When/how to use permission boundaries in serverless functions?

Problem description

SAM template below:

  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.LambdaHandler
      Runtime: nodejs8.10
      Events:
        MySQSEvent:
          Type: SQS
          Properties:
            Queue: !GetAtt somequeue.Arn
            BatchSize: 10

  somequeue:
    Type: AWS::SQS::Queue

A default role is created automatically with the following policies (JSON):

{
  "roleName": "somestack-HelloWorldFunctionRole-AAAAAAAAA",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "sqs:ReceiveMessage",
              "sqs:DeleteMessage",
              "sqs:GetQueueAttributes",
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          }
        ]
      },
      "name": "AWSLambdaSQSQueueExecutionRole",
      "id": "ANPAJFWJZI6JNND4TSELK",
      "type": "managed",
      "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole"
    },
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          }
        ]
      },
      "name": "AWSLambdaBasicExecutionRole",
      "id": "ANPAJNCQGXC42545SKXIK",
      "type": "managed",
      "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
    }
  ],
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}

We need to enforce access rules for specific actions on specific resources (as in the YAML below) and deny access to other resources (in the log-group).

1) Do I need to use a permission boundary or a policy to enforce the following rules, for the SAM template above?

- Effect: Allow
  Action:
    - "logs:CreateLogGroup"
  Resource:
    - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"

2) What is the procedure for creating a permission boundary via the Lambda function's SAM template, given that it asks for an ARN?

Tags: amazon-web-services, aws-lambda, amazon-iam, aws-serverless, aws-sam

Solution

In this case, I would not recommend using a permission boundary. The permissions above are created by SAM by default. If you need more restrictive permissions, what you can do is create your own role and use that role instead of the one SAM creates automatically.

If you use your own role, SAM does not add any extra permissions to it, so you can tailor it as you need.

Here is an example of how to do that.

Transform: 'AWS::Serverless-2016-10-31'
Resources:
    ThumbnailFunction:
        Type: 'AWS::Serverless::Function'
        Properties:
            Runtime: nodejs8.10
            Handler: index.handler
            CodeUri: ./src
            Role: !GetAtt FunctionInvokeRole.Arn
            Events:
                MySQSEvent:
                    Type: SQS
                    Properties:
                        Queue: !GetAtt somequeue.Arn
                        BatchSize: 10

    somequeue:
        Type: AWS::SQS::Queue

    FunctionInvokeRole:
        Type: AWS::IAM::Role
        Properties:
            AssumeRolePolicyDocument:
                Version: '2012-10-17'
                Statement:
                    - Effect: 'Allow'
                      Principal:
                          Service:
                              - 'lambda.amazonaws.com'
                      Action:
                          - 'sts:AssumeRole'
            Policies:
                - PolicyName: 'root'
                  PolicyDocument:
                      Version: '2012-10-17'
                      Statement:
                          - Effect: 'Allow'
                            Action: '*'
                            Resource: '*'

Use the Policies property of FunctionInvokeRole to specify your own policy.

