AWS IAM PowerUser Scoped to Specific Region

I am trying to create an AWS IAM policy that grants power user access to everything (arn:aws:iam::aws:policy/PowerUserAccess), but only in a specific region.

I started from the existing Power User policy and found this article: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_region.html

So I added the "Condition" to the power user policy, which resulted in:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "NotAction": [
                "iam:*",
                "organizations:*",
                "account:*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "us-east-2"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole",
                "iam:ListRoles",
                "organizations:DescribeOrganization",
                "account:ListRegions"
            ],
            "Resource": "*"
        }
    ]
}

This doesn't seem to work, as I can only create EC2 instances in the specified region... but other services are not available.

ec2:Region, when used as a Condition key, is EC2-specific.

You need to try aws:RequestedRegion as the condition key instead.

But be careful:

Some global services, such as IAM, have a single endpoint. Because this endpoint is physically located in the US East (N. Virginia) Region, IAM calls are always made to the us-east-1 Region

Try:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "NotAction": [
                "iam:*",
                "organizations:*",
                "account:*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "us-east-2"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole",
                "iam:ListRoles",
                "organizations:DescribeOrganization",
                "account:ListRegions"
            ],
            "Resource": "*"
        }
    ]
}
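To see why the first policy only works for EC2 while the answer's version scopes every regional service, here is an added Python simulation (not from the question, the answer, or AWS) of how IAM evaluates these two policies against a few constructed requests. It models only Allow statements and the StringEquals operator; the request-context values (which keys each service populates, and us-east-1 for the global IAM endpoint) are assumptions stated in the comments.

```python
from fnmatch import fnmatchcase

def scoped_policy(condition_key):
    """The question's policy, parameterised on the region condition key."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "NotAction": ["iam:*", "organizations:*", "account:*"],
         "Condition": {"StringEquals": {condition_key: "us-east-2"}}},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
                    "iam:ListRoles", "organizations:DescribeOrganization",
                    "account:ListRegions"]}]}

# Constructed request contexts (sample values, not captured from AWS). ec2:Region is
# only populated on EC2 calls; aws:RequestedRegion is set on every call and is
# us-east-1 for the global IAM endpoint.
REQUESTS = {
    "ec2_us_east_2": ("ec2:RunInstances",
                      {"ec2:Region": "us-east-2", "aws:RequestedRegion": "us-east-2"}),
    "s3_us_east_2": ("s3:CreateBucket", {"aws:RequestedRegion": "us-east-2"}),
    "s3_eu_west_1": ("s3:CreateBucket", {"aws:RequestedRegion": "eu-west-1"}),
    "iam_list_roles": ("iam:ListRoles", {"aws:RequestedRegion": "us-east-1"}),
    "iam_create_user": ("iam:CreateUser", {"aws:RequestedRegion": "us-east-1"}),
}

def action_matches(action, patterns):
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def statement_applies(stmt, action):
    if "Action" in stmt:
        return action_matches(action, stmt["Action"])
    return not action_matches(action, stmt["NotAction"])  # everything except these

def condition_holds(stmt, context):
    # Only StringEquals is modelled. A key absent from the request context makes the
    # condition false, so a non-EC2 call can never satisfy an ec2:Region condition.
    checks = stmt.get("Condition", {}).get("StringEquals", {})
    return all(context.get(key) == want for key, want in checks.items())

def is_allowed(policy, action, context):
    # Default deny; explicit Deny statements are not modelled (the page has none).
    return any(stmt["Effect"] == "Allow" and statement_applies(stmt, action)
               and condition_holds(stmt, context) for stmt in policy["Statement"])

def evaluate(condition_key):
    """Map each sample request to allowed (True) / denied (False) under that key."""
    policy = scoped_policy(condition_key)
    return {name: is_allowed(policy, act, ctx) for name, (act, ctx) in REQUESTS.items()}
```

Running evaluate("ec2:Region") denies the S3 call even in us-east-2, while evaluate("aws:RequestedRegion") allows it there and still denies it in eu-west-1; the second statement keeps the listed IAM actions available without any region condition.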