VPN Connection Custom Policy Syntax Examples
Last updated: 2024.08.14 16:31:41 First published: 2024.03.22 08:25:16

If the system preset policies provided by Volcengine do not meet your needs, you can create custom policies that follow the principle of least privilege for finer-grained permission control, improving the security of access by IAM identities to the resources under the root account. This document introduces custom policy examples for common everyday VPN connection scenarios, for your reference.

For a detailed description of the policy elements used in custom policy syntax, see IAM Policy Syntax.

Custom Policy Examples

Example 1: Deny deleting VPN gateways

Note

Deny has higher priority than Allow. When an identity holds a Deny for certain operations, an Allow granted again for those same operations will not take effect.

Deny deleting all VPN gateways

{
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "vpn:DeleteVpnGateway"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Deny deleting the VPN gateways with instance IDs vgw-2yyxafgve001 and vgw-2yyxafgve002 under account 200000000X

{
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "vpn:Delete*"
            ],
            "Resource": [
                "trn:vpn:*:200000000X:vpngateway/vgw-2yyxafgve001",
                "trn:vpn:*:200000000X:vpngateway/vgw-2yyxafgve002"
            ]
        }
    ]
}

Example 2: Allow using VPC resources

Allow creating VPC resources

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpc:*Vpc*",
                "vpc:*Subnet*",
                "vpc:*NetworkInterface*",
                "vpc:*Route*",
                "vpc:*SecurityGroup*",
                "vpc:*HaVip*",
                "vpc:*NetworkAcl*",
                "vpc:*PrivateIpAddresses",
                "vpc:*Ipv6Addresses"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Allow using some already created VPC resources, without permission to operate on VPC resources

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpc:*DescribeVpc*",
                "vpc:*DescribeSubnet*",
                "vpc:*DescribeNetworkInterface*",
                "vpc:*DescribeRoute*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Example 3: Allow using the tag feature

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpc:TagResources",
                "vpc:UntagResources",
                "vpc:ListTagsForResources"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Example 4: Allow viewing IPsec connection logs

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "tls:Describe*",
                "tls:Get*",
                "tls:PreviewDelimiterLog",
                "tls:SearchLogs",
                "tls:Statistics",
                "tls:CreateDownloadTask"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Example 5: Allow access only to VPN resources whose tag key is "vpn" and tag value is "use"

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpn:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "volc:ResourceTag/vpn": "use"
                }
            }
        }
    ]
}

Example 6: Allow IPsec connections to attach to existing transit router resources, without permission to operate on transit router resources

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "transitrouter:DescribeTransitRouters",
                "transitrouter:CreateTransitRouterVpnAttachment"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
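To make the evaluation rules behind these examples concrete, the following added example (not code from the page or from Volcengine) implements a small policy evaluator in Python. It applies the precedence rule from the note to Example 1 (an explicit Deny wins over any Allow, and nothing is allowed by default), the wildcard action and resource matching used in Examples 1 and 2, and the StringEquals tag condition from Example 5. The policies are copied from the page; ALLOW_ALL_VPN, the region cn-beijing, the gateway ID vgw-2yyxafgve003 and the resource tag dictionaries are constructed for illustration, and the condition handling is an assumption limited to StringEquals over volc:ResourceTag/<key>, checked against the tags of the resource being accessed.

```python
import json
import re

# Policies copied from the page. ALLOW_ALL_VPN is constructed (not on the page)
# and exists only to show a Deny overriding an Allow for the same action.
DENY_DELETE_TWO_GATEWAYS = json.loads("""
{
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["vpn:Delete*"],
            "Resource": [
                "trn:vpn:*:200000000X:vpngateway/vgw-2yyxafgve001",
                "trn:vpn:*:200000000X:vpngateway/vgw-2yyxafgve002"
            ]
        }
    ]
}
""")

ALLOW_TAGGED_VPN = json.loads("""
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["vpn:*"],
            "Resource": ["*"],
            "Condition": {"StringEquals": {"volc:ResourceTag/vpn": "use"}}
        }
    ]
}
""")

ALLOW_VPC_READ = json.loads("""
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["vpc:*DescribeVpc*", "vpc:*DescribeSubnet*",
                       "vpc:*DescribeNetworkInterface*", "vpc:*DescribeRoute*"],
            "Resource": ["*"]
        }
    ]
}
""")

ALLOW_ALL_VPN = {"Statement": [{"Effect": "Allow", "Action": ["vpn:*"], "Resource": ["*"]}]}

TAG_KEY_PREFIX = "volc:ResourceTag/"


def wildcard_match(pattern, value):
    """Match a policy pattern against a value: '*' matches any run of characters,
    everything else is literal, so TRN separators like ':' and '/' are not special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def conditions_hold(condition, resource_tags):
    """Evaluate a Condition block. Assumption: only StringEquals over
    volc:ResourceTag/<key> is supported, compared against the tags of the
    resource being accessed (a dict supplied by the caller)."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if not key.startswith(TAG_KEY_PREFIX):
                raise ValueError(f"unsupported condition key: {key}")
            if resource_tags.get(key[len(TAG_KEY_PREFIX):]) != expected:
                return False
    return True


def evaluate(policies, action, resource, resource_tags=None):
    """Return 'Allow' or 'Deny' for one request. Nothing is allowed unless some
    statement allows it, and a matching Deny wins over any Allow regardless of
    policy order, which is the precedence rule stated in the note to Example 1."""
    resource_tags = resource_tags or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(wildcard_match(a, action) for a in stmt["Action"]):
                continue
            if not any(wildcard_match(r, resource) for r in stmt["Resource"]):
                continue
            if not conditions_hold(stmt.get("Condition", {}), resource_tags):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    # Constructed sample TRNs: the region and the third gateway ID are made up.
    gw1 = "trn:vpn:cn-beijing:200000000X:vpngateway/vgw-2yyxafgve001"
    gw3 = "trn:vpn:cn-beijing:200000000X:vpngateway/vgw-2yyxafgve003"
    both = [ALLOW_ALL_VPN, DENY_DELETE_TWO_GATEWAYS]
    print(evaluate(both, "vpn:DeleteVpnGateway", gw1))  # Deny: explicit Deny wins
    print(evaluate(both, "vpn:DeleteVpnGateway", gw3))  # Allow: gw3 is not listed in the Deny
    print(evaluate([ALLOW_TAGGED_VPN], "vpn:DescribeVpnGateways", gw1, {"vpn": "use"}))   # Allow
    print(evaluate([ALLOW_TAGGED_VPN], "vpn:DescribeVpnGateways", gw1, {"vpn": "test"}))  # Deny
```

The evaluator returns Deny as soon as a matching Deny statement is found, so the order in which policies are attached to an identity does not matter; it also shows why the tag-scoped Allow in Example 5 grants nothing to a resource that carries no "vpn" tag at all.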

Related Documents

General custom policy examples: this document provides a variety of common custom policy syntax examples for your reference.

Appendix: VPN connection resource types

The TRN formats of VPN connection resources are shown in the table below:

Product        | Service code | Resource type     | Resource type code | TRN format
VPN connection | vpn          | VPN gateway       | vpngateway         | trn:vpn:{region}:{account}:vpngateway/{vpngatewayid}
VPN connection | vpn          | Customer gateway  | customergateway    | trn:vpn:{region}:{account}:customergateway/{customergatewayid}
VPN connection | vpn          | IPsec connection  | vpnconnection      | trn:vpn:{region}:{account}:vpnconnection/{vpnconnectionid}
VPN connection | vpn          | VPN gateway route | vpngatewayroute    | trn:vpn:{region}:{account}:vpngatewayroute/{vpngatewayrouteid}