Least privilege AWS IAM policy for cloudformation
For small CloudFormation and CodePipeline templates we can "try - test" to obtain a least privilege IAM policy for the required role.
This usually involves:
- start with a minimal policy
- create the stack
- it fails - the stack does not have permission someService:someAction
- add the service action to the policy
- update the stack and retry
This approach is too time-consuming for larger CloudFormation templates.
How do you develop a least privilege IAM policy?
Ideas:
Allow "*", then scrape cloudtrail for events, and for the listed events build a mapping to their equivalent roles - then reduce the roles to only those listed in the cloudtrail logs.
It helps if you can isolate the actions to a user name.
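The CloudTrail idea from the question, worked through as an added example (not code from the question or answer): filter records to one deployment role by its assumed-role ARN, map each eventSource/eventName pair to an IAM action string, and emit a policy that allows only those actions. The records, the role name DeployRole and the account id are constructed; the PREFIX_OVERRIDES table covers only the eventSource/prefix mismatch shown (monitoring -> cloudwatch) and is an assumption to extend.

```python
import json

# Constructed sample CloudTrail records (not real log data): three calls made
# under the deployment role and one by an unrelated IAM user to be filtered out.
DEPLOY_ARN = "arn:aws:sts::123456789012:assumed-role/DeployRole/session"
SAMPLE_RECORDS = [
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
     "userIdentity": {"type": "AssumedRole", "arn": DEPLOY_ARN}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "arn": DEPLOY_ARN}},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm",
     "userIdentity": {"type": "AssumedRole", "arn": DEPLOY_ARN}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteUser",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]

# eventSource hosts whose IAM service prefix differs from the hostname.
# Assumed table: only the case used in the sample; real logs need more entries.
PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}


def iam_action(record):
    """Map a CloudTrail record to an IAM action string such as 's3:PutObject'."""
    host = record["eventSource"].split(".")[0]
    prefix = PREFIX_OVERRIDES.get(host, host)
    return f"{prefix}:{record['eventName']}"


def actions_for_role(records, role_name):
    """Return the sorted, distinct actions performed under the named role."""
    marker = f":assumed-role/{role_name}/"
    actions = set()
    for rec in records:
        arn = rec.get("userIdentity", {}).get("arn", "")
        if marker in arn:
            actions.add(iam_action(rec))
    return sorted(actions)


def build_policy(actions):
    """Emit a policy document that allows only the observed actions.
    Resource is left as "*" here; scoping it to the stack's resources is the
    next tightening step once the action list is known."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions),
                           "Resource": "*"}]}


if __name__ == "__main__":
    print(json.dumps(build_policy(actions_for_role(SAMPLE_RECORDS, "DeployRole")), indent=2))
```

CloudTrail event names do not always match IAM action names one-for-one, and data-plane events are not logged by default, so treat the generated list as a starting point to verify against the stack, not as the final policy.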
Access Advisor
Grant least privilege is a well-documented IAM Best Practice. The documentation recommends incrementally adding specific permissions, using the Access Advisor tab to determine which services the application actually used (possibly with a broader set of permissions during a testing phase):
It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.
Defining the right set of permissions requires some research to determine what is required for the specific task, what actions a particular service supports, and what permissions are required in order to perform those actions.
One feature that can help with this is the Access Advisor tab, which is available on the IAM console Summary page whenever you inspect a user, group, role, or policy. This tab includes information about which services are actually used by a user, group, role, or by anyone using a policy. You can use this information to identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of least privilege. For more information, see Service Last Accessed Data.
This approach is similar to scraping CloudTrail for the API events generated by a specific IAM Role/application, but the latter may be harder because you have to filter the entire event stream to find the relevant events, whereas the Access Advisor list is already filtered for you.