个人中心
gpt4 book ai didi

amazon-web-services - 如何只授予特定的 AWS "iam : putUserPolicy"权限?

转载 作者:行者123 更新时间:2023-12-04 00:14:37 26 4
gpt4 key购买 nike

用例:在我们的应用程序中,我们需要向 IAM 实体授予 iam : putUserPolicy 权限。那是微不足道的。我们可以将下面提到的策略分配给我们想要授予 iam : putUserPolicy 权限的 IAM 实体

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "iam : putUserPolicy"
         ],
         "Resource":"*"
      }
   ]
}

假设我们有另一个要求并将 putUserPolicy 分配给 IAM 用户 U1。这意味着现在 U1 可以将任何策略分配给任何 IAM 用户。将"Resource":"*"改为"Resource":"user-arn"可以避免第二个"ANY",但是我们如何处理第一个任何?有没有办法授予 "iam : putUserPolicy" 权限,以便仅允许放置 "iam : CreateUser" 权限?或者可能只有 "iam : CreateUser" 被阻止并且允许所有策略休息?

我浏览了 AWS 文档并找到了 conditions有点帮助,但我找不到任何 IAM 服务特定的键和值,尽管我确实找到了一些 EC2SNS .

例如,我们可以分配以下策略:

{
   "Version":"2012-10-17",
   "Statement":[{
      "Effect":"Allow",
      "Action":["s3:ListBucket"],
      "Resource":"*",
      "Condition":{"StringNotEquals":["s3:prefix":"arn:aws:s3:::BUCKET-NAME/home/"]}
      }
   ]
}

它授予对除特定存储桶中的主文件夹之外的所有其他 S3 文件夹和存储桶的权限。

我们可以做这样的事情吗?

{
   "Version":"2012-10-17",
   "Statement":[{
      "Effect":"Allow",
      "Action":["iam:PutUserPolicy"],
      "Resource":"*",
      "Condition":{"StringNotEquals":["iam:policy-contains":"iam:CreateUser"]}
      }
   ]
}

最佳答案

AWS 刚刚推出 Managed Policies for AWS Identity & Access Management ,它提供了一种跨 IAM 实体共享和维护 IAM 策略的新方法,特别是还包括委派权限管理,请参阅 Controlling Access to Managed Policies :

Managed policies give you precise control over how your users can manage policies and manage permissions for others. You can separately control who can create, update, and delete policies, and who can attach and detach policies to and from principal entities (users, groups, and roles). You can also control which policies a user can attach or detach, and to and from which entities. [emphasis mine]

A typical scenario is that you give permissions to an account administrator to create, update, and delete policies. Then, you give permissions to a team leader or other limited administrator to attach and detach these policies [...].

Controlling Permissions for Attaching and Detaching Managed Policies提供了一个示例策略,它只允许将特定的托管策略附加到特定的组或角色,这在概念上允许您实现您正在寻找的东西:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:AttachGroupPolicy",
      "iam:AttachRolePolicy"
    ],
    "Resource": [
      "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:group/TEAM-A/*",
      "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/TEAM-A/*"
    ],
    "Condition": {"ArnLike": 
      {"iam:PolicyArn": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:policy/TEAM-A/*"}
    }
  }
}

关于amazon-web-services - 如何只授予特定的 AWS "iam : putUserPolicy"权限?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/28359474/

26 4 0
文章推荐: kubernetes - GKE 1.10 kubernetes 集群上的网络连接/DNS 问题
文章推荐: amazon-web-services - CloudWatch 警报到不同区域的 SNS
文章推荐: amazon-web-services - AWS Athena : use "folder" name as partition
文章推荐: django - 如何在ckeditor中配置简单的链接和图像附加?
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com