Attribute-Based Access Control issue for AWS Lambda with IAM policy
I am trying to follow this article for Secrets Manager and apply attribute-based access control (ABAC) to AWS Lambda using this user/role/policy chain:
- Create an IAM user
- Assign a role to this IAM user
- Attach an ABAC policy for Lambda to the role.
Currently the ABAC policy that the different users in my project use for Lambda is as follows:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaPolicyForProject",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:ListStackResources",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "kms:ListAliases",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "logs:DescribeLogGroups",
        "lambda:Get*",
        "lambda:List*",
        "states:DescribeStateMachine",
        "states:ListStateMachines",
        "tag:GetResources",
        "xray:GetTraceSummaries",
        "xray:BatchGetTraces"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/accessproject": "${aws:PrincipalTag/accessproject}",
          "aws:ResourceTag/accessteam": "${aws:PrincipalTag/accessteam}",
          "aws:ResourceTag/costcenter": "${aws:PrincipalTag/costcenter}"
        }
      }
    }
  ]
}
```
This does not work for the user even when the costcenter, accessteam and accessproject tags of the IAM user and the Lambda are similar.
However, it works when I remove the condition from the policy above (which shows that the IAM user is able to reach the Lambda through the policy).
Could I know what I am missing from the tutorial above? I did cross-check all the tags on the Lambda, the policy and the IAM user, and they are the same as in the documentation.
The problem seems to be in the Actions you defined. According to the tutorial you followed:

> [...] see Actions, Resources, and Condition Keys for AWS Secrets Manager. That page shows that actions performed on the Secret resource type support the secretsmanager:ResourceTag/tag-key condition key. Some Secrets Manager actions don't support that resource type, including GetRandomPassword and ListSecrets.

Check the actions, resources, and condition keys for AWS services and make sure that the actions of every service support the aws:ResourceTag/${TagKey} condition. I did not go through all of the permissions, but the CloudWatch actions GetMetricData and ListMetrics already do not support the aws:ResourceTag/${TagKey} condition. The same applies to ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:DescribeVpcs, and probably a few more.
You have to create an additional statement to allow those actions, i.e.:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaPolicyForProject",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:ListStackResources",
        "kms:ListAliases",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "logs:DescribeLogGroups",
        "lambda:Get*",
        "lambda:List*",
        "states:DescribeStateMachine",
        "states:ListStateMachines",
        "tag:GetResources",
        "xray:GetTraceSummaries",
        "xray:BatchGetTraces"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/accessproject": "${aws:PrincipalTag/accessproject}",
          "aws:ResourceTag/accessteam": "${aws:PrincipalTag/accessteam}",
          "aws:ResourceTag/costcenter": "${aws:PrincipalTag/costcenter}"
        }
      }
    },
    {
      "Sid": "LambdaPolicyForProjectNoTags",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    }
  ]
}
```
Once you have a working policy, familiarise yourself with the IAM best practices, since wildcard resource access should be avoided wherever possible (principle of least privilege).
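To make the answer's point concrete, here is an added, simplified offline model of how an Allow statement with an aws:ResourceTag/${TagKey} condition evaluates (example code written for this page, not AWS's evaluation engine and not code from the question or answer). It assumes, as the answer states, that the CloudWatch and EC2 Describe actions listed on the page expose no aws:ResourceTag keys in the request context, so a StringEquals on a missing key fails and the statement silently does not match.

```python
# Simplified model of IAM ABAC evaluation (constructed example, not AWS's engine).
import fnmatch

TAG_KEYS = ("accessproject", "accessteam", "costcenter")

# Actions from the page whose resource type carries no aws:ResourceTag keys.
# Constructed subset; the real list is in each service's
# "Actions, resources, and condition keys" table.
NO_RESOURCE_TAG_ACTIONS = {
    "cloudwatch:GetMetricData", "cloudwatch:ListMetrics",
    "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
}

def request_context(action, principal_tags, resource_tags):
    """Condition keys IAM would see for one request: principal tags always,
    resource tags only when the action's resource type supports them."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    if action not in NO_RESOURCE_TAG_ACTIONS:
        ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return ctx

def substitute(value, ctx):
    """Resolve a ${aws:PrincipalTag/x} policy variable from the context."""
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value

def statement_allows(stmt, action, ctx):
    if not any(fnmatch.fnmatch(action, a) for a in stmt["Action"]):
        return False
    # StringEquals on a key absent from the context is false, so the whole
    # Allow statement does not match and the request is implicitly denied.
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key not in ctx or ctx[key] != substitute(want, ctx):
            return False
    return True

def is_allowed(policy, action, principal_tags, resource_tags):
    ctx = request_context(action, principal_tags, resource_tags)
    return any(statement_allows(s, action, ctx) for s in policy["Statement"])

# The asker's single tagged statement versus the answer's split policy.
ABAC = {"StringEquals": {f"aws:ResourceTag/{k}": f"${{aws:PrincipalTag/{k}}}" for k in TAG_KEYS}}
TAGGED = ["lambda:Get*", "lambda:List*", "logs:DescribeLogGroups"]
UNTAGGED = sorted(NO_RESOURCE_TAG_ACTIONS)
ONE_STATEMENT = {"Statement": [{"Effect": "Allow", "Action": TAGGED + UNTAGGED, "Resource": "*", "Condition": ABAC}]}
SPLIT = {"Statement": [{"Effect": "Allow", "Action": TAGGED, "Resource": "*", "Condition": ABAC},
                       {"Effect": "Allow", "Action": UNTAGGED, "Resource": "*"}]}
```

With matching tags, `is_allowed(ONE_STATEMENT, "cloudwatch:ListMetrics", tags, tags)` is False while the same call against SPLIT is True, and a mismatched costcenter still denies `lambda:GetFunction` under SPLIT.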