AWS region codes for all regions

Tech  2022-08-02  126


We may encounter scenarios where we need to restrict user accounts & services to be accessed in particular regions and isolate other regions from the user. For example, you have two different environments (Production & Test) in two different regions. You want to restrict your dev team to only access the services in your test environment and not the ones in your production environment. In this case, region-based access is a handy thing. You can create an IAM user with a custom policy attached to it that lets the user access only the services in a specified region.

In this article, we will have a step-by-step walkthrough on creating IAM policies with region-based access. We will be creating a policy for the EC2 & S3 services, and the region will be Mumbai (ap-south-1). If you don't have an AWS account yet, you can sign up for a free account here. If you already have an AWS account, just log in to your account & go to the IAM service.

Follow the steps below to create a region-based access policy:

1. Open the IAM service from your AWS dashboard and select Policies.

2. Click on the "Create Policy" option.

[Image: Click on Create Policy]

3. Now, choose the "JSON" policy editor and click on the "Import Managed Policy" option.

[Image: JSON editor]

4. Choose the service policies you want to add. I have chosen full access for EC2 & S3.

[Image: S3 Full Access; EC2 Full Access]

5. Once you import the policies, you will see some JSON in the editor like the one below.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "ec2:*",
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "elasticloadbalancing:*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "cloudwatch:*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "autoscaling:*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "iam:CreateServiceLinkedRole",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "iam:AWSServiceName": [
                "autoscaling.amazonaws.com",
                "ec2scheduled.amazonaws.com",
                "elasticloadbalancing.amazonaws.com",
                "spot.amazonaws.com",
                "spotfleet.amazonaws.com",
                "transitgateway.amazonaws.com"
              ]
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": "*"
        }
      ]
    }

7. To add region-based access to the above policy, we need to add a condition to each resource that will allow access only to the specified region, which is ap-south-1 (Mumbai) in our example. Below is the condition we need to add to each of our resources.

    "Condition": {
      "StringEquals": {
        "aws:RequestedRegion": "ap-south-1"
      }
    }

The condition above means the statement allows access only when the request targets the given region (ap-south-1); requests to any other region are not matched by it and fall through to IAM's implicit deny (unless another attached policy allows them).

8. After adding the condition to each resource, the JSON looks like this. (The iam:CreateServiceLinkedRole statement keeps only its original condition: IAM is a global service, so no region condition is added to it.)

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "ec2:*",
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:RequestedRegion": "ap-south-1"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "elasticloadbalancing:*",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:RequestedRegion": "ap-south-1"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "cloudwatch:*",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:RequestedRegion": "ap-south-1"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "autoscaling:*",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:RequestedRegion": "ap-south-1"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "iam:CreateServiceLinkedRole",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "iam:AWSServiceName": [
                "autoscaling.amazonaws.com",
                "ec2scheduled.amazonaws.com",
                "elasticloadbalancing.amazonaws.com",
                "spot.amazonaws.com",
                "spotfleet.amazonaws.com",
                "transitgateway.amazonaws.com"
              ]
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:RequestedRegion": "ap-south-1"
            }
          }
        }
      ]
    }

9. Once your region-based policy is ready, click on "Review Policy".

10. Add a "Name" and "Description" to the policy and then click on "Create Policy". Your policy is now created, and you can attach it to a user or group.

These types of policies can be beneficial when providing different levels of access to users for various services in multiple regions. You can also list multiple regions in the condition if you want to grant access to several regions in the same policy. To do so, just update the condition to the following:

    {
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": [
            "ap-south-1",
            "ap-southeast-1"
          ]
        }
      }
    }
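As an added example (not code from the original article), the following Python applies the step 7 condition to an imported policy programmatically, supporting both the single-region and the multi-region form above, and then checks sample requests against the result with a deliberately simplified evaluator (Allow statements, wildcard actions and the aws:RequestedRegion key only; it ignores Deny statements and other condition keys). The policy input is a constructed, cut-down version of the step 5 JSON.

```python
"""Added example, not code from the original article: add the
aws:RequestedRegion condition to every conditionless statement of an
imported managed policy (mirroring steps 7-8), then evaluate sample
requests against the result with a simplified model of IAM evaluation
(Allow statements, '*' wildcards in Action and the StringEquals
aws:RequestedRegion key only; it is not the real IAM engine)."""
import copy
import fnmatch
import json

# Constructed input: a cut-down version of the policy imported in step 5.
IMPORTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "ec2:*", "Effect": "Allow", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        # IAM is a global service: this statement keeps its own condition.
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:AWSServiceName": ["autoscaling.amazonaws.com"]}}},
    ],
}

def restrict_to_regions(policy, regions):
    """Return a copy with aws:RequestedRegion added to each statement that has no Condition."""
    out = copy.deepcopy(policy)
    value = regions[0] if len(regions) == 1 else list(regions)  # single string or list
    for stmt in out["Statement"]:
        if "Condition" not in stmt:
            stmt["Condition"] = {"StringEquals": {"aws:RequestedRegion": value}}
    return out

def is_allowed(policy, action, region):
    """True if some Allow statement matches the action and its region condition holds."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:RequestedRegion")
        if wanted is None or region in ([wanted] if isinstance(wanted, str) else wanted):
            return True
    return False  # no Allow statement matched: IAM's implicit deny

if __name__ == "__main__":
    restricted = restrict_to_regions(IMPORTED_POLICY, ["ap-south-1"])
    print(json.dumps(restricted, indent=2))
    print(is_allowed(restricted, "ec2:RunInstances", "ap-south-1"))  # True
    print(is_allowed(restricted, "ec2:RunInstances", "us-east-1"))   # False
```

The evaluator is only a sanity check for the shape of the policy; use the IAM policy simulator for authoritative results.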

Thanks for reading the article, hope it helps.

Translated from: https://medium.com/swlh/how-to-restrict-users-to-access-aws-services-in-a-specific-region-aws-articles-aaabd8b01f1b

