CloudFormation 更新政策如何运作?
How does CloudFormation Update policy works?
我正在尝试使用 IAM 设置我的 CI/CD,只有特定的 IAM 用户才能 Update 我们的 Prod CloudFormation 堆栈。
但我们对 CloudFormation 上的 Update 政策如何运作感到困惑。
如果我的 IAM 用户只有一个策略:Update 在 Prod CloudFormation 堆栈上,他是否能够 edit/change 此堆栈中的任何资源,即使他没有没有那些特定权限?
例如,我在此堆栈上有一个 S3 存储桶,我在更新时更改了它的名称,即使该用户只有 Update 策略,他也能执行此操作吗?
If I have an IAM user who only has one policy : Update on Prod CloudFormation stack, will he be able to edit/change any resources in this stack even though he doesn't have those specific permissions?
没有
Ref:
In addition to AWS CloudFormation actions, you can manage what AWS services and resources are available to each user. That way, you can control which resources users can access when they use AWS CloudFormation. For example, you can specify which users can create Amazon EC2 instances, terminate database instances, or update VPCs. Those same permissions are applied anytime they use AWS CloudFormation to do those actions.
我正在尝试使用 IAM 设置我的 CI/CD,只有特定的 IAM 用户才能 Update 我们的 Prod CloudFormation 堆栈。
但我们对 CloudFormation 上的 Update 政策如何运作感到困惑。
如果我的 IAM 用户只有一个策略:Update 在 Prod CloudFormation 堆栈上,他是否能够 edit/change 此堆栈中的任何资源,即使他没有没有那些特定权限?
例如,我在此堆栈上有一个 S3 存储桶,我在更新时更改了它的名称,即使该用户只有 Update 策略,他也能执行此操作吗?
If I have an IAM user who only has one policy :
UpdateonProdCloudFormation stack, will he be able to edit/change any resources in this stack even though he doesn't have those specific permissions?
没有
Ref:
In addition to AWS CloudFormation actions, you can manage what AWS services and resources are available to each user. That way, you can control which resources users can access when they use AWS CloudFormation. For example, you can specify which users can create Amazon EC2 instances, terminate database instances, or update VPCs. Those same permissions are applied anytime they use AWS CloudFormation to do those actions.