S3 Bucket security, open access restricted by public IP and VPC endpoint


Problem description

Based on some resources that mostly show how to restrict by a single option, such as by IP, by VPC, or by VPCE, this is what I'm trying to use; would this work?

Trying to open access to the S3 bucket only from public IP "12.34.56.78/32" and VPC endpoint "vpce-xxxxxxxx":

{
  "Version": "2008-10-17",
  "Id": "S3Policy-Restrict-Access",
  "Statement": [
    {
      "Sid": "IPDeny",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": "arn:aws-us-gov:s3:::myrestrict-access-test/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "12.34.56.78/32"
          ]
        },
        "StringNotEquals": {
           "aws:sourceVpce": "vpce-xxxxxxxx"
        }
      }
    }
  ]
}

Accepted answer

The answer is with ...IfExists. From the AWS IAM documentation on condition operators:

You can add IfExists to the end of any condition operator name except the Null condition, for example, StringLikeIfExists. You do this to say "If the policy key is present in the context of the request, process the key as specified in the policy. If the key is not present, I don't care; don't fail the comparison because of its absence." Other condition elements in the statement can still result in a nonmatch, but not a missing key when checked with ...IfExists.

Example using IfExists

Many condition keys describe information about a certain type of resource and only exist when accessing that type of resource. These condition keys are not present on other types of resources. This doesn't cause an issue when the policy statement applies to only one type of resource. However, there are cases where a single statement can apply to multiple types of resources, such as when the policy statement references actions from multiple services or when a given action within a service accesses several different resource types within the same service. In such cases, including a condition key that applies to only one of the resources in the policy statement can cause the Condition element in the policy statement to fail such that the statement's "Effect" does not apply.

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "THISPOLICYDOESNOTWORK",
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {"StringLike": {"ec2:InstanceType": [
      "t1.*",
      "t2.*",
      "m3.*"
    ]}}
  }
}

The intent of the preceding policy is to enable the user to launch any instance that is type t1, t2 or m3. However, launching an instance actually requires accessing many resources in addition to the instance itself; for example, images, key pairs, security groups, etc. The entire statement is evaluated against every resource that is required to launch the instance. These additional resources do not have the ec2:InstanceType condition key, so the StringLike check fails, and the user is not granted the ability to launch any instance type. To address this, use the StringLikeIfExists condition operator instead. This way, the test only happens if the condition key exists. You could read the following as: "If the resource being checked has an "ec2:InstanceType" condition key, then allow the action only if the key value begins with "t1.", "t2.", or "m3.*". If the resource being checked does not have that condition key, then don't worry about it."

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {"StringLikeIfExists": {"ec2:InstanceType": [
      "t1.*",
      "t2.*",
      "m3.*"
    ]}}
  }
}

Your condition should be:

"Condition": {
  "NotIpAddressIfExists": {
    "aws:SourceIp": [
      "12.34.56.78/32"
    ]
  },
  "StringNotEqualsIfExists": {
    "aws:sourceVpce": "vpce-xxxxxxxx"
  }
}

Explanation

When defining policies, if the request comes through a VPC endpoint, the source IP key is not available. Similarly, if the request comes from outside a VPC endpoint, the VPC-related keys are not available. IfExists needs to be used to evaluate keys that are conditionally available.
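As an added example (not part of the question or the answer above), here is a small offline Python checker for the corrected Deny statement. It implements only the rules quoted above from the AWS documentation: the operator blocks inside one Condition are ANDed, a key that is present in the request context is tested normally, and a key that is absent under an ...IfExists operator counts as a match. An absent key under a plain operator is deliberately left unmodelled (the evaluator raises), so the script makes no claim about how the question's original policy would behave. The endpoint id vpce-xxxxxxxx and the bucket ARN are the question's placeholders, the request contexts are constructed, and the CONDITIONAL_KEYS set and the lint helper are my own additions.

```python
# Added example, not from the original question or answer: an offline checker
# for the corrected Deny statement. It models only the rules quoted from the
# AWS IAM docs: every operator block inside one Condition must match (AND),
# a present key is tested normally, and an ...IfExists operator whose key is
# absent from the request context counts as a match. Absent keys under a
# non-IfExists operator are deliberately not modelled (the evaluator raises).
# The endpoint id and the request contexts are constructed placeholders.
import ipaddress

ALLOWED_IP_CIDR = "12.34.56.78/32"
ALLOWED_VPCE = "vpce-xxxxxxxx"  # placeholder id from the question

# The answer's corrected condition, placed in the question's Deny statement.
DENY_STATEMENT = {
    "Sid": "IPDeny",
    "Effect": "Deny",
    "Principal": {"AWS": "*"},
    "Action": "s3:*",
    "Resource": "arn:aws-us-gov:s3:::myrestrict-access-test/*",
    "Condition": {
        "NotIpAddressIfExists": {"aws:SourceIp": [ALLOWED_IP_CIDR]},
        "StringNotEqualsIfExists": {"aws:sourceVpce": ALLOWED_VPCE},
    },
}

# Keys present in the request context only for some request paths (assumption
# taken from the answer's explanation): aws:SourceIp is absent for requests
# arriving through a VPC endpoint, the VPC keys are absent for public requests.
CONDITIONAL_KEYS = {"aws:sourceip", "aws:sourcevpce", "aws:sourcevpc"}


def _not_ip_address(value, cidrs):
    """NotIpAddress: match when the source IP lies in none of the CIDRs."""
    ip = ipaddress.ip_address(value)
    return not any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _string_not_equals(value, allowed):
    """StringNotEquals: match when the value equals none of the allowed ones."""
    return value not in allowed


BASE_OPERATORS = {
    "NotIpAddress": _not_ip_address,
    "StringNotEquals": _string_not_equals,
}


def _operator_matches(op_name, key_block, context):
    """Evaluate one operator block; all of its keys must match."""
    if_exists = op_name.endswith("IfExists")
    base = op_name[: -len("IfExists")] if if_exists else op_name
    test = BASE_OPERATORS[base]
    # Condition key names are case-insensitive (aws:sourceVpce == aws:SourceVpce).
    ctx = {k.lower(): v for k, v in context.items()}
    for key, values in key_block.items():
        if key.lower() not in ctx:
            if if_exists:
                continue  # absent key under ...IfExists: treated as a match
            raise ValueError(
                f"{key} absent under {op_name}; this toy evaluator models "
                "absent keys only for ...IfExists operators")
        values = values if isinstance(values, list) else [values]
        if not test(ctx[key.lower()], values):
            return False
    return True


def is_denied(context, statement=DENY_STATEMENT):
    """True when the Deny statement's Condition matches the request context."""
    return all(_operator_matches(op, block, context)
               for op, block in statement["Condition"].items())


def conditional_keys_without_ifexists(statement):
    """Lint: conditionally present keys used under an operator lacking IfExists.
    Returns (operator, key) pairs; an empty list means the answer's advice holds."""
    return [(op, key)
            for op, block in statement["Condition"].items()
            if not op.endswith("IfExists")
            for key in block
            if key.lower() in CONDITIONAL_KEYS]


if __name__ == "__main__":
    # Constructed request contexts for the four request paths that matter.
    cases = {
        "allowed public IP (no VPCE key)": {"aws:SourceIp": "12.34.56.78"},
        "allowed VPCE (no SourceIp key)": {"aws:sourceVpce": ALLOWED_VPCE},
        "other public IP": {"aws:SourceIp": "203.0.113.9"},
        "other VPCE": {"aws:sourceVpce": "vpce-0123456789abcdef0"},
    }
    for name, ctx in cases.items():
        print(f"{name:35s} -> {'DENY' if is_denied(ctx) else 'not denied'}")
    print("lint:", conditional_keys_without_ifexists(DENY_STATEMENT))
```

Running it prints a verdict for each of the four request paths (the two allowed sources are not denied, the other public IP and the other endpoint are) and an empty lint list for the corrected statement; handing the question's original Condition to conditional_keys_without_ifexists flags both aws:SourceIp and aws:sourceVpce, which is exactly the change the answer asks for.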
