本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# S3 Vectors 資源型政策範例
以資源為基礎的政策會連接至資源。您可以為向量儲存貯體建立資源型政策。S3 Vectors 的資源型政策使用您直接連接到向量儲存貯體的 JSON 標準 AWS 政策格式,以控制對儲存貯體及其內容的存取。
與連接到使用者、群組或角色的身分型政策不同,資源型政策會連接到資源本身 (向量儲存貯體),並可將許可授予其他 AWS 帳戶的主體。這使得這類型政策成為當您需要跨組織邊界共用向量資料,或根據要存取的特定資源實作精細存取控制的情況的理想選擇。
資源型政策會與身分型政策結合評估,而有效許可權則是由所有適用政策的聯集決定。這表示主體需要身分型政策 (連接至其使用者/角色) 和資源型政策 (連接至儲存貯體) 的許可權,才能執行動作,除非資源型政策明確授予許可權。
## 範例 1:跨帳戶存取權政策
此政策示範如何將特定許可權授予來自不同 AWS 帳戶的使用者:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CrossAccountBucketAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:123456789012:role/Admin"
},
"Action": [
"s3vectors:CreateIndex",
"s3vectors:ListIndexes",
"s3vectors:QueryVectors",
"s3vectors:PutVectors",
"s3vectors:DeleteIndex"
],
"Resource": [
"arn:aws:s3vectors:aws-region:111122223333:bucket/amzn-s3-demo-vector-bucket/*",
"arn:aws:s3vectors:aws-region:111122223333:bucket/amzn-s3-demo-vector-bucket"
]
}
]
}
```
## 範例 2:拒絕向量索引層級動作
此政策展示如何拒絕 IAM 角色的特定向量索引層級動作:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyIndexLevelActions",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam:123456789012:role/External-Role-Name"
},
"Action": [
"s3vectors:QueryVectors",
"s3vectors:PutVectors",
"s3vectors:DeleteIndex",
"s3vectors:GetVectors",
"s3vectors:GetIndex",
"s3vectors:DeleteVectors",
"s3vectors:CreateIndex",
"s3vectors:ListVectors"
],
"Resource": "arn:aws:s3vectors:aws-region:111122223333:bucket/amzn-s3-demo-vector-bucket/*"
}
]
}
```
## 範例 3:拒絕向量索引和儲存貯體層級的修改操作
此政策展示如何透過指定多個資源,拒絕向量索引和儲存貯體層級動作的修改請求:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyModificationActionsAtBucketandIndexLevels",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam:123456789012:role/External-Role-Name"
},
"Action": [
"s3vectors:CreateVectorBucket",
"s3vectors:DeleteVectorBucket",
"s3vectors:PutVectorBucketPolicy",
"s3vectors:DeleteVectorBucketPolicy",
"s3vectors:CreateIndex",
"s3vectors:DeleteIndex",
"s3vectors:PutVectors",
"s3vectors:DeleteVectors"
],
"Resource": [
"arn:aws:s3vectors:aws-region:111122223333:bucket/amzn-s3-demo-vector-bucket/*",
"arn:aws:s3vectors:aws-region:111122223333:bucket/amzn-s3-demo-vector-bucket"
]
}
]
}
```