How to protect tagged AWS resources with an SCP?

Problem description

I have some sensitive assets (Lambda, S3 buckets, IAM ...) that I want to protect in case someone tries to wipe a bucket policy, delete a function, or otherwise damage these resources. They are all tagged <<MY_KEY>>:<<MY_VALUE>>. The problem is that I want to enforce this at the organization level, since I have multiple AWS accounts. I am using this policy in an SCP.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyActionsOnTaggedResources",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging",
        "s3:DeleteBucketPolicy",
        "s3:PutAccessPointPolicyForObjectLambda",
        "s3:PutBucketPublicAccessBlock",
        "s3:DeleteAccessPointPolicyForObjectLambda",
        "s3:PutMultiRegionAccessPointPolicy",
        "s3:PutBucketAcl",
        "s3:PutBucketPolicy",
        "s3:DeleteAccessPointPolicy",
        "s3:DeleteBucketPolicy",
        "s3:PutAccessPointPolicy",
        "s3:BypassGovernanceRetention",
        "lambda:DeleteFunction",
        "lambda:DeleteCodeSigningConfig",
        "lambda:DeleteFunctionCodeSigningConfig",
        "lambda:AddLayerVersionPermission",
        "lambda:RemoveLayerVersionPermission",
        "lambda:EnableReplication",
        "lambda:AddPermission",
        "lambda:DisableReplication",
        "lambda:DeleteLayerVersion",
        "lambda:DeleteFunctionEventInvokeConfig",
        "lambda:PublishVersion",
        "lambda:CreateAlias",
        "lambda:RemovePermission",
        "iam:DeleteRole",
        "iam:DeleteInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeleteRolePolicy",
        "iam:DeleteUserPolicy",
        "iam:DeleteGroupPolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePermissionsBoundary",
        "iam:CreatePolicy",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/<<MY_KEY>>": "<<MY_VALUE>>"
        },
        "StringNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/<<MY_ROLE>>"
          ]
        }
      }
    }
  ]
}

For testing, whenever I use a role that is not my role, I can still modify the resources. Where is my mistake?

Tags: amazon-web-services, amazon-s3, aws-lambda, amazon-iam

Solution


Can you try changing StringNotEquals to StringNotLike? StringNotEquals does not work when you use a wildcard (*) in the condition. The rest of the policy looks reasonable.

See: String condition operators

I'd also recommend using Access Analyzer to validate the policy. It will catch errors like this as you build the policy. See: Access Analyzer
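As an added illustration that is not part of the question or the answer, the Python below evaluates the Condition block from the question the way IAM's string operators do, so you can see that a "*" inside a StringNotEquals value is compared as a literal asterisk while StringNotLike expands it. The tag key/value and the role name are constructed stand-ins for the <<MY_KEY>>, <<MY_VALUE>> and <<MY_ROLE>> placeholders.

```python
import fnmatch

# Constructed stand-ins for the placeholders used in the question's policy.
PROTECT_TAG_KEY = "aws:ResourceTag/DataClass"
PROTECT_TAG_VALUE = "sensitive"
EXEMPT_ROLE_PATTERN = "arn:aws:iam::*:role/SecurityAdmin"


def _match(op: str, actual: str, pattern: str) -> bool:
    """Positive-match semantics of the IAM string operators used here.
    StringEquals is an exact, case-sensitive comparison, so '*' in the policy
    value is a literal character. StringLike treats '*' and '?' as wildcards."""
    if op in ("StringEquals", "StringNotEquals"):
        return actual == pattern
    if op in ("StringLike", "StringNotLike"):
        return fnmatch.fnmatchcase(actual, pattern)
    raise ValueError(f"unsupported operator {op}")


def condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate a policy Condition block against a request context.
    Every operator/key pair must hold (AND); the values listed for one key are
    OR'd; the Not* operators hold only when no listed value matches. A key that
    is absent from the context fails positive operators and satisfies negated
    ones, which is the IAM rule for missing keys."""
    for op, keys in condition.items():
        negated = op.startswith("StringNot")
        for key, values in keys.items():
            values = values if isinstance(values, list) else [values]
            actual = ctx.get(key)
            if actual is None:
                if not negated:
                    return False
                continue
            any_hit = any(_match(op, actual, v) for v in values)
            if any_hit == negated:  # hit under Not*, or no hit under positive
                return False
    return True


def deny_applies(principal_arn: str, resource_tag: str, exempt_op: str) -> bool:
    """Does the question's Deny statement match this request when the role
    exemption is written with exempt_op ('StringNotEquals' or 'StringNotLike')?"""
    condition = {
        "StringEquals": {PROTECT_TAG_KEY: PROTECT_TAG_VALUE},
        exempt_op: {"aws:PrincipalArn": [EXEMPT_ROLE_PATTERN]},
    }
    ctx = {"aws:PrincipalArn": principal_arn, PROTECT_TAG_KEY: resource_tag}
    return condition_matches(condition, ctx)
```

With StringNotEquals the exempt role's real ARN never equals the literal pattern string, so the exemption does nothing; with StringNotLike the wildcard account ID matches and only other principals are denied.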
