nexus/wiki/concepts/IAM-策略.md
2026-04-19 14:51:38 +08:00
---
title: "IAM Policy"
type: concept
tags: [AWS, IAM, Security, Policy]
date: 2026-04-19
---
## Definition
An IAM policy is a JSON document that defines permissions in AWS: it states which actions are allowed or denied on which resources. Every request is implicitly denied by default; an `Allow` statement grants access, and an explicit `Deny` in any applicable policy overrides any `Allow`.
## Core Concept
> "We only want to allow the access that is strictly required."
The principle of least privilege is the central guiding principle of IAM policy design.
## Types
- **AWS managed policies**: predefined and maintained by AWS; reusable across identities
- **Customer managed policies**: created and maintained by the account owner; reusable across identities
- **Inline policies**: embedded directly in a single IAM role, user or group; not reusable, and deleted together with that identity
## Best Practices
- Use inline policies for permissions that belong to exactly one role and must never be attached anywhere else (they live and die with the role)
- Use managed policies for permissions reused across roles; AWS recommends customer managed policies over inline policies in most cases, since they can be versioned and reviewed in one place
- Keep policies fine-grained: name the specific actions and resource ARNs that are needed instead of `"Action": "*"` or `"Resource": "*"`, and add a `Condition` block where access should be further restricted
## JSON Structure
Each statement has an `Effect` of either `"Allow"` or `"Deny"`, the `Action`s it covers and the `Resource` ARNs they apply to, optionally with a `Sid` and a `Condition`. Bucket-level actions such as `s3:ListBucket` match the bucket ARN, while object-level actions such as `s3:GetObject` match the object ARN (`bucket-name/*`), so they need separate statements (or both ARNs listed) to take effect:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Sid": "ReadObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}
```
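To make the best practices and the JSON structure above concrete, here is an added example (not part of the original note, and not AWS code): a small Python least-privilege linter that parses an IAM policy document offline and flags the patterns the best practices warn against: wildcard actions or resources, `Allow` combined with `NotAction`/`NotResource`, and bucket-level S3 actions scoped only to object ARNs, which grant nothing and tempt people to widen `Resource` to `"*"`. The three sample policies are constructed for the example, and `BUCKET_LEVEL_S3_ACTIONS` is a hand-picked subset of the real list.

```python
"""
Least-privilege linter for IAM identity-based policies.
Added example for this note; not AWS code. Runs offline on the policy JSON alone.
"""
import json
from typing import Any, Dict, List

# Constructed subset of S3 actions that act on the *bucket* and therefore need the bucket ARN
# (arn:aws:s3:::bucket-name) as Resource. The real list is longer; this is an assumption.
BUCKET_LEVEL_S3_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketPolicy"}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means no issue was detected."""
    findings: List[str] = []
    if policy.get("Version") != "2012-10-17":
        findings.append("policy: Version should be 2012-10-17 (2008-10-17 lacks policy variables)")

    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        # Deny statements only narrow access; only Allow statements can over-grant.
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: Allow with NotAction/NotResource grants everything not listed")
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}; list the specific actions needed")
        for resource in resources:
            if resource == "*":
                findings.append(f"{sid}: Resource '*' applies to every resource in the account")

        # Bucket-level S3 actions scoped only to object ARNs (bucket/...) silently grant nothing.
        bucket_level = sorted(a for a in actions if a in BUCKET_LEVEL_S3_ACTIONS)
        object_arns_only = bool(resources) and all(
            r.startswith("arn:aws:s3:::") and "/" in r for r in resources
        )
        if bucket_level and object_arns_only:
            bucket_arns = sorted({r.split("/", 1)[0] for r in resources})
            findings.append(
                f"{sid}: {', '.join(bucket_level)} apply to the bucket ARN "
                f"({', '.join(bucket_arns)}), but only object ARNs are listed"
            )
    return findings


# Constructed sample policies (not taken from any real account).
OVERLY_BROAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}""")

# Looks specific, but s3:ListBucket never matches an object ARN, so listing fails at
# runtime and the usual "fix" is to widen Resource to "*".
MISMATCHED_RESOURCE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": "arn:aws:s3:::bucket-name/*"}]
}""")

LEAST_PRIVILEGE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::bucket-name"},
    {"Sid": "ReadObjects", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::bucket-name/*"}
  ]
}""")


if __name__ == "__main__":
    for name, policy in [("OVERLY_BROAD", OVERLY_BROAD),
                         ("MISMATCHED_RESOURCE", MISMATCHED_RESOURCE),
                         ("LEAST_PRIVILEGE", LEAST_PRIVILEGE)]:
        print(f"{name}:")
        for line in lint_policy(policy) or ["ok: no findings"]:
            print(f"  {line}")
```

The linter deliberately ignores `Deny` statements: they can only remove access, so the least-privilege question is always about what `Allow` statements grant. Run it as a pre-commit check on policy files, or feed it the output of `aws iam get-policy-version` to review policies already deployed.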
## Related Concepts
- [[IAM-角色]] (IAM role): the target a policy is attached to
- [[内联策略]] (inline policy): bound to a single role
- [[托管策略]] (managed policy): reusable across roles
- [[最小权限原则]] (principle of least privilege): the policy design principle
## Connections
- [[IAM-策略]] ← attached_to ← [[IAM-角色]]