

This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version takes precedence.

# Common resource-based policy examples
<a name="rbp-examples"></a>

These examples show common patterns for controlling access to Aurora DSQL clusters. You can combine and modify these patterns to fit your specific access requirements.

## Block public internet access
<a name="rbp-example-block-public"></a>

This policy blocks connections to an Aurora DSQL cluster from the public internet (that is, from outside any VPC). The policy does not specify which VPCs clients may connect from, only that they must connect from a VPC. To restrict access to specific VPCs, use `aws:SourceVpc` with the `StringEquals` condition operator.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Action": [
        "dsql:DbConnect",
        "dsql:DbConnectAdmin"
      ],
      "Condition": {
        "Null": {
          "aws:SourceVpc": "true"
        }
      }
    }
  ]
}
```

**Note**  
This example uses only `aws:SourceVpc` to check for a VPC connection. The `aws:VpcSourceIp` and `aws:SourceVpce` condition keys offer additional granularity, but they are not needed for basic VPC-only access control.

To provide an exception for specific roles, use this policy instead:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessFromOutsideVPC",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Action": [
        "dsql:DbConnect",
        "dsql:DbConnectAdmin"
      ],
      "Condition": {
        "Null": {
          "aws:SourceVpc": "true"
        },
        "StringNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::123456789012:role/ExceptionRole",
            "arn:aws:iam::123456789012:role/AnotherExceptionRole"
          ]
        }
      }
    }
  ]
}
```

## Restrict access to an AWS Organization
<a name="rbp-example-org-access"></a>

This policy restricts access to principals within your AWS organization:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "dsql:DbConnect",
        "dsql:DbConnectAdmin"
      ],
      "Resource": "arn:aws:dsql:us-east-1:123456789012:cluster/mydsqlclusterid0123456789a",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalOrgID": "o-exampleorgid"
        }
      }
    }
  ]
}
```

## Restrict access to a specific organizational unit
<a name="rbp-example-ou-access"></a>

This policy restricts access to principals within a specific organizational unit (OU) of your AWS organization, which gives finer-grained control than allowing the whole organization:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "dsql:DbConnect"
      ],
      "Resource": "arn:aws:dsql:us-east-1:123456789012:cluster/mydsqlclusterid0123456789a",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalOrgPaths": "o-exampleorgid/r-examplerootid/ou-exampleouid/*"
        }
      }
    }
  ]
}
```

## Multi-Region cluster policies
<a name="rbp-example-multi-region"></a>

For multi-Region clusters, each regional cluster maintains its own resource policy, which allows Region-specific controls. The following example uses a different policy in each Region:

*us-east-1 policy:*

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Action": [
        "dsql:DbConnect"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-east1-id"
        },
        "Null": {
          "aws:SourceVpc": "true"
        }
      }
    }
  ]
}
```

*us-east-2 policy:*

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Action": [
        "dsql:DbConnect"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-east2-id"
        }
      }
    }
  ]
}
```

**Note**  
Condition context key values (for example, VPC IDs) can differ between AWS Regions.
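The policies in all four sections above depend on a few IAM condition rules: operators inside one `Condition` block are ANDed, a negated operator such as `StringNotEquals` or `StringNotLike` matches when the key is absent from the request context, and an explicit Deny overrides any Allow. As an added example that is not AWS code and not part of this page, the following Python script models those rules and evaluates each policy shown above (the VPC-only policy and its role exception, the organization and OU policies, and the two regional policies) against constructed request contexts. It is a deliberate simplification: it ignores the `Principal` element, identity-based policies, SCPs and multivalued keys (it treats `aws:PrincipalOrgPaths` as a single string), and every request context in it is made up. The account, organization and VPC IDs are the page's own placeholders.

```python
import fnmatch

# Added example, not AWS code: a small model of the IAM condition semantics the
# policies on this page rely on. It ignores the Principal element, identity-based
# policies, SCPs and multivalued keys (aws:PrincipalOrgPaths is treated as one string).

CLUSTER = "arn:aws:dsql:us-east-1:123456789012:cluster/mydsqlclusterid0123456789a"
CONNECT = ["dsql:DbConnect", "dsql:DbConnectAdmin"]


def _policy(condition, resource="*", actions=CONNECT, effect="Deny"):
    """Build a one-statement policy in the shape used on this page."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": effect, "Principal": {"AWS": "*"}, "Resource": resource,
        "Action": actions, "Condition": condition}]}


# The page's policies, reproduced with its placeholder account, org and VPC IDs.
BLOCK_PUBLIC = _policy({"Null": {"aws:SourceVpc": "true"}})
BLOCK_PUBLIC_WITH_EXCEPTION = _policy({
    "Null": {"aws:SourceVpc": "true"},
    "StringNotEquals": {"aws:PrincipalArn": [
        "arn:aws:iam::123456789012:role/ExceptionRole",
        "arn:aws:iam::123456789012:role/AnotherExceptionRole"]}})
ORG_ONLY = _policy({"StringNotEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
                   resource=CLUSTER)
OU_ONLY = _policy({"StringNotLike": {
    "aws:PrincipalOrgPaths": "o-exampleorgid/r-examplerootid/ou-exampleouid/*"}},
    resource=CLUSTER, actions=["dsql:DbConnect"])
EAST1 = _policy({"StringNotEquals": {"aws:SourceVpc": "vpc-east1-id"},
                 "Null": {"aws:SourceVpc": "true"}}, actions=["dsql:DbConnect"])
EAST2 = _policy({"StringEquals": {"aws:SourceVpc": "vpc-east2-id"}},
                actions=["dsql:DbConnect"], effect="Allow")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _operator_matches(op, expected, actual):
    """Evaluate one condition operator for one key; actual is None when the key is absent."""
    expected = [str(v) for v in _as_list(expected)]
    if op == "Null":
        return (actual is None) == (expected[0].lower() == "true")
    if actual is None:
        # IAM semantics: a missing key fails positive operators and satisfies negated ones.
        return op.startswith("StringNot")
    if op == "StringEquals":
        return actual in expected
    if op == "StringNotEquals":
        return actual not in expected
    like = any(fnmatch.fnmatchcase(actual, pattern) for pattern in expected)  # * and ? wildcards
    if op == "StringLike":
        return like
    if op == "StringNotLike":
        return not like
    raise ValueError(f"operator not modelled: {op}")


def _statement_applies(stmt, action, resource, ctx):
    """A statement applies when action, resource and every condition entry match (logical AND)."""
    if action not in _as_list(stmt["Action"]) and "*" not in _as_list(stmt["Action"]):
        return False
    if resource not in _as_list(stmt["Resource"]) and "*" not in _as_list(stmt["Resource"]):
        return False
    return all(_operator_matches(op, expected, ctx.get(key))
               for op, pairs in stmt.get("Condition", {}).items()
               for key, expected in pairs.items())


def evaluate(policy, ctx, action="dsql:DbConnect", resource=CLUSTER):
    """Return 'Deny', 'Allow' or 'NoMatch' for one request context against one policy."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_applies(s, action, resource, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "NoMatch"


if __name__ == "__main__":
    # Constructed request contexts; the result is only what this one policy contributes.
    print(evaluate(BLOCK_PUBLIC, {}))                             # Deny: no aws:SourceVpc key
    print(evaluate(BLOCK_PUBLIC, {"aws:SourceVpc": "vpc-0abc"}))  # NoMatch: any VPC passes
    print(evaluate(ORG_ONLY, {}))                                 # Deny: principal in no organization
    print(evaluate(EAST1, {"aws:SourceVpc": "vpc-0other"}))       # NoMatch: other VPC is not denied
```

Two outcomes are worth checking with the script. First, because a negated operator matches when its key is absent, the organization and OU policies also deny principals that belong to no organization at all, and the role-exception policy still denies a non-VPC request whose context carries no `aws:PrincipalArn`. Second, because the operators inside one `Condition` block are ANDed, the us-east-1 policy above denies only requests where `aws:SourceVpc` is absent; a connection from a different VPC is not denied by it, since the `Null` entry is false for any VPC-sourced request. The `StringNotEquals` entry on its own, without the `Null` block, is what denies both the public-internet case and the other-VPC case.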