最近更新时间:2024.04.23 18:06:40
首次发布时间:2024.04.22 11:46:53
如果火山引擎提供的系统预设策略不满足您的需求,您可通过创建自定义策略,遵循最小授权原则,进行更精细化的权限管控,以提升IAM身份对主账号下资源的安全访问。本文为您介绍日常场景中常见的NAT网关相关的自定义策略示例,供您参考。
自定义策略语法中策略元素配置的详细介绍,请参见IAM策略语法。
说明
Deny的优先级高于Allow,当身份对某些操作存在Deny权限时,再次赋予这些操作的Allow权限将无法生效。
为IAM用户授权 NATFullAccess 后,可为其再授予如下权限,拒绝删除NAT网关。
{ "Statement": [ { "Effect": "Deny", "Action": [ "natgateway:DeleteNatGateway" ], "Resource": [ "*" ] } ] }
{ "Statement": [ { "Effect": "Deny", "Action": [ "natgateway:DeleteNatGateway" ], "Resource": [ "trn:natgateway:*:200000000X:ngw/ngw-2yyxafgve001", "trn:natgateway:*:200000000X:ngw/ngw-2yyxafgve002" ] } ] }
{ "Statement": [ { "Effect": "Allow", "Action": [ "natgateway:DescribeNatGateway*" ], "Resource": [ "trn:natgateway:*:200000000X:ngw/ngw-2yyxafgve001" ] }, { "Effect": "Allow", "Action": [ "natgateway:CreateSnatEntry", "natgateway:ModifySnatEntryAttributes", "natgateway:DescribeSnatEntries", "natgateway:DescribeSnatEntryAttributes", "natgateway:DeleteSnatEntry", "vpc:DescribeEipAddress*" ], "Resource": [ "*" ] }, ] }
{ "Statement": [ { "Effect": "Allow", "Action": [ "natgateway:DescribeNatGateway*" ], "Resource": [ "trn:natgateway:*:200000000X:ngw/ngw-2yyxafgve001" ] }, { "Effect": "Allow", "Action": [ "natgateway:CreateDnatEntry", "natgateway:ModifyDnatEntryAttributes", "natgateway:DescribeDnatEntries", "natgateway:DescribeDnatEntryAttributes", "natgateway:DeleteDnatEntry", "vpc:DescribeEipAddress*" ], "Resource": [ "*" ] } ] }
{ "Statement":[ { "Effect":"Allow", "Action":[ "vpc:TagResources", "vpc:UntagResources", "vpc:ListTagsForResources" ], "Resource":[ "*" ] } ] }
更多示例请参见自定义策略(Demo)。