
const project = new codebuild.Project(this, 'Project', {
// if someRole is undefined, the Project creates a new default role,
// trusting the codebuild.amazonaws.com service principal
role: someRole
});
```
```
import aws_cdk.aws_codebuild as codebuild
# imagine role_or_none is a function that might return a Role object
# under some conditions, and None under other conditions
some_role = role_or_none();
project = codebuild.Project(self, "Project",
# if role is None, the Project creates a new default role,
# trusting the codebuild.amazonaws.com service principal
role=some_role)
```
```
import software.amazon.awscdk.services.iam.Role;
import software.amazon.awscdk.services.codebuild.Project;
// imagine roleOrNull is a function that might return a Role object
// under some conditions, and null under other conditions
Role someRole = roleOrNull();
// if someRole is null, the Project creates a new default role,
// trusting the codebuild.amazonaws.com service principal
Project project = Project.Builder.create(this, "Project")
.role(someRole).build();
```
```
using Amazon.CDK.AWS.CodeBuild;
// imagine roleOrNull is a function that might return a Role object
// under some conditions, and null under other conditions
var someRole = roleOrNull();
// if someRole is null, the Project creates a new default role,
// trusting the codebuild.amazonaws.com service principal
var project = new Project(this, "Project", new ProjectProps
{
Role = someRole
});
```
建立物件後,角色 (無論角色是傳入,還是建構所建立的預設角色) 可作為 屬性 使用`role`。不過,此屬性不適用於外部資源。因此,這些建構具有 `addToRolePolicy`(Python:`add_to_role_policy`) 方法。
如果建構是外部資源,而且它呼叫 `role` 屬性的 `addToPolicy`(Python:`add_to_policy`) 方法,則 方法不會執行任何動作。這可為您節省明確處理未定義案例的麻煩。
下列範例示範:
**Example**
```
// project is imported into the CDK application
const project = codebuild.Project.fromProjectName(this, 'Project', 'ProjectName');
// project is imported, so project.role is undefined, and this call has no effect
project.addToRolePolicy(new iam.PolicyStatement({
effect: iam.Effect.ALLOW, // ... and so on defining the policy
}));
```
```
// project is imported into the CDK application
const project = codebuild.Project.fromProjectName(this, 'Project', 'ProjectName');
// project is imported, so project.role is undefined, and this call has no effect
project.addToRolePolicy(new iam.PolicyStatement({
effect: iam.Effect.ALLOW // ... and so on defining the policy
}));
```
```
# project is imported into the CDK application
project = codebuild.Project.from_project_name(self, 'Project', 'ProjectName')
# project is imported, so project.role is undefined, and this call has no effect
project.add_to_role_policy(iam.PolicyStatement(
effect=iam.Effect.ALLOW, # ... and so on defining the policy
)
)
```
```
// project is imported into the CDK application
Project project = Project.fromProjectName(this, "Project", "ProjectName");
// project is imported, so project.getRole() is null, and this call has no effect
project.addToRolePolicy(PolicyStatement.Builder.create()
.effect(Effect.ALLOW) // .. and so on defining the policy
.build();
)
```
```
// project is imported into the CDK application
var project = Project.FromProjectName(this, "Project", "ProjectName");
// project is imported, so project.role is null, and this call has no effect
project.AddToRolePolicy(new PolicyStatement(new PolicyStatementProps
{
Effect = Effect.ALLOW, // ... and so on defining the policy
}));
```
## 資源政策
中的一些資源 AWS,例如 Amazon S3 儲存貯體和 IAM 角色,也有資源政策。這些建構有 `addToResourcePolicy`方法 (Python:`add_to_resource_policy`),以 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.PolicyStatement.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.PolicyStatement.html)做為其引數。新增至資源政策的每個政策陳述式必須至少指定一個委託人。
在下列範例中,[Amazon S3 儲存貯](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)體會將具有 `s3:SomeAction`許可的角色`bucket`授予 本身。
**Example**
```
