This topic provides examples of how to use an access control policy to limit resource sharing.
Background information
To use an access control policy to limit resource sharing, perform the following steps:
Policy examples
Policy used to prohibit resource sharing outside a resource directory
The following policy prohibits the creation of resource shares through which resources are shared with accounts outside the current resource directory.
Document:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "resourcesharing:CreateResourceShare",
        "resourcesharing:UpdateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "resourcesharing:RequestedAllowExternalTargets": "true"
        }
      }
    }
  ]
}
Policy used to prohibit resource sharing with unexpected accounts
The following policy allows resource sharing only with the account 192796193830**** and all members in the folder rd-3G****/r-Wm****. You can change the value of the resourcesharing:Target parameter based on your business requirements.
Document:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "resourcesharing:AssociateResourceShare",
        "resourcesharing:CreateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "resourcesharing:Target": [
            "rd-3G****/r-Wm****/*",
            "rd-3G****/r-Wm****",
            "192796193830****"
          ]
        }
      }
    }
  ]
}
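The following Python sketch is an added example, not part of the original documentation or the service's own code: it models how the Deny statement above evaluates against sample requests, so the target allowlist can be checked before the policy is attached. The evaluator, its operator semantics (a negated operator holds only when the request value matches none of the listed values), the request-context shape, and all IDs are assumptions or constructed placeholders.

```python
import re

# Constructed policy modelled on the "unexpected accounts" example above;
# the directory, folder and account IDs are placeholders, not real values.
POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["resourcesharing:AssociateResourceShare",
                   "resourcesharing:CreateResourceShare"],
        "Resource": "*",
        "Condition": {"StringNotLike": {"resourcesharing:Target": [
            "rd-EXAMPLE/r-ROOT01/*", "rd-EXAMPLE/r-ROOT01", "1000000000000001"]}},
    }],
}

def _like(pattern, value):
    # '*' matches any run of characters, '?' exactly one; all else is literal.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

# Assumed semantics: a negated operator holds only when the request value
# matches none of the listed values; Bool compares case-insensitively.
OPERATORS = {
    "StringNotLike": lambda vals, v: not any(_like(p, v) for p in vals),
    "StringNotEquals": lambda vals, v: v not in vals,
    "Bool": lambda vals, v: str(v).lower() in [str(x).lower() for x in vals],
}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def is_denied(policy, action, context):
    """Return True if a Deny statement matches the action and request context.

    This model assumes the context supplies every condition key the policy uses.
    """
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or action not in _as_list(st["Action"]):
            continue
        conds = st.get("Condition", {})
        if all(OPERATORS[op](_as_list(vals), context[key])
               for op, keys in conds.items() for key, vals in keys.items()):
            return True  # every condition held (or none was set): Deny applies
    return False

if __name__ == "__main__":
    # Constructed sample targets: allowlisted account, folder member, outsider.
    for target in ("1000000000000001", "rd-EXAMPLE/r-ROOT01/fd-TEAM01", "1999999999999999"):
        denied = is_denied(POLICY, "resourcesharing:CreateResourceShare",
                           {"resourcesharing:Target": target})
        print(target, "-> denied" if denied else "-> not denied")
```

A target such as rd-EXAMPLE/r-ROOT01X is denied in this model because the folder pattern requires the trailing slash, which is why the policy lists both the folder itself and the folder path followed by /*.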
Policy used to prohibit the acceptance of resource sharing invitations from accounts outside a resource directory
The following policy prohibits the acceptance of resource sharing invitations from accounts outside the current resource directory. If principals and resource owners belong to the same resource directory, no resource sharing invitations are initiated. Therefore, this policy does not affect resource sharing within the same resource directory.
Document:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "resourcesharing:AcceptResourceShareInvitation",
      "Resource": "*"
    }
  ]
}
Policy used to prohibit sharing of unexpected types of resources
The following policy allows sharing of only vSwitches, images, and snapshots.
Document:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "resourcesharing:CreateResourceShare",
        "resourcesharing:UpdateResourceShare",
        "resourcesharing:AssociateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "resourcesharing:RequestedResourceType": ["VSwitch", "Image", "Snapshot"]
        }
      }
    }
  ]
}