Least privilege AWS IAM policy for cloudformation


For small CloudFormation and CodePipeline templates, we can "try - test" our way to a least-privilege IAM policy for the required role.

This usually involves:

This approach is too time-consuming for larger CloudFormation templates.
How do you develop a least-privilege IAM policy?

Idea:

Grant least privilege is a well-documented IAM Best Practice. The documentation recommends incrementally adding specific permissions, using the Access Advisor tab to determine which services the application actually uses (possibly with a broader set of permissions during a testing phase):

It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.

Defining the right set of permissions requires some research to determine what is required for the specific task, what actions a particular service supports, and what permissions are required in order to perform those actions.

One feature that can help with this is the Access Advisor tab, which is available on the IAM console Summary page whenever you inspect a user, group, role, or policy. This tab includes information about which services are actually used by a user, group, role, or by anyone using a policy. You can use this information to identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of least privilege. For more information, see Service Last Accessed Data.

This approach is similar to scraping CloudTrail for the API events generated by a specific IAM Role/application, but with the latter it can be harder to filter the whole event stream down to the relevant events, whereas the Access Advisor list is already filtered for you.
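The CloudTrail route mentioned above, as an added example that is not part of the original question or answer: the script below takes CloudTrail records, keeps only the calls made under one assumed role, maps each event to its IAM action (`eventSource` label plus `eventName`), separates calls that succeeded from calls that were denied, and emits a starting-point policy document. The role ARN, the sample records and the small `eventSource`-to-service-prefix override table are constructed for this example; the override table is deliberately partial (CloudTrail hostnames do not always match IAM service prefixes), and `Resource: "*"` is a placeholder that still has to be scoped down by hand.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records (not real data). Only the fields the
# script reads are included. Two roles appear so that filtering is exercised,
# and one record carries an AccessDenied error, which tells us about a call the
# role attempted but was not allowed to make.
PIPELINE_ROLE_ARN = "arn:aws:iam::123456789012:role/ExamplePipelineRole"  # placeholder
OTHER_ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleOtherRole"        # placeholder

def _assumed_role_event(role_arn, source, name, error_code=None):
    event = {
        "eventSource": source,
        "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            "sessionContext": {"sessionIssuer": {"arn": role_arn}},
        },
    }
    if error_code:
        event["errorCode"] = error_code
    return event

SAMPLE_EVENTS = [
    _assumed_role_event(PIPELINE_ROLE_ARN, "cloudformation.amazonaws.com", "CreateStack"),
    _assumed_role_event(PIPELINE_ROLE_ARN, "cloudformation.amazonaws.com", "DescribeStacks"),
    _assumed_role_event(PIPELINE_ROLE_ARN, "monitoring.amazonaws.com", "PutMetricData"),
    _assumed_role_event(PIPELINE_ROLE_ARN, "s3.amazonaws.com", "GetObject", "AccessDenied"),
    _assumed_role_event(OTHER_ROLE_ARN, "cloudformation.amazonaws.com", "DescribeStacks"),
    # An IAM user call, with no sessionContext at all; must be ignored.
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]

# eventSource labels whose IAM service prefix is spelled differently.
# Partial on purpose: extend it as you meet further mismatches in your own trail.
SERVICE_PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}

DENIED_ERROR_CODES = {"AccessDenied", "UnauthorizedOperation"}


def role_of(event):
    """Return the ARN of the role a record was issued under, or None for non-role calls."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


def iam_action(event):
    """Map a CloudTrail record to the IAM action string it corresponds to."""
    label = event["eventSource"].split(".")[0]
    service = SERVICE_PREFIX_OVERRIDES.get(label, label)
    return f"{service}:{event['eventName']}"


def actions_used_by_role(events, role_arn):
    """Split the role's calls into (allowed actions, denied actions)."""
    used, denied = set(), set()
    for event in events:
        if role_of(event) != role_arn:
            continue
        action = iam_action(event)
        if event.get("errorCode") in DENIED_ERROR_CODES:
            denied.add(action)
        else:
            used.add(action)
    return used, denied


def build_policy(actions):
    """Build an IAM policy document with one Allow statement per service."""
    by_service = defaultdict(list)
    for action in actions:
        by_service[action.split(":")[0]].append(action)
    statements = [
        {
            "Sid": f"{service.capitalize()}Access",
            "Effect": "Allow",
            "Action": sorted(by_service[service]),
            "Resource": "*",  # placeholder: narrow to the stack/bucket ARNs actually touched
        }
        for service in sorted(by_service)
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    used, denied = actions_used_by_role(SAMPLE_EVENTS, PIPELINE_ROLE_ARN)
    print(json.dumps(build_policy(used), indent=2))
    print("Denied during the trace, review before granting:", sorted(denied))
```

The denied set is kept separate rather than folded into the policy: a denied call is evidence of what the role attempted, not of what it should be granted, so a reviewer decides per action. The generated document is a first draft; the `Resource: "*"` placeholder and the coarse service-prefix mapping both need a manual pass before the policy is attached.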