使用 IAM 限制对特定 Cloudfront 分配的访问
Restrict access to a particular Cloudfront distribution using IAM
我正在尝试授予特定 IAM 用户对特定 Cloudfront 分配的访问权限。
我试过这个政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1428659042000",
"Effect": "Allow",
"Action":["cloudfront:*"],
"Resource": [ "arn:aws:cloudfront:E3J2B3GMZI73G0" ]
}
]
}
AWS-IAM 政策检查器说 arn 无效。根据 Cloudfront 上 IAM 限制的文档,AWS 没有指出任何示例来限制对特定发行版的访问。他们总是指:
"Resource":"*"
关于如何让特定用户访问具体 Cloudfront Distribution 的想法?
资源级AWS Identity and Access Management (IAM) permissions are unfortunately not yet supported by all AWS services, and Amazon CloudFront indeed doesn't as per the overview table in AWS Services That Support IAM, which is also explicitly confirmed within CloudFront Resources:
You use an asterisk (*) as the resource when writing a policy to control access to CloudFront actions. This is because you can't use IAM to control access to specific CloudFront resources. For example, you can't give users access to a specific distribution. Permissions granted using IAM include all the resources you use with CloudFront. Because you cannot specify the resources to control access to, there are no CloudFront resource ARNs (Amazon Resource Names) for you to use in an IAM policy. [...] [emphasis mine]
我正在尝试授予特定 IAM 用户对特定 Cloudfront 分配的访问权限。 我试过这个政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1428659042000",
"Effect": "Allow",
"Action":["cloudfront:*"],
"Resource": [ "arn:aws:cloudfront:E3J2B3GMZI73G0" ]
}
]
}
AWS-IAM 政策检查器说 arn 无效。根据 Cloudfront 上 IAM 限制的文档,AWS 没有指出任何示例来限制对特定发行版的访问。他们总是指:
"Resource":"*"
关于如何让特定用户访问具体 Cloudfront Distribution 的想法?
资源级AWS Identity and Access Management (IAM) permissions are unfortunately not yet supported by all AWS services, and Amazon CloudFront indeed doesn't as per the overview table in AWS Services That Support IAM, which is also explicitly confirmed within CloudFront Resources:
You use an asterisk (*) as the resource when writing a policy to control access to CloudFront actions. This is because you can't use IAM to control access to specific CloudFront resources. For example, you can't give users access to a specific distribution. Permissions granted using IAM include all the resources you use with CloudFront. Because you cannot specify the resources to control access to, there are no CloudFront resource ARNs (Amazon Resource Names) for you to use in an IAM policy. [...] [emphasis mine]