bucket.addToResourcePolicy(new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ['s3:SomeAction'],
resources: [bucket.bucketArn],
principals: [role]
}));
```
```
bucket.addToResourcePolicy(new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ['s3:SomeAction'],
resources: [bucket.bucketArn],
principals: [role]
}));
```
```
bucket.add_to_resource_policy(iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=["s3:SomeAction"],
resources=[bucket.bucket_arn],
principals=role))
```
```
bucket.addToResourcePolicy(PolicyStatement.Builder.create()
.effect(Effect.ALLOW)
.actions(Arrays.asList("s3:SomeAction"))
.resources(Arrays.asList(bucket.getBucketArn()))
.principals(Arrays.asList(role))
.build());
```
```
bucket.AddToResourcePolicy(new PolicyStatement(new PolicyStatementProps
{
Effect = Effect.ALLOW,
Actions = new string[] { "s3:SomeAction" },
Resources = new string[] { bucket.BucketArn },
Principals = new IPrincipal[] { role }
}));
```
## 使用外部 IAM 物件
如果您已在 AWS CDK 應用程式之外定義 IAM 使用者、委託人、群組或角色,您可以在 AWS CDK 應用程式中使用該 IAM 物件。若要這樣做,請使用其 ARN 或其名稱建立參考。(使用使用者、群組和角色的名稱。) 然後,傳回的參考可用來授予許可或建構政策陳述式,如先前所述。
+ 對於使用者,呼叫 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.User.html#static-fromwbruserwbrarnscope-id-userarn](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.User.html#static-fromwbruserwbrarnscope-id-userarn)或 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.User.html#static-fromwbruserwbrnamescope-id-username](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.User.html#static-fromwbruserwbrnamescope-id-username)。 `User.fromUserAttributes()` 也可用,但目前提供與 相同的功能`User.fromUserArn()`。
+ 對於委託人,執行個體化[https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.ArnPrincipal.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.ArnPrincipal.html)物件。
+ 對於 群組,請呼叫 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Group.html#static-fromwbrgroupwbrarnscope-id-grouparn](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Group.html#static-fromwbrgroupwbrarnscope-id-grouparn)或 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Group.html#static-fromwbrgroupwbrnamescope-id-groupname](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Group.html#static-fromwbrgroupwbrnamescope-id-groupname)。
+ 如需角色,請呼叫 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html#static-fromwbrrolewbrarnscope-id-rolearn-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html#static-fromwbrrolewbrarnscope-id-rolearn-options)或 [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html#static-fromwbrrolewbrnamescope-id-rolename](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html#static-fromwbrrolewbrnamescope-id-rolename)。
政策 (包括 受管政策) 可以使用下列方法,以類似方式使用。您可以在需要 IAM 政策的地方使用這些物件的參考。
+ [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Policy.html#static-fromwbrpolicywbrnamescope-id-policyname](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Policy.html#static-fromwbrpolicywbrnamescope-id-policyname)
+ [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.ManagedPolicy.html#static-fromwbrmanagedwbrpolicywbrarnscope-id-managedpolicyarn](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.ManagedPolicy.html#static-fromwbrmanagedwbrpolicywbrarnscope-id-managedpolicyarn)
+ [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.ManagedPolicy.html#static-fromwbrmanagedwbrpolicywbrnamescope-id-managedpolicyname](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.ManagedPolicy.html#static-fromwbrmanagedwbrpolicywbrnamescope-id-managedpolicyname)
+ [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.ManagedPolicy.html#static-fromwbrawswbrmanagedwbrpolicywbrnamemanagedpolicyname](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.ManagedPolicy.html#static-fromwbrawswbrmanagedwbrpolicywbrnamemanagedpolicyname)
**注意**
如同所有外部 AWS 資源的參考,您無法在 CDK 應用程式中修改外部 IAM 物件。