如何根据要求创建最小且完整的 IAM roles/permissions?
How to create a minimal and complete IAM roles/permissions given requirements?
IAM 为开发人员提供控制权,以限制哪些用户可以访问特定服务、他们可以执行的操作类型以及哪些资源可用(VM、数据库实例等)。
给定一份资源列表、API 调用和使用的服务,如何为该项目创建最小(但足够自由)的 IAM 角色或用户?
受到 Exelian 在 Is there anyway to determine what IAM permissions I actually need for a CloudFormation template? 中对 Jiew Meng 的回应的启发:
Jiew Meng: "I guess, it should be possible for there to be some parser that given a CloudFormation template can determine the minimum set of permissions it"
Exelian: "I discussed this with multiple AWS engineers at a conference and their answer was: "not really". Best way is to assign nothing and see what errors it throws."
"Not really" 仍然适用。您必须手工制作您的角色和策略并对其进行测试。但是,有一些工具可以提供帮助:
- AWS Policy Generator and AWS Identity and Access Management Template Snippets 让你开始。
- Complete AWS IAM Reference检查细节。
- 然后,同行评审和测试。
IAM 为开发人员提供控制权,以限制哪些用户可以访问特定服务、他们可以执行的操作类型以及哪些资源可用(VM、数据库实例等)。
给定一份资源列表、API 调用和使用的服务,如何为该项目创建最小(但足够自由)的 IAM 角色或用户?
受到 Exelian 在 Is there anyway to determine what IAM permissions I actually need for a CloudFormation template? 中对 Jiew Meng 的回应的启发:
Jiew Meng: "I guess, it should be possible for there to be some parser that given a CloudFormation template can determine the minimum set of permissions it"
Exelian: "I discussed this with multiple AWS engineers at a conference and their answer was: "not really". Best way is to assign nothing and see what errors it throws."
"Not really" 仍然适用。您必须手工制作您的角色和策略并对其进行测试。但是,有一些工具可以提供帮助:
- AWS Policy Generator and AWS Identity and Access Management Template Snippets 让你开始。
- Complete AWS IAM Reference检查细节。
- 然后,同行评审和测试。