本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# Amazon SES 中的身份策略示例
您可以使用身份授权指定允许或拒绝对身份执行 API 操作的精细条件。
**Topics**
+ [指定主体](#identity-authorization-policy-example-delegate-user)
+ [限制操作](#sending-authorization-policy-example-restricting-action)
+ [使用多个语句](#identity-authorization-policy-example-multiple-statements)
## 指定主体
*委托人*(即您向其授予权限的实体)可以是 AWS 账户、 AWS Identity and Access Management (IAM) 用户或属于同一账户的 AWS 服务。
*以下示例显示了一个简单的策略,该策略允许 AWS ID *123456789012 控制同样归123456789012* 拥有的经过验证的身份 e *xample.com*。 AWS 账户 *
------
#### [ JSON ]
****
```
{
"Id":"SampleAuthorizationPolicy",
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AuthorizeMarketer",
"Effect":"Allow",
"Resource":"arn:aws:ses:us-east-1:123456789012:identity/example.com",
"Principal":{
"AWS":[
"123456789012"
]
},
"Action":[
"ses:DeleteEmailIdentity",
"ses:PutEmailIdentityDkimSigningAttributes"
]
}
]
}
```
------
以下示例策略向两个用户授予控制已验证的身份 *example.com* 的权限。用户通过其 Amazon 资源名称(ARN)指定。
------
#### [ JSON ]
****
```
{
"Id":"ExampleAuthorizationPolicy",
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AuthorizeIAMUser",
"Effect":"Allow",
"Resource":"arn:aws:ses:us-east-1:123456789012:identity/example.com",
"Principal":{
"AWS":[
"arn:aws:iam::123456789012:user/John",
"arn:aws:iam::123456789012:user/Jane"
]
},
"Action":[
"ses:DeleteEmailIdentity",
"ses:PutEmailIdentityDkimSigningAttributes"
]
}
]
}
```
------
## 限制操作
根据您要授权的控制级别,可以在身份授权策略中指定多种操作:
```
1. "BatchGetMetricData",
2. "ListRecommendations",
3. "CreateDeliverabilityTestReport",
4. "CreateEmailIdentityPolicy",
5. "DeleteEmailIdentity",
6. "DeleteEmailIdentityPolicy",
7. "GetDomainStatisticsReport",
8. "GetEmailIdentity",
9. "GetEmailIdentityPolicies",
10. "PutEmailIdentityConfigurationSetAttributes",
11. "PutEmailIdentityDkimAttributes",
12. "PutEmailIdentityDkimSigningAttributes",
13. "PutEmailIdentityFeedbackAttributes",
14. "PutEmailIdentityMailFromAttributes",
15. "TagResource",
16. "UntagResource",
17. "UpdateEmailIdentityPolicy"
```
身份授权策略还使您能够将主体限制为只能执行其中一项操作。
------
#### [ JSON ]
****
```
{
"Id": "ExamplePolicy",
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ControlAction",
"Effect": "Allow",
"Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
"Principal": {
"AWS": [
"123456789012"
]
},
"Action": [
"ses:PutEmailIdentityMailFromAttributes"
]
}
]
}
```
------
## 使用多个语句
身份授权策略可以包含多个语句。以下示例策略包含两个语句。第一个语句拒绝两个用户在同一个账户 `123456789012` 内通过 *sender@example.com* 访问 `getemailidentity`。第二个语句拒绝主体 *Jack* 在同一个账户 `123456789012` 内访问 `UpdateEmailIdentityPolicy`。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"DenyGet",
"Effect":"Deny",
"Resource":"arn:aws:ses:us-east-1:123456789012:identity/sender@example.com",
"Principal":{
"AWS":[
"arn:aws:iam::123456789012:user/John",
"arn:aws:iam::123456789012:user/Jane"
]
},
"Action":[
"ses:GetEmailIdentity"
]
},
{
"Sid":"DenyUpdate",
"Effect":"Deny",
"Resource":"arn:aws:ses:us-east-1:123456789012:identity/sender@example.com",
"Principal":{
"AWS":"arn:aws:iam::123456789012:user/Jack"
},
"Action":[
"ses:UpdateEmailIdentityPolicy"
]
}
]
}
```
------