The IAM platform provides preset system policies for VPC. You can grant a system preset policy directly to an IAM identity (IAM user, user group, or role). System preset policies can only be used for authorization; they cannot be edited or modified.
| System preset policy | Description |
|---|---|
| VPCFullAccess | An IAM identity (IAM user, user group, or role) granted this policy gets **management** permissions for the VPC (private network) features within its authorized scope. |
| VPCReadOnlyAccess | An IAM identity (IAM user, user group, or role) granted this policy gets **read-only** permissions for the VPC (private network) features within its authorized scope. |
Note: the wildcard `*` matches zero, one, or more characters.
Content of the VPCFullAccess policy:

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*Vpc*",
        "vpc:*Subnet*",
        "vpc:*NetworkInterface*",
        "vpc:*Route*",
        "vpc:*SecurityGroup*",
        "vpc:*HaVip*",
        "vpc:*NetworkAcl*",
        "vpc:*PrivateIpAddresses",
        "vpc:*Ipv6Addresses",
        "vpc:*FlowLog*",
        "vpc:*PrefixList*",
        "vpc:*TrafficMirror*",
        "vpc:TagResources",
        "vpc:UntagResources",
        "vpc:ListTagsForResources",
        "cen:GrantInstanceToCen",
        "cen:RevokeInstanceFromCen",
        "cen:DescribeInstanceGrantedRules",
        "quota:GetServiceQuota",
        "ecs:DescribeZones"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
Content of the VPCReadOnlyAccess policy:

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*DescribeVpc*",
        "vpc:*DescribeSubnet*",
        "vpc:*DescribeNetworkInterface*",
        "vpc:*DescribeRoute*",
        "vpc:*DescribeSecurityGroup*",
        "vpc:*DescribeHaVip*",
        "cen:DescribeInstanceGrantedRules",
        "vpc:*DescribeNetworkAcl*",
        "vpc:*DescribeFlowLog*",
        "vpc:*DescribePrefixList*",
        "vpc:*DescribeTrafficMirror*",
        "vpc:ListTagsForResources"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
Deny takes precedence over Allow: when an identity has a Deny for certain actions, granting an Allow for those same actions afterwards has no effect.
After granting VPCFullAccess to an IAM user, you can additionally grant the following policy to deny deletion of VPCs and subnets.

```json
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "vpc:DeleteVpc",
        "vpc:DeleteSubnet"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
After granting VPCReadOnlyAccess to an IAM user, you can additionally grant permissions on a specific subnet (for example subnet-2yyxafgve001) so that the user can manage that subnet.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*Subnet*"
      ],
      "Resource": [
        "trn:vpc:*:*:subnet/subnet-2yyxafgve001"
      ]
    }
  ]
}
```
To allow an IAM user to modify only the route entries in a specific route table (vtb-2fdzao4h726f45): add vtb-2fdzao4h726f45 to a project, and grant the IAM user the following permissions within that project.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:DescribeRouteTable*",
        "vpc:*RouteEntry*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:Describe*",
        "ecs:Describe*",
        "vpn:Describe*",
        "natgateway:Describe*",
        "transitrouter:Describe*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
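To make the three rules this page relies on concrete (the `*` wildcard matching zero or more characters, Deny overriding Allow regardless of order, and an Allow scoped to one resource), here is a small policy evaluator. It is an added example, not Volcengine's implementation and not code from this page: it loads the policies shown above and answers allow/deny questions about them. It does not model projects, so the route-table example is evaluated as if the route table were already in scope. The action names not on this page (`vpc:CreateVpc`, `vpc:ModifySubnetAttributes`, `vpc:DescribeSubnets`, `vpc:ModifyRouteEntry`, `vpc:DeleteRouteTable`) and the region/account parts of the resource names are assumptions chosen to look like the page's own.

```python
import re

# Policies copied from the page, as Python dicts with the same structure as the JSON.
VPC_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": [
    "vpc:*Vpc*", "vpc:*Subnet*", "vpc:*NetworkInterface*", "vpc:*Route*",
    "vpc:*SecurityGroup*", "vpc:*HaVip*", "vpc:*NetworkAcl*",
    "vpc:*PrivateIpAddresses", "vpc:*Ipv6Addresses", "vpc:*FlowLog*",
    "vpc:*PrefixList*", "vpc:*TrafficMirror*", "vpc:TagResources",
    "vpc:UntagResources", "vpc:ListTagsForResources", "cen:GrantInstanceToCen",
    "cen:RevokeInstanceFromCen", "cen:DescribeInstanceGrantedRules",
    "quota:GetServiceQuota", "ecs:DescribeZones"], "Resource": ["*"]}]}

VPC_READ_ONLY_ACCESS = {"Statement": [{"Effect": "Allow", "Action": [
    "vpc:*DescribeVpc*", "vpc:*DescribeSubnet*", "vpc:*DescribeNetworkInterface*",
    "vpc:*DescribeRoute*", "vpc:*DescribeSecurityGroup*", "vpc:*DescribeHaVip*",
    "cen:DescribeInstanceGrantedRules", "vpc:*DescribeNetworkAcl*",
    "vpc:*DescribeFlowLog*", "vpc:*DescribePrefixList*",
    "vpc:*DescribeTrafficMirror*", "vpc:ListTagsForResources"],
    "Resource": ["*"]}]}

DENY_DELETE = {"Statement": [{"Effect": "Deny", "Action": [
    "vpc:DeleteVpc", "vpc:DeleteSubnet"], "Resource": ["*"]}]}

SUBNET_ADMIN = {"Statement": [{"Effect": "Allow", "Action": ["vpc:*Subnet*"],
    "Resource": ["trn:vpc:*:*:subnet/subnet-2yyxafgve001"]}]}

ROUTE_ENTRY_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["vpc:DescribeRouteTable*", "vpc:*RouteEntry*"],
     "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["vpc:Describe*", "ecs:Describe*",
     "vpn:Describe*", "natgateway:Describe*", "transitrouter:Describe*"],
     "Resource": ["*"]}]}


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches zero, one or more characters; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate(policies, action: str, resource: str) -> str:
    """Decide one request ('Allow' or 'Deny') under all attached policies.

    A statement applies when one of its Action patterns and one of its
    Resource patterns both match. An applicable Deny wins immediately,
    whichever policy it is in and whatever the order; otherwise the result
    is Allow if any applicable Allow exists, and implicit Deny if none does.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(wildcard_match(a, action) for a in stmt["Action"]):
                continue
            if not any(wildcard_match(r, resource) for r in stmt["Resource"]):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


# Constructed resource names: region and account id are placeholders; only the
# resource ids matter for the resource-scoped subnet policy.
SOME_VPC = "trn:vpc:region-placeholder:000000000000:vpc/vpc-example"
TARGET_SUBNET = "trn:vpc:region-placeholder:000000000000:subnet/subnet-2yyxafgve001"
OTHER_SUBNET = "trn:vpc:region-placeholder:000000000000:subnet/subnet-other"
ROUTE_TABLE = "trn:vpc:region-placeholder:000000000000:routetable/vtb-2fdzao4h726f45"


def demo() -> dict:
    """Evaluate the scenarios described on the page. Action names other than
    DeleteVpc and DeleteSubnet are assumed for illustration."""
    return {
        # VPCFullAccess plus the Deny policy: deletion denied, creation still allowed,
        # and the order in which the policies are attached makes no difference.
        "full+deny DeleteVpc": evaluate([VPC_FULL_ACCESS, DENY_DELETE], "vpc:DeleteVpc", SOME_VPC),
        "deny+full DeleteVpc": evaluate([DENY_DELETE, VPC_FULL_ACCESS], "vpc:DeleteVpc", SOME_VPC),
        "full+deny CreateVpc": evaluate([VPC_FULL_ACCESS, DENY_DELETE], "vpc:CreateVpc", SOME_VPC),
        # VPCReadOnlyAccess plus the subnet-scoped Allow: management only on that subnet.
        "ro+subnet modify target": evaluate([VPC_READ_ONLY_ACCESS, SUBNET_ADMIN],
                                            "vpc:ModifySubnetAttributes", TARGET_SUBNET),
        "ro+subnet modify other": evaluate([VPC_READ_ONLY_ACCESS, SUBNET_ADMIN],
                                           "vpc:ModifySubnetAttributes", OTHER_SUBNET),
        "ro+subnet describe other": evaluate([VPC_READ_ONLY_ACCESS, SUBNET_ADMIN],
                                             "vpc:DescribeSubnets", OTHER_SUBNET),
        # Route-entry policy: entries can be changed, the table itself cannot be deleted.
        "route ModifyRouteEntry": evaluate([ROUTE_ENTRY_ONLY], "vpc:ModifyRouteEntry", ROUTE_TABLE),
        "route DeleteRouteTable": evaluate([ROUTE_ENTRY_ONLY], "vpc:DeleteRouteTable", ROUTE_TABLE),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:28s} -> {decision}")
```

Running the file prints one decision per scenario. The useful check before attaching a custom policy is the implicit-deny case: a pattern such as `vpc:*Subnet*` scoped to one subnet grants nothing on any other subnet, and a Describe-only preset never lets a write action through, whichever order the policies were granted in.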
A policy that grants only tag management (adding, removing, and listing tags) on VPC resources:

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:TagResources",
        "vpc:UntagResources",
        "vpc:ListTagsForResources"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
For more IAM policy examples, see Custom policy examples.