amazon-web-services - How do I protect tagged AWS resources with an SCP?
Problem description
I have some sensitive assets (Lambda functions, S3 buckets, IAM ...) that I want to protect in case someone tries to wipe a bucket policy, delete a function, or otherwise damage these resources. They are all tagged <<MY_KEY>>:<<MY_VALUE>>. The thing is, I want to enforce this at the organization level, because I have several AWS accounts. I am using this policy in an SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyActionsOnTaggedResources",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging",
        "s3:DeleteBucketPolicy",
        "s3:PutAccessPointPolicyForObjectLambda",
        "s3:PutBucketPublicAccessBlock",
        "s3:DeleteAccessPointPolicyForObjectLambda",
        "s3:PutMultiRegionAccessPointPolicy",
        "s3:PutBucketAcl",
        "s3:DeleteAccessPointPolicy",
        "s3:PutAccessPointPolicy",
        "s3:BypassGovernanceRetention",
        "lambda:DeleteFunction",
        "lambda:DeleteCodeSigningConfig",
        "lambda:DeleteFunctionCodeSigningConfig",
        "lambda:AddLayerVersionPermission",
        "lambda:RemoveLayerVersionPermission",
        "lambda:EnableReplication",
        "lambda:AddPermission",
        "lambda:DisableReplication",
        "lambda:DeleteLayerVersion",
        "lambda:DeleteFunctionEventInvokeConfig",
        "lambda:PublishVersion",
        "lambda:CreateAlias",
        "lambda:RemovePermission",
        "iam:DeleteRole",
        "iam:DeleteInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeleteRolePolicy",
        "iam:DeleteUserPolicy",
        "iam:DeleteGroupPolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePermissionsBoundary",
        "iam:CreatePolicy",
        "iam:DetachRolePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/<<MY_KEY>>": "<<MY_VALUE>>"
        },
        "StringNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/<<MY_ROLE>>"
          ]
        }
      }
    }
  ]
}
To test it, whenever I use a role that is not my role, I can still modify the resources. Where is my mistake?
Solution
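An added example, not part of the post and not an answer from the site: a small local evaluator for the statement's Condition block, written to show how IAM's condition operators treat the "*" in "arn:aws:iam::*:role/<<MY_ROLE>>". StringEquals and StringNotEquals compare literally, so the asterisk never matches a real account id; only the Like operators (and the Arn operators, which behave like ArnLike) interpret wildcards. The evaluator also models the rule that a condition key missing from the request context fails a positive operator and satisfies a negated one. The tag key, tag value, role name and account id are assumed placeholders.

```python
# Added example (not from the post): local evaluation of the SCP's Condition
# block against constructed request contexts. Placeholder values are assumed.
import fnmatch

TAG_KEY, TAG_VALUE, ROLE_NAME = "owner", "security", "BreakGlassAdmin"  # assumed

# The Condition block as posted, with the placeholders filled in.
CONDITION_AS_POSTED = {
    "StringEquals": {f"aws:ResourceTag/{TAG_KEY}": TAG_VALUE},
    "StringNotEquals": {"aws:PrincipalArn": [f"arn:aws:iam::*:role/{ROLE_NAME}"]},
}

# Same intent, but with an ARN operator so the "*" in the account field is a wildcard.
CONDITION_ARN_NOT_LIKE = {
    "StringEquals": {f"aws:ResourceTag/{TAG_KEY}": TAG_VALUE},
    "ArnNotLike": {"aws:PrincipalArn": [f"arn:aws:iam::*:role/{ROLE_NAME}"]},
}

LITERAL_OPS = {"StringEquals", "StringNotEquals"}
WILDCARD_OPS = {"StringLike", "StringNotLike", "ArnLike", "ArnNotLike",
                "ArnEquals", "ArnNotEquals"}  # IAM treats ArnEquals like ArnLike


def _match(operator, pattern, value):
    """Compare one policy value with one request-context value."""
    if operator in LITERAL_OPS:
        return pattern == value  # exact match; "*" is just an asterisk here
    if operator in WILDCARD_OPS:
        # fnmatch approximates IAM's "*" / "?" handling closely enough for ARNs
        return fnmatch.fnmatchcase(value, pattern)
    raise ValueError(f"operator not modelled: {operator}")


def condition_matches(condition, context):
    """True when every operator block holds (blocks are ANDed, values are ORed).

    A key absent from the request context fails a positive operator and
    satisfies a negated one; that is the IAM rule this models.
    """
    for operator, pairs in condition.items():
        negated = "Not" in operator
        for key, patterns in pairs.items():
            patterns = [patterns] if isinstance(patterns, str) else patterns
            if key not in context:
                if negated:
                    continue
                return False
            hit = any(_match(operator, p, context[key]) for p in patterns)
            if hit == negated:  # positive op needs a hit, negated op needs none
                return False
    return True


def is_denied(condition, principal_arn, resource_tags):
    """Would the Deny statement fire for this principal and resource tag set?"""
    context = {"aws:PrincipalArn": principal_arn}
    context.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return condition_matches(condition, context)


# Constructed request contexts: the exempt role, another role, a tagged resource.
EXEMPT_ROLE = f"arn:aws:iam::111122223333:role/{ROLE_NAME}"  # assumed account id
OTHER_ROLE = "arn:aws:iam::111122223333:role/Developer"
TAGGED = {TAG_KEY: TAG_VALUE}

if __name__ == "__main__":
    for label, cond in (("as posted", CONDITION_AS_POSTED),
                        ("ArnNotLike", CONDITION_ARN_NOT_LIKE)):
        print(f"{label:11} exempt role denied: {is_denied(cond, EXEMPT_ROLE, TAGGED)}, "
              f"other role denied: {is_denied(cond, OTHER_ROLE, TAGGED)}, "
              f"untagged resource denied: {is_denied(cond, OTHER_ROLE, {})}")
```

Run as is, the "as posted" line reports the exempt role as denied too, because the literal string "arn:aws:iam::*:role/..." never equals a real role ARN, so StringNotEquals is always satisfied; with ArnNotLike the exempt role passes and the other role is denied. The untagged case shows the other half of the logic: when aws:ResourceTag/<key> is absent from the request context, StringEquals fails and the Deny does not apply at all, which is the symptom in the question whenever an action does not populate that key (the Service Authorization Reference lists the condition keys each action supports). Two further checks worth doing before concluding the SCP is wrong: run the statement through aws iam simulate-custom-policy with --context-entries for both keys, and make sure the test is not being done from the organization's management account, to which SCPs never apply.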