我正在尝试创建一个策略,我可以限制用户访问不同的区域 RDS。但是,我想只给他们一个区域的管理员访问权限,即ap-southeast-1。
我创建了一些策略,但它们不适用于新加坡区域,仅适用于美国东部区域。
为什么这对我们东部有效,但对新加坡却不行?
策略示例:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt----------",
"Effect": "Allow",
"Action": [
"rds:*"
],
"Condition": {
"StringEquals": {
"ec2:Region": "ap-southeast-1"
}
},
"Resource": [
"*"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt----------",
"Action": [
"rds:*",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"sns:ListSubscriptions",
"sns:ListTopics",
"logs:DescribeLogStreams",
"logs:GetLogEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:rds:ap-southeast-1:*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1454649600000",
"Effect": "Allow",
"Action": [
"*"
],
"Resource": [
"arn:aws:rds:ap-southeast-1:account number:*"
]
}
]
}
试试这个..下面的代码对我有用。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt145591112222",
"Action": "rds:*",
"Effect": "Allow",
"Resource": "arn:aws:rds:ap-southeast-1:ACC_ID:db:*"
}
]
}