amazon-web-services - 如何根据区域限制 AWS 访问?
问题描述
我正在关注有关如何根据区域拒绝访问 AWS 资源的 AWS 文档:https ://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-requested-region.html
这是我的 IAM 政策,当我尝试访问该帐户时,我什至看不到下面“条件”中描述的区域资源。访问“eu-central-1”的 EC2 控制台时出错:You are not authorized to perform this operation
我的目标是限制对条件中不存在的区域的任何资源的访问。例如,我想拥有“eu-central-1”的完全访问权限,但不能访问“ap-northeast-1”
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAccessNotListedRegions",
"Effect": "Deny",
"NotAction": [
"cloudfront:*",
"iam:*",
"route53:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"eu-central-1",
"eu-west-3",
"eu-west-2",
"eu-west-1"
]
}
}
}
]
}
解决方案
这是我找到的解决方案:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AllowAccessAllRegionListed",
"Effect":"Allow",
"Action":"*",
"Resource":"*",
"Condition":{
"StringEquals":{
"aws:RequestedRegion":[
"eu-central-1",
"eu-west-3",
"eu-west-2",
"eu-west-1"
]
}
}
},
{
"Sid":"AllowAccessGlobalServices",
"Effect":"Allow",
"Action":[
"cloudfront:*",
"iam:*",
"route53:*"
],
"Resource":"*"
},
{
"Sid":"DenyAccessNotListedRegionsExceptGlobalServices",
"Effect":"Deny",
"NotAction":[
"cloudfront:*",
"iam:*",
"route53:*"
],
"Resource":"*",
"Condition":{
"StringNotEquals":{
"aws:RequestedRegion":[
"eu-central-1",
"eu-west-3",
"eu-west-2",
"eu-west-1"
]
}
}
}
]
}
推荐阅读
- c# - 如何使用 EAV 模型向 Sql DB 插入数据
- haskell - Is there a wildcard type variable in Haskell?
- reactjs - 如何在 React 应用程序中获取组件的所有实例并使用 Jest 验证其属性?
- python - 调试期间不评估输入语句 - 触发 Try except
- ios - 升级到新的 Xcode 12 时出错
- javascript - 如何最小化在 JavaScript 中的对象数组中查找重复值的代码函数?
- firebase - FireStore 子系列定价?
- c++ - 如何从 C++ 中的字符串中提取多组动态数字?
- swift - 在 SwiftUI 中只接受数字和一个小数点的 TextField
- python - 有没有办法在颤振应用程序本身中编译 python 代码?