aws-cdk-lib.aws_iam.PolicyStatementProps

interface PolicyStatementProps

Language            | Type name
.NET                | Amazon.CDK.AWS.IAM.PolicyStatementProps
Go                  | github.com/aws/aws-cdk-go/awscdk/v2/awsiam#PolicyStatementProps
Java                | software.amazon.awscdk.services.iam.PolicyStatementProps
Python              | aws_cdk.aws_iam.PolicyStatementProps
TypeScript (source) | aws-cdk-lib » aws_iam » PolicyStatementProps

Interface for creating a policy statement.

Example

    import * as ec2 from 'aws-cdk-lib/aws-ec2';
    import * as iam from 'aws-cdk-lib/aws-iam';

    // Add gateway endpoints when creating the VPC (this code runs inside a Stack, hence `this`)
    const vpc = new ec2.Vpc(this, 'MyVpc', {
      gatewayEndpoints: {
        S3: {
          service: ec2.GatewayVpcEndpointAwsService.S3,
        },
      },
    });

    // Alternatively, gateway endpoints can be added on the VPC afterwards
    const dynamoDbEndpoint = vpc.addGatewayEndpoint('DynamoDbEndpoint', {
      service: ec2.GatewayVpcEndpointAwsService.DYNAMODB,
    });

    // This allows the endpoint policy to be customized
    dynamoDbEndpoint.addToPolicy(
      new iam.PolicyStatement({ // Restrict to listing and describing tables
        principals: [new iam.AnyPrincipal()],
        actions: ['dynamodb:DescribeTable', 'dynamodb:ListTables'],
        resources: ['*'],
      }));

    // Add an interface endpoint
    vpc.addInterfaceEndpoint('EcrDockerEndpoint', {
      service: ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,

      // Uncomment the following to allow more fine-grained control over
      // who can access the endpoint via the '.connections' object.
      // open: false
    });

Properties

Name           | Type              | Description
actions?       | string[]          | List of actions to add to the statement.
conditions?    | { [string]: any } | Conditions to add to the statement.
effect?        | Effect            | Whether to allow or deny the actions in this statement.
notActions?    | string[]          | List of not actions to add to the statement.
notPrincipals? | IPrincipal[]      | List of not principals to add to the statement.
notResources?  | string[]          | NotResource ARNs to add to the statement.
principals?    | IPrincipal[]      | List of principals to add to the statement.
resources?     | string[]          | Resource ARNs to add to the statement.
sid?           | string            | The Sid (statement ID) is an optional identifier that you provide for the policy statement.

actions?

Type: string[] (optional, default: no actions)

List of actions to add to the statement.


conditions?

Type: { [string]: any } (optional, default: no condition)

Conditions to add to the statement.


effect?

Type: Effect (optional, default: Effect.ALLOW)

Whether to allow or deny the actions in this statement.


notActions?

Type: string[] (optional, default: no not-actions)

List of not actions to add to the statement.


notPrincipals?

Type: IPrincipal[] (optional, default: no not principals)

List of not principals to add to the statement.


notResources?

Type: string[] (optional, default: no not-resources)

NotResource ARNs to add to the statement.


principals?

Type: IPrincipal[] (optional, default: no principals)

List of principals to add to the statement.


resources?

Type: string[] (optional, default: no resources)

Resource ARNs to add to the statement.


sid?

Type: string (optional, default: no sid)

The Sid (statement ID) is an optional identifier that you provide for the policy statement.

You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document's ID. In IAM, the Sid value must be unique within a JSON policy.
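As an added example (not aws-cdk-lib code), the following TypeScript models the PolicyStatementProps field set documented above, renders a statement into the IAM JSON shape (Sid, Effect, Action, NotAction, Resource, NotResource, Principal, NotPrincipal, Condition) and flags the combinations a least-privilege review of such props should catch. The field names follow the table, the Allow default follows the `effect` entry, and the principal representation (`{ AWS: ['*'] }` standing in for `AnyPrincipal`) and the mutual-exclusion rule are assumptions of this sketch.

```typescript
// Local model of the PolicyStatementProps field set; these are not the aws-cdk-lib types.
type Effect = 'Allow' | 'Deny';
type PrincipalJson = { [type: string]: string[] };   // assumed shape: { AWS: ['*'] } for AnyPrincipal
interface StatementProps {
  sid?: string;
  effect?: Effect;                                    // aws-cdk-lib defaults this to Allow
  actions?: string[];           notActions?: string[];
  resources?: string[];         notResources?: string[];
  principals?: PrincipalJson[]; notPrincipals?: PrincipalJson[];
  conditions?: { [operator: string]: { [key: string]: unknown } };
}

// Fold a list of principal maps into the single Principal object an IAM statement carries.
function mergePrincipals(list: PrincipalJson[]): PrincipalJson {
  const out: PrincipalJson = {};
  for (const p of list) for (const t in p) out[t] = (out[t] || []).concat(p[t]);
  return out;
}

// Render the props into the IAM statement JSON shape (Sid, Effect, Action, NotAction, ...).
function toStatementJson(p: StatementProps): { [key: string]: unknown } {
  const pairs: [keyof StatementProps, keyof StatementProps][] =
    [['actions', 'notActions'], ['resources', 'notResources'], ['principals', 'notPrincipals']];
  for (const [a, b] of pairs) if (p[a] && p[b]) throw new Error(`${a} and ${b} are mutually exclusive`);
  const s: { [key: string]: unknown } = { Effect: p.effect || 'Allow' };
  if (p.sid) s.Sid = p.sid;
  if (p.actions) s.Action = p.actions;
  if (p.notActions) s.NotAction = p.notActions;
  if (p.resources) s.Resource = p.resources;
  if (p.notResources) s.NotResource = p.notResources;
  if (p.principals) s.Principal = mergePrincipals(p.principals);
  if (p.notPrincipals) s.NotPrincipal = mergePrincipals(p.notPrincipals);
  if (p.conditions) s.Condition = p.conditions;
  return s;
}

// Least-privilege review of one statement. Only Allow statements widen access, so Deny is skipped.
function auditStatement(p: StatementProps): string[] {
  const findings: string[] = [];
  if ((p.effect || 'Allow') !== 'Allow') return findings;
  const wild = (xs?: string[]) => (xs || []).some(x => x === '*' || /:\*$/.test(x));
  if (p.notActions) findings.push('Allow with NotAction permits every action not listed');
  if (p.notResources) findings.push('Allow with NotResource permits every resource not listed');
  if (wild(p.actions)) findings.push('wildcard Action');
  if ((p.resources || []).some(r => r === '*')) findings.push('wildcard Resource');
  const anyone = (p.principals || []).some(pr => (pr.AWS || []).some(id => id === '*'));
  if (anyone && !p.conditions) findings.push('AnyPrincipal without a Condition');
  return findings;
}
```

Run against the DynamoDB endpoint statement from the example above, `auditStatement` reports the wildcard resource and the unconditioned `AnyPrincipal`, which is exactly the review a gateway endpoint policy deserves before it ships.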