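Clicking through dropdowns is notoriously annoying. I've been trying to get a generic policy stub (one with everything for Actions, not just the globals) so that I can quickly go through and allow/deny for our group policies.
I looked at the CLI commands and didn't see anything. I also looked at the policy generator, but it was either click on everything or use *:*, which is bad...
Is there a way to generate a complete stub, or has someone online generated the complete policy stub for me to use? The result should look something like this...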
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1496337889000",
            "Effect": "Allow",
            "Action": [
                "discovery:CreateTags",
                "discovery:DeleteTags",
                "discovery:DescribeAgents",
                "discovery:DescribeConfigurations",
                "discovery:DescribeExportConfigurations",
                "discovery:DescribeTags",
                "discovery:ExportConfigurations",
                "discovery:ListConfigurations",
                "discovery:StartDataCollectionByAgentIds",
                "discovery:StopDataCollectionByAgentIds"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1496337865000",
            "Effect": "Allow",
            "Action": [
                "batch:CancelJob",
                "batch:CreateComputeEnvironment",
                "batch:CreateJobQueue",
                "batch:DeleteComputeEnvironment",
                "batch:DeleteJobQueue",
                "batch:DeregisterJobDefinition",
                "batch:DescribeComputeEnvironments",
                "batch:DescribeJobDefinitions",
                "batch:DescribeJobQueues",
                "batch:DescribeJobs",
                "batch:ListJobs",
                "batch:RegisterJobDefinition",
                "batch:SubmitJob",
                "batch:TerminateJob",
                "batch:UpdateComputeEnvironment",
                "batch:UpdateJobQueue"
            ],
            "Resource": [
                "*"
            ]
        },
        .... etc ....
    ]
}
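Answer 1
As far as IAM is concerned, you have to remember that there is an implicit deny on every API action. If you want a user/group to have access, you need to explicitly allow the action.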
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
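The evaluation order Answer 1 refers to, as an added example that is not part of the original answers: a simplified evaluator for a single identity-based policy. It assumes only `Effect` and `Action` matter (it ignores `Resource`, `Condition`, `NotAction`, and other policy types), and the sample policy is constructed from the question's stub plus one illustrative `Deny` statement.

```python
import json
import re

# Constructed sample: a trimmed copy of the question's stub, one wildcard
# Allow, and one Deny statement added for illustration.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["batch:DescribeJobs", "batch:ListJobs", "batch:SubmitJob"],
     "Resource": ["*"]},
    {"Effect": "Allow", "Action": "discovery:Describe*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["batch:SubmitJob"], "Resource": ["*"]}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # Action names are case-insensitive; "*" and "?" are the only wildcards.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def evaluate(policy, action):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one action."""
    decision = "ImplicitDeny"  # nothing matched yet, so denied by default
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        if not any(_matches(p, action) for p in actions):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny overrides any allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for a in ("batch:ListJobs", "batch:SubmitJob", "batch:TerminateJob"):
        print(a, "->", evaluate(POLICY, a))
```

Any action missing from the stub comes back as `ImplicitDeny`, so a stub only needs `Allow` entries for what the group should do; a `Deny` entry is needed only to override an allow granted elsewhere.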
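Answer 2
While there isn't a programmatically available list of all actions for all policies, there does appear to be a one-stop site documenting all the available policy actions, and their available condition keys, for every service. It's one service per page, but all the links are here: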