AWS SQS 策略不限制根用户
AWS SQS Policy not restricting root user
我以 root 用户身份创建了一些 SQS 队列。 - 现在,当我想通过策略限制访问时,它似乎不起作用。 - 即使有这样的测试政策
{
"Version": "2008-10-17",
"Id": "PolicyDenyTest",
"Statement": [
{
"Sid": "DenyIt",
"Effect": "Deny",
"Principal": "*",
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:SendMessage"
],
"Resource": "arn:aws:sqs:us-west-2:xxxxxxxxxx:TST"
}
]
}
我仍然可以 send/retrieve/delete 来自本地机器队列的消息。 - 策略是否仅在使用 IAM 用户创建队列时才有效?
The credentials of the account owner allow full access to all resources in the account. You cannot use IAM policies to explicitly deny the root user access to resources. You can only use an AWS Organizations service control policy (SCP) to limit the permissions of the root user. Because of this, we recommend that you create an IAM user with administrator permissions to use for everyday AWS tasks and lock away the access keys for the root user.
https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html
根密钥是 all-powerful 密钥,即使您错误地拒绝了对所有资源的所有访问,也可用于恢复所有内容。这是一个很好的 thought-out 决定,在链接文档
中有解释
我以 root 用户身份创建了一些 SQS 队列。 - 现在,当我想通过策略限制访问时,它似乎不起作用。 - 即使有这样的测试政策
{
"Version": "2008-10-17",
"Id": "PolicyDenyTest",
"Statement": [
{
"Sid": "DenyIt",
"Effect": "Deny",
"Principal": "*",
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:SendMessage"
],
"Resource": "arn:aws:sqs:us-west-2:xxxxxxxxxx:TST"
}
]
}
我仍然可以 send/retrieve/delete 来自本地机器队列的消息。 - 策略是否仅在使用 IAM 用户创建队列时才有效?
The credentials of the account owner allow full access to all resources in the account. You cannot use IAM policies to explicitly deny the root user access to resources. You can only use an AWS Organizations service control policy (SCP) to limit the permissions of the root user. Because of this, we recommend that you create an IAM user with administrator permissions to use for everyday AWS tasks and lock away the access keys for the root user.
https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html
根密钥是 all-powerful 密钥,即使您错误地拒绝了对所有资源的所有访问,也可用于恢复所有内容。这是一个很好的 thought-out 决定,在链接文档
中有解释