我可以应用哪种条件来限制IAM仅承担具有特定名称的角色?
此用户在多个AWS账户上具有可信关系,这些账户都包含角色名称"MyRole".所以我想要一个像这样的条件:
Assumed RoleARN ~= arn:aws:iam::[0-9]*:role/MyRole
谢谢
要让您的IAM用户在多个帐户中承担特定名称的角色,请明确地列出所有必需的角色ARN.这是做到这一点的安全方式.
"Resource": [ "arn:aws:iam::AWS-ACCOUNT-ID1:role/MyRole", "arn:aws:iam::AWS-ACCOUNT-ID2:role/MyRole", "arn:aws:iam::AWS-ACCOUNT-ID3:role/MyRole" ]
这是完整的政策:(AWS-ACCOUNT-ID是12位数字,没有超额)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Resource": [ "arn:aws:iam::AWS-ACCOUNT-ID1:role/MyRole", "arn:aws:iam::AWS-ACCOUNT-ID2:role/MyRole", "arn:aws:iam::AWS-ACCOUNT-ID3:role/MyRole" ] } ] }
但是,考虑到您尝试使用通配符代替帐户ID,我想强调可能会出现以下情况,但会使您的公司面临安全风险.它违反了最小特权原则.
访问以承担任何AWS账户中的任何角色(INSECURE)
"Resource": [ "arn:aws:iam::*" ]
访问任何AWS账户中的"MyRole"(INSECURE)
"Resource": [ "arn:aws:iam::*:role/MyRole" ]
通过此通配符访问,IAM用户可以代表您的公司在任何第三方AWS账户中承担"MyRole"(或任何角色).