

This page is a machine translation of the English version. Where the translation is ambiguous or inconsistent, the English version is authoritative.

# Using access points in IAM policies
<a name="access-points-iam-policy"></a>

You can use IAM policies to enforce that specific NFS clients, identified by their IAM roles, can access the file system only through specific access points. To do this, use the `elasticfilesystem:AccessPointArn` IAM condition key. `AccessPointArn` is the Amazon Resource Name (ARN) of the access point used to mount the file system. The key is present in the request context only when the client mounts through an access point, so a `StringEquals` condition on it does not match a mount that bypasses access points: the statement simply does not apply, and the request falls through to an implicit deny.

The following example file system policy allows the IAM role `app1` to access the file system through access point `fsap-01234567`, and allows `app2` to use the file system through access point `fsap-89abcdef`. Each statement grants only `ClientMount` and `ClientWrite`; neither role is granted `ClientRootAccess`. The access point ARN in each condition carries the region and account ID of the account that owns the file system, which is the same account that owns the access point.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Id": "MyFileSystemPolicy",
    "Statement": [
        {
            "Sid": "App1Access",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::111122223333:role/app1" },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/*",
            "Condition": {
                "StringEquals": {
                    "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/fsap-01234567"
                }
            }
        },
        {
            "Sid": "App2Access",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::111122223333:role/app2" },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/*",
            "Condition": {
                "StringEquals": {
                    "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/fsap-89abcdef"
                }
            }
        }
    ]
}
```

------
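To check what the two conditions actually enforce before attaching a policy like this, the following evaluator runs the policy above against a handful of mount requests. It is an added example, not code from this page or from AWS, and it models only the IAM semantics this policy relies on: an explicit Deny beats an Allow, which beats the implicit deny; `AWS` principals; wildcard matching on `Action` and `Resource`; and `StringEquals`, which does not match when the key is absent from the request context. The file system ID `fs-0123456789abcdef0` is a placeholder; the role and access point ARNs are the ones in the policy.

```python
import fnmatch
import json

# The file-system policy from this page, embedded so the example runs offline.
FILE_SYSTEM_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Id": "MyFileSystemPolicy",
    "Statement": [
        {
            "Sid": "App1Access",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app1"},
            "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/*",
            "Condition": {"StringEquals": {"elasticfilesystem:AccessPointArn":
                "arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/fsap-01234567"}}
        },
        {
            "Sid": "App2Access",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app2"},
            "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/*",
            "Condition": {"StringEquals": {"elasticfilesystem:AccessPointArn":
                "arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/fsap-89abcdef"}}
        }
    ]
}
""")

# Placeholder file system ID (assumption); the other ARNs come from the policy.
FS_ARN = "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef0"
APP1 = "arn:aws:iam::111122223333:role/app1"
APP2 = "arn:aws:iam::111122223333:role/app2"
AP_APP1 = "arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/fsap-01234567"
AP_APP2 = "arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/fsap-89abcdef"
AP_KEY = "elasticfilesystem:AccessPointArn"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, principal_arn):
    if principal == "*":
        return True
    return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS", [])))


def _conditions_hold(condition, context):
    # Only StringEquals is modelled. IAM treats a condition key that is missing
    # from the request context as not matching, so a mount that does not go
    # through an access point never satisfies either statement.
    for operator, checks in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in checks.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def evaluate(policy, principal_arn, action, resource_arn, context):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def mount_decisions():
    """Decisions for the mount attempts worth verifying against this policy."""
    mount, root = "elasticfilesystem:ClientMount", "elasticfilesystem:ClientRootAccess"
    return {
        "app1 via its own access point": evaluate(FILE_SYSTEM_POLICY, APP1, mount, FS_ARN, {AP_KEY: AP_APP1}),
        "app1 via app2's access point": evaluate(FILE_SYSTEM_POLICY, APP1, mount, FS_ARN, {AP_KEY: AP_APP2}),
        "app1 without an access point": evaluate(FILE_SYSTEM_POLICY, APP1, mount, FS_ARN, {}),
        "app1 root access via its own access point": evaluate(FILE_SYSTEM_POLICY, APP1, root, FS_ARN, {AP_KEY: AP_APP1}),
        "app2 via its own access point": evaluate(FILE_SYSTEM_POLICY, APP2, mount, FS_ARN, {AP_KEY: AP_APP2}),
    }
```

On a real client the condition key is populated when the mount uses IAM authorization and names an access point (with the EFS mount helper, the `iam` and `accesspoint=fsap-...` mount options together). Only the first and last cases in `mount_decisions()` are allowed: `app1` naming `fsap-89abcdef`, `app1` mounting without an access point, and either role requesting `ClientRootAccess` all receive an implicit deny from this policy, which is the behaviour the condition key is meant to guarantee.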