• AWS Systems Manager CloudWatch 控制面板在 2026 年 4 月 30 日之后将不再可用。客户可以像现在一样继续使用 Amazon CloudWatch 控制台来查看、创建和管理其 Amazon CloudWatch 控制面板。有关更多信息，请参阅 [Amazon CloudWatch 控制面板文档](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html)。

# 自动审批和拒绝访问策略的语句结构和内置运算符
<a name="auto-approval-deny-access-policy-statement-structure"></a>

下表展示了自动审批和拒绝访问策略的结构。


| 组件 | 语法 | 
| --- | --- | 
| 效果 |  `permit \| forbid`  | 
| 范围 |  `(principal, action, resource)`  | 
| 条件子句 |  <pre>when {<br />    principal or resource has attribute name             <br />};</pre>  | 

## 策略组件
<a name="policy-components"></a>

自动审批或拒绝访问策略包含以下部分：
+ **效果** – `permit`（允许）或 `forbid`（拒绝）访问。
+ **范围** – 指定效果适用于哪些主体、操作和资源。您可以通过不标识特定主体、操作或资源来使 Cedar 中的范围保持未定义状态。在这种情况下，策略适用于所有可能的主体、操作和资源。对于即时访问节点，`action` 始终为 `AWS::SSM::Action::"getTokenForInstanceAccess"`。
+ **条件子句** – 应用效果的上下文。

## 评论
<a name="auth-policies-policy-comments"></a>

您可以在 策略中包含注释。注释被定义为以 `//` 开头、以换行符结尾的一行。

以下示例显示了策略中的注释。

```
// Allows users in the Engineering group from the Platform org to automatically connect to nodes tagged with Engineering and Production keys. 
permit (
    principal in AWS::IdentityStore::Group::"d4q81745-r081-7079-d789-14da1EXAMPLE",
    action == AWS::SSM::Action::"getTokenForInstanceAccess",
    resource
)
when {
    principal has organization && resource.hasTag("Engineering") && resource.hasTag("Production") && principal.organization == "Platform"
};
```

## 多子句
<a name="multiple-clauses"></a>

您可以利用 `&&` 运算符，在一个策略声明中使用多个条件子句。

```
// Allow access if node has tag where the tag key is Environment 
// & tag value is Development 

permit(principal, action == AWS::SSM::getTokenForInstanceAccess, resource)
when {
    resource.hasTag("Environment") &&
    resource.getTag("Environment") == "Development"
};
```

## 预留字符
<a name="reserved-characters"></a>

以下示例说明当上下文属性使用 `:`（分号）时如何编写策略，该符号是策略语言中的保留字符。

```
permit (
    principal,
    action == AWS::SSM::Action::"getTokenForInstanceAccess",
    resource
)
when {
    principal has employeeNumber && principal.employeeNumber like "E-1*" && resource.hasTag("Purpose") && resource.getTag("Purpose") == "Testing"
}
```

有关其他示例，请参阅 [示例策略语句](#policy-statement-examples)。

## 即时节点访问架构
<a name="auto-approval-deny-access-policy-statement-schema"></a>

以下是即时节点访问的 Cedar 架构。

```
namespace AWS::EC2 {
    entity Instance tags String;
}


namespace AWS::IdentityStore {
    entity Group;
    
    entity User in [Group] {
    employeeNumber?: String,
    costCenter?: String,
    organization?: String,
    division?: String,
    };

}


namespace AWS::IAM {

    entity Role;
    
    type AuthorizationContext = {
        principalTags: PrincipalTags,
    };
    
    entity PrincipalTags tags String;
}

namespace AWS::SSM {

    entity ManagedInstance tags String;

    action "getTokenForInstanceAccess" appliesTo {
    principal: [AWS::IdentityStore::User],
    resource: [AWS::EC2::Instance, AWS::SSM::ManagedInstance],
    context: {
        "iam": AWS::IAM::AuthorizationContext
        }
    };
}
```

## 内置运算符
<a name="built-in-policy-operators"></a>

在使用各种条件创建自动审批或拒绝访问策略的上下文时，您可以使用 `&&` 运算符来添加其他条件。您还可以使用许多其他内置运算符来为您的策略条件添加更多的表达能力。下表包含所有内置运算符，以供参考。

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/systems-manager/latest/userguide/auto-approval-deny-access-policy-statement-structure.html)

## 示例策略语句
<a name="policy-statement-examples"></a>

以下是策略语句示例。

```
// Users assuming IAM roles with a principal tag of "Elevated" can automatically access nodes tagged with the "Environment" key when the value equals "prod"
permit(principal, action == AWS::SSM::getTokenForInstanceAccess, resource)
when {
    // Verify IAM role principal tag
    context.iam.principalTags.getTag("AccessLevel") == "Elevated" &&
    
    // Verify the node has a tag with "Environment" tag key and a tag value of "prod"
    resource.hasTag("Environment") &&
    resource.getTag("Environment") == "prod"
};
```

```
// Identity Center users in the "Contractor" division can automatically access nodes tagged with the "Environment" key when the value equals "dev"
permit(principal, action == AWS::SSM::getTokenForInstanceAccess, resource)
when {
    // Verify that the user is part of the "Contractor" division
    principal.division == "Contractor" &&
    
    // Verify the node has a tag with "Environment" tag key and a tag value of "dev"
    resource.hasTag("Environment") &&
    resource.getTag("Environment") == "dev"
};
```

```
// Identity Center users in a specified group can automatically access nodes tagged with the "Environment" key when the value equals "Production"
permit(principal in AWS::IdentityStore::Group::"d4q81745-r081-7079-d789-14da1EXAMPLE",
    action == AWS::SSM::getTokenForInstanceAccess,
    resource)
when {
    resource.hasTag("Environment") &&
    resource.getTag("Environment") == "Production"
};
```