本文为您介绍通过管控策略限制资源共享的示例。
背景信息
您可以创建自定义管控策略,然后绑定到资源目录的资源夹或成员,限制成员对资源的共享操作权限。具体操作:
策略示例
禁止组织外资源共享
策略内容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:CreateResourceShare",
"resourcesharing:UpdateResourceShare"
],
"Resource": "*",
"Condition": {
"Bool": {
"resourcesharing:RequestedAllowExternalTargets": "true"
}
}
}
]
}通过本策略可以防止用户创建允许共享给组织外账号的共享单元。
禁止将资源共享给预期外的账号
策略内容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:AssociateResourceShare",
"resourcesharing:CreateResourceShare"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"resourcesharing:Target": [
"rd-3G****/r-Wm****/*",
"rd-3G****/r-Wm****",
"192796193830****"
]
}
}
}
]
}本策略仅允许将资源共享给账号192796193830****、资源夹rd-3G****/r-Wm****下的所有成员,禁止共享给其他账号。请替换成您自己的目标账号。
禁止用户接受组织外账号的资源共享邀请
策略内容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": "resourcesharing:AcceptResourceShareInvitation",
"Resource": "*"
}
]
}本策略会阻止用户接受组织外账号的资源共享邀请。与共享账号属于同一资源目录时不会产生共享邀请,因此不受此策略的影响。
仅允许共享指定的资源类型
策略内容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:CreateResourceShare",
"resourcesharing:AssociateResourceShare"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"resourcesharing:RequestedResourceType": ["VSwitch","Image","Snapshot"]
}
}
}
]
}本策略仅允许共享交换机VSwitch、镜像Image和快照Snapshot,禁止共享除这些资源类型以外的其他资源。资源类型代码请参见支持资源共享的云服务的资源类型列。
仅允许共享指定的资源
策略内容:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"resourcesharing:CreateResourceShare",
"resourcesharing:AssociateResourceShare"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"resourcesharing:ResourceArn": [
"acs:vpc:cn-shanghai:131993166204****:vswitch/vsw-7xv4sfwo86u2etl64****",
"acs:ecs:cn-shanghai:131993166204****:snapshot/s-7xviog7aq4tenbqj****"
]
}
}
}
]
}本策略仅允许共享阿里云账号131993166204****下的指定交换机vsw-7xv4sfwo86u2etl64****和指定快照s-7xviog7aq4tenbqj****,禁止共享除这些资源以外的其他资源。资源ARN格式请参见支持资源共享的云服务的资源ARN列。
文档内容是否对您有帮助?