You need to enable JavaScript to run this app.
导航
NAT网关自定义策略示例
最近更新时间:2024.08.15 10:56:42首次发布时间:2024.04.22 11:46:53

如果火山引擎提供的系统预设策略不满足您的需求,您可通过创建自定义策略,遵循最小授权原则,进行更精细化的权限管控,以提升IAM身份对主账号下资源的安全访问。本文为您介绍日常场景中常见的NAT网关相关的自定义策略示例,供您参考。

自定义策略语法中策略元素配置的详细介绍,请参见 IAM策略语法

自定义策略示例

说明

Deny的优先级高于Allow,当身份对某些操作存在Deny权限时,再次赋予这些操作的Allow权限将无法生效。

示例一:拒绝删除NAT网关

为IAM用户授权 NATFullAccess 后,可为其再授予如下权限,拒绝删除NAT网关。

拒绝删除全部NAT网关

{
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "natgateway:DeleteNatGateway"
            ],
            "Resource": [
				        "*"
      ]
        }
    ]
}

拒绝删除200000000X账号下实例ID为ngw-2yyxafgve001、ngw-2yyxafgve002的NAT网关

{
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "natgateway:DeleteNatGateway"
            ],
            "Resource": [
			        "trn:natgateway:*:200000000X:ngw/ngw-2yyxafgve001",
			        "trn:natgateway:*:200000000X:ngw/ngw-2yyxafgve002"
      ]
        }
    ]
}

示例二:允许管理SNAT规则/DNAT规则

允许管理200000000X账号下实例ID为ngw-2yyxafgve001NAT网关的SNAT规则

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
		            "natgateway:DescribeNatGateway*"
            ],
            "Resource": [
               "trn:natgateway:*:200000000X:ngw/ngw-2yyxafgve001"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "natgateway:CreateSnatEntry",
                "natgateway:ModifySnatEntryAttributes",
                "natgateway:DescribeSnatEntries",
                "natgateway:DescribeSnatEntryAttributes",
                "natgateway:DeleteSnatEntry",
                "vpc:DescribeEipAddress*"
            ],
            "Resource": [
								"*"
            ]
        },
        
        
    ]
}

允许管理200000000X账号下实例ID为ngw-2yyxafgve001NAT网关的DNAT规则

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
		            "natgateway:DescribeNatGateway*"
            ],
            "Resource": [
               "trn:natgateway:*:200000000X:ngw/ngw-2yyxafgve001"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "natgateway:CreateDnatEntry",
                "natgateway:ModifyDnatEntryAttributes",
                "natgateway:DescribeDnatEntries",
                "natgateway:DescribeDnatEntryAttributes",
                "natgateway:DeleteDnatEntry",
                "vpc:DescribeEipAddress*"
            ],
            "Resource": [
               "*"
            ]
        }
    ]
}

示例三:允许使用标签功能

{	
			"Statement":[	
					{	
							"Effect":"Allow",	
							"Action":[	
									"vpc:TagResources",
									"vpc:UntagResources",
									"vpc:ListTagsForResources"
							],	
							"Resource":[	
									"*"
							]
					}
			]
	}

相关文档

更多示例请参见 自定义策略(Demo)

附录

NAT网关资源TRN格式如下表所示:

产品产品Service代码资源类型资源类型代码trn格式
NAT网关natgatewayNAT网关ngwtrn:natgateway:{region}:{account}:ngw/{ngwid}