amazon-web-services - Restrict an IAM policy to run only in an specified account
问题描述
Can I impose a restriction on an IAM policy to run on a specific account only? I have searched for documentation or examples online but could not find anything on it.
Edited: There are multiple accounts and similar policies to implement, each with a different restriction. In such cases, to prevent any mixing up while implementation of policies; I want to ensure that there is a restriction that imposed on the policy that tells which AWS account this policy can live in.
CFT:
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Policy for XYZ'
Resources:
XYZPolicy:
Type: "AWS::IAM::ManagedPolicy"
Properties:
Description: "Restrictions apply only to Account XYZ"
Path: "/"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- "cloudformation:*"
- "cloudtrail:*"
- "cloudwatch:*"
- "ec2:*"
- "sso:*"
- "s3:*"
Resource: "*"
Roles:
-
Ref: "XYZRole"
ManagedPolicyName: "XYZPolicy
解决方案
默认情况下,一个策略只适用于它所属的账户,虽然你可以启用跨账户策略,所以你要做的基本上是默认的。
如果您真的想这样做,您可以尝试以下方法:
"Condition": {
"ArnEquals": {
"iam:PolicyArn": [
"arn:aws:iam::AWS-ACCOUNT-ID:policy/XYZPolicy"
]
}
}
推荐阅读
- java - 在我运行代码从文件中“删除”数据后,随机访问文件似乎从 UTF-16 BE 切换到 UTF-16 LE
- python - 使用 asyncio 和 Python 3.6,如何构建处理/提交多个顺序请求的 TCP 服务器/客户端?
- r - 生成季节性假人
- r - 为什么以下 Regex 表达式不适用于 R Studio-Version(3.1.2) 中的 list.files 函数?
- android - 如何在没有 AppCompatActivity 的情况下使用请求
- android - 为什么 glide 和 picasso 不会在 Google Maps Marker 中加载 url 图片?
- sql - 不能替换变音符号 (ّ) 在阿拉伯语中的符号
- css - 具有填充/边距和相同纵横比的特殊 CSS (Flex)Grid
- oracle-apex - APEX 设置值未更新
- docker-compose - 网络“hbase”被声明为外部,但找不到。您需要在部署堆栈之前创建一个集群范围的网络