IAM Policy in Practice
Vibe Prompt
"Write me an AWS IAM policy that lets a service role only read from one specific S3 bucket and write to one specific DynamoDB table."
Least-privilege policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::myapp-assets/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:GetItem",
        "dynamodb:UpdateItem"
      ],
      "Resource": "arn:aws:dynamodb:ap-northeast-1:123456789:table/Visitors"
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
```
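To see how the three statements combine, here is an added Python evaluator (not part of this page or of any AWS tooling) that applies IAM's evaluation order, explicit Deny first, then a matching Allow, otherwise implicit deny, to the policy above for a given action, resource and caller IP. It assumes, as this toy model's own choice, that a NotIpAddress condition matches when `aws:SourceIp` is absent from the request context; that absent-IP case is the one to check before shipping a blanket source-IP Deny, because calls an AWS service makes on the role's behalf do not carry the original caller's IP.

```python
import fnmatch
import ipaddress

# Constructed copy of the page's least-privilege policy, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::myapp-assets/*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:UpdateItem"],
         "Resource": "arn:aws:dynamodb:ap-northeast-1:123456789:table/Visitors"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/16"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # "*" is IAM's wildcard; actions are case-insensitive (folding ARNs too is a simplification).
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _condition_holds(condition, context):
    # Only NotIpAddress, the operator this policy uses, is modelled; anything else is rejected.
    for operator, pairs in condition.items():
        if operator != "NotIpAddress":
            raise NotImplementedError(f"unsupported operator {operator}")
        for key, cidrs in pairs.items():
            if key not in context:
                return True  # model assumption: a negated operator matches when the key is absent
            ip = ipaddress.ip_address(context[key])
            if any(ip in ipaddress.ip_network(c) for c in _as_list(cidrs)):
                return False
    return True

def evaluate(policy, action, resource, context):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny'; an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision
```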
Common IAM roles

| Role | Purpose |
|------|---------|
| EC2 Role | Grants an EC2 instance permission to access other AWS services |
| Lambda Role | Execution permissions for a Lambda function |
| Cross-Account Role | Access across AWS accounts |
| Service-Linked Role | Used internally by an AWS service |
Vibe Prompt
"Use CDK to create an IAM Role + Policy and attach it to a Lambda function."
```typescript
// Added for completeness (assumption): the imports and the `table` / `bucket` constructs the snippet refers to.
import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import * as s3 from 'aws-cdk-lib/aws-s3';

const bucket = new s3.Bucket(this, 'AssetsBucket');
const table = new dynamodb.Table(this, 'VisitorsTable', {
  partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
});

// Role assumed by the Lambda service; the managed policy only covers CloudWatch Logs.
const role = new iam.Role(this, 'LambdaRole', {
  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
  managedPolicies: [
    iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole'),
  ],
});
// The grant* helpers add statements scoped to exactly these two resources.
table.grantReadWriteData(role);
bucket.grantRead(role);

const fn = new lambda.Function(this, 'MyFunction', {
  runtime: lambda.Runtime.PYTHON_3_11,
  handler: 'index.handler',
  code: lambda.Code.fromAsset('lambda'),
  role,
});
```