What is the difference between groups and paths in IAM?

So users can be grouped both by groups and by paths. If we have groups, why do we need paths? What is the extra advantage of having paths?

My guess is that user paths are better suited to large organizations or advanced users who typically rely on CloudFormation and/or the AWS CLI to manage their AWS resources. Clarity of paths ->

How I see groups vs. paths

  • There may be permissions (more than one) that apply to the dev group and to specific users
  • We don't want the specific users to use the dev group policy, but the dev group also needs some permissions that apply to dev users.
  • I would create a dev path
  • Users in the path can be granted access to that specific service by creating a policy for them.
  • Adding the specific users to the dev path this way allows permissions to be granted without adding them to the dev group.
  • If the dev permissions need to be removed later, just delete the path.

Sample policy using a path

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:GetContextKeysForPrincipalPolicy",
                "iam:SimulatePrincipalPolicy"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:user/Department/Development/*"
        }
    ]
}

Groups:

An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. For example, you could have a user group called Admins and give that user group the types of permissions that administrators typically need. Any user in that user group automatically has the permissions that are assigned to the user group. If a new user joins your organization and needs administrator privileges, you can assign the appropriate permissions by adding the user to that admin group.

Paths:

You can use a single path, or nest multiple paths as a folder structure. For example, you could use the nested path /division_abc/subdivision_xyz/product_1234/engineering/ to match your company organizational structure. You could then create a policy to allow all users in that path to access the policy simulator API.

Key difference

If you have a user and user group in the same path, IAM doesn't automatically put the user in that user group. For example, you might create a Developers user group and specify the path as /division_abc/subdivision_xyz/product_1234/engineering/. If you create a user named Bob and add the same path to him, this doesn't automatically put Bob in the Developers user group. IAM doesn't enforce any boundaries between users or user groups based on their paths.
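To make the key difference concrete, here is an added example (not part of the original answer or of any AWS code) that models the two mechanisms side by side: the sample policy's Resource pattern selects users whose ARN contains a given path, while group membership is a separate list that the path does not touch. The account id, the users Bob, Alice, Carol and Dave, their paths and their groups are all constructed sample data; the wildcard semantics assumed are IAM's, where `*` in a Resource ARN matches any run of characters (including `/`) and `?` matches exactly one character.

```python
"""Added example: IAM path-based Resource matching vs. group membership.

Not code from the original post. All users, groups and the account id are
constructed sample data; the policy is the one quoted in the answer above.
"""
import re
from dataclasses import dataclass

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account


@dataclass(frozen=True)
class IamUser:
    name: str
    path: str = "/"                       # IAM's default path
    groups: frozenset = frozenset()       # group membership is independent of path

    @property
    def arn(self) -> str:
        # IAM embeds the path in the user ARN: arn:aws:iam::<account>:user<path><name>
        return f"arn:aws:iam::{ACCOUNT_ID}:user{self.path}{self.name}"


def arn_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an IAM Resource ARN pattern: '*' spans any text (even '/'), '?' one char."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def resource_matches(pattern: str, arn: str) -> bool:
    return arn_pattern_to_regex(pattern).match(arn) is not None


def users_covered_by(policy: dict, users: list) -> list:
    """Names of users whose ARN is covered by any Allow statement's Resource."""
    covered = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for user in users:
            if any(resource_matches(r, user.arn) for r in resources):
                covered.add(user.name)
    return sorted(covered)


def group_members(users: list, group: str) -> list:
    """Names of users in a group; paths play no role here at all."""
    return sorted(u.name for u in users if group in u.groups)


# The policy quoted in the answer: scoped by path, not by group.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["iam:GetContextKeysForPrincipalPolicy", "iam:SimulatePrincipalPolicy"],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:user/Department/Development/*",
        }
    ],
}

# Constructed users: path and group membership deliberately do not line up.
SAMPLE_USERS = [
    IamUser("bob", path="/Department/Development/"),                     # in path, not in group
    IamUser("alice", path="/Department/Development/Frontend/",           # nested path, also in group
            groups=frozenset({"Developers"})),
    IamUser("carol", path="/", groups=frozenset({"Developers"})),        # in group, not in path
    IamUser("dave", path="/Department/Marketing/"),                      # neither
]


if __name__ == "__main__":
    print("covered by path pattern:", users_covered_by(SAMPLE_POLICY, SAMPLE_USERS))
    print("members of Developers:  ", group_members(SAMPLE_USERS, "Developers"))
```

Running it shows Bob covered by the path-scoped policy although he is in no group, and Carol in the Developers group although the path pattern never touches her; the two sets overlap only where an administrator chose to keep them aligned. Note also that the nested path `/Department/Development/Frontend/` is matched because `*` spans `/`, which is the property that makes the folder-style paths in the AWS quote above useful for policy scoping.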