How to apply a Deny policy on the "tag:UntagResources" action in AWS

I have this policy that is supposed to prevent users from removing tags from any resource in AWS. But tags are still being removed from resources.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:Delete*",
                "s3:Delete*",
                "s3:ReplicateTags",
                "iam:Untag*",
                "tag:UntagResources"
            ],
            "Effect": "Deny",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:Create*",
                "s3:Describe*",
                "s3:Get*",
                "s3:List*",
                "s3:Put*",
                "s3:Update*",
                "s3:Replicate*",
                "s3:RestoreObject",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2:Create*",
                "ec2:Describe*",
                "ec2:Get*",
                "ec2:Modify*",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:Tag*",
                "tag:TagResources",
                "tag:GetResources"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:Untag*",
                "tag:UntagResources"
            ],
            "Effect": "Deny",
            "Resource": "*"
        }
    ]
}

Since I am new to AWS, I don't know what is wrong. The other permissions work fine; only the untagging part does not. How do I deny untagging resources? Thanks in advance.

How do I make tag:UntagResources work?

One approach is to use the IAM visual policy editor. Enter the service you are interested in, for example S3, then search for 'tag' in the action search box to find all the related actions you want to deny. Use the 'switch to deny permissions' link to make it a deny statement. Then, for resources, select all resources. Finally, switch to the JSON tab to see the generated statement.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "s3:DeleteObjectTagging",
                "s3:DeleteJobTagging",
                "s3:DeleteStorageLensConfigurationTagging",
                "s3:DeleteObjectVersionTagging"
            ],
            "Resource": "*"
        }
    ]
}

You can then repeat the process for each service whose untagging you want to block, producing one deny statement per service.
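The following is an added example, not code from the question or the answer above, illustrating why the question's policy and the answer's per-service statements behave differently. It is a deliberately simplified, offline model of IAM evaluation (explicit Deny wins, otherwise Allow only if some statement matches, otherwise implicit Deny) that models only Action wildcards and Resource "*"; resource ARNs, NotAction and Condition keys are not modeled. The policy documents it evaluates are constructed for this example; the action names (ec2:DeleteTags, s3:DeleteObjectTagging, lambda:UntagResource) are real IAM actions. The point it demonstrates: "tag:UntagResources" only covers the Resource Groups Tagging API, so each service's own untag action must be denied separately, which is exactly what the per-service statements from the visual editor do.

```python
import copy
import fnmatch


def _as_list(value):
    # IAM allows "Action" to be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action):
    """Return 'Allow' or 'Deny' for one action against one policy document.

    Simplified model (added example, not AWS code): an explicit Deny on a
    matching statement wins immediately; otherwise the action is allowed
    only if some Allow statement matches; otherwise it is implicitly denied.
    """
    allowed = False
    for statement in policy["Statement"]:
        for pattern in _as_list(statement["Action"]):
            if _action_matches(pattern, action):
                if statement["Effect"] == "Deny":
                    return "Deny"  # explicit deny short-circuits everything
                allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allowed it


def untag_coverage(policy, actions):
    """Map each candidate untag action to the decision the policy produces."""
    return {action: evaluate(policy, action) for action in actions}


# Constructed policy: broad per-service allows plus a deny that targets
# only the Resource Groups Tagging API, mirroring the question's assumption.
ONLY_TAG_API_DENIED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "lambda:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["tag:UntagResources"], "Resource": "*"},
    ],
}

# Same policy plus the per-service deny statement the answer recommends
# building with the visual editor, one action per service's untag API.
PER_SERVICE_DENIES = copy.deepcopy(ONLY_TAG_API_DENIED)
PER_SERVICE_DENIES["Statement"].append(
    {
        "Sid": "DenyServiceUntag",
        "Effect": "Deny",
        "Action": [
            "s3:DeleteObjectTagging",
            "s3:DeleteObjectVersionTagging",
            "ec2:DeleteTags",
            "lambda:UntagResource",
        ],
        "Resource": "*",
    }
)

# Service-specific untag actions to probe; none of them is named tag:UntagResources.
UNTAG_ACTIONS = [
    "tag:UntagResources",
    "s3:DeleteObjectTagging",
    "ec2:DeleteTags",
    "lambda:UntagResource",
]

if __name__ == "__main__":
    for name, policy in (("only tag API denied", ONLY_TAG_API_DENIED),
                         ("per-service denies", PER_SERVICE_DENIES)):
        print(name)
        for action, decision in untag_coverage(policy, UNTAG_ACTIONS).items():
            print(f"  {action:32s} {decision}")
```

Against the first policy only tag:UntagResources is denied; s3:DeleteObjectTagging, ec2:DeleteTags and lambda:UntagResource are still allowed by the service wildcards, which is the gap the question ran into. With the per-service deny statement added, all four come back Deny. The evaluator is a teaching model, not the real engine; to check a candidate policy against AWS's own evaluation, run it through `aws iam simulate-custom-policy` with the untag actions you care about as `--action-names`.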