IAM Policy 實戰

Vibe Prompt

「幫我寫 AWS IAM Policy:允許某個服務角色只能讀取特定 S3 bucket 與寫入特定 DynamoDB 表格。」

最小權限 Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::myapp-assets/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:GetItem",
        "dynamodb:UpdateItem"
      ],
      "Resource": "arn:aws:dynamodb:ap-northeast-1:123456789:table/Visitors"
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}

常見 IAM 角色

| 角色 | 用途 | |------|------| | EC2 Role | 賦予 EC2 存取其他 AWS 服務的權限 | | Lambda Role | Lambda 函式的執行權限 | | Cross-Account Role | 跨帳號存取 | | Service-Linked Role | AWS 服務內部使用 |

Vibe Prompt

「幫我用 CDK 建立 IAM Role + Policy,並附加到 Lambda 函式。」

const role = new iam.Role(this, 'LambdaRole', {
  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
  managedPolicies: [
    iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole'),
  ],
});

table.grantReadWriteData(role);
bucket.grantRead(role);

const fn = new lambda.Function(this, 'MyFunction', {
  runtime: lambda.Runtime.PYTHON_3_11,
  handler: 'index.handler',
  code: lambda.Code.fromAsset('lambda'),
  role,
});

解鎖完整教學內容

本章為付費內容。加入專案即可解鎖超過 5000 字的深度解析,包含 10 個以上神級 Prompt 與真實 Source Code 範例!