
amazon-web-services - Is there a way to restrict which actions an IAM role can add to an IAM policy?

Reposted. Author: 行者123. Updated: 2023-12-03 07:12:39

We want our developers to be able to create code pipelines that deploy their services. That means they need to be able to create IAM roles for the code pipeline steps.

This means we have to give developers IAM capabilities. Is there a way to restrict this so that the IAM roles they can create are limited to certain services, say ECS, EC2 and RDS related actions? Or alternatively to blacklist certain services specifically, for example IAM related actions?

Accepted answer

Yes. To do this we give developers a role (assumed by CodeBuild) that is able to create other roles, subject to permission boundaries. We encourage them to split the CodePipeline into multiple stages and assign a different role to each stage. They use this CodeBuild role to bootstrap their pipeline. Those roles are restricted in which services they can be passed to and which actions they can perform.

Pseudo-CloudFormation showing how to do this is below:

  # Role assumed by CodeBuild; it may create other roles only with an approved boundary
  DeveloperPipelineCreateRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "Developer-pipeline-create-role"
      ManagedPolicyArns:
        - !Ref DeveloperPipelineCreatePolicy
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action:
              - sts:AssumeRole

  # The Condition restricts CreateRole etc. to roles carrying one of the listed boundaries
  DeveloperPipelineCreatePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: "Developer-pipeline-create-policy"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowCreateRoles
            Effect: Allow
            Action:
              - iam:CreateRole
              - iam:DetachRolePolicy
              - iam:AttachRolePolicy
              - iam:PutRolePermissionsBoundary
            Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'
            Condition:
              StringEquals:
                iam:PermissionsBoundary:
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/pipeline-iam-boundary'
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/source-iam-boundary'
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/build-iam-boundary'
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/deploy-iam-boundary'
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/execution-iam-boundary'

  # Boundary for the pipeline stage role: caps PassRole to the listed services
  CodePipelineBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub "pipeline-iam-boundary"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - iam:PassRole
            Resource: "*"
            Effect: Allow
            Condition:
              StringEqualsIfExists:
                iam:PassedToService:
                  - cloudformation.amazonaws.com
                  - elasticbeanstalk.amazonaws.com
                  - ec2.amazonaws.com
                  - ecs-tasks.amazonaws.com
          - Sid: AddStuffYourPipelineRoleMightDo
            Effect: Allow
            Action: (something)
            Resource: (something)

  SourceBoundary: (similar to above)
  BuildBoundary: (similar to above)
  ...
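To make the two Condition blocks in the answer concrete, here is an added example (not part of the original answer and not AWS's policy engine) that models a small subset of IAM evaluation: Allow statements only, `*`/`?` wildcards in Action and Resource, and the `StringEquals` and `StringEqualsIfExists` operators. The account id, role ARN and the developer's over-broad `iam:*` role policy are constructed; the two policies are trimmed copies of the answer's `DeveloperPipelineCreatePolicy` and `pipeline-iam-boundary`. It shows why CreateRole is denied unless an approved boundary is attached, and how the boundary then caps what the created role can do regardless of its own policy. The model ignores explicit Deny, SCPs, session and resource policies, so it illustrates the mechanism, not a full authorization decision.

```python
"""Simplified model of the permission-boundary pattern from the answer above.

Added example, not AWS's policy engine: it evaluates only Allow statements,
'*' / '?' wildcards in Action and Resource, and the StringEquals and
StringEqualsIfExists condition operators.
"""
import fnmatch

ACCOUNT = "123456789012"  # constructed sample account id
BOUNDARY = f"arn:aws:iam::{ACCOUNT}:policy/pipeline-iam-boundary"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/svc-deploy-role"  # constructed

# Mirrors the DeveloperPipelineCreatePolicy statement from the answer (assumed, trimmed).
CREATE_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["iam:CreateRole", "iam:AttachRolePolicy",
               "iam:DetachRolePolicy", "iam:PutRolePermissionsBoundary"],
    "Resource": f"arn:aws:iam::{ACCOUNT}:role/*",
    "Condition": {"StringEquals": {"iam:PermissionsBoundary": [
        BOUNDARY, f"arn:aws:iam::{ACCOUNT}:policy/build-iam-boundary"]}},
}]}

# Mirrors the pipeline-iam-boundary PassRole statement from the answer (assumed).
PIPELINE_BOUNDARY = {"Statement": [{
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "*",
    "Condition": {"StringEqualsIfExists": {"iam:PassedToService": [
        "cloudformation.amazonaws.com", "ecs-tasks.amazonaws.com"]}},
}]}

# An over-broad identity policy a developer might attach to the role they created (constructed).
DEV_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style wildcards '*' and '?'; this model compares names case-sensitively.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """All condition keys must hold (AND across keys, OR across listed values)."""
    for operator, keys in (condition or {}).items():
        for key, allowed in keys.items():
            if key not in context:
                if operator == "StringEqualsIfExists":
                    continue  # ...IfExists: a missing key satisfies the test
                return False  # plain StringEquals never matches a missing key
            if context[key] not in _as_list(allowed):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches action, resource and request context."""
    context = context or {}
    return any(
        s.get("Effect") == "Allow"
        and _matches(s["Action"], action)
        and _matches(s["Resource"], resource)
        and _condition_ok(s.get("Condition"), context)
        for s in policy["Statement"])


def effective_allow(identity_policy, boundary, action, resource, context=None):
    """A boundary caps a role: the identity policy AND the boundary must both allow."""
    return (is_allowed(boundary, action, resource, context)
            and is_allowed(identity_policy, action, resource, context))


def demo():
    """Evaluate the requests the answer's design is meant to permit or block."""
    unlisted = f"arn:aws:iam::{ACCOUNT}:policy/some-other-boundary"
    return {
        # developer role creating roles: the boundary must be one of the approved ones
        "create_with_approved_boundary": is_allowed(
            CREATE_POLICY, "iam:CreateRole", ROLE_ARN, {"iam:PermissionsBoundary": BOUNDARY}),
        "create_without_boundary": is_allowed(CREATE_POLICY, "iam:CreateRole", ROLE_ARN),
        "create_with_unlisted_boundary": is_allowed(
            CREATE_POLICY, "iam:CreateRole", ROLE_ARN, {"iam:PermissionsBoundary": unlisted}),
        "create_user": is_allowed(
            CREATE_POLICY, "iam:CreateUser", f"arn:aws:iam::{ACCOUNT}:user/x",
            {"iam:PermissionsBoundary": BOUNDARY}),
        # the created role, even with iam:* in its own policy, is capped by the boundary
        "pass_to_ecs": effective_allow(DEV_ROLE_POLICY, PIPELINE_BOUNDARY, "iam:PassRole",
                                       ROLE_ARN, {"iam:PassedToService": "ecs-tasks.amazonaws.com"}),
        "pass_to_lambda": effective_allow(DEV_ROLE_POLICY, PIPELINE_BOUNDARY, "iam:PassRole",
                                          ROLE_ARN, {"iam:PassedToService": "lambda.amazonaws.com"}),
        # IfExists semantics: with no iam:PassedToService key in the request, the test passes
        "pass_with_no_service_key": effective_allow(
            DEV_ROLE_POLICY, PIPELINE_BOUNDARY, "iam:PassRole", ROLE_ARN),
        "create_user_via_boundary": effective_allow(
            DEV_ROLE_POLICY, PIPELINE_BOUNDARY, "iam:CreateUser", f"arn:aws:iam::{ACCOUNT}:user/x"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32} {'ALLOW' if allowed else 'DENY'}")
```

The `pass_with_no_service_key` case is the one to keep in mind when choosing between `StringEquals` and `StringEqualsIfExists` in a boundary: the `IfExists` form is permissive whenever the condition key is absent from the request, so it should only be used where that is the intended behaviour.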

For amazon-web-services - Is there a way to restrict which actions an IAM role can add to an IAM policy?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/64491741/
