amazon-web-services - Trying to give IAM user rights to create and assign roles, but limit the type of policies available
问题描述
I'm trying to give a user the rights to create Roles (since I'm not providing rights to create Access Keys).
I have figured out a Policy to allow the user to create and assign Roles. The issue I have is that right now, the user can create a role with the Policy of "AdministratorAccess" even though they are not Administrator. Is there a way to deny certain policies in the list of options?
Below is the policy done via the wizard provided.
Thanks,
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:UpdateAssumeRolePolicy",
"iam:ListRoleTags",
"iam:UntagRole",
"iam:PutRolePermissionsBoundary",
"iam:TagRole",
"iam:RemoveRoleFromInstanceProfile",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:ListInstanceProfilesForRole",
"iam:PassRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListPolicies",
"iam:GetRole",
"iam:ListRoles",
"iam:DeleteRole",
"iam:UpdateRoleDescription",
"iam:CreateServiceLinkedRole",
"iam:UpdateRole",
"iam:DeleteServiceLinkedRole",
"iam:GetRolePolicy"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}
EDIT: 26/6/20 I tried to use Permission Boundaries as suggested, but perhaps my understanding is still insufficient. I made a new policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAdmin",
"Effect": "Deny",
"Action": [
"iam:*"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"iam:PolicyArn": [
"arn:aws:iam::aws:policy/AdministratorAccess"
]
}
}
}
]
}
I would think that would mean Deny any/all iam actions when it concerns the AdministratorAccess Policy. However, the result is that all role assignments/creation are denied even when the policy being attached is NOT AdministratorAccess. However, if I setup a policy and add a Condition of ArnNotEquals the AdministratorAccess - then I seem to be able to do what I want(just using it as a policy, not as a Boundary)
Based on what I have seen, Permissions Boundary is probably the right way to go, but I cannot quite get it yet so I'm hesitant to mark it as "Correct Answer".
解决方案
You can use AWS IAM Permissions Boundaries: Permissions Boundaries for IAM Entities - AWS Identity and Access Management
“A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.“</p>
Here’s a step-by-step introduction on the AWS Security Blog: Delegate permission management to developers by using IAM permissions boundaries | AWS Security Blog
推荐阅读
- javascript - `replace()` 函数版本中的命名捕获组
- android - System.getProperty("line.separator") 和 "\n" 导致列表视图不填充
- php - Codeigniter 4 中 $this->db->last_query() 的等价物是什么?
- fortran - Fortran 77 中的错误,使用二维数组从文件中读取数字
- swift - 我打开 VPN 时无法连接到 SQL - Swift
- linux - 具有 8 个通道的 ALSA 捕获流,但打开流为 4
- javascript - 如何在 highcharts-angular 的全屏视图中删除/隐藏导出按钮
- javascript - React Router Link 内的复选框
- swift - 替换 NSStatusBarButton NSView 以禁用活力
- node.js - 无法将响应发送回 nodeJS 中的 index.js