AWS SCP 条件不允许创建 iam 用户
AWS SCP Condition disallow iam user creation
我正在尝试创建一个 SCP 策略来禁止在 Admin 以外的成员帐户中创建 iam 用户(假设为 SSO 的角色),但是它甚至不允许管理员创建用户,下面是我正在使用的策略,
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Deny",
"Action": [
"iam:CreateUser",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:DeleteUser"
],
"Resource": [
"*"
],
"Condition": {
"StringNotLike": {
"aws:PrincipalArn": [
"arn:aws:sts::*:assumed-role/AWSReservedSSO_AWSAdministratorAccess*/*"
]
}
}
}
]
}
不知道哪里有问题,请帮忙
PrincipalArn 应该是:
arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess*
要获得 SSO 代入角色的有效 ARN,您需要将 arn:aws:sts::*:assumed-role 更改为 arn:aws:iam::*:role。
此外,这代表SSO组,所以您不需要在组名后添加/*。因此,以下 ARN 不正确,将不起作用:
arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess*
参考:
Implement service control policy (SCP) for accounts in AWS Organizations
我正在尝试创建一个 SCP 策略来禁止在 Admin 以外的成员帐户中创建 iam 用户(假设为 SSO 的角色),但是它甚至不允许管理员创建用户,下面是我正在使用的策略,
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Deny",
"Action": [
"iam:CreateUser",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:DeleteUser"
],
"Resource": [
"*"
],
"Condition": {
"StringNotLike": {
"aws:PrincipalArn": [
"arn:aws:sts::*:assumed-role/AWSReservedSSO_AWSAdministratorAccess*/*"
]
}
}
}
]
}
不知道哪里有问题,请帮忙
PrincipalArn 应该是:
arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess*
要获得 SSO 代入角色的有效 ARN,您需要将 arn:aws:sts::*:assumed-role 更改为 arn:aws:iam::*:role。
此外,这代表SSO组,所以您不需要在组名后添加/*。因此,以下 ARN 不正确,将不起作用:
arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess*
参考:
Implement service control policy (SCP) for accounts in AWS Organizations